What is Spear Phishing?
When a determined malicious actor has the time and money and is looking for a way into your network or your company’s network, they will most likely execute a spear phishing attack. Spear phishing is the choice of champions (if by champion we mean a successful malicious hacker) and a popular method for bypassing sophisticated technical controls designed to protect systems and networks against exploits and malware.
Spear Phishing vs. Phishing
Spear phishing is a type of phishing that is highly targeted at a single individual inside an organization. A spear phish is built from content that is personal, believable and doesn’t stand out from the company’s normal email stream. Spear phishing requires more effort than a regular run-of-the-mill phish but is also more effective. Once regular phishing emails start getting detected by the company’s employees, the attacker will focus on spear phishing and will be more likely to succeed in getting what they are after.
Even sophisticated nation-state-sponsored actors use spear phishing to hack high-profile individuals, private organisations and critical industrial systems. APT (Advanced Persistent Threat) groups might have the know-how and financial support, but because complex exploits are expensive, hard to come by and not as reliable as email, spear phishing is the next best thing. Spear phishing is also a perfect method for gaining a foothold in a company unnoticed, because a high-quality spear phishing attack is extremely hard to detect and highly successful.
Spear Phishing Example
As a social engineer, I have had the privilege to legally conduct spear phishing attacks against large, well-known organisations as well as organisations managing critical industrial systems. The most successful campaigns have usually started from a single piece of media that our customer has published online. They were unaware that the news interview, job listing, marketing video or a simple image taken inside the company premises might also contain information that could be used in a malicious way. From there I have been able to gather or guess some intimate social practices or information that the company employees might think is only available to current employees.
Posing as a high-profile employee, with an email that mimics the way internal email is written and contains intimate details about a current event, will most likely yield a high number of people clicking the possibly malicious link or opening an attachment that could contain malware.
Spear Phishing Prevention
Detecting a spear phishing email is a lot like detecting a regular phishing email; largely, the same methods apply to both types of attack. Spear phishing might use more sophisticated methods to spoof the sender, hide the actual domain in a link or obfuscate the payload in an attachment.
You should do all of these, always, but most importantly, treat every email as a potential phishing attack.
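Two of the sender-spoofing and hidden-domain tricks mentioned above can be checked mechanically. The following is an added example, not code from the original post: it parses a constructed sample message (the domains are placeholders) and flags a display name that name-drops a domain other than the real sender domain, and an HTML link whose visible text shows a different host than its href.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real message): the display name name-drops the company domain, and the link text shows a host that the href does not go to.
SAMPLE = """\
From: "example.com IT Support" <alerts@example-helpdesk.net>
Subject: Action required: password expiry
Content-Type: text/html

<p>Sign in at <a href="http://example-helpdesk.net/login">https://portal.example.com/login</a></p>
"""
DOMAIN_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}\b")

class LinkCollector(HTMLParser):
    # Collects [href, visible text] for every <a> element in an HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._open = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href") or "", ""])
            self._open = True
    def handle_data(self, data):
        if self._open:
            self.links[-1][1] += data
    def handle_endtag(self, tag):
        if tag == "a":
            self._open = False

def find_indicators(raw):
    # Returns one finding per spoofed-sender or hidden-link-target pattern in the message.
    msg = message_from_string(raw, policy=policy.default)
    name, sender = parseaddr(str(msg.get("From", "")))
    sender_domain = sender.rpartition("@")[2].lower()
    findings = []
    for claimed in DOMAIN_RE.findall(name.lower()):  # any domain named in the display name
        if claimed != sender_domain:
            findings.append(f"display name mentions {claimed} but sender domain is {sender_domain}")
    if msg.get_content_type() == "text/html":
        collector = LinkCollector()
        collector.feed(msg.get_content())
        for href, text in collector.links:
            shown, real = urlparse(text.strip()).hostname, urlparse(href).hostname
            if shown and real and shown != real:
                findings.append(f"link text shows {shown} but href goes to {real}")
    return findings
```

A mail gateway or triage script would run `find_indicators` over each inbound message and route anything with findings to a reviewer; the display-name check complements, not replaces, SPF/DKIM/DMARC verification of the sender domain itself.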
Luckily, I am on a good mission, but I am not the only one sending spear phishing emails. Organisations should be concerned, because the threat is real, and nobody is safe. However, I can see my work getting harder. Our customers are becoming more aware as they learn to detect and report all kinds of phishing emails. Security awareness training is currently the most effective way to mitigate the threat of spear phishing attacks.