One of the most dangerous and successful types of cyber attack is the spear phishing attack. It is a sophisticated, well-engineered attack designed to penetrate the defenses of a targeted victim, and it has a high likelihood of success. The attacker knows enough about the victim to communicate under an assumed identity and dupe the victim into letting them infiltrate the system or network.
Phishing and Spear Phishing
Phishing in general goes after a large number of low-yield targets, whereas spear phishing aims at specific targets using emails specially crafted for the intended victim. Phishing adversaries do not care who their victim is, but spear phishing actors know exactly what they are after, and this is precisely what makes them so dangerous and successful. The victim is targeted repeatedly, and eventually the bait works.
Where mass phishing primarily involves automated off-the-shelf kits that gather credentials en masse through faux log-in pages for common banking or email services, or that spread ransomware or cryptomining malware, spear phishing attacks are more complicated. Some targeted campaigns use documents containing malware or links to credential-stealing sites to steal sensitive information or valuable intellectual property, or simply to compromise payment systems. Others avoid malicious payloads altogether and instead use social engineering to hijack business processes for a small number of large payouts via a single bank transfer or a series of them.
Deep observation is the key to spear phishing
Spear phishing relies on a large amount of observation carried out over a period of time. Threat actors might start with emails harvested from a data breach, but supplement that with a host of information easily found online. The Nigerian criminal group known as London Blue has even used legitimate commercial lead generation sites to gather information on CFOs and other finance department employees. The level of professionalism behind this kind of reconnaissance is high.
Social media such as LinkedIn and Twitter provide insight into roles, responsibilities and professional relationships within an organization, and thus help inform who is best to both target and impersonate. Company websites might provide insight into processes, suppliers and technology, while the likes of Facebook and Instagram might provide personal insight into potential targets that could be leveraged.
By combining all this information, a persona can be carefully crafted so that the receiver believes whatever the sender wants them to believe. Recently a Chinese hacker group duped the Indian arm of an Italian company out of about INR 130 crore by making it look as if the parent company in Italy was requesting the money for a top-secret deal.
Whaling and Spear Phishing
Since spear phishing attacks are often used to impersonate people in positions of power and decision-making, they are also known as whale phishing attacks: employees are more likely to listen to someone at the top level. Such targets are both highly valuable and highly available to the criminals.
Some other targeted attacks involving texting or voice calls are known as smishing and vishing, respectively, and follow similar patterns as email-based attacks.
Prevention against Spear phishing attacks
Beyond standard controls such as spam filters, malware detection and antivirus, the most important defenses against spear phishing attacks are phishing simulation tests, user education, and an established process for users to report suspicious emails to the IT security team. Advanced AI/ML-driven defenses are also needed to keep up with the more sophisticated attacks.
This is crucial because education is the key to staying secure. Organizations need to put both technical and human controls in place to mitigate the threat of spear phishing. Something as simple as an external-sender tag on incoming mail can red-flag a reader into considering the possibility that something is not right about the message.
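As an added illustration of the external-tag control described above (example code written for this page, not from any product or vendor), the following mail-gateway style check tags mail from outside the organisation and additionally flags the whaling pattern the article describes: a trusted executive's display name arriving from an external address, optionally with a mismatched Reply-To. The internal domain, the protected names and the sample messages are all constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed settings: the organisation's own domain and the display
# names of senior staff most likely to be impersonated (hypothetical).
INTERNAL_DOMAINS = {"example.com"}
PROTECTED_NAMES = {"jane doe", "john smith"}
EXTERNAL_TAG = "[EXTERNAL]"


def classify_message(raw: bytes) -> dict:
    """Return tagging/flag decisions for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    external = domain not in INTERNAL_DOMAINS

    # Whaling pattern: a known executive's name on an external address.
    impersonation = external and display.strip().lower() in PROTECTED_NAMES

    # A Reply-To that differs from the sender diverts the conversation
    # to an address the reader never sees; treat it as a second red flag.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    reply_to_mismatch = bool(reply_to) and reply_to.lower() != addr.lower()

    subject = str(msg.get("Subject", ""))
    if external and not subject.startswith(EXTERNAL_TAG):
        subject = f"{EXTERNAL_TAG} {subject}"  # the simple tag from the text

    return {
        "external": external,
        "impersonation": impersonation,
        "reply_to_mismatch": reply_to_mismatch,
        "subject": subject,
    }


# Constructed sample messages (not real mail).
SAMPLE_EXTERNAL = (
    b'From: "Jane Doe" <jane.doe@mail.example.net>\r\n'
    b"Reply-To: <finance-desk@example.org>\r\n"
    b"To: accounts@example.com\r\n"
    b"Subject: Re: pending payment\r\n\r\n"
    b"Please process the attached invoice today.\r\n"
)
SAMPLE_INTERNAL = (
    b'From: "Jane Doe" <jane.doe@example.com>\r\n'
    b"To: accounts@example.com\r\n"
    b"Subject: Team update\r\n\r\n"
    b"Notes from this morning's meeting are attached.\r\n"
)
```

Either flag would be reason to quarantine or to route the message to the security team's reporting queue rather than deliver it untouched.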