Spear Phishing – How complicit are you?

Spear phishing is what happens to gullible idiots who are not paying proper attention, right?

Wrong! Spear phishing uses increasingly clever social engineering to make spoof emails appear real, and it’s all too easy to become a victim. Even if you are way too clever to get caught, your business users, who are not necessarily thinking about technology and security every minute of their day, may fall victim to these types of attacks.

And their mobile phones could be helping…?

Here’s how. Details of supposedly private conversations between colleagues can be used to make a spear phishing scam more believable. In an IMSI catcher attack, a fake base station is used to intercept calls, forcing phones down to 2G technology (which negates the stronger encryption used across 3G & 4G networks). If your business users are subject to such an attack, their conversations, which they think are private, can actually be listened to. See our previous blog for details on how this works.

Then all it takes is a phishing email that appears to come from a trusted colleague and refers to an earlier conversation, which gives the email credibility, plus a request to click a link, and a virus or Trojan could be launched. The person who has been hacked doesn’t even know.

So how can you tell if your mobile phone has been subject to interception? Short answer: you couldn’t, unless you are in the covert ops industry with access to some pretty heavy-duty technology. Who could launch such an attack? Almost anyone who wants to, with entry-level hacking skills and a piece of kit that can be purchased online for about €300. This could be a disgruntled ex-employee, competitors looking to steal your intellectual property, or even just pranksters/script kiddies.

The security and IT press has been talking about ‘protecting the endpoint’ for years; now the endpoint includes mobile phones. If your business users have intellectual property to protect, or commercial secrets that you’d rather remained a secret, then perhaps now is a good time to start looking at protecting your ultimate endpoint: the mobile phone!

 
