What is spear phishing?
Spear phishing is a type of “targeted phishing” attack in which a cybercriminal focuses their efforts on a specific entity or individual, using individualized text messages or emails to access confidential information. These types of phishing campaigns commonly incorporate information of interest to victims in order to gain their trust.
How spear phishing works
To prepare for a spear phishing attack, a cybercriminal investigates his victims to gather information that he can use to impersonate a trusted source. Using that information, the attacker contacts his victim via text message or email, attempting to get him to interact with the message in a way that will ultimately reveal sensitive data or take some action that may benefit him in some way. to the attacker.
Below, we break down the detailed process of how a spear phishing attack works:
1. The aggressor or cybercriminal entity determines specific information they wish to obtain, for example: a Social Security number, financial information or account login details, among others.
2. Conduct research on individuals or organizations through public profiles on social networks or company websites. This study seeks to find specific data from a member of an organization or collaborator of its target, which it will later use to design a personalized attack in which it can develop a completely credible impersonation.
3. If possible, investigate the cybersecurity protections your victim may have, including antivirus software, to find vulnerabilities you can exploit so that if you need to deploy malware on the victim’s computer, you are not hindered technique or a defensive solution that prevents it.
4. Send a personal message to your victim. The message usually contains an urgent request and is usually sent by email, social networks, phone call (vishing) or via text message or instant messaging application (smishing).
It should be noted that, sometimes, the attacker uses a previous message that has nothing to do with the attack but that gets the recipient to lower their guard and establish cordial communication with the cybercriminal. In these messages, victims are not asked to take any action and are usually friendly messages that establish a link that the cybercriminal will then take advantage of to carry out their plan. Furthermore, this communication helps the attacker to know what degree of collaboration the victim offers. Once she verifies that the victim is receptive to her messages and does not identify him as a threat, she will execute the next step.
5. Convince your victim to give in to your requests so that they carry out an information leak, providing you with the data you want (which you can use to commit fraud or another malicious act) or perform some action normally for the benefit of the cybercriminal, such as a bank transfer, to the detriment of the attacked company or a third party that the cybercriminal needs to attack.
The success of a spear phishing campaign depends largely on how much prior research and customization goes into the attack. This is why these attacks are carefully organized and executed with patience and time. Government-sponsored hackers are often identified with attack plans and infiltrations that can span years, focusing on quality over quantity.
To appear as trustworthy sources, cybercriminals carry out a deep reconnaissance of their victims, which is one of the biggest differences between traditional phishing and spear phishing. Due to the detail and personalization that an attack often entails, spear phishing can be understood as one of the most advanced forms of social engineering.
What is the difference between phishing and spear phishing?
The biggest difference between traditional phishing and spear phishing is that a spear phishing attack targets a specific person or organization, while phishing is a more generic cyber attack that typically targets a large group of people.
Attackers carefully vet potential victims to find those who have the data or information they want and personalize their messages to convince them to trust them. In fact, to carry out a spear phishing attack, it is possible that cybercriminals previously use other types of attacks that allow them to extract the necessary information with which to tailor their attack, so that it is as convincing as possible.
For example, if I were a cybercriminal intending to attack “company A”, if I know that their supplier of a certain product is “company B” and I manage to complete an attack on this supplier, so that I can credibly impersonate your identity, the attack on “company A” will be much easier and more credible.
Phishing emails are often sent to hundreds or thousands of recipients simultaneously with little personalization in the body of the message. However, in the case of spear phishing, cybercriminals often impersonate a friend, boss, family member, brand or organization known to be of interest to the attacker, generating a unique email, to gain their trust and trick them into providing them. information or act according to your wishes.
Ultimately, the intent of phishing and spear phishing is the same: to acquire private information for malicious purposes. However, because spear phishing attacks are well crafted and feature more personalized messages, they can be much harder to detect.
Examples of spear phishing
Spear phishing techniques, being personalized, differ depending on the type of purpose the attacker wants to achieve and who they are targeting. Here are some examples of spear phishing to consider:
CEO Fraud Scams
CEO fraud and spear phishing
CEO fraud scams, often also known as “CEO fraud,” are a variant of this scam, which often uses spear phishing. On this occasion, cybercriminals pose as a high-level executive or someone influential in the production chain, to get an employee with certain executive power to comply with an urgent request or disclose important data.
The variant called “whaling” or whaling is an attempt to execute a social engineering attack, which often makes use of spear phishing, directed at a high-level executive. That is, the cybercriminal’s objective is to deceive someone on the board or with an important position in the organization using personalized phishing.
For example, a fake CEO could email an employee over a weekend and ask them to complete a wire transfer to a contractor, indicating that this operation is of vital importance to the company. If the employee completes the transfer, he could simply be transferring company funds to the account established by the attacker.
Let’s look at some real examples of spear phishing:
Snapchat – 2016
In the dizzying world of technology and communication, cases of virtual attacks on important companies, such as Snapchat, are not a rarity. A landmark 2016 phishing scam on the popular Snapchat messaging service involved a human resources employee in an imposter’s game. Presenting himself as Snapchat CEO Evan Spiegel, the scammer managed to solicit significant payroll and stock option information from current and former employees.
FACC – 2016
Similarly, scammers targeted the reputed Austrian aerospace manufacturing firm, FACC. In a classic CEO impersonation move in 2016, a transfer of $55.8 million to unidentified offshore accounts was triggered. The effects of the attack quickly shook FACC’s work environment, causing the dismissal of several senior company officials, including the CEO and CFO.
