Phishing is the broad term for any attempt to obtain a victim's sensitive information, such as passwords, usernames, and credit card details, for malicious purposes. Unlike generic phishing, spear-phishing attacks are personalised to their victims. Spear phishing is an email-spoofing attack, tailored to the recipient, that targets a specific organisation or individual in order to gain unauthorised access to sensitive information. Spear-phishing attempts are not usually launched by random hackers; they are more likely to be carried out by cybercriminals seeking financial gain or looking to install malware.
Characteristics of a Spear Phishing Attack
A spear-phishing attack can exhibit one or more of the following characteristics:
- Blended or multi-vector threat: Spear phishing uses a blend of email spoofing, dynamic URLs and drive-by downloads to bypass traditional defences.
- Use of zero-day vulnerabilities: Advanced spear-phishing attacks leverage zero-day vulnerabilities in browsers, plug-ins and desktop applications to compromise systems.
- Multi-stage attack: The initial exploit of systems is the first stage of an APT attack that involves further stages of malware outbound communications, binary downloads and data exfiltration.
- Well-crafted email forgeries: Spear-phishing emails are usually targeted at individuals, so they bear little resemblance to the high-volume, broadcast spam that floods the Internet. As a result, traditional reputation and spam filters routinely miss these messages, rendering conventional email protections ineffective.
Source: Verizon 2016 DBIR
According to the FBI, “spear-phishers have netted some $2.3 billion since 2013 in a variety of semi-sophisticated, global email frauds.” This appetite for profit has paved the way for ransomware, a type of malware that is now found in more than 90 percent of phishing emails.
How to protect against Spear Phishing?
Any form of phishing can ultimately lead to the compromise of sensitive data. As email is the most common entry point of targeted attacks, it is important to secure this area against spear phishing attacks.
- Training and awareness of employees: Employee education is critical to combating the different phishing techniques. Training employees to spot misspellings, odd vocabulary, and other indicators of suspicious emails can prevent a spear-phishing attack from succeeding. In addition, enterprises need an expanded, layered security solution that gives network administrators the visibility, insight, and control needed to reduce the risk of targeted attacks, whatever the attacker's vector of choice.
- Passwords should be strong: There should be a strict and strong password policy in an organization. Do not just use one password or variations of passwords for every account that you own. Reusing passwords or password variations means that if an attacker has access to one of your passwords, they effectively have access to all of your accounts. Every password that you have should be different from the rest – passwords with random phrases, numbers, and letters are the most secure.
- Keep software updated: Most software vendors ship security updates that help protect you from common attacks. Where possible, enable automatic software updates.
- Do not click links in emails: If an organization, such as your bank, sends you a link, launch your browser and go directly to the bank’s site instead of clicking on the link itself. You can also check the destination of a link by hovering your mouse over it. If the URL does not match the link’s anchor text or the email’s stated destination, there is a good chance that it could be malicious. Many spear-phishing attackers will try to confuse link destinations by using anchor text that looks like a legitimate URL.
- Check the source before opening emails: If you get an email from a known source asking for personal information including your password, carefully check to see if their email address is one that you have seen them use in the past.
- Implement a data protection solution: A data protection solution will help to prevent data loss due to spear-phishing attacks. It will protect sensitive data from unauthorized access or egress, even if a user falls for a phishing scam.
A case of Spear Phishing
One of the most prominent examples of a spear-phishing attack that succeeded despite its suspicious nature targeted the security firm RSA in 2011.
The attackers sent two different targeted phishing emails to four workers at RSA’s parent company EMC. The emails contained a malicious attachment with the file name “2011 Recruitment plan.xls,” which contained a zero-day exploit.
When one of the four recipients clicked on the attachment, the exploit attacked a vulnerability in Adobe Flash to install a backdoor onto the victim’s computer.