Spear Phishing Protection

How spear phishing works

Any spear phishing attack involves two phases

 

» 

Researching the target-

In spear phishing, the scammer typically already knows some information about the target before making a move. When you consider the amount of personal data available publicly (e.g. job titles, companies, reporting hierarchy at a job, previous employment, names of friends etc.)  it is really not that difficult for someone to pose as a trusted party and trick an unsuspecting target into handing over some additional info. This basic information is further enriched with extensive research on social media, business websites, industry portals and other such publications. Social engineering techniques play a prominent role in this phase.

» 

Sending out communication that is most contextually relevant and with the greatest likelihood of success-

This is the culmination of all the research and planning. It involves creating the message with fake (but convincing) corporate branding, domain setup etc. and perhaps most importantly, the time at which the communication is actually sent out.

Given its targeted nature, spear phishing attacks typically enjoy a much higher success rate as compared to normal phishing attacks.

 

Spear phishing attack examples

Spear phishing attacks can be carried out on private individuals or on business employees. Some of the most glaring examples of spear phishing come from the corporate world.

 

» 

RSA Attack (2011)

Irony struck the security giant RSA in March 2011 when the systems behind the EMC division’s flagship SecurID 2-factor authentication product were compromised using spear phishing. The attackers managed to get one of the targets to open an email attachment which ended up in the installation of a variant of the Poison Ivy Trojan using a zero-day vulnerability in Adobe Flash. Even though RSA managed to spot the attack in progress, the attackers still managed to steal sensitive data from RSA’s network.

 

» 

Sony Pictures (2014)

This phishing attack apparently had a political motive and was launched by a hacker group named Guardians of Peace, which the US investigators traced back to North Korea. Via phishing emails, the attackers managed to install malware and steal sensitive information about Sony Pictures and its employees, a large selection of unreleased films and then managed to permanently delete from a large part of Sony’s infrastructure. The attackers also demanded that Sony also withdraw its film The Interview, a comedy about a plot to assassinate North Korean leader Kim Jong-un, and threatened terrorist attacks at cinemas screening the film. Sony did have to cancel the release in theatres but managed to release a digital copy of the movie instead.

 

» 

U.S Department of Energy Attack

One of the most prominent examples of spear phishing in the public sector involves the case of Charles Harvey Eccleston who pleaded guilty to sending out emails to U.S Department of Energy employees. These emails carried a virus that could potentially compromise government computers and result in sending sensitive data about US nuclear weapon program to foreign governments.

 

 

» 

Anthem Medical Data Breach

The health insurance giant Anthem witnessed a devastating phishing attack in 2015 and which resulted in the theft of private data of over 35.5 million customers and key employees including that of Anthem CEO Joseph Swedish. The attack took the form of a phishing email that was opened by five employees and which resulted in the download of a keystroke logging software. Healthcare data is apparently worth more on the black market than even financial data and could have potentially resulted in profits of millions of dollars for perpetrators.

 

» 

Email Marketing Services Company Epsilon Breach

In the corporate environment, one of the biggest spear phishing attacks was that on email marketing services company Epsilon back in 2011. The company maintained large databases of emails from multiple corporate clients and more importantly, some very rich behavioural data that could be a goldmine for a sophisticated scammer. The attack involved an email with a link to a malicious site which resulted in downloading of Win32.BlkIC.IMG, which disabled anti-virus software, a Trojan keylogger called iStealer, that was used to steal passwords, and an administration tool called CyberGate, which was used to gain complete remote control of compromised systems.

 

» 

Targeting Airbnb Customers (2018)

This is an interesting example of spear phishing targeting private individuals as opposed to a business. In this attack, scammers used social engineering techniques to identify Airbnb targets who were sent out fake emails about GDPR implications. The email advised that the hosts could not accept any more bookings until they accept compliance with GDPR policy from Airbnb. Clicking on the link would take the user to a spoof site that then harvested personal information.

Of course, these are just a few examples of prominent attacks that made it to the front pages of the internet. Many scams, especially the ones that target private individuals are likely never reported but still, perform their mission with devastating precision.

 

Spear phishing protection

Targeted spear phishing attacks are carefully designed to go undetected. Given their highly personalized nature, these attacks are far more difficult to prevent as compared to regular phishing scams. There is no fixed script that can be followed against spear phishing protection, but the following best practices almost always work

 

» 

On-ongoing user education-

This involves constantly educating the users about what spear phishing attacks are, and how to guard against them. Presenting the users with the anatomy of a typical spear phishing attack and outlining the pitfalls of falling victim can make the users more vigilant in dealing with emails involving links and calls to action.

 

» 

Selecting the right technology-

Unlike phishing, spear phishing is significantly harder to detect given the amount of research and prior planning that goes into these scams. Cybercriminals use various techniques to monitor emails, file sharing, and internet browsing activities of target users to meticulously gather background information. Effectively preventing these attacks requires monitoring all these activities and, often, in real-time. For this reason, users must invest in the right technology that is purpose-built for such multi-dimensional threat protection. This is very different to antivirus or other malware protection tools that look only at isolated instances of attack.  

 

While technology alone cannot provide robust protection against spear phishing, it is also certain that general purpose anti-virus or even anti-phishing tools will not suffice. Scammers invest heavily in creating innovative spoofs and the only way to protect against them is to use purpose-built technology that constantly invests into upgrading its capabilities to detect spams. This could be done by incorporating measures against known cases of spear phishing or through using advanced machine learning techniques that can predict the likelihood of an email being part of a spear phishing attack.