Ubiquiti Networks – 2015
On the other hand, the world of finance has not been spared from these tricks either. In 2015, the renowned Ubiquiti Networks fell into a deceptive trap, when its Hong Kong subsidiary was convinced to move $46.7 million to foreign accounts unrelated to the company. Despite managing to recover $14.9 million, the negative effects on his reputation could no longer be turned back.
EMT Valencia – 2019
The former executive of the EMT of Valencia, Celia Zafra, was the victim of a million-dollar scam that led to the waste of four million euros from the public entity. She was deceived by a supposed lawyer who pretended to negotiate a deal with China, causing her to be fired after the scam was revealed. As she sought and tried to recover funds sent to China, Zafra experienced legal repercussions, even though she denied her guilt and accused her prosecution of being politically motivated. Although she was compensated, the Supreme Court confirmed her dismissal, and the Court of Auditors found her guilty, requiring her to repay the defrauded money. Actions are underway to determine her criminal liability and trace the fraudulently transferred funds.
FBI as a hook – 2008
Finally, it is worth noting one of the first documented examples of these scams. In 2008 the FBI subpoena campaign was unleashed. The scammers had a high target of approximately 20,000 CEOs, successfully recruiting an impressive 2,000. Managers were tricked into clicking a malicious link presented as a browser security add-on; However, what it really did was install a keylogger (a program that records the keys pressed on the victim’s keyboard and sends them to the attacker) to record their credentials and passwords.
Spear Phishing and Ransomware
Spear phishing emails can be deceptively sophisticated, often choosing to send malware rather than explicitly request sensitive information. For example, an attacker can camouflage it as an innocent attachment, transforming a simple email into “a bomb” ready to hijack your devices and data.
As we have already seen, spear phishing can be covered with the cloak of familiarity; A cybercriminal could impersonate a friend or relative. A link to a “funny video” may seem harmless, but one click is enough to trigger a ransomware attack, making your device information available to attackers.
Ransomware is especially destructive, having your data hijacked by this form of malware often results in placing the organization in a dead end. Decrypting the data can be nearly impossible without meeting ransom demands, and even if compromised, recovery is not guaranteed. Therefore, anticipatory action is imperative. Possessing a deep understanding of how spear phishing can contain ransomware and taking measures for comprehensive cybersecurity protection is essential to safely navigate today’s digital world.
Tips to protect yourself from spear phishing attacks
Here we propose some valuable tips that will help avoid falling into spear phishing attacks:
– Carefully examine the sender’s addresses
Attackers often impersonate known people or entities, but have difficulty replicating their language and tone. If you notice something strange in an email, examine the sender address; There can usually be small spelling variations, such as the number “0” instead of the letter “o.”
– Check links beforehand
If an email has a link, move your cursor over the URL to check its destination. A cybercriminal can subtly manipulate the characters in the link. If it seems suspicious or you have doubts, refrain from clicking. Instead, go directly to the website on your own through your usual search engine.
– Confirm through other communication channels
If it seems suspicious that “that friend” or that trusted work contact sends you an email requesting private information, it could be an attacker. Use another means of communication, such as a call or video call, to confirm if the email is legitimate.
– Protect personal information
Avoid sharing your account, phone, or financial details with anyone online. And be careful with the information you publish on social networks. Keeping your personal information private can prevent spear phishing attacks by making it more difficult for attackers to access your data.
– You should know that everything you publish on the internet is beyond your control
Every time you post something on social media or create an account for some purpose, even a questionnaire, you are providing more personal data on the web. Before you know it, details from your hometown to your pet’s name could be in the hands of data brokers or attackers. Once this data is in the public domain, even if you delete it, you will most likely no longer have control over who may have collected it to make use of it.
– Keep your software up to date
Software updates often contain fixes for critical device security vulnerabilities, so it’s crucial to keep your operating system and all of your programs and applications up to date.
– Recognize the signs of spear phishing
One of the most efficient strategies to protect yourself from spear phishing is to be aware of the common characteristics of these attacks, such as urgent requests, unsolicited messages from a “trusted” source, unsolicited links or attachments, or requests for information. staff. Always report an email as spam or phishing if you are suspicious.
– Handle the situation appropriately
If you think you have accidentally clicked on a spear phishing link, disconnect from the network immediately to avoid installing malware. Afterwards, change all your passwords from another device. Finally, perform a malware scan on your device to detect and remove potential malware.
– Report to whom appropriate
In any case, if you suspect that you may be a victim of spear phishing, do not interact with the email or the attacker and report it as soon as possible to the relevant authorities. If this happens at a corporate level, notify your organization’s security team immediately.
– Prevents using second factor authentication
Remember that it is much more complex for a cybercriminal to get their way if you have activated the second factor of authentication (2FA) wherever its activation is possible.
– Have a state-of-the-art awareness solution
It is essential that people, the priority target of cybercriminals, are duly aware. To achieve this, in the corporate sphere it is vitally important to have a comprehensive solution that allows those responsible for cybersecurity to ensure that their employees know what the threats are (in this case, spear phishing) and everything it entails.
Kymatio offers a solution for employee cyber risk management, information security awareness and credential exposure risk management: lean on the most advanced solution on the market to minimize risks.