What is Spear Phishing?

Spear phishing is a type of cyber attack that uses email to trick a recipient into performing an action that is not in their best interest. That might mean providing a password, sharing confidential information, transferring money into the attackers account, or some other activity.  

Spear phishing is a targeted phishing attack that uses a tailored email to legitimize their ask, and increase the likelihood that the victim responds to the email.  

Spear phishing might use the victims name, address, personal information found from social media, or company information to increase trust.  Once a recipient trusts an email the chance of opening and responding increases significantly.

If Phishing is a Shotgun, Spear Phishing is a Sniper Rifle.

Traditional phishing is a numbers game. Bad guys send a generic email to thousands, or hundreds of thousands of emails in hopes that a few people click.

In the 90s, phishing scams were easy to identify.  They often told a story of a prince in Nigeria that needed help to claim his fortune, and he found you as a trustworthy person to share in his riches if you help him to claim them.  

Or, these phishing emails would have poor spelling and grammar, making it easy for the targeted recipient to determine that the sender is not trustworthy.  

Still, by attacking the masses with a simple, easy, and cheap phishing attack, the bad guys could make a living by just a converting a small percentage of their list.

Identifying Phishing Attacks

Today, these phishing attacks have been much more difficult to identify.  Hackers know that millions of people use Amazon, Paypal, Google, and other services, so by mimicking an email from these organizations they are able to increase the likelihood of a successful attack.

The emails below were designed by Wuvavi and available for simulating phishing attacks in their Employee Cybersecurity Platform.  The first looks like an Amazon email, and employees often click on the email when they see it.  However, by paying minimal attention to the email it’s easy to see this is not an Amazon email.  By looking at the sender they will see it’s not coming from Amazon, and by hovering over the links they will see that it’s not directing them to Amazon.com.  There’s one more easy way to identify that this is a pseudo-malicious phishing email – can you see it?  Answer below the image.

spear phishing
wuvavi.com

Did you see it?  The smile in the logo is backwards.  Come on!

The email below, also designed by Wuvavi, shows a popular email that Google Docs users know well, and the folks that received a malicious version of the email.  By clicking on this email victims shared their information with the attackers.

spear phishing
www.wuvavi.com

These generic attacks might look like the phishing emails with an Amazon gift card for $25, or the Google Docs link to view a document from a friend named Jeff.  These are attacks pulled from real world events.

Who doesn’t use Amazon, Google, and know someone named Jeff?

As these attacks become more sophisticated, they also become more difficult to identify.

Marketers often use a term called the Shotgun vs Sniper approach.  The shotgun approach is when a marketer sprays as many bullets as possible and hopes that one of them hits.  The sniper approach is when a marketer identifies their prospect, plans for how they’ll connect with them, and executes on that strategy.  They know exactly who they are selling to and why.

Phishing and spear phishing are very similar.  In phishing, the attack takes a shotgun approach.  They want to hit as many people as possible, and hope that just a small number convert to their desired action.

In spear phishing, the attacker takes a sniper’s approach.  They identify a target, plan for how they’ll connect with them, and then execute on their strategy.  

The planning stage is most interesting.  

If an attack wants to target the C-Level of a mid size organization they may find the names of the CEO and CFO.  They might then watch the social channels of the CEO to find how their kids names, pets name, favorite hobby, and travel schedule.

Or, they spoof your email address through an SMTP server which is a server that can send emails.  By providing an alternative display name and email address they can send an email that look like it’s coming from an email address they don’t own, like that of the CEO.  

Or, they could just make a new email using that CEOs name….FirstName.LastName@yahoo.com

Then, they can put all this information together to create trust with the victim.  The email might say,

Hey Sherry.  Having a great time with the family on vacation.  Here’s a picture of Little Noah, Fido, and my wife.  I’m making a stop at a customers on our way back, but I don’t have my credit card. Can you transfer $10,000 to my account at xxx?

That’s an example of spear phishing. See the difference from phishing?   Highly targeted, well researched, and much more likely to yield a payoff than a generic email.  

The Cost to the Attacker

Another difference between spear phishing and phishing is cost to the attacker.  Not so much the financial cost, but the cost of time.

Identifying, researching, and executing a spearphishing attack takes time – days, weeks, and sometimes attackers quietly monitor for years.  It would be impossible to do this on a large scale, so the attackers have to be selective, and only go through the effort for big ticket pay offs like CEO/CFO transfers, or title insurance fraud when ordinary people are writing big checks to buy a home.

Mass Spear Phishing

If an attacker can reduce the cost (research and execution time) of spear phishing they can unleash a hell of an attack – like automating a sniper approach.  

The time for this may not be far away; the time for this may be now.  

Lately there’s been a shame scam going around in which the attackers claim they’ve filmed you watching porn from your webcam.  What makes this such a powerful attack is that the attack creates trust and fear immediately by including an actual username and password that you’ve used in the subject line and first paragraph of the email.  It looks something like this:

“I will cut to the chase. I am aware your password is 12345. I also know your secret but you do not know me.”

This is a phishing attack in that it’s going out to thousands, if not hundreds of thousands of people.  This is a spear phishing attack in that it’s highly targeted by using your email and your password. It’s a mass spear phishing attack that is highly effective.  

The attackers claim they’ve downloaded malware on your computer and taken over your webcam to record you while you watch porn, with a side by side recording of the porn video that you’re watching.  You can read the full break down of the attack.

In reality, most security experts believe they’ve simply scraped usernames and passwords from a previous data breach, and they are now using that to shame scam people into paying ransom.  

They’ve cut the cost of spear phishing, and are now executing on a mass spear phishing campaign.  

What’s Next?

I predict that mass spear phishing will increase as the bad guys find ways to monetize on the large amount of information available from previous attacks.  

They do not need to be technical hackers to monetize in attacks like the shame shame described above.  

They simply need to be creative enough to develop a scenario that moves their victims to taking a desired action.  

How to Avoid a Spear Phishing Attack

Care More, Share Less – First, check your privacy controls on your social channels to limit them to friends only.  Be careful and attentive to what information you share on the internet. Also, be vigilant of friend requests.  

If there’s a beautiful girl or handsome man that you don’t know, with only a few friends, it’s likely a fake profile.  At best, there’s zero value in connecting with them. At worst, they are trying to extract information from your profile.  

If you see friends that you’re already connected with make a new profile, be wary.  It’s easy to steal pictures and create a second profile to build trust with you and increase the likelihood of a connection.

Good passwords are Happy Passwords – Make good passwords for all of your sites, and make sure that you do not repeat passwords.  Especially the passwords used for your work, bank, and other sensitive accounts.

Do Not Click Links – Avoid clicking links in email.  If you really want to learn more, simply hover over the link to find out where it’s going.  If it seems legitimate, user your browser to find the page you’re looking for yourself. If it’s directing you to somewhere that doesn’t seem to make sense, then it’s definitely not worth a click.

Provide Employee Cybersecurity Awareness Training – Spear phishing, and social engineering attacks, are targeted at people.  Training them to be aware of the risks, and the red flags that they should be aware of helps employees to identify risk situations and act accordingly.  Learn more about employee cybersecurity training for employees.

About Me

Jon Santavy is the CEO of Wuvavi (www.wuvavi.com) – the world’s leading employee cybersecurity awareness platform for small and medium sized business. Through innovative training, simulated phishing attacks, and the right analytics, Wuvavi customers reduce their employee related cybersecurity risks.  Wuvavi’s goal is to create a culture of awareness in every organization.