The Trends in Spear Phishing Attacks

August 10, 2018 by Ravi Das

Introduction

As we know it today, Phishing has become one of the tactics most commonly used by the Cyber attacker to garner personal information and data. This primarily involves our physical addresses, E-Mail addresses, credit card numbers, banking and other kinds of financial information, Social Security numbers, etc.

Phishing involves sending an E-Mail with either a malicious file (such as a .DOC or .XLS file) or a link. Once the victim has downloaded the file or clicked on the link (or perhaps even both), the malware (most likely a Trojan Horse) spreads itself onto the computer or wireless device of the victim.

Generally, Phishing attacks involve sending mass E-Mails out; in other words, there is not one targeted individual or organization. Whatever contact information the Cyber attacker can get their hands on is used. However, lately, there appears to be a new trend developing: a tactic known as "Spear Phishing." It can be defined specifically as follows:

"It is a phishing method that targets specific individuals or groups within an organization. It is a potent variant of phishing, a malicious tactic which uses emails, social media, instant messaging, and other platforms to get users to divulge personal information or perform actions that cause network compromise, data loss, or financial loss."

(SOURCE: https://www.trendmicro.com/vinfo/us/security/definition/spear-phishing).

Thus, in these instances, the Cyber attacker has already done their research ahead of time and knows specifically who or what they want to target. In a way, this is similar to a Business E-Mail Compromise (BEC) attack, in which the C-Level executive is primarily targeted to transfer funds.

In this article, we examine the recent trends of Spear Phishing attacks.

The Trends

Just consider some of these alarming statistics:

  • 77% of the Spear Phishing attacks are laser-focused – targeting only 10 E-Mail inboxes, and only 33% of them focused upon just one E-Mail inbox.
  • 47% of Spear Phishing attacks lasted less than 24 hours. All other types of Phishing schemes lasted at least 30 days or more.
  • Another tactic that the Cyber attacker uses is what is known as the "Drip Campaign." For example, 35% of the Spear Phishing attacks lasted at least 12 months or even longer.
  • The Cyber attacker has become even stealthier when it comes to bypassing the E-Mail Spam filters. In these instances, 20% of Spear Phishing based E-Mails were able to get around these filters and make their way into the inbox.
  • 42% of IT Security professionals consider Spear Phishing to be among the top 3 Cyber-attack concerns.
  • At least 30% of the Spear Phishing campaigns are deemed to be successful.
  • Compared to a general Phishing campaign, Spear Phishing campaigns cost 20X per victim, and the return is 40X greater.
  • A Cyber attacker will also spend an enormous amount of time trying to find a hidden "crack" or "hole" in the organization to use as a stepping stone to collect the relevant information/data on their victim.

So how is it that the Cyber attacker is so successful when launching these kinds of campaigns? First, they are consistently sharpening and refining their skills in conducting the research needed to launch a laser-focused attack. Second, the Cyber attacker does not rely upon fancy technology to execute a Spear Phishing campaign. Rather, they rely upon the old-fashioned techniques of Social Engineering to thrust their attacks forward.

The Cyber attacker demonstrates a considerable amount of patience. For instance, they spend an enormous amount of time researching their primary target. They are in no rush to get this task accomplished. The more accurate the information that they have, the greater the statistical probability that their well-crafted E-Mail will make it through the Spam Filters.

They often rely upon Social Media sites that the individual or even the organization uses. They try to glean as much contact information as possible. Also, the use of Internet-based background searches is a commonly used tool as well. So, what is the Cyber attacker exactly looking for when launching a Spear Phishing campaign? There are three main items of interest:

1. Money, Money, Money and lots of it:

While other Phishing based campaigns focus on getting any kind of personal information and data, the Cyber attacker, in this case, wants just one thing: Your cash. As a result, they tend to target the following:

  • Credit card companies;
  • Insurance organizations;
  • Credit Unions;
  • PayPal;
  • Amazon.

In their Spear Phishing E-Mail, the Cyber attacker does not traditionally attach a .DOC or .XLS file. Rather, they will attach a .HTML file, or include the relevant HTML data in the body of the message. If the victim either downloads this particular attachment or clicks on the link, then he or she will be taken to a very authentic looking but spoofed website in which they enter their password. From this point, the Cyber attacker hijacks the password, logs into whatever online financial account they know that the victim possesses, and steals as much money as they possibly can. According to the FBI, over 7,000 financial related institutions have been targeted since 2015, which has resulted in a loss of well over $612 Million.

2. Waiting for particular times of the year:

It is important to note that Spear Phishing attacks do not just occur at any time of the year. Rather, they occur at particular points in time when there is a lot of activity happening, especially between financial organizations and the individual or organization. A typical example of this is tax season. To launch their Spear Phishing campaign, the Cyber attacker will covertly pose as some sort of tax-related entity (primarily the IRS), requesting that the tax preparer send over sensitive information about the victim (primarily their Social Security number). This request will often come in the form of an E-Mail message, with the sending address typically being one of the following:

  • assupport@gov.com
  • support@link2.gov

These types of E-Mail messages often contain a VBA script that is malicious in nature and, worse yet, will automatically execute itself once opened. Another example of when a Spear Phishing attack will typically occur is during a catastrophic event, such as a natural disaster. For example, in these types of scenarios, the Cyber attacker will send out an E-Mail posing as the Red Cross, asking for donations or other kinds of financial assistance. Very often, when the victim clicks on the link, they will once again be taken to a very authentic looking, but spoofed website. However, rather than being asked to log in to a website so that their login information can be captured, the victim is asked to donate money. From there, it gets deposited into a phony bank account that is set up by the Cyber attacker.

3. Stealing corporate data:

Another prime interest of the Cyber attacker is stealing sensitive corporate data. This typically includes the contact information of the organization's customers, such as names, phone numbers, E-Mail addresses and the like. Once this is collected, the Cyber attacker has enough information at hand to conduct further and deeper research into their intended victims. Also at stake here is the information that is pertinent to the IT infrastructure of the business or corporation, so that a Ransomware attack can be launched, targeting the organization's workstations, servers, and wireless devices.

Recent Incidents of Spear Phishing Attacks

Four recent Spear Phishing attacks have cost both the organizations and the customers involved a lot of money:

1. Ubiquiti Networks: Total loss of $46.7 Million to scammers

   This attack actually occurred on June 5th, 2017. The company was hit by a Spear Phishing attack with a disastrous financial toll. They were able to reclaim roughly $45 million of the stolen funds, and it was determined that this attack was the direct result of "employee impersonation and fraudulent requests from an outside entity targeting the Company's finance department." (SOURCE: https://blog.barracuda.com/2017/08/25/four-big-spear-phishing-attacks-you-may-have-forgotten/). Further details can be seen here.

2. FACC: Total loss of $55 Million to scammers

   FACC manufactures the interior engine components for the major aircraft manufacturers that include Boeing and Airbus. They were hit with a Spear Phishing attack on January 19, 2016. The company lost 17% of its total stock value, and the CEO was immediately fired as a result. Outside attackers were the culprits in this incident. More details of it can be seen here.

3. The Crelan Bank: Total loss of $75.8 Million

   Also in January 2016, this major financial institution located in the Netherlands fell victim to a Spear Phishing attack. The bank claimed that it had taken further steps to protect their customers, their information, and their data. More details of this attack can be seen here.

4. Facebook and Google: Total loss of $100 Million

   Although no specific details have been revealed, it is believed that these two major tech companies were hit with a Spear Phishing attack as well on March 21, 2017. Additional details can be seen here.

Conclusions

Overall, this article has examined the recent trends that have been shaping up with regard to Spear Phishing. Now the question is, how does an organization prevent it from happening? Since Spear Phishing can be considered a subset or specialized form of Phishing, the same tips still apply, which are as follows:

1. Always install the latest Security patches and software updates to your servers, workstations, and wireless devices.
2. Always employ encryption to protect corporate information and data, especially when sending it to another recipient.
3. Make use of DMARC (Domain-based Message Authentication, Reporting & Conformance), Sender Policy Framework (SPF), & DomainKeys Identified Mail (DKIM) technologies. They compare the address of the incoming E-Mail message to what is stored in your database. If the two do not match up, then the E-Mail message is automatically rejected and never makes it into the corporate E-Mail Server(s).
4. Deploy Two Factor Authentication (2FA) whenever and wherever possible.
5. Keep your employees on their toes with Security awareness training workshops and also test their knowledge. With the latter, you can send out a phony E-Mail to your employees to see if they will fall for it.
6. Always confirm any suspicious E-Mail with the sender. If they didn't send it, then immediately delete it!!!
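
An added example, not part of the original article: a Python triage function that reads the SPF, DKIM and DMARC verdicts a receiving mail server records in the Authentication-Results header, and also flags the HTML attachments with password fields described earlier. The message, the host name mx.example.test and the function names are constructed for illustration; the sender address is one quoted in the article.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_AUTHSERV = "mx.example.test"  # assumption: your own receiving MTA
# Constructed sample message, not real traffic.
SAMPLE = """\
Authentication-Results: mx.example.test;
 spf=fail smtp.mailfrom=link2.gov; dkim=none;
 dmarc=fail header.from=link2.gov
From: "Tax Support" <support@link2.gov>
Subject: Client records required
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html
Content-Disposition: attachment; filename="form.html"

<form action="http://login.example.test/"><input type="password" name="p"></form>
--b1--
"""

RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)
PASSWORD_RE = re.compile(r"<input[^>]+type=[\"']?password", re.I)

def auth_results(msg):
    """Verdicts from Authentication-Results headers stamped by our own MTA."""
    found = {"spf": "none", "dkim": "none", "dmarc": "none"}
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, rest = header.partition(";")
        if authserv.strip().lower() != TRUSTED_AUTHSERV:
            continue  # a sender can forge this header; ignore foreign ones
        for method, result in RESULT_RE.findall(rest):
            found[method.lower()] = result.lower()
    return found

def triage(raw):
    """Return the reasons to quarantine a raw message (empty list = none)."""
    msg, reasons = message_from_string(raw), []
    verdict = auth_results(msg)["dmarc"]
    if verdict != "pass":
        domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
        reasons.append(f"dmarc={verdict} for {domain}")
    for part in msg.walk():
        if part.get_content_type() == "text/html" and part.get_filename():
            html = part.get_payload(decode=True).decode("utf-8", "replace")
            if PASSWORD_RE.search(html):
                reasons.append(f"password form in {part.get_filename()}")
    return reasons
```

Calling `triage(SAMPLE)` returns both reasons; a message whose only Authentication-Results header comes from a host other than `TRUSTED_AUTHSERV` is treated as unauthenticated.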

      Sources

      1. https://www.trendmicro.com/vinfo/us/security/definition/spear-phishing
      2. https://gdpr.report/news/2017/06/08/new-trend-report-shows-email-phishing-attacks-hook-organizations/
      3. https://www.titanhq.com/blog/the-latest-trends-in-spear-phishing-why-where-and-how
      4. https://www.goanywhere.com/blog/2017/06/28/7-steps-to-protect-yourself-against-corporate-spear-phishing
      5. https://www.csoonline.com/article/2132618/phishing/11-tips-to-prevent-phishing.html
      6. https://www.pindrop.com/blog/ceo-of-austrian-firm-facc-fired-after-email-scam/
      7. http://www.brusselstimes.com/belgium/4944/belgian-bank-crelan-hit-by-a-70-million-eur-fraud
      8. https://www.justice.gov/usao-sdny/pr/lithuanian-man-arrested-theft-over-100-million-fraudulent-email-compromise-scheme
      9. https://blog.barracuda.com/2017/08/25/four-big-spear-phishing-attacks-you-may-have-forgotten/
      10. https://krebsonsecurity.com/2015/08/tech-firm-ubiquiti-suffers-46m-cyberheist/


      Ravi Das

      Ravi is a Business Development Specialist for BiometricNews.Net, Inc., a technical communications and content marketing firm based out of Chicago, IL. The business was started in 2009, and has clients all over the world. Ravi’s primary area of expertise is Biometrics. In this regard, he has written and published two books through CRC Press. He is also a regular columnist for the Journal of Documents and Identity, a leading security publication based out of Amsterdam.

      You can visit the company’s website at www.biometricnews.net (or http://biometricnews.blog/); and contact Ravi at ravi.das@biometricnews.net.