Hit with the Spear

To explain how spear phishing works and how it differs from phishing attacks, this article breaks the attack down into 4 stages: Identify, Research, Email and Action. Many of the tell-tale signs of spear phishing are the same as for phishing and are covered in more detail in Caught in the Net, one of our previous articles.

Stage 1 – Identify

Identify key personnel within the target business who are likely to have access to confidential data of interest. Professional skills are often the strongest asset and, along with client details and projects undertaken, are used to demonstrate credibility in the marketplace. This information can be used to identify targets for data theft and in many cases can be found as follows:

  • Personal CVs which identify current and previous roles and responsibilities
  • Staff profiles on business websites
  • Social Media profiles which often include visibility and easy access to a list of colleagues
  • Business details on Social Media can provide public access to a list of all past and present employees to help build a profile of the company
  • Client details which can be used to build a supply chain profile
  • CVs and Job Descriptions are often sufficient to build up a profile of an organisation’s cyber defence posture

Information is publicly available to identify key persons within a target business. There is, however, also plenty of scope for people to reduce what information is published and to be mindful of how such information can be used against them and their employers.

Stage 2 – Research

Now that a list of individuals within the target business has been compiled, the next step is to research them individually to identify their interests and how they will respond to communication attempts.

With phishing, an email that looks like it came from your bank, for example, could be sent to 1 million people offering them a discounted or free 90-minute helicopter trip over the city of London, along with instructions to click a link to log on to a website which looks like your bank's, to claim your helicopter ride. Such an email would rule out anyone not interested in helicopter rides and also rule out anyone with a different bank.

With spear phishing, the research on individuals allows a more targeted approach and for communication to be more relevant, and consequently more likely to get attention. With so much personal information published on social media, this is achievable. For example, if someone:

  • Posts a complaint on Twitter about how a specific bank is refusing to deal with a problem
  • Lists paragliding as a hobby on Facebook or LinkedIn
  • Posts photographs on Instagram with notes on how they enjoyed the view of the mountains while paragliding

Although detailed personal interests might not be available for everyone on the target list, if the target business has 20000 staff, and 100 individuals were identified as potential targets, it is highly likely that a significant amount of personal information will be available for many of these.

So much information is publicly available to identify the personal interests of any potential target. People need to think more carefully, and be mindful about how much information they release into the public domain, and how the information could be used.

Stage 3 – Email

Using the information gathered, the next step is to write a convincing and personalised email to get the attention of the target and encourage them to take action, such as opening an email attachment, clicking on a link to a website, or calling an expensive premium rate telephone number. Extending the previous analogy, the email would be personalised and could ask you to log in for a special offer, or tell you that information is available in your account involving your previous complaint.

This approach is not always a single email with an immediate action to be taken; a longer game can be played to increase the level of confidence. The initial email may not have any links or attachments but simply be written in a way that expects a reply, allowing the perpetrator to insinuate themselves into your life. The initial email could be something along the lines of, ‘Hi Michael, great to meet last week at the paragliding event’. With other information on social media, such as photographs taken in the bar after all paragliders had safely landed, the email could be more detailed. With enough information, the recipient could genuinely believe the email is from someone they had met in person.

A follow-up email containing an attached document about another paragliding event referred to on social media is an opportunity to introduce malware. If the initial email turns into an ongoing dialogue, so is a follow-up email at any time. The end game could equally be about seeking investment or other financial help and building a relationship to a point where some money can comfortably be requested.

Again, the key difference is that detailed personal information is being used to deliver a targeted attack. The more personalised it is, the more realistic the situation is.

With phishing, many emails are flagged as spam by anti-spam services within a relatively short space of time, so their effectiveness is limited. Some email systems also flag emails as spam because the email is similar to previously known spam. However, because of the personalised nature of spear phishing, emails are less likely to be flagged. If someone registers an email address with Google, Yandex, Yahoo or one of the many free email services available, and uses it to send a personal message, that is most likely how the email systems will treat it, unless the recipient marks it as spam. Spear phishing emails can still be sent in bulk using databases of previously compiled data.

Other tactics, such as impersonating other employees in the same business, will serve to encourage the desired outcome. As a result of the level of research that goes into target selection, spear phishing is significantly more effective than phishing.
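From the defender's side, the employee-impersonation tactic can be caught by a mail-filter rule that flags messages whose display name matches a member of staff but whose address is outside the organisation. The following is an added example, not part of the original article; the domain corp.example, the staff names and the sample messages are all constructed assumptions.

```python
import re
import unicodedata
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example: the organisation's mail domain and a small
# staff directory. All names, domains and messages below are constructed.
CORPORATE_DOMAINS = {"corp.example"}
STAFF_NAMES = ["Michael Carter", "Priya Nair"]


def name_key(name):
    """Order- and case-insensitive key: 'Carter, Michael' == 'michael carter'."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return frozenset(re.findall(r"\w+", folded))


STAFF_KEYS = {name_key(n) for n in STAFF_NAMES}


def impersonates_staff(raw_message):
    """True when an external sender uses a staff member's display name."""
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower()
    # A forged corp.example From address is a job for SPF/DKIM/DMARC,
    # not for this display-name check.
    if domain in CORPORATE_DOMAINS:
        return False
    return name_key(display) in STAFF_KEYS


SAMPLES = {  # constructed messages
    "external_lookalike": 'From: "Michael Carter" <m.carter@freemail.example>\nSubject: Quick favour\n\nHi',
    "external_reordered": 'From: "Carter, Michael" <mc1984@freemail.example>\nSubject: Invoice\n\nHi',
    "internal_genuine": 'From: Michael Carter <michael.carter@corp.example>\nSubject: Minutes\n\nHi',
    "external_stranger": 'From: Sam Jones <sam@freemail.example>\nSubject: Hello\n\nHi',
}


def flagged_samples():
    """Names of the sample messages the rule would flag for review."""
    return sorted(k for k, raw in SAMPLES.items() if impersonates_staff(raw))


if __name__ == "__main__":
    print(flagged_samples())
```

A rule like this is best used to add a warning banner or route the message for review, since staff do sometimes write from personal accounts.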

Stage 4 – Action

Phishing and spear phishing emails ultimately require the recipient to take some action. This will either involve you giving away personal information, such as by logging in or registering with fake websites that take your personal data, or allowing attackers to take what they want, for example by opening an attachment which installs malware designed to email or upload data to a remote location.

Protective Measures

Many phishing and spear phishing attacks work well because people are led to believe that actions are required urgently. This urgency is only there to reduce the available thinking time. Things are seldom so urgent that common sense and due diligence need to be ignored; measure twice, cut once!

  • Exercise caution when making personal information publicly available
  • Use effective Anti-Virus / Anti-Malware
  • Use an effective anti-spam solution
  • Be vigilant when opening and reading emails
  • Avoid taking actions which deviate from normal established practices. More information is available in Deviation from the norm.