Email has traditionally been a popular means for cybercriminals to perpetrate fraud, sabotage, network infiltration, data theft, extortion, and other malicious acts. And for scam artists, phishing remains a popular pastime. Recently, there’s been an upsurge in a particular brand of phishing activity – namely, Spear Phishing.
What is Spear Phishing?
Just as in the angling world there are various methods of hauling in a catch, in the field of online fraud and baited email, there are some variants. Like its riverbank equivalent, spear phishing is a targeted exercise. Once the desired “fish” is spotted, a specific snare is used, to pinpoint it.
The “fish” in this case may be an individual, a corporate body, or functionary within an organisation – typically, a middle-ranking official, with access to information, funds or trade secrets, or with contacts, rank, and network privileges that can steer the infiltrators on to better things.
The sender of a spear phishing email usually appears to be someone within the victim’s own organisation – typically an official of a higher rank, or in a different department. The message is a spoof of course, but the requests within it (and the wording of the body text itself) will have been specially crafted to give the recipient the impression that it’s a genuine communication from the person concerned.
So when the email recipient is urgently requested to transfer a certain file here or there, wire funds to a specified account, or visit a particular website, the demand doesn’t necessarily seem out of place. But compliance will typically lead to the leakage of confidential data from the enterprise, the loss of funds, or the unwelcome intrusion of malware. And if a spear phishing website manages to extract user credentials from a single victim, this may be the springboard for a sustained intrusion into the corporate network, or worse.
Spear Phishing – Who Sets the Bait?
Sabotage, a media attention-grabbing disruption of operations, or the theft of confidential information are typical motives for a spear phishing campaign – and the organisers are more likely to be members of a rival corporation, government agency (foreign or domestic), or “hacktivist” political group, than a “lone wolf” perpetrator. Cyber-criminal networks also mount attacks to gain information and access privileges which may be sold on to third parties (including governments and corporations).
Classified in cyber-security terms as a tool for advanced persistent threat or APT attacks, spear phishing campaigns may be prolonged and sustained, depending on their level of infiltration and success within a targeted organisation. The specially tailored messages and social engineering tactics used by the perpetrators are often sufficient to hook high-level officials who would otherwise be resistant to standard phishing techniques.
Spear or Trident?
Spear phishing typically adopts a three-pronged approach to maximise its chance of success:
- The apparent sender of a spear phishing email must appear to be someone who’s known and trusted by the recipient. The cyber-criminals will have done their homework on the intended victim, and (for example) use their familiar name in the message salutation, or refer to a recent incident or transaction in which they and the supposed sender were involved.
- There’s information in the body text to make the message seem genuine and viable. Again, this may take the form of a reference to some recent activity, which is the result of good research on the fraudster’s part. This creates an atmosphere of trust and credibility which makes the third prong easier.
- The action requested by the sender appears to have a logical basis. In the light of recent market activity, developments within the enterprise, or ongoing projects, a request for funds, access credentials (e.g. a shared password for a team collaboration project), or for the recipient to download an urgent document file may seem perfectly reasonable.
Standard mail filtering catches only part of this. Sender-authentication checks (SPF, DKIM, DMARC) can reject a message that forges your own domain outright, and attachment scanning catches known malware, but a message sent from a lookalike domain, from a free webmail account carrying a colleague’s display name, or from a compromised genuine mailbox passes those checks cleanly. Users therefore need to take steps on their own to avoid becoming prey to it.
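The forged sender described in the first prong above leaves tells in the message headers that a mail gateway or a user-side script can check. The following is example code added for this article, not the author’s tooling or any product: it parses a raw message and reports a display name that belongs to a known colleague but sits on a different address, a sender domain that imitates the organisation’s domain, a Reply-To pointing elsewhere, and an Authentication-Results header in which neither SPF nor DKIM passed. The organisation domain example.com, the contact directory and the two sample messages are all constructed for the example.

```python
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                             # assumed: the organisation's own mail domain
KNOWN_SENDERS = {"Jane Doe": "jane.doe@example.com"}   # assumed: internal contact directory


def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike domains (examp1e.com, exarnple.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, reference):
    """True if domain imitates reference without being it."""
    if not domain or domain == reference:
        return False
    if edit_distance(domain, reference) <= 2:
        return True
    return reference.split(".")[0] in domain           # example.com.evil.net, example-com.net


def domain_of(address):
    return address.rpartition("@")[2].lower()


def spoof_indicators(raw_message):
    """Return the reasons the sender of raw_message looks forged (empty list = nothing found)."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(addr)
    flags = []

    # 1. Display name of a known colleague on an address that is not theirs
    expected = KNOWN_SENDERS.get(name)
    if expected and addr.lower() != expected.lower():
        flags.append(f"display name '{name}' belongs to {expected}, not {addr}")

    # 2. Sender domain that imitates the organisation's domain
    if is_lookalike(sender_domain, ORG_DOMAIN):
        flags.append(f"sender domain {sender_domain} resembles {ORG_DOMAIN}")

    # 3. Replies silently redirected to a different domain
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and domain_of(reply_to) != sender_domain:
        flags.append(f"Reply-To {reply_to} is on a different domain")

    # 4. The receiving server's Authentication-Results shows neither SPF nor DKIM passing
    auth = msg.get("Authentication-Results", "").lower()
    if auth and "spf=pass" not in auth and "dkim=pass" not in auth:
        flags.append("neither SPF nor DKIM passed at the receiving server")
    return flags


# Constructed sample messages (not real mail)
SPOOFED_MESSAGE = """\
From: "Jane Doe" <jane.doe@exarnple.com>
Reply-To: jane.doe.ceo@mail-relay.invalid
To: bob@example.com
Subject: Urgent wire transfer before close of business
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=exarnple.com; dkim=none

Bob, please process the attached payment today and confirm by reply.
"""

GENUINE_MESSAGE = """\
From: "Jane Doe" <jane.doe@example.com>
To: bob@example.com
Subject: Q3 budget draft
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com

Bob, the draft is in the shared folder as agreed on Monday.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("genuine", GENUINE_MESSAGE)):
        print(label, spoof_indicators(raw) or ["no indicators"])
```

The Authentication-Results check only means something if the header was written by your own receiving server (an attacker can put one in the message body, so a gateway should strip any that arrive from outside before adding its own), and none of these checks fires for a genuinely compromised colleague’s mailbox, which is why the out-of-band verification described later still matters.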
Don’t Tell All
Information on the intended victim is at the heart of a successful spear phishing exercise. And with the online activities of a typical individual these days, there’s a lot of it to be had. Personal histories, nicknames, family names, buying preferences, employment details, even passwords – all could be available to the perpetrators from browsing logs, user profiles and interactions on social media, comments on blogs and forums, or brute-force attacks against login pages.
So it’s important to be circumspect, in what you reveal about yourself online. Resist the urge to give away too much – and be strict with your privacy settings on social media and online communities. Otherwise, you risk providing spear phishing perpetrators with the social engineering lures and triggers needed to get a favourable response from you.
Mix Them Up
If you reuse one password across several accounts, or use passwords that follow the same pattern (the same base word with a different year or symbol on the end), you’ve already given cyber-criminals a head start: one leaked password reveals the rest. Each account should have its own password that cannot be derived from any other.
Use a random password generator and / or secure password manager – there are plenty of software products for this which you can download (safely) for free.
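As an added example for the two points above (it is written for this article and is not code from any password manager), the script below generates a password from the CSPRNG in Python’s `secrets` module, states its guessing entropy, and checks a small vault for the kind of reuse the text warns about: identical passwords, the same stem with a bumped suffix (Tiger2019! / Tiger2020!), and the same character-class pattern (Tiger2019! / Horse2021!). The account names and the human-chosen passwords are constructed for the example.

```python
import math
import re
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation   # 94 symbols


def generate_password(length=20):
    """Password drawn with the CSPRNG in `secrets`, never with `random`."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Guessing entropy of a uniformly random password of this length."""
    return length * math.log2(alphabet_size)


def shape(password):
    """Collapse a password to its character-class pattern: 'Tiger2019!' -> 'Ulllldddds'."""
    return "".join(
        "U" if c.isupper() else "l" if c.islower() else "d" if c.isdigit() else "s"
        for c in password
    )


def stem(password):
    """Strip the trailing digits and symbols people bump when 'rotating' a password."""
    return re.sub(r"[\d\W_]+$", "", password).lower()


def related_passwords(accounts):
    """Report account pairs whose passwords would fall together if one of them leaked."""
    items = list(accounts.items())
    findings = []
    for i, (acct_a, pw_a) in enumerate(items):
        for acct_b, pw_b in items[i + 1:]:
            if pw_a == pw_b:
                findings.append((acct_a, acct_b, "identical password"))
            elif stem(pw_a) and stem(pw_a) == stem(pw_b):
                findings.append((acct_a, acct_b, f"same stem '{stem(pw_a)}' with a different suffix"))
            elif shape(pw_a) == shape(pw_b):
                findings.append((acct_a, acct_b, f"same pattern {shape(pw_a)}"))
    return findings


# Constructed sample vault: three human-chosen passwords and one generated one
ACCOUNTS = {
    "email": "Tiger2019!",
    "bank": "Tiger2020!",
    "vpn": "Horse2021!",
    "forum": generate_password(),
}

if __name__ == "__main__":
    for a, b, why in related_passwords(ACCOUNTS):
        print(f"{a} / {b}: {why}")
    print(f"generated: {ACCOUNTS['forum']} ({entropy_bits(20):.0f} bits)")
```

The pattern check is deliberately crude (it matches on character classes, so two random passwords of equal length could in principle collide), but it catches exactly the habit the text describes: a cracker who recovers Tiger2019! from one breach will try Tiger2020! and Tiger2021! elsewhere before anything else.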
Watch Those Downloads
Beyond the fund transfers and simple access gains, spear phishing often encourages its victims to download malware – usually disguised as an email attachment, or file from a baited website.
Microsoft Office formats such as .DOC, .XLS and .DOCX are highly favoured (the legacy .DOC and .XLS formats, and the macro-enabled .DOCM and .XLSM variants, can carry VBA macros), as are .PDF and .HWP (Hangul Word Processor) files. Most security applications watch for suspect executable files with .EXE extensions, so perpetrators hide the executable inside a .ZIP, .LZH or .RAR archive, or disguise it with a double extension such as invoice.pdf.exe, which Windows Explorer shows as invoice.pdf when known extensions are hidden (the default).
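An attachment check that looks at content rather than trusting the filename, added here as an example written for this article (not the author’s tooling or any scanner’s code): it sniffs magic bytes, flags executables, double extensions and extension/content mismatches, notes macro-capable Office formats, and descends into ZIP archives to find what they hide. The extension lists, the size cap and the sample attachments are assumptions constructed for the example; the "executables" are just an MZ header followed by padding.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extension lists are assumptions for this example, not an exhaustive policy
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
                  ".vbs", ".wsf", ".hta", ".lnk", ".msi", ".ps1"}
MACRO_EXT = {".doc", ".xls", ".docm", ".xlsm", ".pptm"}   # formats that can carry VBA macros
MAX_MEMBER_BYTES = 10_000_000                             # refuse to expand oversized members

MAGIC = (
    (b"MZ", "Windows executable"),
    (b"%PDF", "PDF"),
    (b"PK\x03\x04", "ZIP container"),                     # also DOCX/XLSX/PPTX
    (b"\xd0\xcf\x11\xe0", "OLE2 compound file"),          # legacy DOC/XLS
)


def sniff(data):
    """Identify content by magic bytes, ignoring whatever the filename claims."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def inspect_attachment(name, data, depth=0):
    """Return a list of findings for one attachment, descending into ZIP archives."""
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    ext = suffixes[-1] if suffixes else ""
    kind = sniff(data)
    findings = []

    if ext in EXECUTABLE_EXT:
        how = "double extension hiding an executable" if len(suffixes) > 1 else "executable attachment"
        findings.append(f"{name}: {how}")
    elif kind == "Windows executable":
        findings.append(f"{name}: content is a Windows executable but extension is '{ext or 'none'}'")

    if ext in MACRO_EXT:
        findings.append(f"{name}: Office document that may carry macros")

    # Look inside archives, but only two levels deep and never into oversized members
    if ext == ".zip" and kind == "ZIP container" and depth < 2:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                if info.file_size > MAX_MEMBER_BYTES:
                    findings.append(f"{name}/{info.filename}: member too large to inspect")
                    continue
                findings += inspect_attachment(f"{name}/{info.filename}", zf.read(info), depth + 1)
    return findings


def scan(attachments):
    """Map each attachment name to its findings."""
    return {name: inspect_attachment(name, data) for name, data in attachments.items()}


def build_sample_archive():
    """Constructed ZIP: a fake PE with a double extension next to a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.exe", b"MZ" + b"\x90" * 64)
        zf.writestr("readme.txt", b"please open the invoice")
    return buf.getvalue()


# Constructed sample attachments (none is real malware)
SAMPLE_ATTACHMENTS = {
    "invoice.zip": build_sample_archive(),
    "statement.pdf": b"MZ" + b"\x00" * 64,          # executable renamed to look like a PDF
    "agenda.pdf": b"%PDF-1.7\n%constructed sample\n",
    "budget.xlsm": b"PK\x03\x04" + b"\x00" * 32,    # macro-enabled workbook (OOXML is a ZIP)
}

if __name__ == "__main__":
    for name, findings in scan(SAMPLE_ATTACHMENTS).items():
        print(name, "->", findings or ["clean by these checks"])
```

Only ZIP is opened because the standard library handles it; .RAR and .LZH need external tooling, and an encrypted archive (a common trick, with the password in the email body) yields nothing to sniff and should be treated as suspect on that basis alone. A clean result here does not mean a file is safe, only that it is not wearing one of these particular disguises.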
Update Your Protection to guard against Spear Phishing attacks
Keep your operating system, Web browsers, and application software patched and up to date. The same advice extends to your anti-virus and Internet security software.
Verify Your Contacts
Email is only one of the communication tools available. So if a message from a trusted source raises a hint of suspicion, use another channel (a phone call, Skype, an in-person visit, etc.) to establish whether the request really originated from its supposed sender. Use contact details you already hold, not the phone number or address given in the suspect message, since those may belong to the attacker.
And don’t forget that many established institutions like banks and government departments have email addresses to which you can forward suspect messages, for verification.