The news is full of reports of “spear-phishing attacks” being used against governments, large corporations, and political activists. Spear-phishing attacks are now the most common way corporate networks are compromised, according to many reports.
Spear-phishing is a newer and more dangerous form of phishing. Instead of a casting a wide net in hopes of catching anything at all, the spear-phisher crafts a careful attack and aims it at individual people or a specific department.
Phishing Explained
Phishing is the practice of impersonating someone trustworthy to try and acquire your information. For example, a phisher might sent out spam emails pretending to be from Bank of America asking you to click a link, visit a fake Bank of America website (a phishing site), and enter your banking details.
Phishing isn’t just limited to email, however. A phisher could register a chat name like “Skype Support” on Skype and contact you via Skype messages, saying that your account was compromised and they need your password or credit card number to verify your identity. This has also been done in online games, where scammers impersonate game administrators and send messages asking for your password, which they would use to steal your account. Phishing could also happen over the phone. In the past, you may have received phone calls claiming to be from Microsoft and saying you have a virus you must pay to remove.
Phishers generally cast a very wide net. A Bank of America phishing email may be sent to millions of people, even people who don’t have Bank of America accounts. Because of this, phishing is often fairly easy to spot. If you don’t have a relationship with Bank of America and get an email claiming to be from them, it should be very clear that the email is a scam. Phishers depend on the fact that, if they contact enough people, someone will eventually fall for their scam. This is the same reason we still have spam emails – someone out there must be falling for them or they wouldn’t be profitable.
Take a look at the anatomy of a phishing email for more information.
How Spear Phishing Is Different
If traditional phishing is the act of casting a wide net in hopes of catching something, spear phishing is the act of carefully targeting a specific individual or organization and tailoring the attack to them personally.
While most phishing emails aren’t very specific, a spear-phishing attack uses personal information to make the scam seem real. For example, rather than reading “Dear Sir, please to click this link for fabulous wealth and riches” the email may say “Hi Bob, please read this business plan we drafted at Tuesday’s meeting and let us know what you think.” The email may appear to come from someone you know (possibly with a forged email address, but possibly with a real email address after the person was compromised in a phishing attack) rather than someone you don’t know. The request is more carefully crafted and looks like it could be legitimate. The email could refer to someone you know, a purchase you’ve made, or another piece of personal information.
Spear-phishing attacks on high-value targets can be combined with a zero-day exploit for maximum damage. For example, a scammer could email an individual at a particular business saying “Hi Bob, would you please take a look at this business report? Jane said you would give us some feedback.” with a legitimate-looking email address. The link could go to a web page with embedded Java or Flash content that takes advantage of the zero-day to compromise the computer. (Java is particularly dangerous, as most people have outdated and vulnerable Java plug-ins installed.) Once the computer is compromised, the attacker could access their corporate network or use their email address to launch targeted spear-phishing attacks against other individuals in the organization.
A scammer could also attach a dangerous file that’s disguised to look like a harmless file. For example, a spear-phishing email may have a PDF file that’s actually an .exe file attached.
Who Really Needs to Worry
Spear-phishing attacks are being used against large corporations and governments to access their internal networks. We don’t know about every corporation or government that has been compromised by successful spear-phishing attacks. Organizations often don’t disclose the exact type of attack that compromised them. They don’t even like to admit they’ve been hacked at all.
A quick search reveals that organizations including the White House, Facebook, Apple, the US Department of Defense, The New York Times, the Wall Street Journal, and Twitter have all likely been compromised by spear-phishing attacks. Those are just a few of the organizations we know have been compromised – the extent of the problem is likely much greater.
If an attacker really wants to compromise a high-value target, a spear-phishing attack – perhaps combined with a new zero-day exploit purchased on the black market – is often a very effective way to do so. Spear-phishing attacks are often mentioned as the cause when a high-value target is breached.
Protecting Yourself From Spear Phishing
As an individual, you’re less likely to be the target of such a sophisticated attack than governments and massive corporations are. However, attackers may still attempt to use spear-phishing tactics against you by incorporating personal information into phishing emails. It’s important to realize that phishing attacks are becoming more sophisticated.
When it comes to phishing, you should be vigilant. Keep your software up-to-date so you’re better protected against bring compromised if you click links in emails. Be extra cautious when opening files attached to emails. Beware of unusual requests for personal information, even ones that seem as if they could be legitimate. Don’t re-use passwords on different websites, just in case your password does get out.
Phishing attacks often try to do things that legitimate businesses would never do. Your bank will never email you and ask for your password, a business you’ve purchased goods from will never email you and ask for your credit card number, and you’ll never get an instant message from a legitimate organization asking you for your password or other sensitive information. Don’t click links in emails and give out sensitive personal information, no matter how convincing the phishing email and phishing site is.
Like all forms of phishing, spear-phishing is a form of social engineering attack that is particularly hard to defend against. All it takes is one person making a mistake and the attackers will have established a toehold in your network.
Image Credit: Florida Fish and Wildlife on Flickr