When a determined malicious actor has the time and money and is looking for a way into your personal or company’s network, he/she will most likely execute a spear phishing attack. Spear phishing is the choice of champions (by champion, we mean a successful malicious hacker) and a popular method to successfully bypass sophisticated technical implementations designed to protect systems and networks against exploits and malware.
Spear Phishing vs. Phishing
Spear phishing is a type of phishing that is highly targeted against a single individual inside an organization. A spear phish is built using content that is personal and believable. It usually doesn't stand out too much from the company's normal email stream. Spear phishing requires more effort than a regular run-of-the-mill phish, but it is also more effective. When regular phishing emails get detected by the company's employees, the attacker will shift to spear phishing and will be more likely to succeed in getting what they are after.
Even sophisticated nation-state-sponsored actors use spear phishing to hack high-profile individuals, private organizations, and critical industrial systems. APT (Advanced Persistent Threat) groups might have the know-how and financial support, but because complex exploits are expensive, hard to come by, and not as reliable as email, spear phishing is the next best thing. Spear phishing is also a perfect method to gain a foothold in a company's network unnoticed, because a high-quality spear phishing attack is extremely hard to detect, which makes it highly successful for the hacker.
Spear Phishing Example
As a social engineer, I have had the privilege to legally conduct spear phishing attacks against large, well-known organizations as well as companies managing critical industrial systems. The most successful campaigns have usually started from a single piece of media that our customer had published online. They were unaware that the news, interview, job listing, marketing video, or a simple image taken inside the company premises might also contain information that could be used in a malicious way. From that small piece of information, I have been able to gather or guess some intimate social practices or information that the company's employees might think is only available to current team members.
I could pose as a high-profile employee with an email mimicking the way an internal email is written. The email would contain important intimate information about current events to increase the likelihood of a high number of people clicking the possibly malicious link or opening an attachment that could have been malware.
Spear Phishing Prevention
Detecting spear phishing email is a lot like detecting regular phishing email. Largely, the same methods apply to both types of attacks. Spear phishing might use more sophisticated methods to spoof the sender, hide the actual domain in a link, or obscure the payload in an attachment.
1. Check the Sender & Domain
You should always check the sender address and validate that the email is coming from a real domain. However, this shouldn't be your only method of detecting whether the email is fraudulent. In some cases, the domain could be real, but the email could still be coming from an attacker. These cases include improperly configured email servers, or an attacker who has access to a legitimate, trusted mailbox (email compromise, EC).
2. Hover over Links
If the email has a link, you should always check where the link points by hovering over it. This also shouldn't be your only method. There are many ways to make it hard or even impossible for you to tell whether the link is legitimate. The attackers could try to fool you with subdomains, URL shorteners, homoglyphs, open redirects, look-alike domains, or even by exploiting flaws in browsers and email clients.
3. Read & Verify
Read the email content with care. If it is from someone you have exchanged emails with before, see if the style and tone are familiar. If the email has a signature, check that it matches the signature in earlier emails. If the email is asking you to visit a link, open an attachment, reveal any information, or take an action, contact the sender via a different channel and ask if the email is really from them.
You should do all of these, always, but most importantly, treat every email as a potential phishing attack.
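To make the "hover over links" step concrete, here is a small checker (an added example, not code from the original post) that flags the link tricks listed above: the trusted name buried as a subdomain of another domain, look-alike domains, homoglyphs, URL shorteners, and link text that disagrees with the real target. The trusted domain, the shortener list, and all sample links are constructed placeholders.

```python
# Added example (not from the original post): flag the link tricks listed above:
# subdomain abuse, look-alike domains, homoglyphs, shorteners, text/target mismatch.
from urllib.parse import urlparse

TRUSTED = "example-corp.com"                     # assumed: the company's real domain
SHORTENERS = {"short.example", "tiny.example"}   # constructed list of shortener hosts

def registrable(host: str) -> str:
    """Last two labels of a host; a crude stand-in for a public-suffix lookup."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike registrable domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def shown_host(text: str) -> str:
    """Hostname the link text claims, or '' if the text is not URL-like."""
    t = text.strip()
    if " " in t or "." not in t:
        return ""
    return urlparse(t if "://" in t else "http://" + t).hostname or ""

def check_link(display_text: str, href: str) -> list:
    """Reasons this link deserves a second look (empty list means nothing found)."""
    findings = []
    host = urlparse(href).hostname or ""
    reg = registrable(host)
    if not host.isascii():                       # e.g. Cyrillic letters standing in for Latin ones
        findings.append("homoglyph: non-ASCII characters in host " + host)
    if host in SHORTENERS:
        findings.append("URL shortener hides the real destination")
    if reg != TRUSTED:
        if (TRUSTED + ".") in host:              # trusted name is only a prefix of another domain
            findings.append("trusted name embedded in a host registered under " + reg)
        elif 0 < edit_distance(reg, TRUSTED) <= 2:
            findings.append("look-alike domain %s (close to %s)" % (reg, TRUSTED))
    claimed = shown_host(display_text)
    if claimed and claimed != host:              # what the user sees vs. where the link goes
        findings.append("text shows %s but the link goes to %s" % (claimed, host))
    return findings

if __name__ == "__main__":   # constructed sample: trusted name used as a subdomain
    print(check_link("https://example-corp.com/payroll",
                     "https://example-corp.com.evil-host.net/login"))
```

The two-label `registrable()` helper is deliberately simple; a real deployment would use a public-suffix list so that hosts under `co.uk`-style suffixes are handled correctly.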
Luckily, I am on a good mission, but I am not the only one sending spear phishing emails. Organizations should be concerned, because the threat is real, and nobody is safe. However, I can see my work getting harder. Our customers are becoming more aware as they learn to detect and report all kinds of phishing emails. Security awareness training is currently the most effective way to mitigate the threat of spear phishing attacks.