When a determined malicious actor has the time and money and is looking for a way into your network, or your company’s network, they will most likely execute a spear phishing attack. Spear phishing is the choice of champions (if by champion we mean a successful malicious hacker) and a popular method for bypassing sophisticated technical controls designed to protect systems and networks against exploits and malware.
Spear Phishing vs. Phishing
Spear phishing is a type of phishing that is highly targeted against a single individual inside an organization. A spear phish is built from content that is personal, believable and doesn’t stand out too much from the company’s normal email stream. Spear phishing requires more effort than a regular run-of-the-mill phish but is also more effective. When regular phishing emails get detected by the company’s employees, the attacker will focus on spear phishing and will be more likely to succeed in getting what they are after.
Even sophisticated nation-state-sponsored actors use spear phishing to hack high-profile individuals, private organisations and critical industrial systems. APT (Advanced Persistent Threat) groups might have the know-how and the financial support, but because complex exploits are expensive, hard to come by and not as reliable as email, spear phishing is the next best thing. Spear phishing is also a perfect method for gaining a foothold in a company unnoticed, because a high-quality spear phishing attack is extremely hard to detect and highly successful.
Spear Phishing Example
As a social engineer, I have had the privilege to legally conduct spear phishing attacks against large, well-known organisations as well as organisations managing critical industrial systems. The most successful campaigns have usually started from a single piece of media that our customer had published online. They were unaware that a news interview, job listing, marketing video or a simple image taken inside the company premises might also contain information that could be used in a malicious way. From there I have been able to gather or guess intimate social practices or information that the company’s employees might think is available only to current employees.
Posing as a high-profile employee, with an email that mimics the way internal email is written and contains important intimate information about a current event, will most likely yield a high number of people clicking a possibly malicious link or opening an attachment that could be malware.
Spear Phishing Prevention
Detecting a spear phishing email is a lot like detecting a regular phishing email. Largely the same methods apply to both types of attack. Spear phishing might use more sophisticated methods to spoof the sender, hide the actual domain in a link or obfuscate the payload in an attachment.
Check the Sender & Domain
You should always check the sender address and validate that the email is coming from the real domain. However, this shouldn’t be your only method of detecting whether the email is fraudulent. In some cases the domain could be real, but the email is still coming from an attacker. These cases include improperly configured email servers, or an attacker who has access to a legitimate, trusted email account (EC, email compromise).
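The sender checks above can be automated against the raw message headers. The following script is an added example written for this article, not code from the original post: it compares the From, Reply-To and Return-Path domains, looks for an email address smuggled into the display name, and reads the SPF/DKIM/DMARC verdicts that the receiving mail server writes into the Authentication-Results header. The internal domain (example.com), the sample messages and every address in them are constructed for the example. As the text says, these checks are not enough on their own: they only help when your own mail server stamps Authentication-Results and the claimed domain publishes SPF/DKIM/DMARC records, and a message sent from a compromised but genuine mailbox passes all of them.

```python
import email
import re
from email import policy

# Domains this organisation sends its own mail from (assumed value for the example).
INTERNAL_DOMAINS = {"example.com"}

# Matches "spf=pass", "dkim=none", "dmarc=fail" inside an Authentication-Results header.
AUTH_RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)


def first_address(msg, name):
    """First parsed Address object of a structured header (From, Reply-To), or None."""
    header = msg.get(name)
    return header.addresses[0] if header is not None and header.addresses else None


def domain_of(header_value: str) -> str:
    """Lower-cased domain of the addr-spec in an unstructured header such as Return-Path."""
    match = re.search(r"<([^>]*)>", header_value)
    addr = match.group(1) if match else header_value.strip()
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze_sender(raw_message: str) -> list:
    """Return human-readable findings about the sender headers of one message.

    An empty list means these checks found nothing; it does not prove the
    message is genuine (a compromised real mailbox passes all of them).
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    sender = first_address(msg, "From")
    display_name = sender.display_name if sender else ""
    from_addr = sender.addr_spec if sender else ""
    from_domain = sender.domain.lower() if sender else ""

    # 1. A display name that itself looks like an address on another domain
    #    ("ceo@example.com" <someone@other.test>) is a classic lure.
    embedded = re.search(r"[\w.+-]+@([\w.-]+)", display_name)
    if embedded and embedded.group(1).lower() != from_domain:
        findings.append(f"display name shows {embedded.group(0)} but the address is {from_addr}")

    # 2. A Reply-To on another domain silently redirects the conversation.
    reply_to = first_address(msg, "Reply-To")
    reply_to_domain = reply_to.domain.lower() if reply_to else ""
    if reply_to_domain and reply_to_domain != from_domain:
        findings.append(f"Reply-To domain {reply_to_domain} differs from From domain {from_domain}")

    # 3. Return-Path is the envelope sender. Bulk senders legitimately differ
    #    here, but so does spoofed mail, so surface it rather than block on it.
    return_path_domain = domain_of(str(msg.get("Return-Path", "")))
    if return_path_domain and return_path_domain != from_domain:
        findings.append(f"Return-Path domain {return_path_domain} differs from From domain {from_domain}")

    # 4. Authentication-Results is stamped by the receiving mail server. Anything
    #    other than 'pass' means it could not confirm the claimed domain sent this.
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for mech, result in AUTH_RESULT_RE.findall(str(header)):
            results[mech.lower()] = result.lower()
    for mech in ("spf", "dkim", "dmarc"):
        result = results.get(mech, "missing")
        if result != "pass":
            findings.append(f"{mech} result is {result}")

    # 5. Mail claiming our own domain without passing DMARC is the textbook
    #    spoof of a high-profile employee.
    if from_domain in INTERNAL_DOMAINS and results.get("dmarc") != "pass":
        findings.append(f"claims internal domain {from_domain} without passing DMARC")

    return findings


# Constructed sample messages (no real addresses or servers).
SAMPLE_CLEAN = """\
From: "Jane Doe" <jane.doe@example.com>
Return-Path: <jane.doe@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
Subject: Q3 planning
To: staff@example.com

Agenda attached.
"""

SAMPLE_SPOOFED_CEO = """\
From: "Jane Doe jane.doe@example.com" <jane.doe@examp1e-mail.test>
Reply-To: jane.doe@examp1e-mail.test
Return-Path: <bounce@mail-relay.test>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-relay.test; dkim=none; dmarc=fail header.from=examp1e-mail.test
Subject: Urgent: bonus list before the all-hands
To: staff@example.com

Please open the attached list and confirm your details today.
"""

if __name__ == "__main__":
    for name, raw in (("clean", SAMPLE_CLEAN), ("spoofed", SAMPLE_SPOOFED_CEO)):
        print(name, analyze_sender(raw) or ["no findings"])
```

Run it on a message saved from your mail client (most clients can export the raw source) and treat any finding as a reason to verify through another channel, not as proof of fraud by itself.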
Hover over links
If the email has a link, you should always check where the link points to by hovering over it. This also shouldn’t be your only method. There are many ways to make it hard or even impossible for you to tell whether a link is legitimate. Attackers can try to fool you with subdomains, URL shorteners, homoglyphs, open redirects, look-alike domains or even by exploiting flaws in browsers and email clients.
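Hovering shows the real target, but reading it correctly is the hard part. The script below is an added example for this article, not code from the original post: it pulls every link out of an HTML mail body and checks it against the tricks listed above (visible text naming a different site than the href, a trusted name used as a subdomain of an untrusted domain, non-ASCII or punycode hostnames that can hide homoglyphs, look-alike spellings within a couple of edits, known URL shorteners, and a full URL hidden in a query parameter, which is the open-redirect pattern). The trusted domain (example.com), the shortener list and the sample body are constructed for the example; the "registered domain" is simplified to the last two labels, which real tooling would replace with the public suffix list.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

TRUSTED_DOMAINS = {"example.com"}  # assumed for the example
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}  # a few well-known ones; use a maintained list in practice
DOMAIN_IN_TEXT_RE = re.compile(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", re.IGNORECASE)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one or two edits away from a trusted name is a look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host: str) -> str:
    """Last two labels of the host. Simplification: real tooling should use the public suffix list."""
    return ".".join(host.split(".")[-2:])


def check_link(href: str, text: str) -> list:
    """Findings for one link; an empty list means none of these tricks was seen."""
    findings = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    if not host:  # mailto:, relative links and the like carry no host to judge
        return findings
    # Visible text naming one site while the href goes to another.
    shown = DOMAIN_IN_TEXT_RE.match(text)
    if shown and shown.group(1).lower() != host:
        findings.append(f"text shows {shown.group(1)} but the link goes to {host}")
    # Non-ASCII or punycode labels are where homoglyphs live.
    if not host.isascii() or "xn--" in host:
        findings.append(f"internationalized hostname {host} (possible homoglyph)")
    reg = registered_domain(host)
    for trusted in TRUSTED_DOMAINS:
        if reg == trusted:  # the real domain or a real subdomain of it
            continue
        if trusted in host:  # e.g. example.com.login-portal.test
            findings.append(f"trusted name {trusted} embedded in untrusted host {host}")
        elif edit_distance(reg, trusted) <= 2:
            findings.append(f"{reg} is a look-alike of {trusted}")
    if reg in SHORTENERS:
        findings.append(f"URL shortener {reg} hides the real destination")
    # A trusted site carrying a full URL in a query parameter is the open-redirect pattern.
    for values in parse_qs(parsed.query).values():
        for value in values:
            if re.match(r"https?://", value):
                findings.append(f"query parameter redirects to {urlparse(value).hostname}")
    return findings


def scan_links(html_body: str) -> dict:
    """Map each suspicious href in the body to its findings; clean links are omitted."""
    extractor = LinkExtractor()
    extractor.feed(html_body)
    report = {}
    for href, text in extractor.links:
        findings = check_link(href, text)
        if findings:
            report[href] = findings
    return report


# Constructed sample body; the Cyrillic 'а' in the SSO link is deliberate.
SAMPLE_BODY = """
<p>Hi Jane, please confirm your details here:</p>
<a href="https://example.com.login-portal.test/verify">https://example.com/verify</a><br>
<a href="https://examp1e.com/reset">Reset password</a><br>
<a href="https://exаmple.com/sso">SSO login</a><br>
<a href="https://example.com/go?url=https://collector.test/x">Company intranet</a><br>
<a href="https://bit.ly/constructed">Meeting agenda</a><br>
<a href="https://example.com/handbook">Employee handbook</a>
"""

if __name__ == "__main__":
    for href, findings in scan_links(SAMPLE_BODY).items():
        print(href, findings)
```

Only the handbook link comes back clean; every other link in the sample trips at least one check. The checks are deliberately noisy (a genuine marketing mail through a shortener will be flagged too), which is the right trade-off for a tool whose output is "verify through another channel" rather than "block".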
Read & Verify
Read the email content with care. If it is from someone you have exchanged emails with before, check whether the style and tone are familiar. If the email has a signature, check that the signatures match. If the email is asking you to visit a link, open an attachment, reveal any information or take an action, contact the sender via a different channel and ask whether the email is really from them.
You should always do all of these, but most importantly, treat every email as a potential phishing attack.
Luckily, I am on a good mission, but I am not the only one sending spear phishing emails. Organisations should be concerned, because the threat is real, and nobody is safe. However, I can see my work getting harder. Our customers are becoming more aware as they learn to detect and report all kinds of phishing emails. Security awareness training is currently the most effective way to mitigate the threat of spear phishing attacks.