Spear phishing uses social engineering tactics to get users to open and engage with e-mails that contain infected attachments or links to malicious websites.
Unlike regular mass phishing e-mails, which are broad in scope and not targeted to specific organizations or individuals, spear-phishing messages are carefully crafted and customized to look as if they come from a trusted sender on a relevant subject. Spear-phishing scams often take advantage of a variety of methods to deliver malware that bypasses traditional defenses, such spam and reputation filters.
Spear-phishing techniques are used by attackers to breach an organization in order to gain access to valuable corporate data and are often used in conjunction with advanced persistent threats (APTs) as an entry point into the network. These convincing e-mail messages also may contain one-time URLs, which are taken down almost immediately after a user’s system gets infected, making detection and forensics extremely challenging. Additionally, the malware delivered via a spear-phishing campaign can evade traditional signature-based detection methods and remain latent, doing harm later.
History of Spear Phishing
While phishing has been around since 1996, spear phishing came into its own as a favored cyber-attack mechanism around 2010. Statistics show that in 2010 and 2011, spam volume fell from 300 billion messages per day to 40 billion, and returns for mass phishing attempts decreased from $1.1 billion to $500 million. During the same timeframe, spear-phishing attacks increased three-fold. It is estimated that while only 3% of e-mails are opened, spear-phishing messages have a 70% open rate because people trust the perceived sender. According to Allan Paller of the SANS Institute, 95% of network attacks are the direct result of successful spear phishing. The Verizon 2014 Data Breach Investigation Report notes that nearly one in five users will click on a link within a phishing e-mail. The success of spear phishing means it’s here to stay.
How Spear-Phishing Attacks Work
Research and reconnaissance is the first stage. Cybercriminals study social media sites, external websites, and blogs to identify and collect personal information on likely targets. Usually, the targeted population is very small.
Next, attackers craft and distribute e-mails that appear legitimate and look like they might be from a trusted source (for example, colleagues, acquaintances, professional organizations.)
The recipient is tricked into opening an infected attachment or clicking on a malicious URL. These well-designed e-mails use various methods to deliver malware to the recipient’s system: zero-day browser or desktop application vulnerabilities, drive-by downloads, and URLs that change or are here today and gone tomorrow.
Attackers access the network and eventually obtain corporate data by planting a back door, installing spyware or keyloggers, or hijacking the computer and connecting it to a botnet for distributed denial-of-service (DDoS) attacks.
Notable Headline-Generating Spear-Phishing Attacks
Anthem Blue Cross (2015)
This prominent health insurance company experienced one of history’s largest breaches, which involved Social Security numbers and other personal data of 80 million members. Investigators believe that credentials of a handful of technology workers were obtained via a spear-phishing campaign. Only hours after the breach was publicized, a wave of opportunistic spear-phishing e-mails, made to look like official notifications from Anthem, targeted current and past customers.
Two different spear-phishing e-mails were sent to only four individuals at the security company’s parent company, EMC. One of the employees was tricked into opening the attachment, which leveraged a vulnerability in Adobe Flash and created a back door so that attackers could access the network and steal valuable product information.