Revealing some of the tactics behind a spear phishing attack

Marketing tactics have changed. Gone are the days of mass mailings, marketers now target each individual customer – think of Amazon’s recommendations page. Criminals have learnt the same lesson, as phishing emails are no longer sent to thousands of people. Instead, criminals now target individuals with well-crafted messages that are designed to appeal to them, a practice known as spear phishing.

Spear phishers start by identifying their target. Perhaps they want to get into one company to access its R&D records or to install malware on the network. The first step is to spend some time online researching that company and deciding which employee (or group of employees) they should attack. For instance, a company’s LinkedIn page will reveal the names of individuals who work there.

Criminals will look into those individuals and find out as much as they can about them. An individual’s public LinkedIn profile could reveal his corporate email address (as well as the naming structure used for email addresses at that company) and the names of his supervisor and co-workers. His public Facebook page could reveal personal information, such as how many kids he has, the names of his boss or a co-worker, or a recent conference he attended. A few simple Internet searches of information freely available to the public can provide enough information to develop a well-disguised, credible spear phishing email that is of interest to the recipient.

Once they have done the research, phishers will build their emails. This will include a spoofed email address and will be mocked up to look genuine. For example, they might send an email that looks like it came from the organisers of the recent conference, telling the recipient that she won the draw for a new Kindle Fire, and to click a link for more details.

At first glance that link will look genuine (it will be the underlying URL that in fact takes the user to a different site). Or perhaps it will look like it comes from her boss’s work email account with an attachment to a document marked “2013 Budget – FINAL”. Whatever they do, the criminals will make that email appear genuine and deal with a topic of interest to the recipient.

Inside that email will be the trap they want the recipient to fall for – opening an attachment (which will install malware on the network), clicking a link on a URL, or entering specific information (such as a username and password).

The clever phishers won’t stop there though – they will make the rest of the process look as incongruous as possible so they don’t arouse suspicion. Perhaps the link will take the recipient to a genuine-looking site that says someone will contact them in a month, or the budget spreadsheet might just be empty and look like a mistake.

But the spear phisher has succeeded and managed to get inside the company’s network. Now they can take over your email account and start sending more malicious emails internally; or siphon data from your customer database; perhaps access financial information. For the determined spear phisher, the possibilities are seemingly endless.

Technical controls are of limited use against individual targeted attacks, as well-crafted spear phishes can often slide through an organisation’s filters without being detected, so user education is essential. Users must be trained to look at every email they receive and try to spot the red flags indicating that everything isn’t as it seems – such as spoofed URLS – and try to ensure they don’t fall for them.

Aaron Higbee is the Co-Founder and CTO of PhishMe, Inc. directing all aspects of development and research that drives the feature set of this market leading solution. The PhishMe method for awareness training was incubated from consulting services provided by Intrepidus Group, a company that Aaron Co-Founded with Rohyt Belani in 2007. Aaron remains on the board of directors for Intrepidus Group to ensure it focuses on forging new service lines and attracting motivated researchers and consultants.

Topics