Just last week, Google publicly revealed a zero-day flaw in Windows that Russian hackers exploited via spear phishing attacks. The hackers targeted a specific set of customers and used malicious code to exploit an Adobe Flash vulnerability to gain control of the browser process, then took advantage of a Windows kernel bug to gain admin privileges and access to the insecure PCs.
What is spear phishing? It is a term used when hackers target a specific company or group of individuals with e-mails designed to trick them into divulging sensitive or confidential information. Spear phishing is much more focused than a general phishing e-mail, which is sent to a large group of people. A spear phishing campaign will use specific, carefully researched details in order to seem authentic.
For example, suppose a hacker wants to gain access to XYZ organization. A simple LinkedIn search reveals that the organization’s CISO is an alum of the Sigma Chi Fraternity, and his e-mail address is found on the company contact page. The CISO then receives an e-mail from his fraternity inviting him to the annual alumni BBQ next month. The e-mail references an attachment with more details on the event. He clicks the attachment, but nothing happens. Or does it…? He may have just granted the hackers access to his PC!
Below are some best practices to follow:
- Limit the use of organizational email addresses.
- Do not open e-mail attachments on communications that you were not expecting.
- Limit the amount of information shared on social networking sites.
- Never ask for personal information from your staff via e-mail.
- Report any suspicious emails to your IT department immediately.
- Ensure all applications and systems are kept current, and updates/patches are applied as soon as possible.
Microsoft is planning to release a patch for the identified flaw as part of its regularly scheduled updates on November 8th. Whether or not you agree with Google’s decision to share the zero-day flaw before a patch was released, one thing is certain: the best practices remain the same. Stay vigilant and remember – your users are your first line of defense.