Spear Phishing Protection
How To Protect Yourself from Spear Phishing Threats and Attacks Online
A spear phishing attack is a kind of cybercrime that targets specific individuals in order to fraudulently obtain sensitive information such as financial details, personal information, or business or military secrets.
It is more common in corporate and public sector environments given the higher stakes that can justify the amount of time and effort it takes to create successful spear phishing attacks.
Spear phishing vs. phishing
Phishing is a broader attempt by scammers to trick victims into sharing sensitive information. It is not personalized, and the intention is to reach as many targets as possible in the hope that many of them will fall victim. Phishing attacks are carried out through general-purpose emails that often carry generic information (e.g. name) and information about events that the user may or may not have been part of (e.g. winning a lottery, authorizing a payment).
Spear phishing, on the other hand, is a specialized form of phishing that is hyper-targeted.
The focus here is on creating conviction in emails through heavy prior research which is then followed by very real-looking, legitimate-sounding emails that do the trick. Unlike phishing, scammers often do extensive profiling of the targets and may also include other activities such as monitoring emails, tracking file sharing activities or even social media messages through active spyware.
How spear phishing works
Any spear phishing attack involves two phases:
Researching the target
In spear phishing, the scammer typically already knows some information about the target before making a move. When you consider the amount of personal data available publicly (e.g. job titles, companies, reporting hierarchy at a job, previous employment, names of friends etc.) it is really not that difficult for someone to pose as a trusted party and trick an unsuspecting target into handing over some additional info. This basic information is further enriched with extensive research on social media, business websites, industry portals and other such publications. Social engineering techniques play a prominent role in this phase.
Sending out communication that is most contextually relevant and with the greatest likelihood of success
This is the culmination of all the research and planning. It involves creating the message with fake (but convincing) corporate branding, domain setup etc. and perhaps most importantly, the time at which the communication is actually sent out.
Given their targeted nature, spear phishing attacks typically enjoy a much higher success rate than normal phishing attacks.
Spear phishing attack examples
Spear phishing attacks can be carried out on private individuals or on business employees. Some of the most glaring examples of spear phishing come from the corporate world.
RSA Attack (2011)
Irony struck the security giant RSA in March 2011 when the systems behind the EMC division’s flagship SecurID 2-factor authentication product were compromised using spear phishing. The attackers managed to get one of the targets to open an email attachment which ended up in the installation of a variant of the Poison Ivy Trojan using a zero-day vulnerability in Adobe Flash. Even though RSA managed to spot the attack in progress, the attackers still managed to steal sensitive data from RSA’s network.
Sony Pictures (2014)
This phishing attack apparently had a political motive and was launched by a hacker group named Guardians of Peace, which US investigators traced back to North Korea. Via phishing emails, the attackers managed to install malware and steal sensitive information about Sony Pictures and its employees, along with a large selection of unreleased films, and then managed to permanently delete data from a large part of Sony’s infrastructure. The attackers also demanded that Sony withdraw its film The Interview, a comedy about a plot to assassinate North Korean leader Kim Jong-un, and threatened terrorist attacks at cinemas screening the film. Sony did have to cancel the release in theatres but managed to release a digital copy of the movie instead.
U.S. Department of Energy Attack
One of the most prominent examples of spear phishing in the public sector involves the case of Charles Harvey Eccleston, who pleaded guilty to sending out emails to U.S. Department of Energy employees. These emails carried a virus that could potentially compromise government computers and result in sensitive data about the US nuclear weapons program being sent to foreign governments.
Anthem Medical Data Breach
The health insurance giant Anthem witnessed a devastating phishing attack in 2015, which resulted in the theft of private data of over 35.5 million customers and key employees, including that of Anthem CEO Joseph Swedish. The attack took the form of a phishing email that was opened by five employees and resulted in the download of keystroke logging software. Healthcare data is apparently worth more on the black market than even financial data and could have potentially resulted in profits of millions of dollars for the perpetrators.
Email Marketing Services Company Epsilon Breach
In the corporate environment, one of the biggest spear phishing attacks was that on email marketing services company Epsilon back in 2011. The company maintained large databases of emails from multiple corporate clients and, more importantly, some very rich behavioural data that could be a goldmine for a sophisticated scammer. The attack involved an email with a link to a malicious site, which resulted in the download of three components: Win32.BlkIC.IMG, which disabled anti-virus software; a Trojan keylogger called iStealer, which was used to steal passwords; and an administration tool called CyberGate, which was used to gain complete remote control of compromised systems.
Targeting Airbnb Customers (2018)
This is an interesting example of spear phishing targeting private individuals as opposed to a business. In this attack, scammers used social engineering techniques to identify Airbnb targets who were sent out fake emails about GDPR implications. The email advised that the hosts could not accept any more bookings until they accept compliance with GDPR policy from Airbnb. Clicking on the link would take the user to a spoof site that then harvested personal information.
Of course, these are just a few examples of prominent attacks that made it to the front pages of the internet. Many scams, especially the ones that target private individuals, are likely never reported but still perform their mission with devastating precision.
Spear phishing protection
Targeted spear phishing attacks are carefully designed to go undetected. Given their highly personalized nature, these attacks are far more difficult to prevent than regular phishing scams. There is no fixed script that can be followed for spear phishing protection, but the following best practices almost always work:
Ongoing user education
This involves constantly educating the users about what spear phishing attacks are, and how to guard against them. Presenting the users with the anatomy of a typical spear phishing attack and outlining the pitfalls of falling victim can make the users more vigilant in dealing with emails involving links and calls to action.
Selecting the right technology
Unlike phishing, spear phishing is significantly harder to detect given the amount of research and prior planning that goes into these scams. Cybercriminals use various techniques to monitor emails, file sharing, and internet browsing activities of target users to meticulously gather background information. Effectively preventing these attacks requires monitoring all these activities and, often, in real-time. For this reason, users must invest in the right technology that is purpose-built for such multi-dimensional threat protection. This is very different to antivirus or other malware protection tools that look only at isolated instances of attack.
While technology alone cannot provide robust protection against spear phishing, it is also certain that general-purpose anti-virus or even anti-phishing tools will not suffice. Scammers invest heavily in creating innovative spoofs, and the only way to protect against them is to use purpose-built technology that constantly invests in upgrading its capabilities to detect spam. This could be done by incorporating measures against known cases of spear phishing or by using advanced machine learning techniques that can predict the likelihood of an email being part of a spear phishing attack.
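
The fake branding and domain setup described under "How spear phishing works" leave traces that a mail filter can check before a user ever sees the message. The following is an added example, not code from the original page or from any product: it flags lookalike sender and link domains, impersonated display names and mismatched Reply-To headers. `TRUSTED_DOMAINS`, `PROTECTED_NAMES`, all function names and the sample message are assumptions made up for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example.com"}   # assumption: the organisation's real domains
PROTECTED_NAMES = {"jane doe"}      # assumption: staff who are often impersonated

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss (lookalike) domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain: str) -> bool:
    """True for a domain close to, but not the same as, a trusted one."""
    return domain not in TRUSTED_DOMAINS and any(
        0 < edit_distance(domain, t) <= 2 for t in TRUSTED_DOMAINS)

def domain_of(address: str) -> str:
    return address.rpartition("@")[2].lower()

def spear_phishing_signals(raw: str) -> list[str]:
    """Return the impersonation signals found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom, signals = domain_of(addr), []
    if is_lookalike(from_dom):
        signals.append("lookalike-sender-domain")
    if name.lower() in PROTECTED_NAMES and from_dom not in TRUSTED_DOMAINS:
        signals.append("protected-name-external-domain")
    reply_dom = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_dom and reply_dom != from_dom:
        signals.append("reply-to-mismatch")
    body = str(msg.get_payload())
    if any(is_lookalike(h.lower()) for h in re.findall(r"https?://([^/\s:]+)", body)):
        signals.append("lookalike-link-host")
    return signals

# Constructed sample message (not taken from a real incident)
SAMPLE = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe@mail-relay.test
Subject: Urgent: invoice approval

Please review today: https://exarnple.com/invoice
"""
```

An edit-distance threshold of 2 suits longer domains; for very short trusted domains it should be lowered to avoid flagging unrelated legitimate senders.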