Spear Phishing – Why you should “Fear the Spear”

SPEAR PHISHING, WHALING, BUSINESS EMAIL COMPROMISE AND CEO FRAUD ARE ON THE RISE AND COSTING COMPANIES BILLIONS

Have you heard of the acronym: FUD? It stands for ‘Fear, Uncertainty & Doubt.’ Unfortunately, the Information Security industry has a bit of a bad rep for selling their services off the back of FUD:

“Don’t want the drastic effect loss of finances and company reputation that can come if you suffer a breach or hack? Then buy our super product without delay!”

We don’t like selling on FUD, but…

We do our best to steer clear of selling via FUD but sometimes a threat is such a clear & present danger that we really need to make you aware of it – Spear Phishing is one of them.

What is a Spear Phishing email attack?

Firstly, let’s clear up what we mean when we talk about Spear Phishing. When you receive an email full of generic terminology and lacking in personalisation, it generally means you are one of thousands, millions or even billions of recipients. In other words, an ‘Untargeted Phishing Campaign’: the result of a ‘throw enough mud at a wall and some will stick’ methodology, an unsophisticated attempt to get users to click on a malicious attachment or link. Untargeted Phishing is still a threat, but increasingly less so when compared to Spear Phishing, largely because attackers have realised that the rewards can be much higher when they use social engineering to target specific individuals with tailored emails. Sophisticated targeting of high-level execs is sometimes called Whaling and sometimes CEO Fraud, and Spear Phishing is sometimes called Business Email Compromise (BEC). Sadly, all these different yet related terms only go to increase the FUD, so let’s just refer to all targeted malicious emails as Spear Phishing and be done with it.

Why is Spear Phishing becoming more of a threat?

Spear Phishing enjoys such a high hit rate because its basic premise is to trick the recipient into believing the email is from someone they know, usually someone in a position of authority over them. Logic therefore dictates that the more information the attacker has on the supposed sender of the email, the more likely the recipient is to be fooled. Successful attacks yielding high pay-outs are often the result of multiple emails using multiple attack vectors, each one giving the attacker more information until they are ready for the final payday.

A common method starts with the attacker using one of the numerous datasets of breached credentials available on the dark web. They then try those credentials against the sender’s email account (often, but not always, O365), relying on the fact that so many people reuse the same old password across multiple accounts.

Once they have gained access to the account, they won’t necessarily go for the attack straight away. Instead they will hide unnoticed, monitoring email correspondence between various parties and gaining an insight into how the sender communicates and where the payday could come from. By the time the attacker comes out of hiding, they may well have already set up a forwarding rule so that relevant emails (from a 3rd party supplier, for example) all go to an anonymous Gmail account, unseen by the account owner. They will then compose the money-grab email, using authentic email signatures, mentioning ongoing familiar accounts, complete with company terminology, and usually asking the recipient to transfer (often eye-wateringly) large sums in a hurry to a soon-to-disappear, untraceable bank account.
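The covert forwarding rule described above leaves a trace that a defender can look for: a rule in the victim’s mailbox that sends mail outside the organisation, often while deleting or marking as read the original so the owner never notices. The following is an added example (not code from the original article or from Risk Crew) that audits a list of inbox rules already exported from the mail platform. The field names (forward_to, redirect_to, delete_message, mark_as_read, subject_contains) and the sample rules are constructed for illustration, not a vendor’s schema; the organisation domain example.co.uk is likewise an assumption.

```python
"""Audit exported mailbox inbox rules for covert external forwarding.

Added example, not from the original article. Assumes rules have been
exported into a list of dicts using the (assumed) field names below.
The sample rules and the organisation domain are constructed.
"""
from dataclasses import dataclass, field

# Assumption: the organisation's own mail domains.
ORG_DOMAINS = {"example.co.uk"}

# Subject keywords a payment-fraud rule typically filters on.
FINANCE_KEYWORDS = {"invoice", "payment", "bank", "wire", "transfer"}

# Constructed sample export: one suspicious rule, two benign ones.
SAMPLE_RULES = [
    {"mailbox": "sharon.smith@example.co.uk", "name": "Supplier invoices",
     "forward_to": ["s.smith.backup@gmail.com"], "redirect_to": [],
     "delete_message": True, "mark_as_read": True,
     "subject_contains": ["invoice", "payment"]},
    {"mailbox": "david.brown@example.co.uk", "name": "To shared mailbox",
     "forward_to": ["finance@example.co.uk"], "redirect_to": [],
     "delete_message": False, "mark_as_read": False, "subject_contains": []},
    {"mailbox": "david.brown@example.co.uk", "name": "Newsletters",
     "forward_to": [], "redirect_to": [], "delete_message": False,
     "mark_as_read": True, "subject_contains": ["newsletter"]},
]


@dataclass
class Finding:
    mailbox: str
    rule: str
    severity: str
    reasons: list = field(default_factory=list)


def _domain(address):
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def audit_rules(rules, org_domains=ORG_DOMAINS):
    """Return a Finding for every rule that sends mail outside org_domains.

    Severity is raised to 'high' when the rule also hides the message from
    the owner (deletes it) or specifically filters on finance keywords.
    """
    findings = []
    for rule in rules:
        targets = rule.get("forward_to", []) + rule.get("redirect_to", [])
        external = [t for t in targets if _domain(t) not in org_domains]
        if not external:
            continue  # internal forwarding is normal business use
        reasons = ["forwards to external address(es): " + ", ".join(external)]
        severity = "medium"
        if rule.get("delete_message"):
            reasons.append("deletes the original, hiding it from the mailbox owner")
            severity = "high"
        if rule.get("mark_as_read"):
            reasons.append("marks the message as read, suppressing the unread notification")
        keywords = [k for k in rule.get("subject_contains", [])
                    if k.lower() in FINANCE_KEYWORDS]
        if keywords:
            reasons.append("filters on finance keywords: " + ", ".join(keywords))
            severity = "high"
        findings.append(Finding(rule["mailbox"], rule["name"], severity, reasons))
    return findings


if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print(f"[{f.severity.upper()}] {f.mailbox} rule '{f.rule}'")
        for reason in f.reasons:
            print("   -", reason)
```

Run periodically over a full export of every mailbox’s rules rather than on demand: the article’s point is that the attacker sits quietly for some time before the money-grab email, so a rule created weeks ago is exactly what you want to surface.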

Beware of the call for urgency

The ‘in a hurry’ part is a tried and trusted trick of the spear phishing and wider social engineering community, by the way. Invoke a sense of urgency and employees, in their haste to do their superiors’ bidding, are less likely to stop and take heed.

Link this to freely available information they can glean from the internet on the sender (LinkedIn, Facebook and other social media/news outlets) and you can begin to see why Spear Phishing is so attractive to cyber criminals.

There are numerous accounts of attackers who check social media to see if the sender is on holiday and then use this information to their advantage.

The use of OSINT (Open Source Intelligence) works for both recipient and sender. For example:

  1. Attacker goes to the company LinkedIn page and sees that Sharon Smith is the Finance Director.
  2. Attacker then sees that David Brown is the Assistant Finance Manager.
  3. Attacker composes an email from Sharon Smith to David Brown asking him to transfer £xxx to xxx account.

The scenarios above represent some of the most prevalent and successful spear phishing attacks, but they are by no means the only methods. For example, sometimes the attacker will gain credentials via a ‘pre spear phishing’ spear phish, where they send a bogus email that takes the recipient to a fake web page in order to harvest their credentials. Sometimes the attacker won’t actually take over the authentic account; instead they may spoof the account so that it gives the appearance of authenticity.

How to defend against a Spear Phishing attack

There are plenty of technical solutions: using DMARC is a good starting point, as is (preferably not SMS-based) Two-Factor or Multi-Factor Authentication (2FA / MFA). But the problem is that, to one degree or another, they become useless if the users themselves can be compromised.
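DMARC only helps against the spoofed-sender variant of the attack, and only if the domain’s record actually enforces a policy. The following is an added example (not code from the original article or from Risk Crew) that parses a DMARC TXT record and reports where it falls short, showing a weak record beside a hardened one. It works on record strings handed to it rather than doing DNS lookups, so it runs offline; the two sample records and the domain example.co.uk are constructed. The tag names (v, p, sp, pct, rua, adkim, aspf) are the standard DMARC tags.

```python
"""Parse a DMARC TXT record and grade the protection it gives.

Added example, not part of the original article. Takes record strings
directly (no DNS lookup). Sample records below are constructed.
"""

# Constructed: the kind of record many domains publish when they first
# "enable DMARC" -- it monitors only and lets spoofed mail through.
WEAK_RECORD = "v=DMARC1; p=none"

# Constructed: an enforcing record with reporting and strict alignment.
HARDENED_RECORD = ("v=DMARC1; p=reject; sp=reject; pct=100; "
                   "rua=mailto:dmarc-reports@example.co.uk; adkim=s; aspf=s")


def parse_dmarc(record):
    """Split a 'tag=value; tag=value' record into a dict, validating the basics."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record (v=DMARC1 missing)")
    if "p" not in tags:
        raise ValueError("missing required p= tag")
    return tags


def assess_dmarc(record):
    """Return the effective policy, a list of weaknesses, and whether it enforces."""
    tags = parse_dmarc(record)
    issues = []
    policy = tags["p"].lower()
    if policy == "none":
        issues.append("p=none: spoofed mail is still delivered; reports only")
    elif policy == "quarantine":
        issues.append("p=quarantine: spoofed mail lands in junk rather than being rejected")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        issues.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        issues.append("no rua=: no aggregate reports, so spoofing attempts go unseen")
    subdomain_policy = tags.get("sp", policy).lower()  # sp defaults to p
    if subdomain_policy == "none":
        issues.append("subdomain policy is none: subdomains can be spoofed freely")
    if tags.get("adkim", "r") == "r" and tags.get("aspf", "r") == "r":
        issues.append("relaxed alignment for both DKIM and SPF (the default); "
                      "adkim=s / aspf=s is tighter if your senders allow it")
    return {
        "policy": policy,
        "issues": issues,
        "enforcing": policy == "reject" and pct == 100,
    }


if __name__ == "__main__":
    for label, rec in (("weak", WEAK_RECORD), ("hardened", HARDENED_RECORD)):
        result = assess_dmarc(rec)
        print(f"{label}: p={result['policy']} enforcing={result['enforcing']}")
        for issue in result["issues"]:
            print("   -", issue)
```

Note the limit the article itself points out: a record like HARDENED_RECORD stops mail that merely pretends to be from your domain, but does nothing when the attacker is sending from the genuine, compromised account, which is why the policy and awareness measures that follow still matter.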

So, in conjunction with solid technical solutions, the answer is sound email policies and procedures, backed up by and forming part of an Information Security Awareness Programme.

Show users your policies and procedures and educate them as to why they are so important. Set up a policy that does not allow funds to be sent without a failsafe in place. Help them learn the tell-tale signs of Spear Phishing emails, have a modern and strict password policy in place, and tell them why passwords of 12+ characters, unique to every account, are so critical. Demonstrate that they don’t have to remember countless, pointlessly complex passwords.

Do all this and you have suddenly made your workplace much more secure against a cyber-attack.
Need help doing it? Risk Crew offers a robust security awareness programme, eRiskology™, that creates a cyber-secure culture, empowering staff to identify and prevent incoming attacks.


Risk Crew