Introduction to Spear Phishing
In a previous blog post, we explained the Basics of Phishing. This post will go into detail on Spear Phishing.
What is Spear Phishing?
Phishing is a scam delivered over electronic communication, most often e-mail, that aims to steal sensitive data such as credentials, or to lead the user to a bogus site that harvests that data or delivers malware.
Spear Phishing differs from other types of Phishing attack in that it is aimed at a specific person or organisation. The attacker first learns details about the individual they plan to target using Open Source Intelligence (OSINT) gathering techniques, then uses those details to make the scam more believable and, as a result, more successful. If an e-mail contains accurate, factual information about the victim (their colleagues, projects, suppliers or travel), they are far more likely to trust it.
What is the Risk of Spear Phishing?
Spear Phishing has led to many data breaches, identity theft cases and the loss of large sums of money. Some examples include:
- Ubiquiti Networks Inc. lost $46.7 million as a result of a Spear Phishing attack in which staff were tricked into making payments to attacker-controlled accounts.
- The RSA security unit of data-storage giant EMC Corp had data relating to its SecurID products harvested in 2011 after an employee opened an Excel spreadsheet named “2011 Recruitment plan.xls”, which contained an embedded malicious Flash object.
- Chinese military hackers allegedly stole American trade secrets through cyber espionage campaigns that gained their initial foothold with spear phishing e-mails.
Why does Spear Phishing Pose a High Risk to a Business?
As the attacker has gathered so much information about a company before carrying out the attack, they may know details such as staff schedules and current tasks. This makes it easy for the attacker to find a relevant, timely topic to scam people with. For example, if the attacker knew that a member of staff was on holiday on a specific day, they could send an e-mail claiming to be that employee, explaining that they cannot access their work account and must use a personal e-mail address instead. From this point, they are free to ask for things such as invoices, payments or sensitive data, and because the story fits what the recipient already knows, it is rarely questioned. Clever attackers who use schemes such as this are quite likely to succeed.
How can we Defend against Spear Phishing?
Spear Phishing is very difficult to identify. The main defence against these attacks is awareness. As these e-mails aren’t obvious, spam filters will not always protect you from them. Dubious e-mails should be followed up with a phone call to a number you already have on record (never one supplied in the e-mail itself) before any action is taken; staff should be told that they will never receive work requests from personal e-mail addresses, and should check both the sender’s real address and the Reply-To address, not just the display name; and recipients must check where links actually go before they are clicked on, since the visible link text can be made to show one domain while the link leads to another.
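The three checks above (a staff member's name on a personal webmail address, a Reply-To that differs from the sender, and link text that shows one domain while the href points to another) can be applied mechanically to an incoming message. The following is an added example written for this post, not code from Pentest People's platform. The staff directory, the corporate domain `example.com`, the list of webmail domains and the sample message are all constructed for the example; the `registrable()` helper is a deliberate simplification (last two labels) and production code would use the public suffix list.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed, hypothetical environment: who works here and which webmail
# providers staff have been told they will never receive work requests from.
STAFF = {"jane doe": "jane.doe@example.com"}
PERSONAL_WEBMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}

# Link text that itself looks like a URL or bare domain, e.g. "portal.example.com".
DOMAIN_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/\S*)?$", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    # Simplification: treat the last two labels as the registrable domain.
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def find_indicators(raw):
    """Return a list of human-readable spear-phishing indicators for one RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = addr.rpartition("@")[2].lower()
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    reply_domain = reply.rpartition("@")[2].lower()

    # 1. A known employee's display name arriving from a personal webmail account.
    if name.lower() in STAFF and from_domain in PERSONAL_WEBMAIL:
        findings.append(f"staff name '{name}' from personal webmail {from_domain}")

    # 2. Replies are silently redirected to a different domain than the sender.
    if reply and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 3. Link text displays one domain while the href resolves to another.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = LinkExtractor()
        parser.feed(body.get_content())
        for href, text in parser.links:
            href_host = urlparse(href).hostname or ""
            match = DOMAIN_RE.match(text)
            if match and registrable(match.group(1)) != registrable(href_host):
                findings.append(f"link text '{text}' points to {href_host}")
    return findings


# Constructed sample of the "colleague on holiday" pretext described above.
SAMPLE = """\
From: Jane Doe <jane.doe.personal@gmail.com>
Reply-To: Jane Doe <jd.invoices@outlook.com>
To: accounts@example.com
Subject: Urgent invoice while I'm away
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Hi, I'm on leave and can't get into my work mail.
Please pay the attached invoice today and confirm on
<a href="http://example-com.evil.test/login">portal.example.com</a>.</p>
<p>Policy: <a href="https://www.example.com/expenses">www.example.com/expenses</a></p>
</body></html>
"""

# Constructed legitimate internal message for comparison.
CLEAN = """\
From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Expense policy
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><a href="https://www.example.com/expenses">www.example.com/expenses</a></body></html>
"""

if __name__ == "__main__":
    for line in find_indicators(SAMPLE):
        print("INDICATOR:", line)
    print("clean message indicators:", find_indicators(CLEAN))
```

Run against the constructed sample, the function reports all three indicators; the legitimate message produces none. None of these checks is proof of an attack on its own, which is why the post recommends a phone call to a known number before acting; the value of automating them is that they surface exactly the messages that deserve that call.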
Pentest People have a full Phishing Platform that can be used as part of a Social Engineering engagement. Be sure to get in touch with us if this is something of interest.