Spear Phishing

Spear Phishing is an advanced and evolved form of phishing. Highly targeted and effective, it accounts for over 90% of successful data breaches. Phishing Tackle has the information you need to stay safe.

What is Spear Phishing?

Spear phishing emails differentiate themselves from “regular” phishing emails by cleverly convincing their victims they are from a trusted source.

This is often achieved by the hacker using the victim’s name, title or even home address. Many times the email will appear to have come from a person of high power within the victim’s organisation (CEO Fraud).

All these steps are taken by the hacker to add more authenticity to the email, thus increasing their chance of success. And success they most certainly have had:

"The average impact of a successful spear-phishing attack: $1.6 million"

Vanson Bourne - "The Impact of Spear Phishing"

Spear phishing vs "spray and pray" - What's the difference?

Though we have touched on this already, it is worth making clear the key differences between spear phishing and regular, broad-reach phishing (often referred to as Spray and Pray Phishing).

Regular phishing campaigns use automated, broad-reaching sending lists to hit as wide an audience as possible (think deep-sea dredging rather than fishing from a line). The majority of campaigns go after basic (though very sensitive) user data such as login credentials, credit card numbers etc. They require very little social engineering skill and are often just sent once before moving onto another campaign (a one-hit wonder).

Spear phishing, though it shares a few similarities to the previous method, takes the opposite approach. Targeting specific employees, groups or organisations and using careful planning and execution, hackers go after data with far more value. Organisation secrets, confidential documents, access codes to large databases of users, much bigger phish. Not only does this require a social engineer with significantly more skill than the first method, it requires more patience, tenacity and cunning to successfully execute.

In the next section we’ll outline the steps hackers perform in a successful spear phishing attack.

How does spear phishing work - 7 deadly steps...

The creation of a spear phishing campaign is not something to be taken lightly. It requires an expertly skilled hacker. Unlike the ‘spray and pray’ method of broad-reach phishing campaigns, spear phishing requires a social engineer with a strong underlying knowledge of content and information theft.

Below we’ll explore the steps taken by spear phishing attackers so we can better understand what can be done to reduce this threat.

Target reconnaissance

The hacker (also known as a “black-hat”) trawls through pages of information, obtained from either free or subscription-based sources to gain a deeper understanding of their target individual or organisation. 

All this information is available to the hacker from public websites, social media pages and posts, published articles, marketing materials and more. In many cases the information won’t even be directly from the target organisation but from publications of their business partners or competitors.

The more information the hacker can find, the more detailed their knowledge becomes of the victim’s organisational hierarchy, security and procedures.

This information is called Open Source Intelligence (OSINT) and the gathering thereof is known as OSINT Reconnaissance.

For the hacker, just as in many other walks of life, knowledge is power.

Research has shown the key information hackers look to obtain during OSINT Reconnaissance is:

  • Staff contact details
  • Organisation charts
  • Job descriptions
  • Technical information such as IP addresses
  • Project names
  • Software versions currently used
  • Email addresses – which leads us on to stage two…

Email enumeration

Enumerating email addresses, in it’s purest form is not an illegal, nor even a malicious act.

It consists of using whatever means necessary (much like in step one) to find email addresses from the target organisation.

The difference to step one is that hackers often use custom scripts run over large search engines to automatically download and categorise email addresses.

This allows them to sift through thousands of potential target addresses, finding the one(s) which will have the greatest chance of successful impact.

Where do hackers find all these email addresses?

Predominantly, hackers rely on 3 methods to acquire the email addresses for their campaigns:

  1. Buying or acquiring lists of email addresses. This could be from the dark web, an employee of an ISP (looking to make some extra cash) or even a staff member of the target organisation. It is a breach of several privacy laws and is illegal.
  2.  Using custom harvesting programs to scour the internet looking for email addresses publicly listed, for example, on a corporate web site.  
  3. Using a fake subscription service and coaxing people to sign up.
 
Email addresses are valuable and they should be protected at all times and shared only when necessary and only to trusted parties.

Antivirus evasion

This section is probably one of the most actively covered topics in the world of hacking.

No matter how well-crafted the email used in a spear phishing campaign is, it needs to get past the target’s antivirus software.

While DNS cache spoofing and multiple social media sites offer useful information to a hacker, often the first thing a hacker will look for is a job!

