Spear phishing – how to be prepared and protected

October 16, 2015

Spear phishing is a particular type of phishing attack that, from the very first phase, targets a specific group, company or organization with the intent of stealing data. The attacker may rely on an identified or generic weak entry point, and the fraudulent email is tailored to suit that chosen target.

Another characteristic of spear phishing is that the entire attack and the data retrieval that follows can proceed without any warning signs, remaining undetected.

This is often the case in large companies, where a particular employee is valuable to the attackers because of their position: once the attackers gain access to the network from that employee's workstation, they can reach critical data. When no single individual is the target, an entire company may become the object of a custom-tailored email attack.

Deemed the most successful Internet attack method, spear phishing is currently the intrusion technique of choice in 91% of cases.

Usual M.O. in spear phishing

The delivery method is a cleverly designed email message. Precisely targeted and spoofing a trusted sender address, the message is crafted using research on the unsuspecting victim and social engineering techniques, so that overall it appears highly personalized. Such emails have fooled everyone from ordinary users to high-ranking employees inside the targeted organizations or agencies.

Such emails may use the target's name in the salutation, or the spoofed identity of one of the target's contacts. Various staged situations are presented, with the goal of pressuring the recipient to act quickly (often the email announces an ongoing cyber-security breach and pushes the recipient to provide data in order to stop it; ironic, isn't it?!).

When the bait email impersonates a person well known to the target, perhaps even one in a position of authority over the recipient, we have the “colonel effect.” National Security Agency expert Aaron Ferguson coined this term after an experiment with 500 cadets, to whom he sent a bait email appearing to come from a colonel at their academy. Over 80% of the recipients felt compelled to click the link in the email (and received an instructional security notice in response).

Once the target makes the mistake of taking the prompted action, a link inside the email takes them to a fake page, where any data they provide goes straight into the attackers' hands. Passwords, access codes, IDs, PINs, linked accounts or personal data, in short any kind of sensitive information, are captured at this stage.

Cyber-Protection against spear phishing

When establishing a line of defense for your company, there are software tools and practices you can use:

  • Phishing filters (or up-to-date browser versions, which integrate such filters);
  • Knowledge of cyber practices and rules (such as never requesting or sending personal data via email, and being aware that most legitimate companies do not request such details via email), best practices that will guide users;
  • Keeping your passwords as diverse as possible, so that if one of them is compromised the others remain safe, rather than being mere variations of the stolen one;
  • Employing multi-factor authentication (MFA), which limits the damage if such an attack succeeds;
  • Reducing exposure to spear phishing by using file reputation systems, which raise the bar for attackers (whitelisting and blacklisting of files could in fact have prevented the infamous RSA breach, had one employee not read the email from his spam folder);
  • Protecting work email addresses against spoofing (authenticated SMTP and digital signatures), and limiting the amount of data that can be reached with network access control (NAC) strategies;
  • Good software security habits (keeping all software up to date and patched, browsers included, and disabling unused software).

Behavioral Protection against spear phishing

Many breaches have shown that the attack might have been averted had people behaved more cautiously and had the staff been more aware of current cyber-security issues. A few basic rules are useful for guiding your staff:

  • When an email that seems to come from a friend asks for passwords or any other sensitive data, first confirm by phone or through a separate email that the friend really is the author of the request;
  • Again, keeping in mind that legitimate businesses do not ask for confidential data via email, if you still believe such an email might be genuine, call the company, bank or institution and confirm first;
  • Stay informed about the latest cyber-security threats and scams, especially if your professional role might make you a spear phishing target (the better educated and informed a target is, the less likely the usual, unsophisticated spear phishing campaign is to succeed);
  • Always type suspicious URLs by hand instead of following the link, and be alert to any page that looks slightly different from the company, bank or enterprise page you have visited before;
  • Specialized research also suggests in-company simulated phishing attacks, but there are some key rules, such as:

> Avoiding the collection of real personal data through these simulations (it is actually illegal);
> Absolutely refraining from embarrassing the employees who fall into the trap: the objective is to educate, not to humiliate or punish those who still have things to learn;
> Really going for it when designing the email: the more personal, the better, since a real spear phishing email can be a work of art, depending on how important the catch is.

A more unusual type of behavioral protection against spear phishing is described in a 2015 paper from University College London. The authors propose establishing a pattern for each regular email sender (“modeling the email-sending behavior of users over time”). This pattern serves as a baseline, and any email that appears to come from the same user can be authenticated by comparing it against that user's model.
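To illustrate that idea in code (an added example written here, not the paper's or the article's own method), the following Python builds a per-sender habit model from constructed message metadata and scores a new email against it; the chosen features, the sample values, the hour buckets and the 0.5 threshold are all assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample history (hypothetical, not from the paper or the article):
# per-message metadata a mail gateway could extract from headers and body.
HISTORY = [
    {"sender": "ceo@example.com", "hour": 9, "agent": "Outlook", "relay": "mail.example.com", "signoff": "regards"},
    {"sender": "ceo@example.com", "hour": 10, "agent": "Outlook", "relay": "mail.example.com", "signoff": "regards"},
    {"sender": "ceo@example.com", "hour": 8, "agent": "Outlook", "relay": "mail.example.com", "signoff": "regards"},
    {"sender": "ceo@example.com", "hour": 17, "agent": "Outlook", "relay": "mail.example.com", "signoff": "best"},
]
FEATURES = ("hour_bucket", "agent", "relay", "signoff")

def hour_bucket(hour):
    """Coarsen the UTC send hour so nearby hours count as the same habit."""
    return "night" if hour < 6 or hour >= 22 else "work" if 8 <= hour < 18 else "edge"

def featurize(msg):
    return {"hour_bucket": hour_bucket(msg["hour"]), "agent": msg["agent"],
            "relay": msg["relay"], "signoff": msg["signoff"]}

def build_profiles(history):
    """Per-sender frequency of every feature value: the 'standard user model'."""
    profiles = defaultdict(lambda: {f: Counter() for f in FEATURES})
    for msg in history:
        for feature, value in featurize(msg).items():
            profiles[msg["sender"]][feature][value] += 1
    return profiles

def score(profiles, msg):
    """Return (anomaly score in [0, 1], deviations). Each feature adds
    1 - frequency(value) for this sender, so an unseen value adds a full 1.0."""
    profile = profiles.get(msg["sender"])
    if profile is None:
        return 1.0, ["no baseline exists for this sender"]
    total, deviations = 0.0, []
    for feature, value in featurize(msg).items():
        freq = profile[feature][value] / sum(profile[feature].values())
        total += 1 - freq
        if freq == 0:
            deviations.append(f"{feature}={value!r} never seen for {msg['sender']}")
    return total / len(FEATURES), deviations

def is_suspicious(profiles, msg, threshold=0.5):
    """Flag for manual review when the mail departs from the sender's habits."""
    return score(profiles, msg)[0] >= threshold

# Constructed test messages: one genuine, one spoofing the CEO from an odd hour,
# an unfamiliar mail client and a relay outside the company.
GENUINE = {"sender": "ceo@example.com", "hour": 11, "agent": "Outlook", "relay": "mail.example.com", "signoff": "regards"}
SPOOFED = {"sender": "ceo@example.com", "hour": 3, "agent": "PHPMailer", "relay": "smtp.lookalike.example.net", "signoff": "regards"}
```

Running `score(build_profiles(HISTORY), SPOOFED)` lists the three features that were never seen for this sender, which is the kind of explanation a reviewer needs before quarantining a message.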

Financial Phishing

As an “honorable” mention, this type of attack, which goes after the targets' financial data and access codes, is a constant presence in the statistics. In 2014 the payment service most targeted by phishing was PayPal, followed by Visa Inc. The structure of such attacks has become more fragmented and has shifted from spoofing large brands to spoofing smaller businesses, making it even harder to notice.

The Kaspersky report for 2014 might make interesting reading, or at least interesting browsing; you can check it here.