Environment
Situation
What are Spear-Phishing E-mails?
To get a better understanding of spear-phishing, here is the difference between phishing and spear-phishing e-mails:
Phishing E-mails: These are e-mail attacks from spammers that try to gather confidential information. Spammers send out a message that may contain a link to a website, a file to download, or any other type of scam to gather information such as social security numbers, phone numbers, customer records, e-mail information, credit card information, etc. More often than not the message contains harmful malware or links to a website that hosts malicious software. Phishing is done in bulk, sending hundreds if not thousands of messages to e-mail addresses, valid or not, often using a spoofed e-mail address and acting as a person in the internal network, someone in the user’s address book, or someone in the user’s domain.
Spear-Phishing E-mails: These are essentially the same type of attack as phishing, still trying to glean sensitive information from the end user, and may contain malware. The biggest difference is that spear-phishing is not entirely sent out in bulk. These e-mails are crafted more precisely, and their targets are chosen more carefully. After finding information on the internet, such as a person’s e-mail address, location, or even address book, the attacker poses as a friend or an allegedly known source and sends a message that looks authentic and quite convincing. These messages are much more difficult to detect, and even more difficult to block, even for sophisticated spam filters.
Resolution
How can Secure Messaging Gateway (SMG)/GWAVA block spear-phishing e-mail?
The following can help block spear-phishing e-mails.
1) Definition Updates: SMG updates automatically every hour to ensure it has the latest signature algorithms to stop spammers.
2) SPF Setup: Be sure to set up SPF filtering, as this is the first line of defense against anything that is being spoofed by spammers. For more information on SPF, see: https://support.microfocus.com/kb/doc.php?id=7019848
3) Remove Exceptions: Any exception that allows a message through from a domain that could potentially be spoofed can let spear-phishing e-mails through.
4) Content Filtering: Any patterns that can be seen, such as subject lines, attachment names or extensions, or text in the body, can be put into a content filter in the Mail Filter Policy.
5) Spam Reporting: Spear-phishing e-mail that gets through can be submitted to the SPAM corpus of SMG to teach the filtering system to be stricter on the type of content that is being sent. Although this is a really efficient way to teach the system and block spam messages, it can take some time, and multiple messages, before blocked results start to appear.
6) DKIM: DomainKeys Identified Mail (DKIM) helps to detect e-mail spoofing, much like SPF. It checks whether an e-mail was authorized by the owner of the domain found in the message, and is mostly intended to verify sender e-mail addresses and prevent forged ones. It is a complex setup, as it requires work on the DNS and keys so that the receiver knows what to look for in the different areas of the message. For further help in setting up DKIM for SMG click here.
7) User Education
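
The sketch below illustrates why items 2, 3 and 6 work together: a message whose From: address uses your own domain is only trustworthy if SPF or DKIM passed for that same domain. It is an added example, not SMG code or configuration. It assumes a gateway or upstream MTA records its results in an Authentication-Results header, and the domain, host name and sample messages are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

PROTECTED = {"example.com"}          # assumption: the organisation's own domain
TRUSTED_AUTHSERV = "mx.example.com"  # assumption: id stamped by your own gateway

def domain_of(value):
    return value.rpartition("@")[2].strip("<>").lower()

def aligned_passes(msg, from_domain):
    """Return the methods (spf/dkim) that passed for the From: domain itself."""
    passed = set()
    for hdr in msg.get_all("Authentication-Results", []):
        parts = [p.strip() for p in hdr.split(";")]
        if (parts[0].split() or [""])[0].lower() != TRUSTED_AUTHSERV:
            continue  # results stamped by any other host are not trusted
        for clause in parts[1:]:
            m = re.match(r"(spf|dkim)=(\w+)", clause, re.I)
            if not m or m.group(2).lower() != "pass":
                continue
            method = m.group(1).lower()
            prop = "smtp.mailfrom" if method == "spf" else "header.d"
            v = re.search(re.escape(prop) + r"=(\S+)", clause, re.I)
            if v and domain_of(v.group(1)) == from_domain:
                passed.add(method)
    return passed

def classify(raw):
    msg = message_from_string(raw)
    from_domain = domain_of(parseaddr(msg.get("From", ""))[1])
    if from_domain not in PROTECTED:
        return "external"
    return "authenticated" if aligned_passes(msg, from_domain) else "suspect-spoof"

# Constructed sample messages (not real traffic).
def sample(auth, sender):
    return f"Authentication-Results: {auth}\nFrom: {sender}\nSubject: Invoice\n\nbody\n"

LEGIT = sample("mx.example.com; spf=pass smtp.mailfrom=alice@example.com; "
               "dkim=pass header.d=example.com", "Alice <alice@example.com>")
SPOOFED = sample("mx.example.com; spf=fail smtp.mailfrom=ceo@example.com; dkim=none",
                 "CEO <ceo@example.com>")
UNALIGNED = sample("mx.example.com; spf=pass smtp.mailfrom=bounce@mailer.test",
                   "CEO <ceo@example.com>")
FORGED_AR = sample("mx.other.test; spf=pass smtp.mailfrom=ceo@example.com",
                   "CEO <ceo@example.com>")

if __name__ == "__main__":
    for name in ("LEGIT", "SPOOFED", "UNALIGNED", "FORGED_AR"):
        print(name, classify(globals()[name]))
```

An exception that lets mail from your own domain bypass filtering skips exactly this check, which is why the SPOOFED and UNALIGNED samples would be delivered if such an exception were in place.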