2nd March, 2020
Spear Phishing is a widely used technique by malicious actors with an estimated 88% of global organisations being targeted by Spear Phishing in 2019, according to a survey conducted by Proofpoint.
Spear Phishing provides an excellent opportunity for malicious actors to bypass security systems and deliver malware to victims within an organisation, without ever having to enter the network or organisation in person.
Spear Phishing attacks are increasing every year and falling victim to such an attack can have devastating consequences for both organisations and individuals, therefore it is essential to know what to look out for and how to prevent becoming the next victim.
WHAT IS THE DIFFERENCE BETWEEN PHISHING AND SPEAR PHISHING?
Spear Phishing stems from Phishing. Phishing is the technique of sending a scattergun blast of emails to a large number of victims and hoping that at least one person will reply with personal information or open a link in order to release malware of some description.
Spear Phishing, however, is much more refined. It is a targeted attack on specific individuals, usually via email (although it can be executed via phone calls, text messages, applications or social networks), with the intent to either infect the victim’s device with malware or trick them into replying with sensitive information.
The attacker’s ultimate goal is to gain access to the individual’s device so they can gather sensitive information and/or gain further access to their accounts and data. Due to the success of Spear Phishing we’ve witnessed increased phishing attacks year on year, with no signs of it being stopped.
BREAKDOWN OF AN EMAIL SPEAR PHISHING ATTACK
This breakdown focuses on the email vector of Spear Phishing, however the same principle applies to the other methods.
An unsuspecting target receives an email that portrays itself as coming from a legitimate and trusted source by mimicking the mannerisms and style of real trusted sources. This tricks the user into thinking the email is safe and that any links within it can be trusted, when in reality these links lead to websites capable of infecting their device with malware.
Alternatively, the email may not contain any links at all and is instead intended to trick the user into replying with sensitive information. The malicious actor can then use this information to gain access to their accounts or organisation, or for further social engineering against their organisation, as in the image below.
FIGURE 1 – AMAZON PRIME SUBSCRIPTION PHISHING ATTEMPT
The attack relies on the malicious actor’s ability to trick the recipient into thinking the email is legitimate. In the above example, the user has an Amazon Prime account associated with the email address to which the Spear Phishing attempt was sent, and that subscription had recently been renewed. Whilst a Phishing email would likely be much more vague, i.e. ‘Dear sir/madam’, a Spear Phishing attack is deliberate and tailored to its target.
This makes a Spear Phishing attack much more difficult to identify, and with employees not being trained to know what signs to look out for, or simply through a lack of vigilance, the attacks are becoming more and more successful.
HOW DAMAGING CAN SPEAR PHISHING BE?
One of the highest-profile attacks initiated via a Spear Phishing email was the 2015 attack on the Ukrainian power grid. Attackers covertly gained access to the systems used throughout the Ukrainian power grid months before they executed their main attack, which resulted in a power outage affecting thousands of end users.
Whilst the final attack was a carefully orchestrated operation using a number of different vectors, from Denial-of-Service against customer call-centres to IT destabilisation and SCADA system infection, the point of infiltration was a Spear Phishing email opened by one of their employees. This attack highlights the possible scope of damage a single Spear Phishing email can have on an entire organisation.
WHAT STEPS CAN YOU TAKE TO PROTECT YOURSELF?
There are a number of ways to protect yourself and your organisation from Spear Phishing attacks. The first line of defence is reducing the human error factor: train yourself and your employees to know what to look out for and what to do if they think they’ve encountered a Spear Phishing attempt. Letting your IT security team know you may have received a Spear Phishing attempt will allow them to assess whether it was a spam attempt or whether your organisation is being targeted specifically.
On an IT level there are a number of measures you can take, such as encryption to prevent data access without correct authentication, multi-factor authentication, DMARC authentication to prevent domain spoofing, and proactively investigating any reports of a possible Phishing attempt.
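To show why DMARC stops a spoofed sender domain, the following added example (not code from the original article) parses a DMARC DNS record and applies its policy to a message’s SPF and DKIM results. The domains, record contents and the simplified organisational-domain heuristic are constructed assumptions for illustration.

```python
# Added example (not part of the original article): parse a DMARC DNS TXT
# record and apply its policy to a message's SPF/DKIM results, showing how a
# 'p=none' record lets a spoofed From: domain through while 'p=reject' stops it.
# All domains and authentication results below are constructed.

def parse_dmarc(txt):
    """Turn 'v=DMARC1; p=reject; ...' into a dict of tags; None if not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    return tags

def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: 's' = exact match, 'r' = same organisational domain."""
    if auth_domain is None:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    # Simplification: treat the last two labels as the organisational domain
    # (real implementations use the Public Suffix List).
    org = lambda d: ".".join(d.lower().split(".")[-2:])
    return org(auth_domain) == org(from_domain)

def dmarc_disposition(record, from_domain, spf, dkim):
    """spf/dkim are (result, authenticated_domain) tuples.
    Returns 'pass', the record's policy (none/quarantine/reject) or 'no-policy'."""
    tags = parse_dmarc(record)
    if tags is None:
        return "no-policy"          # no DMARC record: spoofing goes unchecked
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim[0] == "pass" and aligned(dkim[1], from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return tags["p"]

if __name__ == "__main__":
    weak = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
    strong = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com"
    # Constructed spoof: From: example.com, but SPF only passed for the sender's own domain
    spoof_spf = ("pass", "attacker.example.net")
    spoof_dkim = ("fail", None)
    print(dmarc_disposition(weak, "example.com", spoof_spf, spoof_dkim))    # none
    print(dmarc_disposition(strong, "example.com", spoof_spf, spoof_dkim))  # reject
```

A 'p=none' record only reports the spoof; only 'quarantine' or 'reject' tells receiving mail servers to act on it.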
User error is human; therefore, as long as humans remain the ultimate end user in a network, social engineering attacks such as Spear Phishing will continue. However, with training and appropriate security procedures and policies in place, organisations can reduce the risk of falling victim, or at least limit the fallout if they do.