The ubiquitous use of the Internet has made it possible for terrorist groups to remotely foment attacks with little risk of capture. Among the newest forms of attacks is cyber hacking, which has seen increased use by terrorist groups for acts ranging from pinpointing targets for assassination to holding organisations hostage and embarrassing governments. In almost all these attacks, spear phishing is the vector used to gain access to a computer network – making it imperative that policymakers find ways to stop it. This chapter provides an overview of the different types of spear phishing attacks and the reasons they succeed. The chapter then provides an overview of the different strategies being used to combat it and their relative effectiveness. Drawing from the latest social science research and from initiatives that have worked around the world, the chapter culminates with six policy suggestions, which could significantly reduce the effectiveness of spear phishing and protect nations from a major cyber attack.
TopIntroduction
Terrorism is broadly defined as the unlawful use of force or violence to intimidate or coerce a civilian population or government to further political or social objectives (Federal Bureau of Investigation [FBI], n.d.). In the not so distant past, such acts required terrorists to physically enter national boundaries and conduct acts of terror. Geography, border security, and the risk of capture often limited the scope of these attacks. Our dependence on the Internet for all manner of activities, from the household monitoring of thermostats to the control of a nation’s electric grid, and its democratised nature – the lack of gatekeepers (such as the editors of traditional news), the availability of standardised operating platforms, and open source software – have made it easier for today’s terrorist groups to remotely foment acts of terror without the risk of capture.
Ongoing news reports of Al-Qaeda and the Islamic State in Iraq and Syria (ISIS) using YouTube, Twitter, and Facebook to disseminate videos of successful attacks, recruit individuals, and promote propaganda demonstrate how technically adept these groups have become (Hingham & Nakashima, 2015). But there is another troubling trend: the use of spear phishing attacks by terrorist groups.
In December 2014, ISIS launched a spear phishing attack on citizen media groups sympathetic to the Syrian government – an attack intended to place position-beacons in individual computers that could reveal the sympathisers’ locations, presumably for assassination (Scott-Railton & Hardy, 2014). In another attack, ISIS used spear phishing to gain access to the U.S. Military Central Command’s (Centcom) Twitter and YouTube accounts, and on the very day that U.S. President Obama made a speech on cyber security, posted images with threats against American soldiers (Zetter, 2015).
ISIS, however, is not alone. Another prolific hacker group, the Syrian Electronic Army (SEA), with links to Syria, Iran, and Hezbollah, recently hacked the Twitter account of the Associated Press (AP) and tweeted false news to AP’s 2-million plus followers of two explosions in the White House that injured U.S. President Obama. Although the hack was quickly discovered and a correction sent out within three minutes of the tweet, by then the Dow Jones had dropped 143-points (Shell, 2013), and the S&P (Standard and Poor’s) Index had lost USD 136 billion (Prigg, 2015). SEA has also defaced websites of news media they considered hostile to the Syrian government such as BBC News and The New York Times; defaced Facebook pages of President Obama and French President Nicholas Sarkozy; and also hacked into the recruiting websites of the U.S. Marine Corps (Acohido, 2013). Other reports of Palestinian hackers using spear phishing attacks to breach computer networks of the Israeli Defense Force (IDF) (Fisher-Ilan & Finkle, 2014); of the Iranian sponsored hacker group Tahr Andishan breaching Saudi Aramco, the state-owned national oil company of Saudi Arabia, in retaliation for Saudi Arabia government’s support for sanctions against Iran (Nakashima, 2012); and of Russian hackers breaching German Chancellor Angela Merkel’s computers (“Russian hackers accused”, 2015), demonstrate the variety of groups utilising such modus operandi.
Almost all these major breaches have one thing in common: they all extensively utilise spear phishing. Figure 1 presents the lifecycle of a breach. As shown in the figure, spear phishing is usually the first step in a typical hacking attack that leads to a breach. It is often used early for initial information gathering, for locating individuals, and for gauging the interest of potential targets. This is usually accomplished by assessing target individuals’ reactions to emails sent with varying information cues (headers, subject-line, reply-to address, etc.) or by getting access to individuals’ social media accounts using fake friend requests. This data-mined information is often used to craft more targeted malware-carrying spear phishing emails, which then allow the phisher to establish a foothold, maintain presence, move laterally to other computers or vertically to other connected servers and escalate access, and finally accomplish the breach. Thus, spear phishing is the proverbial ‘tip of the spear’ used by cyber terrorists all over the world to launch hacking attacks with goals ranging from cyber espionage and terrorism to vandalism and acts intended to embarrass individuals, governments, and organisations – making it the focus of this chapter.