This article breaks down the attack into four stages: Identify, Research, Email and Action. Many of the tell-tale signs of spear phishing are the same as for phishing, and more information is available in Caught in the Net, one of our previous articles.
Stage 1 – Identify
Identify key personnel within the target business who are likely to have access to confidential data of interest. Professional skills are often a business's most substantial asset and, along with client and project details, are used to demonstrate credibility in the marketplace. This same information helps an attacker identify targets for data theft and, in many cases, can be found in:
- Personal CVs which identify current and previous roles and responsibilities
- Staff profiles on business websites
- Social Media profiles which often include visibility and easy access to a list of colleagues
- Business details on Social Media can provide public access to a list of all past and present employees to help build a profile of the company
- Client details which build up a supply chain profile
- CVs and Job Descriptions are often sufficient to build up a profile of an organisation’s cyber defence posture
Information is publicly available to identify key persons within a target business. Reduce what is published and be mindful of how someone could use the details against you or your employers.
Stage 2 – Research
Now that a compiled list of individuals within the target business is available, the next step is to research them individually to identify their interests and how they will respond to communication attempts.
With phishing, an email that looks like it came from your bank, for example, could be sent to 1 million people offering them a discounted or free 90-minute helicopter trip over the city of London. To claim the offer, click a link to log in to a website which looks like your bank. Such an email would rule out anyone not interested in helicopter rides and also rule out anyone with a different bank. With spear phishing, the research on individuals allows a more targeted approach and communication that is more relevant, and consequently more likely to get attention. With so much personal information published on social media, this is achievable. For example, if someone:
- Posts a complaint on Twitter about how a specific bank is refusing to deal with a problem
- Lists paragliding as a hobby on Facebook or LinkedIn
- Posts photographs on Instagram with notes on how they enjoyed the view of the mountains while paragliding
Although detailed personal interests might not be available for everyone on the target list, if the target business has 20000 staff, and 100 individuals are potential targets, a significant amount of personal information will likely be available for many of these.
So much information is publicly available to identify the personal interests of any potential target. People need to think more carefully and be mindful about how much information they release into the public domain, and how others could use the information.
Stage 3 – Email
The next step is to write a convincing, personalised email that gets the target's attention and encourages them to take action, such as opening an email attachment, clicking on a link to a website, or calling an expensive premium rate telephone number. The email could ask you to log in for a special offer, or tell you that information about your previous complaint is available in your account.
This approach is not always a single email requiring immediate action; it could be a longer game to build up the level of confidence. The initial email may not have any links or attachments but may simply be written in a way that expects a reply, allowing the perpetrator to insinuate themselves into your life. The initial email could be something along the lines of, ‘Hi Michael, great to meet last week at the paragliding event’. With other information from social media, such as photographs taken in the bar after all the paragliders had safely landed, the email could be more detailed. With enough relevant detail, the recipient could genuinely believe the email is from someone they had met in person.
With a follow-up email containing an attachment about paragliding, or if the initial email turns into an ongoing dialogue, a follow-up email at any time is an opportunity to introduce malware. The end game could equally be about seeking investment or other financial help and building a relationship to a point where someone is more receptive to a request for money.
Again, the key difference is the use of detailed personal information to deliver a targeted attack. The more personalised it is, the more realistic the situation is.
With phishing, many emails are flagged as spam by anti-spam services within a relatively short period, so their effectiveness is limited. Some email systems also flag emails as spam because they are similar to previously known spam. However, because of the personalised nature of spear phishing, its emails are less likely to be flagged. If someone registers an email address with Google, Yandex, Yahoo or one of the many free email services available and uses it to send a personal message, the email systems will most likely treat it as a personal message unless the recipient marks it as spam. Email tools can send spear-phishing emails in bulk using databases of previously compiled data.
Other tactics, such as impersonating other employees in the same business, will serve to encourage the desired outcome. As a result of the level of research that goes into target selection, spear phishing is significantly more effective than phishing.
Stage 4 – Action
Phishing and spear-phishing emails ultimately require the recipient to take some action, such as:
- Giving away personal information
- Logging in to fake websites
- Registering with fake websites that take your information
- Allowing attackers to take what they want, for example by opening an attachment which installs malware designed to email or update data to a remote location
Many phishing and spear-phishing attacks work well because the emails lead people to believe that actions are required urgently. This urgency is only there to reduce the available thinking time. Things are seldom so urgent that you need to ignore common sense and not exercise due diligence; measure twice, cut once!
- Exercise caution when making personal information publicly available
- Use effective Anti-Virus / Anti-Malware
- Use an effective anti-spam solution
- Be vigilant when opening and reading emails
- Avoid taking actions which deviate from standard established practices. More information is available in Deviation from the norm.
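As an added illustration (not code from the article), here is a small triage heuristic that scores an incoming email for the signals described in Stages 3 and 4: a display name that matches a colleague but arrives from a free webmail address, a Reply-To that differs from the sender, urgency wording, and a link or attachment to act on. The company domain, staff directory and both sample messages are constructed for the example.

```python
import email
from email.utils import parseaddr

# Constructed sample data (not from the article): the defending company's domain and staff list.
COMPANY_DOMAIN = "example-corp.com"
STAFF = {"michael chen": "mchen@example-corp.com", "anna kowalski": "akowalski@example-corp.com"}
# Free webmail providers the article names; a personal note from one is not spam, so filters pass it.
FREE_MAIL_DOMAINS = {"gmail.com", "yandex.com", "yahoo.com"}
URGENCY_TERMS = ("urgent", "immediately", "within 24 hours", "today", "asap")

def body_text(msg) -> str:
    """Join the text/plain parts of a parsed message (works for multipart too)."""
    return " ".join(p.get_payload(decode=True).decode(errors="replace")
                    for p in msg.walk() if p.get_content_type() == "text/plain")

def score_message(raw: str) -> dict:
    """Score one RFC 5322 message against the spear-phishing signals the article describes."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    reasons, score = [], 0
    # 1. Display name matches a colleague but the address is external: impersonation.
    if name.strip().lower() in STAFF and domain != COMPANY_DOMAIN:
        reasons.append("display name matches internal staff but sender is external"); score += 3
    # 2. Sent from a free webmail provider rather than a business domain.
    if domain in FREE_MAIL_DOMAINS:
        reasons.append("free webmail sender"); score += 1
    # 3. Replies are quietly routed somewhere other than the visible sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        reasons.append("reply-to differs from sender"); score += 2
    # 4. Urgency language: the article's "reduce the available thinking time".
    text = (msg.get("Subject", "") + " " + body_text(msg)).lower()
    hits = [t for t in URGENCY_TERMS if t in text]
    if hits:
        reasons.append("urgency language: " + ", ".join(hits)); score += min(len(hits), 2)
    # 5. A link or attachment gives the recipient something to act on.
    if "http" in text or any(p.get_filename() for p in msg.walk()):
        reasons.append("contains link or attachment"); score += 1
    return {"score": score, "reasons": reasons}

# Constructed messages: one mirroring the article's paragliding pretext, one benign.
SPEAR_PHISH = """\
From: Michael Chen <michael.chen.paragliding@gmail.com>
Reply-To: m.chen.finance@yandex.com
Subject: Urgent: supplier invoice must be paid today

Hi Anna, great to meet last week at the paragliding event. Please approve the
invoice at http://invoices.example.test/pay before 5pm.
"""
BENIGN = "From: Michael Chen <mchen@example-corp.com>\nSubject: Lunch on Thursday?\n\nHi Anna, free for lunch on Thursday? Michael\n"
```

Running `score_message` over the two samples gives the constructed spear-phish a score of 9 with all five reasons, and the benign internal note a score of 0; the thresholds are illustrative and would be tuned to an organisation's own mail.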
Robert is an information security consultant with over 20 years of experience across various organisations, both in the United Kingdom and internationally. Robert graduated in 1997 with an honours degree in software engineering for security and safety-critical systems. Contact Robert directly through LinkedIn.