Hackers search for IT Support, Network admin or other computer-based roles in the target organisation. The role descriptions often include vital information about exactly what AV suite is used within the business, even down to the version number.

As soon as the hacker knows the antivirus they need to bypass, they install it on a virtual or test-bed computer. This allows them to tweak their emails and scripts, ensuring their safe delivery in the victim’s inbox.

You can find near-limitless blogs, YouTube videos, IRC channels covering the subject, Metasploit’s evading antivirus wiki is an immense source of knowledge and has this to say:

 

There are approximately 14 million other resources out there on the why’s and wherefores of evading antivirus…

Bypassing egress filtering

In a best-practice scenario, firewall egress (this is outbound traffic from your organisation to the internet) rules prevent any traffic from being sent from the victim’s computer to a potentially malicious destination. This is often achieved by “locking down” all network ports and only “opening” those that are strictly necessary.

The hacker must bypass these filters, should they be in place, if they hope to get any information back from the phishing attack.

To do this, within the ‘payload’ (the component of the phishing email which executes the malicious activity) the hacker will include a module which will allow traffic back out of the victims computer without getting caught by the firewall.  The path of least resistance here for the hacker is to use a port such as 443 (HTTPS) as this will usually be “open”, and also has the added benefit of being encrypted and, therefore, almost impossible to detect nefarious activity over.

Reverse_https is very popular among hackers as it creates an encrypted tunnel from the victim’s computer to a metasploit server. In case you’re wondering, metasploit is a framework used by ethical hackers (“white-hats”) for penetration testing. 

Unfortunately not-so-ethical hackers also use this framework to aid their malicious activity, including phishing campaigns.

Security software & firewalls will find it nearly impossible to detect any foul-play when egress filtering is bypassed correctly.

Choosing the phishing scenario

This is (technically) by far the simplest of stages though its importance must not be overlooked. All it requires is choosing a fitting scenario (or template) for the phishing email.

This could be an email appearing to come from a friend/relative giving urgent information, or from a manager or CEO demanding immediate action.

One of the most commonly chosen scenarios, favoured for its simplicity and efficacy, appears as an email from the victims IT department, requesting installation of an urgent security patch.

They might also find out who communicates with them the most, and tailor the scenario to be in-keeping with their regular messages.

The key here, for the attacker, is that they have researched the victim thoroughly enough to understand what they are most likely to click on.

The less security awareness training a victim has had, the more susceptible they will be to the phishing campaign. Regular simulated phishing and training make it infinitely more difficult for hackers to craft convincing emails as potential victims become adept at spotting the phishing attempts.

CTRL + Enter...it's time to send​

With the perfect scenario chosen and the payload ready to go, the hacker must still get the emails safely to the victims inbox, preferably not their junk mail folder.

Some less experienced hackers will set up a temporary mail server from which to send the attacks. Those longer in the tooth will know that temporary servers have no reputation score and will be instantly caught by even the most basic spam blockers. An experienced social engineer will have bought and configured a valid domain from a reputable registrar, such as domain.com, Bluehost or GoDaddy.

Using the mail server provided with the domain, the hacker will have the reputable MX records and be in a position of strength to launch their campaign.

Changing the WHOIS information to match the custom domain is also possible (and simple) when using a domain registrar.

All this adds digital authenticity to the email, increasing the hackers chance of a successful infiltration.

Plunder, liberate, ransack & appropriate

If campaign was successful, the victim clicked the malicious link and unleashed the payload into their (almost) defenceless computer.
Exactly what the payload was designed for will vary with each campaign, but invariably it will begin with stealing key information.

This could be in the form of silent keylogging software which routinely sends back all the victims keystrokes, allowing the hacker to learn their credentials.

Once the right information is obtained, the hacker can access the vital data they need to take control of the victim’s websites, computer or even their entire network.

From here, they are in control, and the amount of damage they can inflict is limited only to the hackers imagination.

Why is it still so effective?

According to Symantec’s latest Internet Security Threat Report, spear phishing remains the most popular attack. Out of all the known groups of online attackers, 65% of them relied on spear phishing as their primary infection vector.

This is given further light in Mimecast’s State of Email Security Report for 2019, which contains research and insights from over 1,000 global IT decision makers. It found that 94 percent of respondents had experienced phishing or spear phishing attacks in the last 12 months. Of the same group, 55 percent reported seeing an increase in phishing attacks over the same period.

