Spear phishing is an attack on specific groups or individuals within an organization. It is a more powerful variant of phishing that also uses social media and instant messaging to convince users to share personal information or take actions that can cause financial loss, network compromise or data loss. Unlike mass phishing, which relies on bulk email delivery to random recipients, spear phishing is targeted and involves prior research.
An email with an attachment is the typical form of a spear phishing attack. The email contains information about the target, such as their name and rank within the company. This social engineering tactic increases the likelihood that the victim will take every action the infection needs, including opening the email and then opening the attachment.
Phishing or spear phishing?
Spear phishing goes after specific targets with specially crafted emails. Regular phishing campaigns go after large numbers of low-yield targets and generally succeed through volume; spear phishing goes after chosen targets. Aaron Higbee is the cofounder and chief technology officer of the anti-phishing company Cofense, formerly known as PhishMe. Of mass phishers he says: they don’t care who their target is. They are just trying to catch as many people as possible.
Higbee says that spear phishing is a campaign designed by a threat actor to penetrate one company, and that the actor will actually research names and roles within that company.
Mass phishing typically relies on automated off-the-shelf kits that collect credentials en masse via fake log-in pages for email or banking services. Spear phishing attacks are more complex: targeted campaigns may include documents that carry malware or links to credential-stealing sites, which can be used to steal valuable intellectual property or sensitive information, or to compromise payment systems. Some attackers avoid malware payloads altogether and use social engineering alone to hijack business processes for small or large payouts via one or more bank transfers.
An email’s “From” field can often be spoofed to appear as if it comes from a trusted partner or a known entity. The letter “o” could be replaced by the number “0”, or the letter “w” might be swapped for the Cyrillic letter “ш” (sha), which looks similar.
Older spear phishing campaigns attached the malicious file to the email directly, or inside a zip file. Criminals have since modified their methods. Higbee says that malicious documents are now hosted on legitimate sites such as Box, Dropbox and OneDrive, because those sites are unlikely to be blocked by IT. “We are also seeing phishing attacks that compromise API tokens and session tokens to gain access to mailboxes or SharePoint sites.”
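As an added example (not code from the article), a small Python check for look-alike sender domains of the kind just described: digit-for-letter swaps such as 0 for o, and Cyrillic letters that render like Latin ones. The trusted-domain list and the confusables table are constructed for illustration only.

```python
"""Flag spoofed sender domains (constructed example, not from the article)."""
import unicodedata

# Hypothetical set of domains this organization actually trusts.
TRUSTED_DOMAINS = {"example.com", "partner-bank.com"}

# Constructed subset of look-alike characters -> the Latin letter they imitate.
# A real deployment would use the full Unicode confusables data.
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a",  # Cyrillic а
    "\u0435": "e",  # Cyrillic е
    "\u043e": "o",  # Cyrillic о
    "\u0440": "p",  # Cyrillic р
    "\u0441": "c",  # Cyrillic с
    "\u0445": "x",  # Cyrillic х
    "\u0443": "y",  # Cyrillic у
    "\u0448": "w",  # Cyrillic ш (sha), used in place of w
}

def address_from_header(from_header):
    """Return the bare address from a From header such as 'Name <user@host>'."""
    if "<" in from_header and ">" in from_header:
        return from_header[from_header.index("<") + 1:from_header.rindex(">")].strip()
    return from_header.strip()

def has_mixed_script(label):
    """True if the label mixes letters from more than one script (e.g. Latin + Cyrillic)."""
    scripts = {unicodedata.name(ch, "").split()[0] for ch in label if ch.isalpha()}
    return len(scripts) > 1

def skeleton(domain):
    """Normalize and map confusable characters to the Latin letters they mimic."""
    domain = unicodedata.normalize("NFKC", domain).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in domain)

def classify_sender(from_header):
    """Return (verdict, trusted domain being imitated or None)."""
    address = address_from_header(from_header)
    if "@" not in address:
        return "invalid", None
    domain = address.rsplit("@", 1)[1].lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted", domain
    for trusted in TRUSTED_DOMAINS:          # exact match after confusable folding
        if skeleton(domain) == skeleton(trusted):
            return "lookalike", trusted
    if has_mixed_script(domain):             # suspicious even without a known target
        return "mixed-script", None
    return "unknown", None
```

Feed it the raw From header of each inbound message; a "lookalike" or "mixed-script" verdict is a good trigger for quarantine and user reporting rather than silent delivery.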
The key to spear phishing is reconnaissance
Spear-phishing campaigns involve a lot of reconnaissance in addition to narrow targeting. Threat actors may start with email addresses from a data breach and then add information gathered from a variety of online sources. The Nigerian criminal group London Blue has used legitimate lead-generation websites to collect information about CFOs and other finance department employees.
LinkedIn and Twitter offer insight into the roles, responsibilities, and professional relationships within organizations, which helps an attacker decide who is the best person to target or impersonate. Company websites may reveal processes, suppliers, and technology, while Instagram and Facebook might offer personal details about potential targets that can be leveraged.
Spear Phishing and Whaling
Spear-phishing attacks against high-ranking executives are also known as whaling attacks. In them, an attacker impersonates the CEO or a similarly important person in the company to coerce the target into paying money or sharing information. Research suggests that executives are more susceptible to these attacks than other employees: a recent Rapid7 experiment fooled three-quarters of the CEOs it targeted.
Alashe explains that executives at the top of organizations are more vulnerable to being targeted than others: they may be under pressure, juggling time-critical tasks, and suffering from attentional bias, and they might underestimate the spear-phishing threat. They are both highly valuable and easily accessible to criminals, which is a dangerous combination. Targeting executives rather than junior employees pays off for cybercriminals, so it is worth their effort to research and craft highly targeted emails.
Vishing and smishing are the voice-call and text-message forms of these targeted attacks. They follow the same patterns as email-based attacks.
Spear Phishing Tools
Perpetrators can be criminal organizations or nation states (Ukraine, for example, stopped a Russian attack on its State Judicial Administration), but the tools are almost identical. Attacks that rely solely on manipulating business transactions can be carried out from nothing more than an email account with an ordinary provider.
What makes spear phishing so effective?
According to Symantec’s most recent Internet Security Threat Report (2017), spear phishing was used by 71% of organized crime groups. Wombat’s State of the Phish study found that 53 percent of infosec professionals experienced spear phishing in 2017; most of them were subject to one to five targeted attacks per quarter.
Notable recent attacks include the targeting of Hillary Clinton’s volunteers and employees in the Democratic National Committee attack, and the loss of $45 million by Leoni AG, a European manufacturer, after its finance department was duped into transferring funds to the wrong account.
Spear phishing’s effectiveness results from a combination of psychological and technical factors. Gee says that spear phishing emails can be difficult to spot precisely because they are targeted: they look just like regular business emails, with normal business chatter, so it is hard for spam detection systems to recognize that they are not genuine. Spear phishers exploit that, because you don’t want spam protection blocking genuine email; when it does, end users become frustrated and business processes begin to fall apart.
Gee adds that criminals may spend time building the reputation of their email domains and IP addresses by sending legitimate traffic first, to help them avoid being blocked.
Spear phishing’s effectiveness also depends on the human element. The emails rely heavily on social engineering, which plays on how people think and act.
Targeted Attacks and Spear Phishing
Spear phishing is used to impersonate an individual or to gain access to their account. Trend Micro researchers found that spear phishing emails were responsible for more than 90% of targeted attacks in 2012.
Before launching attacks, spear phishers carry out reconnaissance. One method is to collect multiple out-of-office notifications from a company to learn how it formats its email addresses. Others use social media and other publicly accessible sources to collect information.
How to Protect Against Spear Phishing Attacks?
Attackers may pick you as their next spear-phishing target regardless of your position in the organization. These are the best ways to protect yourself against spear-phishing attacks.
- Be suspicious of unsolicited emails, especially ones that demand urgent action. Always confirm with the person involved through a different communication channel, such as a phone call or a face-to-face conversation.
- Learn to recognize common tactics used in spear-phishing emails, including CEO fraud, tax-related fraud, business email compromise scams and other social engineering tactics.
- Avoid clicking on links and downloading attachments from emails, especially if they are from unknown sources.
- Hosted email security and antispam protection can block email threats.
Prevention of spear phishing
To mitigate spear phishing, organizations can implement both technical and human controls. Companies should also consider phishing simulations, user education, and a process that lets users report suspicious emails to the IT security department.