Spear phishing is becoming one of the fastest-growing email-borne threats.
In short, it is a targeted form of phishing that takes aim at specific employees of a chosen organization. The motivation is usually financial; the most common attacks ask the recipient to make a wire transfer or to divert direct deposits or vendor payments into accounts the attacker controls. Spear phishing is methodical and often focused on a single recipient.
To show how the spear phishing process works, let's walk through an attack on a hypothetical widget company called Widget Co., which has 500 employees in different cities. The attackers want access to Widget Co.'s database of employee records. From it they can harvest confidential information, such as Social Security numbers and direct-deposit bank accounts, and sell it on the black market to identity thieves.
The image above shows a typical progression of a spear phishing attack. The attackers' first step is to research Widget Co. and work out how best to mount the attack. After cataloguing the executives in the "Our Team" section of the Widget Co. website, they cross-reference Facebook and LinkedIn accounts to build a map of who knows whom inside Widget Co. With that social graph pieced together, the attackers are ready to go spear phishing.
The attackers find an HR employee at Widget Co. named John Smith. Posing as Mr. Smith, they target Smith's Facebook friend and colleague, Jeff Jones, an HR manager at Widget Co. To build trust in the faked email address, the attacker posing as Mr. Smith sends his "friend," Mr. Jones, a note asking about the family vacation he is currently on (according to pictures posted to Facebook). If Mr. Jones responds, the attacker is off to a good start: he is successfully impersonating another Widget Co. employee and is starting to build trust in the faked address with his target. Mr. Jones replies and says he is enjoying his time away with his family. The two continue to banter about Mr. Jones's family vacation and things going on in the office, including the names of people the attacker has already researched and associated with that social circle.
How can the attacker get away with this? Doesn't Mr. Smith have a unique, domain-specific email address through Widget Co.?
Yes, he does. However, under Widget Co.'s "Bring Your Own Device" (BYOD) policy, employees routinely use personal devices and personal email accounts to message one another, so a note from a Gmail address raises no suspicion. In this case, the attacker knows from LinkedIn that Mr. Smith's personal email address is johnsmith1@gmail.com, and registers a look-alike account, johnsmith.1@gmail.com. Mr. Jones doesn't notice the difference, and the stage is set for the real attack. (One caveat: Gmail ignores dots in the local part, so johnsmith.1@gmail.com actually delivers to the same mailbox as johnsmith1@gmail.com and could not be registered separately. In practice the attacker would pick a variant with an extra digit, a transposed letter, or the same name at a different provider; the trick is identical, and the visual near-match is exactly what Mr. Jones fails to spot.)
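One defensive check the look-alike trick suggests is to compare every sender against the addresses of people the recipient already knows. The Python below is an added example, not code from the original article: it normalizes addresses (lower-casing, dropping +tags, and collapsing dots for Gmail, which ignores them), then flags senders whose local part is a couple of edits away from a trusted contact on the same domain, or whose display name matches a trusted contact while the address does not. The contact list, the widgetco.example and outlook.example domains, and the From: headers are constructed for illustration. Note that the article's johnsmith.1@gmail.com normalizes to the trusted johnsmith1@gmail.com, because Gmail treats the two as one mailbox; the realistic variant johnsmith01@gmail.com is what the edit-distance check catches.

```python
"""Flag look-alike sender addresses against a list of trusted contacts.

Added example, not from the original article. The contacts, domains and
From: headers below are constructed for illustration.
"""
import re

# Providers known to ignore dots in the local part (Gmail does).
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}

# Constructed address book: trusted address -> display name.
KNOWN_CONTACTS = {
    "john.smith@widgetco.example": "John Smith",
    "johnsmith1@gmail.com": "John Smith",  # Mr. Smith's known personal address
    "jeff.jones@widgetco.example": "Jeff Jones",
}


def parse_from(header):
    """Split a From: header into (display name, address); bare addresses get ''."""
    m = re.match(r'\s*"?([^"<]*?)"?\s*<([^>]+)>\s*$', header)
    if m:
        return m.group(1).strip(), m.group(2).strip()
    return "", header.strip()


def normalize(addr):
    """Canonical form: lower-case, drop +tags, collapse dots where the provider ignores them."""
    local, _, domain = addr.strip().lower().rpartition("@")
    local = local.split("+", 1)[0]
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.replace(".", "")
    return f"{local}@{domain}"


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header, known=KNOWN_CONTACTS, max_edits=2):
    """Return ('known', addr), ('lookalike', addr) or ('unknown', None).

    'lookalike' means the sender is NOT a trusted address but either its
    local part is within max_edits of a trusted contact on the same domain,
    or its display name is a trusted contact's name.
    """
    name, addr = parse_from(from_header)
    norm = normalize(addr)
    canonical = {normalize(a): (a, n) for a, n in known.items()}
    if norm in canonical:
        return "known", canonical[norm][0]
    local, _, domain = norm.rpartition("@")
    for k_norm, (k_addr, k_name) in canonical.items():
        k_local, _, k_domain = k_norm.rpartition("@")
        # johnsmith01 vs johnsmith1: same provider, one edit apart.
        # Skip very short local parts, where two edits is most of the name.
        if domain == k_domain and len(k_local) > 4 and levenshtein(local, k_local) <= max_edits:
            return "lookalike", k_addr
        # A trusted contact's display name on an address we have never seen.
        if name and name.casefold() == k_name.casefold():
            return "lookalike", k_addr
    return "unknown", None


if __name__ == "__main__":
    # Constructed From: headers, including the article's dotted Gmail variant.
    samples = [
        "jeff.jones@widgetco.example",
        "John Smith <johnsmith.1@gmail.com>",  # same Gmail mailbox as johnsmith1
        "johnsmith01@gmail.com",               # realistic look-alike
        "John Smith <john.smith@outlook.example>",
        "newsletter@elsewhere.example",
    ]
    for s in samples:
        print(f"{s!r:45} -> {classify_sender(s)}")
```

In a deployment this would run at the mail gateway or as a mailbox rule, with anything classified as a look-alike getting a warning banner or quarantine, and the contact list would come from the directory and the user's sent-mail history rather than a static dictionary.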
The attackers also know from LinkedIn that Jane Doe is a new employee working with Mr. Jones. The fake Mr. Smith sends Mr. Jones a PDF of "new employee paperwork" that actually carries key-logging malware. If Mr. Jones opens the file and the malware runs, his device is infected, his keystrokes and credentials are captured, and the attacker has a foothold on the network.
Alternatively, the fake Mr. Smith could send a note that says, "Hey, Jeff — I'm on the golf course, but I need to call the bank and make sure Jane Doe's retirement plan is all set up. I can't remember the login for the employee database system — can you help me out?" If Mr. Jones shares his login for the database, the attacker is inside. Either way, the phisher ends up with Mr. Jones's login credentials, a free pass into Widget Co.'s private networks, and any confidential employee data is at risk of being improperly accessed.
In this case we used an HR example, but it could just as easily have been corporate finance, marketing and sales, IT, or any other department. Most employees have more than enough personal information in the public realm for their identity to be borrowed to swindle a colleague and compromise your network.