Spear phishing wields such massive power due to it’s subtle mix of technical and psychological elements. By building just a small element of trust and validity with the target, the psychological barriers are lowered and victims click-rate skyrockets.

"It could take as little as a well-known logo or image to gain employees’ trust in the validity of the sender"

Steve Malone, Cyber resilience expert, Mimecast.

Decision makers are losing faith…

This increase in targeted email-borne attacks is causing organisations to lose faith in their own cyber security defences. According to the Mimecast report, 61 percent of the IT decision makers believed it either likely or inevitable that their organisation will suffer a negative impact from phishing attacks this year.

"Email security systems are the frontline defense for most of attacks. Yet, just having and providing data on these attacks is not what creates value for most respondents."

Josh Douglas, Vice President of Threat Intelligence, Mimecast.

Due to the reliance on human psychology and the weaknesses therein, spear phishing requires more than advanced technological hardware to spot the emails. It requires strong psychological training and vigilance from all potential victims.

This is where security awareness training plays such an important role in the holistic approach to organisation security and completes the information security triangle of people, process and technology.

"Regular staff awareness training is so important, so many people do it once a year and it’s not enough. You need to encourage staff to be more aware." 

Tony Gee, Associate Partner, Pen Test Partners.

Caught in the wild - Real World Examples

Also known as ‘Whaling’, it is a form of “Business Email Compromise” (BEC), this is one of the most commonly used methods of spear phishing as it creates a sense of urgency and panic within its victim. Few employees want to get on the bad side of their boss, hackers know this to be true and use the issue to leverage their campaigns.

The email itself is incredibly simple, intentionally poorly written to convey the “CEO”s need for a hasty response.

CEO Fraud Spear Phishing email asking for a wire transfer
The sense of urgency in the tone of the sender is often enough for an employee to panic, which can lead to disaster

Ransomware - Rare and extremely dangerous

Spear phishing attacks occasionally contain ransomware payloads, installing malicious software onto the victims computer. What the software will do exactly is a mystery to all but the hacker. That is, until the target activates the malicious software and becomes the victim. 

Similar to the CEO Fraud email, this is very simple design. It gives employees the feeling of “Don’t ask questions, just do it” which is exactly what the hacker wants. Instead of requiring further communication and the free release of bank details/wiring instructions, all the victim needs for the hacker to be successful is click the link.

One click of the link and the damage is done...

Success Story - Thwarted by Phishing Tackle

This email, sent to a member of the finance team of one of our clients, contained malicious software ready to be installed on the potential victim’s machine.

Using only first names, it shows the hacker has researched and knows the hierarchy within the potential victim’s organisation. You can also see the language used is casual, instead of formal, which suggests the hacker may have studied publications or other documentation to learn how the two interact. 

As this potential victim had a high level of security awareness training, they didn’t fall for it, instead they used Phishing Tackle’s Phish Hook button to report it to the IT Security team. This saved the company from a potential data breach, a fantastic result.

Spear phishing email with malicious attachment masquerading as a word document
Invoices are commonly used when targeting finance departments

How to help stop spear phishing attempts

While there is no catch-all method that can protect you from all phishing attacks, there are several steps which can be taken which will massively reduce your attack surface.

Follow the 5 steps below to slash your chances of being another spear phishing victim:

  1. DO NOT rely on a single layer of security. Spam filters, firewalls, malware detection and antivirus suites are all useful in their own right. Much like musicians in an orchestra, in isolation they are good, but working together they are great.
  2. DO Perform regular simulated phishing campaigns and security awareness training. This keeps your staff on the ball, with a keen eye for spotting malicious emails. Remember, your employees are your most important and effective defence. Without targeted and effective training all the security hardware in the world can and will eventually be undone by a well-meaning employee.
  3. Regularly use checks such as HaveIBeenPwnd.com or Phishing Tackle’s own data breaches page to find out if you or a staff member’s credentials have been compromised.
  4. Never send personal or sensitive information via email. This is one of the cheapest tickets to hacktown, and it’s a one-way ride.
  5. Keep all your equipment and software current with the latest security updates. Make this a company policy so as not to end up with multiple vulnerabilities from unsupported software.

or contact us for more information

Start Phishing & Security
Awareness Training Today!

 (no credit card required)

You have Successfully Subscribed!