Firm Wins Patent for Novel Way to Detect Spearphishing

Hackers in recent weeks have stepped up their efforts to steal employee tax information from companies in all kinds of industries.

Typically, the information contained on IRS form W-2 is used to file false tax returns or steal someone’s identity.

The situation has become so bad that the IRS earlier this month issued an alert to human resources and payroll professionals about the subject: Beware of an emerging phishing email scheme that purports to be from company executives and requests personal information on employees.

“This is a new twist on an old scheme using the cover of the tax season and W-2 filings to try tricking people into sharing personal data,” IRS Commissioner John Koskinen said.

“Now the criminals are focusing their schemes on company payroll departments,” he continued.

“If your CEO appears to be emailing you for a list of company employees, check it out before you respond. Everyone has a responsibility to remain diligent about confirming the identity of people requesting personal information about employees,” Koskinen warned.

Hard to Spot Crooks

What makes spearphishing attacks so effective is that they’re hard to identify — both by automated defenses and human beings.

“These scams do not generally have any active payload. They don’t have an attachment. They don’t have a URL of any sort that a traditional email security solution can associate with malicious behavior,” noted Vidur Apparao, CTO of


“Most of these attacks are pure social engineering attacks,” he told TechNewsWorld.

In addition, the attacks originate from legitimate Net infrastructure, not, as was seen in the past, from malicious infrastructure like botnets.

“Eighty-five percent of these attacks [are] coming from public cloud infrastructure,” Apparao said. “The fact that they’re coming from legitimate infrastructure makes them almost invisible to existing security solutions.”

No Confidence in Execs

Once a spearphisher evades an organization’s automated defenses, the next layer of defense is people.

However, more than one in two (52 percent) infosec pros didn’t believe execs in their organizations could spot a phishing scam, according to a Tripwire survey of 200 attendees at the RSA conference in San Francisco in February, released last week.

That figure is likely to be higher as you move down the corporate food chain, suggested Travis Smith, a security researcher with Tripwire.

“An entry-level HR person with access to personnel information may not have the same level of training for spotting social engineering and phishing that a high-level executive has,” he told TechNewsWorld.

Even with training, though, the attacks are getting harder to spot by their targets.

“The criminals that are sending these phishing emails are getting increasingly efficient in how they’re attacking their victims,” Smith said.

“They’re doing a lot of profiling before they send these emails,” he noted. “They’re doing background research. They’re investigating a company’s business activities.”

Fighting Phishing With Stories

If an automated solution is to counter clever spearphishers, it’s going to need some smarts of its own, which is what ZapFraud seeks to do in a patent it was awarded earlier this month.

The patent is for detecting email scams by what it calls their “storylines.”

While scammers constantly change their formulations, they very rarely depart from one of a relatively small number of storylines, ZapFraud said.

Consider an email that has a greeting from an apparent stranger, an expression of surprise, mention of large sums of money, an expression of urgency, and a request for a response.

“While you can’t enumerate all the ways a scam email can be produced, you can enumerate the building blocks,” said Markus Jakobsson, CTO of ZapFraud.

“By identifying the building blocks in a message, you can determine when something matches a story associated with risk,” he told TechNewsWorld.

When fighting phishing with storylines, you have to be aware of false positives.

“Identifying a storyline doesn’t mean something is evil,” Jakobsson said. “It means that one has to be cautious.”
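To make the storyline idea concrete, here is a small Python sketch written for this article; it is an added illustration, not ZapFraud’s patented implementation, whose internals the company has not described. It assumes a hand-written vocabulary of regexes for each building block (greeting from a stranger, surprise, large sum, urgency, request for a response, plus an executive-pretext/W-2 request block drawn from the IRS alert above), defines storylines as combinations of required and supporting blocks, and labels a match “caution” rather than “malicious,” in line with Jakobsson’s point about false positives. The block names, patterns and the three sample messages are constructed for the example.

```python
import re

# Building blocks of scam storylines, each backed by a few illustrative regexes.
# These patterns are assumptions made for this example; a production detector
# would use a far richer vocabulary (or a trained classifier) per block.
BUILDING_BLOCKS = {
    "stranger_greeting": [
        r"\bdear (friend|sir|madam|beneficiary|customer)\b",
        r"\byou (do|may|might) not know me\b",
    ],
    "surprise": [
        r"\bcongratulations\b",
        r"\byou have been (selected|chosen)\b",
        r"\bunexpected\b",
    ],
    "large_sum": [
        r"[$£€]\s?\d{1,3}(?:,\d{3})+",        # e.g. $4,500,000
        r"\b\d+(?:\.\d+)? ?million\b",
    ],
    "urgency": [
        r"\burgent(?:ly)?\b",
        r"\bimmediately\b",
        r"\bas soon as possible\b",
        r"\bwithin (?:the next )?\d+ (?:hours|days)\b",
        r"\bbefore (?:noon|the end of (?:the )?day|close of business)\b",
    ],
    "reply_request": [
        r"\b(?:reply|respond|get back to me|send (?:me|it|them)|email me)\b",
    ],
    "employee_data_request": [
        r"\bw-?2s?\b",
        r"\blist of (?:all )?(?:company |our )?employees\b",
        r"\bsocial security number",
    ],
    "executive_pretext": [
        r"\b(?:ceo|cfo|president|chief executive)\b",
        r"\bi(?:'m| am) (?:in a meeting|travell?ing|out of (?:the )?office)\b",
    ],
}

# A storyline is a combination of building blocks: every "required" block must
# be present; "supporting" blocks raise confidence but are optional.
STORYLINES = {
    "advance_fee_fraud": {
        "required": {"stranger_greeting", "large_sum", "reply_request"},
        "supporting": {"surprise", "urgency"},
    },
    "executive_w2_request": {
        "required": {"employee_data_request", "reply_request"},
        "supporting": {"executive_pretext", "urgency"},
    },
}


def extract_blocks(text):
    """Return the set of building-block names whose patterns occur in text."""
    lowered = text.lower()
    return {
        name
        for name, patterns in BUILDING_BLOCKS.items()
        if any(re.search(p, lowered) for p in patterns)
    }


def match_storylines(blocks):
    """Return {storyline: number_of_supporting_hits} for each storyline whose
    required blocks are all present."""
    return {
        name: len(spec["supporting"] & blocks)
        for name, spec in STORYLINES.items()
        if spec["required"] <= blocks
    }


def assess(text):
    """Classify one message. A storyline match yields 'caution', meaning the
    request should be verified out of band; it is not a verdict of fraud."""
    blocks = extract_blocks(text)
    matches = match_storylines(blocks)
    return {
        "blocks": sorted(blocks),
        "storylines": matches,
        "verdict": "caution" if matches else "no_storyline",
    }


# Constructed sample messages (not real mail).
ADVANCE_FEE = ("Dear Friend, you may not know me, but congratulations: you have been "
               "selected to receive $4,500,000 from a late client's estate. "
               "Reply urgently so we can proceed.")
CEO_W2 = ("Hi Kathy, I'm in a meeting and need the W-2s for all employees sent to me "
          "as soon as possible today. Please email me the PDF. Thanks, Tom, CEO")
BENIGN = ("Hi team, your 2015 W-2 forms are now available in the payroll portal. "
          "No action is needed; contact HR if you have questions.")

if __name__ == "__main__":
    for label, msg in [("advance fee", ADVANCE_FEE), ("ceo w2", CEO_W2), ("benign", BENIGN)]:
        print(label, "->", assess(msg))
```

The benign HR notice shares the W-2 building block with the spearphish but lacks the request-for-response block, so no storyline completes and it is not flagged; the CEO message completes the executive W-2 storyline with two supporting blocks and is marked for verification, which is the behaviour Jakobsson describes: the storyline says be cautious, not that the sender is a criminal.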

Breach Diary

  • March 21. Administration of Concordia University in Montreal advises students and staff to change passwords to their accounts after keylogging software was found on some computers in two campus libraries.
  • March 21. City Utilities in Missouri announces the personal information of more than 1,000 employees is at risk because of a phishing scam.
  • March 21. Discover Financial Services reports two data breaches to the California attorney general. The company claims its systems were not compromised and is sending new credit cards to an undisclosed number of customers.
  • March 22. U.S. Department of Veterans Affairs reports it blocked 63.9 million intrusion attempts, 788.2 million malware occurrences and 85.7 million malicious emails during February.
  • March 22. The Pulaski County Special School District in Arkansas announces the personal information of more than 3,000 employees is at risk after it was copied to a former employee’s personal email account over a period of more than three years.
  • March 23. WINK news in Florida reports more than 300 people have joined three lawsuits against 21st Century Oncology stemming from a data breach in which the medical records of some 2.2 million current and former patients were illegally exposed.
  • March 24. Krebs on Security reports a database containing contact information for some 1.5 million Verizon Enterprise customers has been listed for sale on the computer underground for $100,000.
  • March 24. Insurance broker Marsh reports a 27 percent year-over-year increase in purchases of cybersecurity insurance in 2015.
  • March 24. A jury awards Mount Olympus Mortgage $25 million in a case involving a former employee stealing client data and taking it to his new employer, Guaranteed Mortgage, an Olympus competitor.
  • March 25. Verizon confirms and fixes vulnerability on its enterprise client portal that allowed the theft of contact information of 1.5 million customers.
  • March 25. A Utah district attorney reports the personal information of some 14,200 current and former Salt Lake County employees was accessible to the public on the Internet for 75 days last year because of a configuration error by a third-party vendor.
  • March 25. Tidewater Community College in Virginia announces tax information for 3,193 employees was stolen in a spear-phishing scam involving W-2 forms.
  • March 25. OpSec informs some 200 employees their tax information was compromised after an unauthorized party accessed the data as an attachment in an email.
  • March 25. Pivotal confirms tax information for all U.S. employees was sent to an unauthorized party as the result of a spear-phishing scam.

Upcoming Security Events

  • April 4. Transparencia: A Symposium on Open Data and Anticorruption in Latin America. 9 a.m. to 5 p.m. ET. David Rockefeller Center for Latin American Studies, Harvard University, 1730 Cambridge St., Cambridge, Massachusetts. Free.
  • April 5. User and Entity Behavior Analytics Using the Sqrrl Behavior Graph. 2 p.m. ET. Webinar by Sqrrl. Free with registration.
  • April 6. Atlanta Cyber Security Summit. The Ritz-Carlton Buckhead, 3434 Peachtree Road, Atlanta. Registration: $250.
  • April 7. Every organization of every size in every industry: What are your breach risks and gaps? 2 p.m. ET. Webinar by ID Experts. Free with registration.
  • April 8-10. inNOVAtion! Hackathon. Northern Virginia Community College, 2645 College Drive, Woodbridge, Virginia. Free with registration.
  • April 9. B-Sides Oklahoma. Hard Rock Cafe Casino, 777 West Cherokee St., Catoosa, Oklahoma. Free.
  • April 12. 3 Key Considerations for Securing Your Data in the Cloud. 1 p.m. ET. BrightTalk webinar. Free with registration.
  • April 13. A Better Way to Securely Share Enterprise Apps Without Losing Performance. 11 a.m. ET. BrightTalk webinar. Free with registration.
  • April 15-16. B-Sides Canberra. ANU Union Conference Centre, Canberra, Australia. Fee: AU$50.
  • April 16. B-Sides Nashville. Lipscomb University, Nashville, Tennessee. Fee: $10.
  • April 16. B-Sides Tampa. Stetson College of Law, Tampa Center, 1700 N. Tampa St., Tampa, Florida. Free.
  • April 16. B-Sides NOLA. Hilton Garden Inn, New Orleans Convention Center, 1001 S. Peters St., New Orleans. Fee: $15.
  • April 20-21. SecureWorld Philadelphia. Sheraton Valley Forge Hotel, 480 N. Guelph Road, King of Prussia, Pennsylvania. Registration: conference pass, $325; SecureWorld Plus, $725; exhibits and open sessions, $30.
  • April 20-22. CSA Summit 2016. Lichtstr. 43i, first floor, Cologne, Germany. Registration: 500 euros.
  • April 23. B-Sides ROC. B. Thomas Golisano College of Computing and Information Sciences, Rochester Institute of Technology, 20 Lomb Memorial Drive, Rochester, New York. Free with registration.
  • April 23-24. B-Sides Charm City. Baltimore Convention Center, One West Pratt St., Baltimore. Tickets: $15 to $60.
  • April 25. “Some Musings on Cyber Security by a Cyber Iconoclast.” 1:30-3 p.m. ET. University of New Haven, Tagliatela College of Engineering, Buckman Hall, Schumann Auditorium, room B120, 300 Boston Post Road, New Haven, Connecticut. Presentation by Professor Gene Spafford, Purdue University. Free with registration.
  • April 26. 3 Key Considerations for Securing Your Data in the Cloud. 1 p.m. ET. Webinar sponsored by BrightTalk. Free with registration.
  • April 28-29. B-Sides Calgary. SAIT Polytechnic (Orpheus Theater), 1301 16 Ave. NW, Calgary, Alberta. Tickets: students, CA$20; professional, CA$50; VIP, CA$150.
  • May 4. SecureWorld Kansas City. Overland Park Convention Center, 6000 College Blvd., Overland Park, Kansas. Registration: conference pass, $195; SecureWorld Plus, $625; exhibits and open sessions, $30.
  • May 11. SecureWorld Houston. Norris Conference Centre, 816 Town and Country Blvd., Houston. Registration: conference pass, $195; SecureWorld Plus, $625; exhibits and open sessions, $30.
  • May 18-19. DCOI|INSS USA-Israel Cyber Security Summit. The Marvin Center, 800 21st St. NW, Washington, D.C. Hosted by George Washington University. Free.
  • June 13-16. Gartner Security Risk Management Summit. Gaylord National Resort Convention Center, 201 Waterfront St., National Harbor, Maryland. Registration: until April 15, $2,950; after April 15, $3,150; public sector, $2,595.
  • June 29. UK Cyber View Summit 2016 — SS7 Rogue Tower Communications Attack: The Impact on National Security. The Shard, 32 London Bridge St., London. Registration: private sector, £320; public sector, £280; voluntary sector, £160.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on
