In short, it is an enhanced version of phishing that takes aim at specific employees of a targeted organization. The motivation is usually financial, with the most common attacks taking the form of wire transfers or requests to divert direct deposits or vendor payments into fraudulent accounts. Spear phishing is methodical and often focused on a single recipient.
To show how the spear phishing process works, let’s walk through an attack on a hypothetical widget company, Widget Co., which has 500 employees in different cities. The hackers want access to Widget Co.’s database of employee records: from it they can harvest employees’ confidential information, such as Social Security numbers and direct-deposit bank accounts, and sell it on the black market to identity thieves.
The attackers find an HR employee at Widget Co. named John Smith. Posing as Mr. Smith, the hackers target Smith’s Facebook friend and colleague, Jeff Jones, an HR manager at Widget Co. To build trust in the faked email address, the hacker posing as Mr. Smith sends his “friend,” Mr. Jones, a note asking about the family vacation he is currently on (according to pictures posted to Facebook). If Mr. Jones responds, the hacker is off to a good start: he is successfully impersonating another Widget Co. employee and is beginning to build trust in the faked email address with his target. Mr. Jones replies and says he is enjoying his time away with his family. The two continue to banter about Mr. Jones’ family vacation as well as things going on in the office, including the names of people the attackers have researched and associated with the social circle.
Yes, he does. However, due to Widget Co.’s “Bring Your Own Device” (BYOD) policy, employees are able to use personal mobile devices to send messages to one another. In this case, the attacker knows from LinkedIn that Mr. Smith’s personal email address is [email protected] com. The attacker creates a Gmail account for [email protected] com. Mr. Jones doesn’t notice the difference, and the stage is set for the real attack.
The hackers know from LinkedIn that Jane Doe is a new employee working with Mr. Jones. The hacker posing as Mr. Smith sends Mr. Jones a PDF file of “new employee paperwork” that actually contains keylogging malware. If Mr. Jones opens the file, his device is infected, his credentials are vacuumed up, and the network is breached.
Alternatively, the fake Mr. Smith could send a note that says, “Hey, Jeff — I’m on the golf course, but I need to call the bank and make sure Jane Doe’s retirement plan is all set up. I can’t remember the login for the employee database system — can you help me out?” If Mr. Jones shares his login for the database, the hacker is inside. Either way, the phisher can collect Mr. Smith’s login credentials — a free pass into Widget Co.’s private networks. Any confidential employee data is at risk of being improperly accessed.
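The weak point the scenario turns on is that Mr. Jones trusted a familiar name without checking the address behind it. As an added example (not code from the original article), here is a small mail-gateway check that catches that pattern: a colleague’s display name on a message whose From address is not one the organization has on file, whether a near-lookalike of a registered personal address or an unrelated free-mail account. The corporate domain, the directory, and the sample headers are constructed for the Widget Co. scenario and are assumptions, not real data.

```python
"""Flag inbound mail whose sender appears to impersonate a known colleague.

Added example, not code from the original article. The directory, domain and
message headers below are constructed for the hypothetical Widget Co. scenario.
"""
from dataclasses import dataclass

# Hypothetical corporate domain and directory: each employee maps to the set of
# addresses the organisation has on file (corporate, plus any personal address
# the employee registered for BYOD use). All values are placeholders.
CORPORATE_DOMAIN = "widgetco.example"
DIRECTORY = {
    "John Smith": {"john.smith@widgetco.example", "jsmith77@mail.example"},
    "Jeff Jones": {"jeff.jones@widgetco.example"},
}
LOOKALIKE_THRESHOLD = 2  # max edits for an address to count as a lookalike


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _norm_name(name: str) -> str:
    """Case-fold and collapse whitespace so 'john  smith' matches 'John Smith'."""
    return " ".join(name.casefold().split())


_DIRECTORY_BY_NAME = {_norm_name(n): {a.lower() for a in addrs}
                      for n, addrs in DIRECTORY.items()}


@dataclass
class Finding:
    level: str   # "ok", "warn" or "block"
    reason: str


def assess_sender(display_name: str, address: str) -> Finding:
    """Compare a message's From display name and address against the directory."""
    address = address.strip().lower()
    known = _DIRECTORY_BY_NAME.get(_norm_name(display_name))
    if known is None:
        return Finding("ok", "display name does not match a directory entry")
    if address in known:
        return Finding("ok", "address is on file for this employee")
    _, _, domain = address.rpartition("@")
    if domain == CORPORATE_DOMAIN:
        # Same domain but a mailbox we do not know: worth a look, not a block.
        return Finding("warn", "corporate domain but address not on file")
    for on_file in known:
        if edit_distance(address, on_file) <= LOOKALIKE_THRESHOLD:
            return Finding("block", f"lookalike of {on_file}")
    return Finding("block", "employee name used from an unknown external address")


def triage(messages):
    """Return (display_name, address, level, reason) for each message."""
    results = []
    for name, addr in messages:
        finding = assess_sender(name, addr)
        results.append((name, addr, finding.level, finding.reason))
    return results


# Constructed sample headers: a genuine mail, a one-character lookalike of the
# personal address on file, a free-mail account borrowing the name, and a
# sender who is not in the directory at all.
SAMPLE_MESSAGES = [
    ("John Smith", "john.smith@widgetco.example"),
    ("John Smith", "jsmith77@mai1.example"),
    ("john smith", "john.smith@freemail.example"),
    ("Jane Doe", "jane@somewhere.example"),
]

if __name__ == "__main__":
    for name, addr, level, reason in triage(SAMPLE_MESSAGES):
        print(f"{level:5} {name!r:14} <{addr}>  {reason}")
```

The check is deliberately asymmetric: a name the directory does not know passes, because the goal is to catch a trusted colleague’s identity being borrowed, not to block every stranger. A message that passes the address check can still be a compromised real account, so the “ok” result is a reason not to escalate on sender identity alone, not proof that the request (a password, a payment change, an attachment) is legitimate.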