Spear phishing is an email-spoofing attack that targets a specific organization or individual, seeking unauthorized access to sensitive information. Spear-phishing attempts are not typically initiated by random hackers; they are more likely to be conducted by perpetrators after financial gain, trade secrets or military information.
Spear phishing is a social engineering attack in which a perpetrator, disguised as a trusted individual, tricks a target into clicking a link in a spoofed email, text message or instant message. As a result, the target unwittingly reveals sensitive information, installs malicious programs (malware) on their network or executes the first stage of an advanced persistent threat (APT), to name a few of the possible consequences.
While similar to phishing and whaling attacks, spear phishing is launched in a unique way and its targets differ from other social engineering assaults. As a result, the attack deserves special attention when formulating your application security strategy.
How Does It Work?
Spear phishing follows a well-known pattern. The phishers will begin by researching you and learning about the company you work for, your colleagues, and projects that you may be currently working on.
Then you’ll receive an email that appears to come from someone you know. It may reference a project you are working on or an issue you are dealing with, or it might mention a forthcoming event or a mutual contact. The email will instruct you to download a file.
Often the file will be hosted by a service like Dropbox or Google Drive. When you go to the page hosting the file, it will ask you to enter your credentials. The login page will look just like a legitimate Google or similar login page.
But this page is actually run by the scammer. When you enter your username and password, the scammer captures them instead of logging you in. This can even work against two-factor authentication: when you enter your authentication code on the fake page, it is sent to the scammer as well.
The scammer then has the username and password for your Google account or another important account, and can use them to get into your other accounts too, compromising your security far beyond the one login.
Spear Phishing Examples
The following example illustrates a spear phishing attack’s progression and potential consequences:
- A spoofed email is sent to an enterprise’s sysadmin from someone claiming to represent www.itservices.com, a database management SaaS provider. The email uses the itservices.com customer mailing template.
- The email claims that itservices.com is offering a free new service for a limited time, and invites the user to sign up for the service using the enclosed link.
- After clicking the link, the sysadmin is redirected to a login page on itservice.com, a fake website identical to the itservices.com registration page.
- At the same time, a command and control agent is installed on the sysadmin’s machine, which can then be used as a backdoor into the enterprise’s network to execute the first stage of an APT.
Spear Phishing vs. Phishing vs. Whaling
Familiarity with the target is what sets spear phishing apart from regular phishing attacks. Phishing emails typically appear to come from a known contact or organization. They include a malicious link or attachment that installs malware on the target’s device, or direct the target to a malicious website set up to trick them into giving up sensitive information such as passwords, account details or credit card numbers.
Spear phishing has the same goal as normal phishing, but the attacker first gathers information about the intended target and uses it to personalize the attack. Instead of sending phishing emails to a large group of people, the attacker targets a select group or an individual. By limiting the targets, it is easier to include personal information, such as the target’s first name or job title, and make the malicious emails seem more trustworthy.
The same personalized technique is used in whaling attacks, as well. A whaling attack is a spear-phishing attack directed specifically at high-profile targets like C-level executives, politicians and celebrities. Whaling attacks are also customized to the target and use the same social-engineering, email-spoofing and content-spoofing methods to access sensitive data.
How Do Spear Phishers Make Their Messages Look Legit?
Regular phishing emails are easy to spot if you know what to look for. But unlike the generic phishing emails that are sent out in bulk, a spear phishing attack is targeted to you specifically. The phishers use techniques to make their emails more convincing.
One common trick is for the phisher to register a domain that closely resembles the real domain they want to impersonate.
Alternatively, a phisher might use email spoofing to forge a fake email from someone you know.
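As an added example, not part of the original article, the following Python checks a received message for the two tricks just described: a sender domain that is a near-match for one the organization trusts, and a From address that does not line up with the envelope sender or with the receiving mail server’s SPF/DKIM/DMARC results. The trusted-domain list, the confusable-character table and the three sample messages are constructed for this demo; itservices.com is the article’s own example domain, and example.com and mail-relay.example.net are placeholders.

```python
import email
from email import policy
from email.utils import parseaddr

# Domains this organization trusts. itservices.com is the article's example;
# example.com is a constructed placeholder.
TRUSTED_DOMAINS = {"itservices.com", "example.com"}

# Substitutions commonly used to build lookalike domains (constructed list).
# Multi-character entries come first so "rn" folds to "m" before single letters.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def fold_confusables(domain: str) -> str:
    """Collapse homoglyph substitutions so itserv1ces.com reads as itservlces.com."""
    for bad, good in CONFUSABLES:
        domain = domain.replace(bad, good)
    return domain


def levenshtein(a: str, b: str) -> int:
    """Edit distance; one swapped letter (itservlces vs itservices) scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str):
    """Return the trusted domain that `domain` imitates, or None when it is
    itself trusted (or a subdomain of a trusted domain) or simply unrelated."""
    domain = domain.lower()
    if any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return None
    folded = fold_confusables(domain)
    for trusted in TRUSTED_DOMAINS:
        if folded == trusted or levenshtein(folded, trusted) <= 1:
            return trusted
    return None


def _domain(header_value: str) -> str:
    """Domain part of the first address in a header value."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower()


def analyze_sender(raw_message: str) -> list:
    """Return human-readable findings; an empty list means no sender anomaly."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    from_domain = _domain(str(msg.get("From", "")))
    target = lookalike_of(from_domain)
    if target:
        findings.append(f"lookalike: {from_domain} resembles {target}")

    # The envelope sender (Return-Path) should belong to the same organization as From.
    rp_domain = _domain(str(msg.get("Return-Path", "")))
    if rp_domain and rp_domain != from_domain and not rp_domain.endswith("." + from_domain):
        findings.append(f"return-path {rp_domain} does not match From {from_domain}")

    # Authentication-Results is written by the receiving server; anything other
    # than an explicit pass for each mechanism is reported.
    auth = str(msg.get("Authentication-Results", "")).lower()
    for mech in ("spf", "dkim", "dmarc"):
        if f"{mech}=pass" not in auth:
            findings.append(f"{mech} not passing")
    return findings


# Constructed sample messages. Note that a lookalike domain the attacker owns
# passes SPF/DKIM/DMARC, which is why the domain check is needed separately.
LOOKALIKE = """\
From: IT Services Billing <billing@itservlces.com>
Return-Path: <billing@itservlces.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=itservlces.com; dkim=pass header.d=itservlces.com; dmarc=pass
Subject: Your free new service

Sign up here before the offer ends.
"""

SPOOFED = """\
From: IT Services Alerts <alerts@itservices.com>
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none; dmarc=fail
Subject: Action required

Please confirm your account.
"""

LEGIT = """\
From: IT Services Alerts <alerts@itservices.com>
Return-Path: <bounce@itservices.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=itservices.com; dkim=pass header.d=itservices.com; dmarc=pass
Subject: Scheduled maintenance

Maintenance window on Saturday.
"""

if __name__ == "__main__":
    for name, raw in (("lookalike", LOOKALIKE), ("spoofed", SPOOFED), ("legit", LEGIT)):
        print(name, analyze_sender(raw) or ["clean"])
```

The two checks are deliberately independent: the lookalike message passes every authentication mechanism because the attacker controls that domain, while the spoofed message uses the genuine domain and is caught only by the envelope and authentication mismatch.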
The email messages will be well-written and professional, with no spelling or grammar mistakes, and phishers can be very cunning in the way they make the emails look urgent and important. They could fake an email from your boss or from the CEO of your company, someone you wouldn’t want to question.
Phishers may even do research to find out when one of your colleagues is away on a business trip. Then they’ll email you, pretending to be that colleague, as they know you won’t be speaking to them in person. There are lots of ways for a phisher to find out about your company and to use that information to trick you.
Tips to Avoid a Spear Phishing Attack
The targeted nature of spear phishing attacks makes them difficult to detect. However, several risk prevention measures can help.
1. Watch What Personal Information You Post on the Internet
Look at your online profiles. How much personal information is available for potential attackers to view? If there is anything that you do not want a potential scammer to see, do not post it, or at the very minimum make sure that you have configured privacy settings to limit what others can see.
2. Have Smart Passwords
Do not just use one password or variations of passwords for every account that you own. Reusing passwords or password variations means that if an attacker has access to one of your passwords, they effectively have access to all of your accounts. Every password that you have should be different from the rest. You need to create strong passwords. Passwords with random phrases, numbers, and letters are the most secure.
3. Frequently Update Your Software
If your software provider notifies you that there is a new update, install it right away. Most software updates include security fixes that help protect you from common attacks. Where possible, enable automatic software updates.
4. Do Not Click Links in Emails
If an organization, such as your bank, sends you a link, launch your browser and go directly to the bank’s site instead of clicking the link itself. You can also check the destination of a link by hovering your mouse over it. If the URL does not match the link’s anchor text or the email’s stated destination, it may well be malicious. Many spear-phishing attackers try to obfuscate link destinations by using anchor text that looks like a legitimate URL.
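The hover check described above can be automated for HTML mail. As an added example, not from the original article, the Python below parses the anchors in a message body and flags any link whose visible text looks like a URL but whose real destination host differs from the one shown. The sample HTML is constructed for this demo: itservices.com is the article’s example provider and itservices-login.example (reserved .example TLD) stands in for the fake site. Links labelled with a plain phrase such as "Click here" are outside what this check can compare, as the code notes.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Normalize whitespace so "https://www.itservices.com/signup" compares cleanly.
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.IGNORECASE)


def looks_like_url(text: str) -> bool:
    """True when the anchor text is something a reader would take for an address."""
    return bool(URL_LIKE.match(text))


def host_of(url: str) -> str:
    """Hostname of a URL or bare domain, lower-cased and without a leading www."""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def suspicious_links(html: str) -> list:
    """Return (shown_text, real_href) pairs whose displayed address and actual
    destination point at different hosts."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        # Only anchors whose text imitates a URL can be compared host-to-host;
        # a link labelled "Click here" is not caught by this check.
        if looks_like_url(text) and host_of(text) != host_of(href):
            flagged.append((text, href))
    return flagged


# Constructed sample body: one deceptive link, one honest link, one phrase link.
SAMPLE_HTML = """
<p>Sign up for your free service at
<a href="https://itservices-login.example/signup">https://www.itservices.com/signup</a>.</p>
<p>Documentation: <a href="https://itservices.com/docs">https://itservices.com/docs</a></p>
<p>Questions? <a href="https://itservices-login.example/help">Click here</a>.</p>
"""

if __name__ == "__main__":
    for shown, real in suspicious_links(SAMPLE_HTML):
        print(f"shown: {shown}\n  real: {real}")
```

Comparing hosts rather than whole URLs avoids false positives from tracking parameters or path differences, while still catching the case the article describes, where the anchor text is a legitimate-looking address and the href points somewhere else.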
5. Use Logic When Opening Emails
If you get an email from a “friend” asking for personal information, including your password, carefully check whether their email address is one you have seen them use in the past. Real businesses will not send you an email asking for your username or password. Your best bet is to contact that “friend” or business outside of email, or to visit the business’s official website to see whether they actually contacted you.
6. Implement a Data Protection Program at Your Organization
A data protection program that combines user education around data security best practices with the implementation of a data protection solution will help to prevent data loss due to spear-phishing attacks. For midsize to larger corporations, data loss prevention software should be installed to protect sensitive data from unauthorized access or egress, even if a user falls for a phishing scam.
7. Two-Factor Authentication
2FA helps secure login to sensitive applications by requiring users to have two things: something they know, such as a user name and password, and something they have, such as a smartphone or cryptographic token. When 2FA is used, even if a password is compromised through a technique like spear phishing, it is of no use to an attacker without the physical device held by the real user. Bear in mind the fake login page described earlier, though: a one-time code typed into the scammer’s page is relayed along with the password, so 2FA gives the most protection when the second factor cannot simply be retyped into another site.
Spear phishing is a much more sophisticated version of traditional phishing. It relies on a great deal of research to target a particular individual, faking email correspondence from one of their contacts.
These emails can look very convincing and instruct the recipient to download a file containing malware, giving the phisher access to the target’s email account or other accounts. It is therefore essential to watch out for emails that look legitimate but may be a way to compromise your accounts.