One of the riskiest and most common types of cyber attack is the spear phishing attack. How is spear phishing different from regular phishing? Let's define some terms first.
Phishing is the act of sending emails that falsely claim to be from a legitimate organization. This is usually combined with a threat or request for information: for example, that an account will close, a balance is due or information is missing from an account. The email will ask the recipient to supply confidential information, such as bank account details, PINs or passwords; these details are then used by the originators of the phishing email to conduct fraud.
Phishing is an all-encompassing term for any online attack that tries to get victims to share sensitive information about themselves. The perpetrators disguise themselves as trustworthy entities and make contact with their target through email, phone calls (vishing, for voice phishing), social media and even text messages (smishing, for SMS phishing).
What then is spear phishing?
Spear phishing is a targeted attempt to steal sensitive information such as account credentials or financial information from a specific victim. The phisher first acquires personal details about the victim: their friends, hometown, employer, the places they frequent and what they have recently bought online. The attacker then poses as a trusted contact (a close friend, a colleague or a vendor) so that the request looks legitimate. Security firm Trend Micro estimated that 91% of targeted attacks begin with a spear phishing email.
Why does spear phishing work?
Spear phishing may sound simple, but the attack emails have improved greatly in the last few years and are now very difficult to detect. Without prior awareness or spear phishing protection in place, attackers can easily target people who put personal information on the internet: they go through such individuals' profiles to collect email addresses, geographic locations and friends lists. The fraudulent but convincing messages are usually urgent in tone and either demand sensitive information or carry malware that the victim unwittingly activates. Once the information is handed over, the attacker can use it to get into the victim's bank accounts or to commit identity theft.
Some spear phishing attack examples include:
» RSA Attack (2011)
Irony struck the security giant RSA in March 2011 when the systems behind the EMC division's flagship SecurID two-factor authentication product were compromised using spear phishing. The attackers got one of the targets to open an email attachment, a spreadsheet carrying an exploit for a zero-day vulnerability in Adobe Flash, which installed a variant of the Poison Ivy remote access Trojan. Even though RSA spotted the attack in progress, the attackers still managed to steal sensitive data related to SecurID from RSA's network.
» Sony Pictures (2014)
If you're a fan of Hollywood movies, chances are you have heard of the hack that leaked internal emails discussing various public figures, including then President Barack Obama, Angelina Jolie, Leonardo DiCaprio and David Fincher. It ultimately led to the forced resignation of the targeted Sony executive and the payment of $8 million in compensation: $4.5 million to employees and $3.5 million to attorneys. The attack apparently had a political motive and was launched by a group calling itself Guardians of Peace, which US investigators traced back to North Korea. Via phishing emails, the attackers installed malware, stole sensitive information about Sony Pictures and its employees along with a large selection of unreleased films, and then wiped a large part of Sony's infrastructure. The attackers also demanded that Sony withdraw its film The Interview, a comedy starring Seth Rogen and James Franco whose plot involves an assassination attempt on North Korean leader Kim Jong-un, and threatened terrorist attacks at cinemas screening it. Sony pulled the theatrical release but released the film digitally instead.
» U.S. Department of Energy Attack
One of the most prominent examples of spear phishing in the public sector is the case of Charles Harvey Eccleston, who pleaded guilty to sending emails to U.S. Department of Energy employees that he believed carried malware capable of compromising government computers and passing sensitive data about the US nuclear weapons program to foreign governments.
» Anthem Medical Data Breach
The health insurance giant Anthem disclosed a devastating breach in 2015 that began with phishing and resulted in the theft of private data on nearly 80 million customers and key employees, including Anthem CEO Joseph Swedish. The attack took the form of a phishing email that was opened by five employees and led to the installation of keystroke logging software. Healthcare data reportedly sells for more on the black market than financial data and could have earned the perpetrators millions of dollars.
» Email Marketing Services Company Epsilon Breach
In the corporate environment, one of the biggest spear phishing attacks was the one on email marketing services company Epsilon back in 2011. The company maintained large databases of email addresses from multiple corporate clients and, more importantly, rich behavioral data that is a goldmine for a sophisticated scammer. The attack began with an email linking to a malicious site that dropped three pieces of malware: Win32.BlkIC.IMG, which disabled anti-virus software; a keylogging Trojan called iStealer, used to steal passwords; and a remote administration tool called CyberGate, used to gain complete remote control of compromised systems.
» Targeting Airbnb Customers (2018)
This is an interesting example of spear phishing aimed at private individuals rather than businesses. In this attack, scammers used social engineering techniques to identify Airbnb hosts and sent them fake emails about the implications of the General Data Protection Regulation (GDPR). The email claimed that hosts could not accept any more bookings until they accepted Airbnb's GDPR compliance policy. Clicking the link took the user to a spoofed site that harvested personal information.
Of course, these are just a few prominent attacks that made it to the front pages of the Internet. Many scams, especially those that target private individuals, are likely never reported, yet still perform their mission with devastating precision.
Spear phishing protection
Targeted spear phishing attacks are carefully designed to go undetected. Given their highly personalized nature, these attacks are far more difficult to prevent than regular phishing scams. There is no fixed script for spear phishing protection, but the following best practices are highly recommended.
» Ongoing user education
No single control stops spear phishing, given the nuance and planning that go into each attack. Your curiosity to see what's in the message, and the personalized nature of the message, down to your first name, work against you and encourage you to click the link or open the attachment. But there are ways to protect yourself against spear phishing.
This involves constantly educating the users about what spear phishing attacks are, and how to guard against them. Presenting the users with the anatomy of a typical spear phishing attack and outlining the pitfalls of falling victim can make users more vigilant in dealing with emails involving links and calls to action.
» Selecting the right technology
Cybercriminals do their homework on a target: they watch the target's email, file sharing and browsing habits, and mine public profiles, to gather background for a convincing message. Preventing these attacks effectively means inspecting email, links and attachments as they arrive, often in real time. For this reason, organisations should invest in technology purpose-built for this kind of multi-layered threat protection, which is very different from anti-virus or other malware tools that look only at isolated instances of an attack.
Scammers invest heavily in creating convincing spoofs, and people and businesses must invest accordingly, for example by blocking known malicious senders and URLs and by using machine learning to score how likely an email is to be part of a spear phishing attack.
» Don't assume that you're too smart to fall for a spear phishing attack
Researchers at Verizon concluded that, under the right conditions, anyone can be fooled by a spear phishing message.
Keep in mind the following tips to be safe from this cyber crime.
1. Watch what personal information you put on the internet.
Be careful and meticulous about what you post online. Do not post anything that you would not want a potential scammer to see, since it is exactly this material that makes a spear phishing message convincing.
2. Frequently update your software.
Install software updates as soon as you are notified of them. Many updates contain security patches that close the vulnerabilities a malicious attachment or link relies on.
3. Be smart about your passwords.
Length and uniqueness matter more than forced character mixes. Set passwords of at least 12 to 14 characters; the longer the password, the harder it is to crack. Never reuse a password across accounts, because a credential stolen by one phishing email will be tried everywhere else. A password manager solves the problem of remembering them all, and enabling multi-factor authentication limits the damage if a password is phished.
4. Use logic when opening email, and do not click links in emails.
Check the authenticity of any link in an email body before clicking it: hover over the link (or long-press it on a phone) to see whether the real destination matches the text shown. If you are suspicious about links, don't click on them. Type the claimed sender's website address directly into your browser to get to your
5. Implement a data protection program.
If you haven't already put in place an adequate backup and recovery program for your business, you should, and soon; the Sony Pictures attack, which wiped a large part of the company's infrastructure, shows why. Data protection needs to be an essential part of your overall IT strategy, so conduct a storage and data protection assessment twice a year to check the state of health of your data protection program.
These tips will reduce the chance that you, and your bank account, fall victim to a spear phishing attack or impersonation.
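As an added example (not code from the original article or from any vendor product), the following Python script applies the checks from tip 4 and the "right technology" section above to one raw email message: it flags a display name that claims a domain the real sender address is not on, a Reply-To on a different domain, links whose visible text names one site while the href goes to another, punycode hosts, and pressure language. It uses only the standard library. The sample message and every domain in it (example.com, mail-notify.test, secure-example-login.test) are constructed for the demonstration.

```python
"""Heuristic spear phishing indicators for one raw email message.

Added example for this article, not code from the original page.
The sample message and all domains in it are constructed for the demo.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Pressure phrases typical of the "act now" tone the article describes.
URGENCY_PHRASES = ("immediately", "within 24 hours", "suspended",
                   "verify your account", "action required")
# Anything that looks like a host name, e.g. www.example.com
DOMAIN_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}\b")

# Constructed sample: spoofed display name, foreign Reply-To, and a link
# whose visible text names one site while its href goes to another.
SAMPLE_MESSAGE = """\
From: "Example Support (example.com)" <alerts@mail-notify.test>
Reply-To: helpdesk@secure-example-login.test
To: host@example.org
Subject: Action required: account suspended within 24 hours
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We could not verify your account. Bookings are paused until you confirm.</p>
<p><a href="http://secure-example-login.test/verify">https://www.example.com/account</a></p>
<p>Questions? Visit the <a href="https://www.example.com/help">Help center</a>.</p>
</body></html>
"""


def base_domain(host):
    """Crude registrable domain: the last two labels, lowercased.
    A production tool should use the Public Suffix List (example.co.uk)."""
    labels = host.lower().strip().split(".")
    return ".".join(labels[-2:])


def address_domain(addr):
    """Registrable domain of an addr-spec such as user@mail.example.com."""
    return base_domain(addr.rsplit("@", 1)[-1])


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a>, plus all body text."""

    def __init__(self):
        super().__init__()
        self.links, self.text = [], []
        self._href, self._buf = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._buf = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._buf).strip()))
            self._href = None


def analyse(raw_message):
    """Return a list of (indicator, detail) pairs for one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = address_domain(from_addr)

    # 1. Display name claims a domain the real sender address is not on.
    for token in DOMAIN_RE.findall(display_name.lower()):
        if base_domain(token) != from_domain:
            findings.append(("display-name-mismatch",
                             f"name claims {token}, address is on {from_domain}"))

    # 2. Replies would go to a different domain than the apparent sender.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and address_domain(reply_to) != from_domain:
        findings.append(("reply-to-mismatch",
                         f"{from_domain} -> {address_domain(reply_to)}"))

    # 3. Visible link text shows one site while the href goes elsewhere;
    #    also flag internationalised (punycode) hosts that can imitate a brand.
    body = msg.get_body(preferencelist=("html", "plain"))
    collector = LinkCollector()
    collector.feed(body.get_content() if body is not None else "")
    for href, text in collector.links:
        href_host = urlparse(href).hostname or ""
        if href_host.startswith("xn--") or ".xn--" in href_host:
            findings.append(("punycode-host", href_host))
        shown = DOMAIN_RE.search(text.lower())
        if shown and href_host and base_domain(shown.group()) != base_domain(href_host):
            findings.append(("link-text-mismatch",
                             f"shows {shown.group()}, goes to {href_host}"))

    # 4. Urgency in the subject line or body text.
    haystack = (str(msg.get("Subject", "")) + " " + "".join(collector.text)).lower()
    hits = [p for p in URGENCY_PHRASES if p in haystack]
    if hits:
        findings.append(("urgent-language", ", ".join(hits)))
    return findings


if __name__ == "__main__":
    for indicator, detail in analyse(SAMPLE_MESSAGE):
        print(f"{indicator:22} {detail}")
```

To run it on a real message, pass the contents of a saved .eml file to analyse(). The indicators are heuristics, so treat them as prompts for a closer look (and for typing the sender's address into the browser yourself) rather than verdicts; a message with no findings is not proof of legitimacy.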