Spear-Phishing E-mail

  • 7023227
  • 30-Jul-2018
  • 03-Aug-2018

Environment

GWAVA (Secure Messaging Gateway) 7

Situation

What are spear-phishing e-mails? To get a better understanding of spear-phishing, here is the difference between phishing and spear-phishing e-mail:

Phishing e-mails are e-mail attacks from spammers that try to gather confidential information. Spammers will send out a message that may contain a link to a website, a file to download, or any other type of scam to gather information, such as social security numbers, phone numbers, customer records, e-mail information, credit card information, etc. More often than not, the message contains harmful malware or links to a website that hosts malicious software. Phishing is done in bulk, sending hundreds if not thousands of messages to e-mail addresses, valid or not, often using spoofed e-mail that poses as a person in the internal network, someone in the user’s address book, or someone in the user’s domain.

Spear-phishing e-mails are essentially the same type of attack as phishing: they still try to glean sensitive information from the end user, and they contain malware. The biggest difference is that spear-phishing is not entirely sent out in bulk. These e-mails are crafted more precisely, and their targets are chosen more carefully. After finding information on the internet, such as a person’s e-mail address, location, or even address book, the attacker poses as a friend or an allegedly known source and sends a message that looks authentic and quite convincing. These messages are much more difficult to detect, and even more difficult to block, even for sophisticated spam filters.

Click these links for more information on Spear-Phishing:

Phishing vs. Spear-Phishing

Spear-Phishing

Resolution

How Secure Messaging Gateway (SMG)/GWAVA can block spear-phishing e-mail:

The following can help block spear-phishing e-mails.

1)      Definition Updates: SMG updates automatically every hour to ensure it has the latest signature algorithms to stop spammers.

2)      SPF Setup: Be sure to set up SPF filtering, as this is the first line of defense against anything that is being spoofed by the spammers. Click here for more information on SPF: https://support.microfocus.com/kb/doc.php?id=7019848

3)      Remove Exceptions: Any exception that lets a message through from a domain that could potentially be spoofed can also let spear-phishing e-mails through.

4)      Content Filtering: Any patterns that can be seen, such as subject lines, attachment names or extensions, or text in the body, can be added to a content filter in the Mail Filter Policy.

5)      Spam Reporting: Spear-phishing e-mail that gets through can be submitted to the SPAM corpus of SMG to teach the filtering system to be stricter on the type of content that is being sent. Although this is a really efficient way to teach the system and block spam messages, it can take some time, and multiple messages, before blocked results start to appear.

6)      DKIM: DomainKeys Identified Mail (DKIM) helps to detect e-mail spoofing, much like SPF. It checks whether an e-mail was authorized by the owner of the domain that is found in the message, and is mostly intended to verify senders and prevent forged sender e-mail addresses. It is a complex setup, as it requires work on the DNS, and keys so that the filter knows what to look for in the different areas of the message. For further help in setting up DKIM for SMG click here.

7)      User Education
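The SPF, DKIM and content-filtering checks above can be tried offline against a saved message. The following is an added example, not SMG's own filter logic or code from this article. It assumes the receiving gateway records its SPF and DKIM verdicts in an Authentication-Results header; the gateway name, domain list, extension list, subject pattern and sample message are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example: gateway name, own domains, site filter policy.
TRUSTED_AUTHSERV = "mx.example.com"
INTERNAL_DOMAINS = {"example.com"}
RISKY_EXT = (".exe", ".scr", ".js", ".vbs")
SUBJECT_RE = re.compile(r"\b(urgent|wire transfer)\b", re.I)

# Constructed message: internal-looking sender, SPF fail, no DKIM signature.
SAMPLE = """\
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none
From: "Pat Lee" <pat.lee@example.com>
Subject: Urgent wire transfer
Content-Type: multipart/mixed; boundary="b1"

--b1

Please process the attached invoice today.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.pdf.exe"

--b1--
"""

def auth_results(msg):
    """SPF/DKIM verdicts, read only from the header our own gateway stamped."""
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, rest = header.partition(";")
        if authserv.strip().lower() == TRUSTED_AUTHSERV:
            found = dict(re.findall(r"\b(spf|dkim)=(\w+)", rest.lower()))
            return {m: found.get(m, "none") for m in ("spf", "dkim")}
    return {"spf": "none", "dkim": "none"}  # a sender-supplied header is ignored

def triage(raw):
    msg = message_from_string(raw)
    reasons = []
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if domain in INTERNAL_DOMAINS:  # our own domain in From: must authenticate
        reasons += [f"{m}={v}" for m, v in auth_results(msg).items() if v != "pass"]
    if SUBJECT_RE.search(msg.get("Subject", "")):
        reasons.append("subject-pattern")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            reasons.append(f"attachment:{name}")
    return reasons
```

An empty list from `triage()` means none of these checks fired; it does not mean the message is safe, which is why user education remains on the list.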