What is Spear Phishing: Defined, Explained, and Explored


When LinkedIn and Facebook downplayed any threats from data scraping on these sites, they were right. There was no threat in it for them, but the danger was for you and me. An attacker can effortlessly weaponize this data to create a sophisticated spear-phishing attack. Read on to learn what spear phishing is and how to keep yourself protected.

Spear Phishing is a highly focussed attack in which the attacker engages the victim through electronic communication (email, text message, or a call) while pretending to be a trusted entity, with the end goal of extracting sensitive information, obtaining a fund transfer, or installing malware.

Spear phishing typically uses a combination of email spoofing, dynamic URLs, and drive-by downloads to bypass traditional defenses.

Difference between Phishing and Spear Phishing

Though Spear Phishing is a kind of phishing attack, there is a big difference between Phishing and Spear Phishing.

A Phishing attack is an attack where a cybercriminal pretends to be a reputable source and targets many individuals using emails (or messages) to get them to reveal sensitive information or to deploy malware.

While phishing attacks are more like “spray and pray,” Spear Phishing is more like a professional, seasoned hunter researching its prey in depth, analyzing its behavior patterns, likes, and dislikes, learning when it’s the most vulnerable, and finding the best way to attack it. That makes it hundreds of times more likely to succeed.

Social web platforms like LinkedIn, Facebook, and Twitter provide the attacker with in-depth personal and professional insights: the potential target’s role, personal and professional network, hobbies, interests, and more.

Seldom attackers use data scraping to collect and research the information. Please refer to our earlier blog post if you would like to know more about data scraping.

A report from security firm SlashNext highlighted that only 15% of phishing attacks in 2020 used email communication and the rest used a different attack vector.


As per the FBI internet crime report for 2020, BEC/EAC attacks on more than 19,369 victims cost organizations and individuals in the USA $1,866,642,107 in 2020. It is also worth mentioning that this is many times the $54,241,075 lost in Phishing/Vishing/Smishing and Pharming attacks.

Types of Spear Phishing attacks

Spear Phishing attacks can broadly be divided into the following three types:

1. Whaling attack

Spear phishing attacks targeting high-profile individuals are known as Whaling or Whale phishing. Whaling attacks aim at C-level individuals.

Whaling attacks have a higher success rate since high-profile individuals work under pressure to make decisions quickly. Coupled with the sense of urgency in the communication and the pretense that it comes from a trusted individual, this makes them fall straight into the trap.

2. Business Email Compromise (BEC) or CEO Fraud attack

A BEC attack is one where an attacker spoofs an email or text from a higher management executive such as a CEO and leverages it to request a fund transfer or sensitive information. Successful BEC attacks may result in a massive malware attack, data loss, or financial loss for the organization.

3. Clone Phishing attack

In a Clone Phishing attack, attackers resend a copy of a previous legitimate communication (email or text message) after replacing the link or attachment with a malicious one. The message is typically spoofed and claims it’s just a resend.

Also, when a victim succumbs to the cloned email, the attacker forwards the same forged email to the contacts from the victim’s inbox. That makes it the most dangerous of all the Spear Phishing attacks.

How do Spear Phishing attacks work?

A Spear Phishing attack typically follows these steps:

1. Attacker identifies the target

Attackers first decide their end goal, whether it is stealing data or a fund transfer, and then start reconnaissance to identify the low-hanging fruit. LinkedIn is beneficial for any attacker for this work.

Next, they will try to get their hands on the target’s email address. To do that, hackers typically use scripts to harvest email addresses and phone numbers from search engines. Once they have these details, they start the second phase of the attack.

2. Plans to evade Anti-spam and Anti-virus

To successfully bypass the existing email defense, the attacker will now research to identify the antispam and antimalware systems used by the organization. Finding this information is not as difficult as one may think. The attacker can easily get the details by searching for recent job postings for Systems/Security Administrator, which will have details of the current security solutions.

Attackers may use organization websites, LinkedIn, or any job sites for this research.

Once the antispam/antivirus details are known, the attacker will create a testbed to simulate the environment and test different variations until he finds the recipe of the right attack.

3. Opens a backchannel to receive the communication

To receive the information from the organizations, the attacker will use payloads like ‘reverse_https,’ which is very hard to detect for security solutions like IPS/IDS or firewalls.

4. Attacker drafts and wordsmiths the communication

If the target users are not well educated and highly skilled in identifying the attack, it’s easy for them to fall prey.
In this step, the attacker will research the target user and find out whom they frequently communicate with. Based on the research, the attacker will create the email for the target user, embedding the URLs or attachments.

5. An email/text message is triggered

The attacker has a few options here. He can create a temporary mail server and send the message through it, but the recipient server will likely block it due to a bad reputation.

A more sophisticated way of doing it will be to register a new domain, host an email server that may come free with the domain hosting, and change the Whois information to ensure that the Email received looks like a legitimate email by the destination server.

6. Wait for the victim to fall for the bait

If the attacker’s target is to get a wire transfer into the attacker’s account, the attacker will wait for it to happen.

If the end goal is to launch a more sophisticated attack, once the target follows the instruction and clicks on a link or opens the attachment, a downloader malware or Trojan horse such as Dridex or Trickbot can get installed.

A Trojan horse is software or malicious code that misleads users about its intent by pretending to be helpful software.

This Malware/Trojan is used to install a keylogger or something more dangerous like ransomware throughout the target organization.

How to identify a Spear Phishing attack?

A spear-phishing attack may exhibit one or more of the following characteristics, which you can use to educate your employees:

  • The email or message conveys an unwarranted sense of urgency
  • The email or message includes a request to download a file or provide sensitive information that is typically not shared via email/messages
  • The email has files or invoices attached that usually should not be there
  • The email content is unusual or out of character for the sender
  • The email address does not match the domain name of the company that the sender claims to be from
  • There are differences in the email format compared to earlier communication with the person or company
  • Links in the email seem to take you to a suspicious website
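
Three of the indicators above (urgency, a sender address that does not match the claimed company's domain, and a link whose visible text names a different host than its target) can be checked mechanically. The following Python code is an added example, not part of the original article; the sample message, the .test domains, the keyword list and the finding labels are constructed for illustration, and it assumes a single-part HTML message.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message using reserved .test domains (not from the article).
SAMPLE = """\
From: "Example Corp CEO" <ceo@examp1e-corp.test>
Subject: Urgent: invoice needs approval today
Content-Type: text/html

<p>Please review immediately.</p>
<a href="http://login.examp1e-corp.test/doc">www.example-corp.test/doc</a>
"""
URGENCY = re.compile(r"\b(urgent|immediately|asap|right away)\b", re.I)  # assumed keyword list

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_message(raw, claimed_domain):
    """Return the indicators found in one raw, single-part HTML message."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    body, found = msg.get_payload(), []
    if sender != claimed_domain:  # exact match; subdomains count as a mismatch
        found.append("sender-domain-mismatch")
    if URGENCY.search(msg.get("Subject", "") + " " + body):
        found.append("urgency-language")
    links = LinkCollector()
    links.feed(body)
    for href, text in links.links:
        # Only compare when the visible text itself looks like a host name.
        shown = urlparse("//" + text.split("//")[-1]).hostname or ""
        if "." in shown and shown != (urlparse(href).hostname or ""):
            found.append("link-text-mismatch")
    return found
```

Findings like these are triage signals for an analyst or a training exercise, not a verdict; a message with none of them can still be malicious.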

How to defend from Spear Phishing attacks

Unfortunately, there is no single solution or any silver bullet that can block Spear Phishing attacks; however, by following the tips below, you can significantly reduce the risk of a successful Spear Phishing attack:

1. Use modern Anti-phishing solutions

Consider a solution that can detect and block spear-phishing attacks like Business Email Compromise. Machine learning and AI-based solutions can pick up anomalies indicating a Spear Phishing attack.

Also, routinely update/upgrade and audit the antispam/anti-phishing solution to ensure that the required features are enabled and working as expected.

2. Robust Standard Operating Procedures

Build robust standard operating procedures for fund transfer to external accounts and dealing with sensitive data/financial information.

3. Use anti-spoofing and DMARC

Use features like Anti-spoofing and DMARC to reduce the likelihood of a spoofed mail passing through.
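
A DMARC record only reduces spoofing when its policy is actually enforced. The following Python code is an added example, not part of the original article: it parses the text of a DMARC TXT record and lists the settings that would still let spoofed mail through. The sample records, the example-corp.test domain and the issue labels are constructed for illustration.

```python
# Constructed sample records for the placeholder domain example-corp.test.
WEAK = "v=DMARC1; p=none"
PARTIAL = "v=DMARC1; p=quarantine; pct=25; sp=none; rua=mailto:dmarc@example-corp.test"
STRONG = "v=DMARC1; p=reject; rua=mailto:dmarc@example-corp.test"

def parse_dmarc(txt):
    """Split a DMARC TXT record into a {tag: value} dict (tag names lowercased)."""
    tags = {}
    for part in txt.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags

def audit_dmarc(txt):
    """Return the reasons this record leaves room for spoofed mail."""
    tags = parse_dmarc(txt)
    if tags.get("v") != "DMARC1":
        return ["not-a-dmarc-record"]
    policy = tags.get("p", "").lower()
    issues = []
    # p=none only monitors; receivers are not asked to act on failures.
    if policy not in ("quarantine", "reject"):
        issues.append("policy-not-enforced")
    # sp defaults to p, so only flag an explicit downgrade for subdomains.
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        issues.append("subdomains-not-enforced")
    # pct defaults to 100; an unparsable value is treated as no enforcement.
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
    if pct < 100:
        issues.append("partial-enforcement")
    # Without rua the domain owner receives no aggregate failure reports.
    if "rua" not in tags:
        issues.append("no-aggregate-reports")
    return issues
```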

4. Train your employees

Conduct training sessions with regular mock automated phishing drills. Security awareness training will enable individuals to pick up on the signs of a spear-phishing attack and take appropriate actions.

5. Do not overshare information

Educate employees about the threats of oversharing their personal information on social media networks like LinkedIn, Twitter, or Facebook. The less the bad guys know, the better.

About Ramya Srinivasan

Malware Researcher, Threat Analyst, Blogger, Thinker and Lead Author at SecurityFocal.
