
How Spear Phishing Detection Works

There's an offshoot of email scam techniques that's starting to do the rounds, and it's called spear phishing. This new type of phishing has been on a steady upward trend since 2015, causing businesses to suffer massive losses and draining millions of dollars from the economy at the hands of enterprising hackers.

It has received so much attention in recent years that on August 18, 2017, Facebook awarded its annual Internet Defense Prize to a group of researchers from the University of California, Berkeley, who built an automated spear phishing detection system. They have published a useful paper on the subject that helps explain how spear phishing detection should work in a corporate environment.

What makes Spear Phishing such a threat

Although spear phishing emails generally look far more legitimate than messages sent in the traditional "lottery" style of phishing, the spear isn't as sharp as it looks. Every fraudulent message gives itself away somehow. In this case, detection involves a simple heuristic analysis of all messages sent to and from the potential victim, spotting patterns both in the language of the message body and in the content of the email headers.

If, for example, you have a contact who usually sends you messages from the United States and you suddenly receive a message from that same contact sent from Nigeria, this could be a red flag. The algorithm, known as Directed Anomaly Scoring (DAS), also examines the message itself for signs of suspicious content. For example, if the email contains a link to a website and the system notices that no other employee of your company has ever visited it, the message could be flagged as suspicious. The message could be analyzed further to determine the "reputation" of the URLs it contains.

Since most attackers will only spoof the sender's display name and not the email address, the algorithm may also try to correlate the sender's name with the addresses that name has used in the past month. If the sender's name and address do not match anything seen before, this will trigger alarms.

In a nutshell, the DAS algorithm analyzes the email content, its headers and the corporate LDAP logs to decide whether the email is the result of a spear phishing attempt or just a strange but legitimate message. In its test analyzing 370 million emails, DAS detected 17 out of 19 attempts and recorded a false positive rate of 0.004%. Not bad!
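To make the three signals described above concrete, here is an added Python example that is not the Berkeley researchers' code: it scores constructed sample messages on a known-sender-name/address pairing, a known sending country, and how many employees have visited the linked domain, then ranks them with a simplified directed anomaly score (a message is more anomalous the more other messages it is at least as suspicious as on every feature). The history tables, addresses and domains are hypothetical.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

@dataclass
class Msg:
    msg_id: str
    sender_name: str
    sender_addr: str
    country: str
    urls: list

# Constructed history (hypothetical): (name, address) pairs seen in the past month,
# countries each address has sent from, and employee visit counts per web domain.
KNOWN_PAIRS = {("Alice Chen", "alice@corp.example"), ("Bob Ruiz", "bob@corp.example")}
KNOWN_COUNTRIES = {"alice@corp.example": {"US"}, "bob@corp.example": {"US", "CA"}}
DOMAIN_VISITS = {"wiki.corp.example": 120, "docs.corp.example": 45, "files.corp.example": 3}

def features(m):
    """Feature vector where a LOWER value is always MORE suspicious."""
    pair_known = int((m.sender_name, m.sender_addr) in KNOWN_PAIRS)
    country_known = int(m.country in KNOWN_COUNTRIES.get(m.sender_addr, set()))
    # The least-visited linked domain decides; a message with no links is fully benign here.
    visits = min((DOMAIN_VISITS.get(urlparse(u).hostname, 0) for u in m.urls), default=10**6)
    return (pair_known, country_known, visits)

def das_scores(msgs):
    """Simplified DAS: count the other messages this one is at least as suspicious as
    in every feature dimension. Higher count = more anomalous."""
    feats = {m.msg_id: features(m) for m in msgs}
    return {
        mid: sum(1 for other, g in feats.items()
                 if other != mid and all(a <= b for a, b in zip(f, g)))
        for mid, f in feats.items()
    }

def rank(msgs, budget):
    """Return the `budget` most anomalous message ids for analyst review."""
    s = das_scores(msgs)
    return sorted(s, key=lambda k: (-s[k], k))[:budget]

# Constructed sample traffic: m3 changes country, m4 pairs a known name with an unknown address.
SAMPLE = [
    Msg("m1", "Alice Chen", "alice@corp.example", "US", ["https://wiki.corp.example/page"]),
    Msg("m2", "Bob Ruiz", "bob@corp.example", "CA", ["https://docs.corp.example/q"]),
    Msg("m3", "Alice Chen", "alice@corp.example", "NG", ["https://files.corp.example/x"]),
    Msg("m4", "Bob Ruiz", "bob-ruiz@mail.example", "US", ["https://login-reset.example/verify"]),
    Msg("m5", "Alice Chen", "alice@corp.example", "US", []),
]

if __name__ == "__main__":
    print(das_scores(SAMPLE), rank(SAMPLE, 2))  # m4 ranks first, then m3
```

Because the score is a ranking rather than a threshold, the analyst budget controls the false-positive rate directly, which is how a system reviewing hundreds of millions of messages can stay at a handful of alerts per day.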

Now, here's another issue: do you think email scanners violate individuals' privacy, even when used in a closed corporate environment solely for scam detection? Let's discuss it in the comments!