A Brief History of Spear Phishing
Learn the best practices for developing a security awareness training program that is engaging. Engaging awareness programs have been shown to change more users’ behavior and are seen as an asset for your organization instead of annoyance.
A term we hear often these days is spear phishing – an advanced form of social engineering that is more effective than traditional phishing scams, as it is tailored to a specific target. Spam text messages and unsolicited e-mail or posts have evolved from mass mailings sent to a wide audience into a new and harmful form with a more targeted approach (hence the “spear”), with phishers pointing precisely at victims.
In fact, spear phishing is a method used by malicious hackers to gain valuable information and access to a network by targeting particular individuals within an organization. Messages are customized thanks to a thorough operation of intelligence perpetrated by the phishers that collect information from corporate websites and social networks on their target. They can then construct and send legitimate-looking e-mails impersonating realistic senders (a coworker, boss, family member or a familiar organization) and trick people into believing the message they receive is legitimate. Through customization, hackers are able to deliver messages that can lure executives and employees in general into clicking on a bogus URL or into giving away sensitive data.
Users are now well versed in recognizing normal phishing attempts. The majority of people will not send account information or click on links in messages that promise a large inheritance or deposits coming from overseas countries. They may, however, be more willing to click on e-mails received by known senders (a boss, and HR official…) referring to a common friend or containing their own account number as an identifier. In addition, they might also be willing to download seemingly work-related files referring to last quarter sales or reorganization plans that appear to be sent by legitimate sources or a particular company department.
According to Trend Micro Incorporated, “monitoring revealed that 94% of targeted emails use malicious file attachments while the rest use alternative methods like installing malware by luring victims to click malicious links and to download malicious files, or else using webmail exploits.” Attachments are routinely shared within a company network and between coworkers, so it is easier to trick individuals into downloading files than actually into clicking on links. Spam filters also might be deceived into allowing the attachment through, but may be more sensitive to e-mails with links.
In general, then, phishers “combine tactics such as sender impersonation, personalization of the intended victim, enticement and access-control bypass techniques such as email filters, antivirus, and IDS/IPS evasion,” explains Todd Salmon, Director of the Security Assessment Practice for FishNet Security.
History of Spear Phishing
While phishing has been around since the 90s, its most targeted version, spear phishing, is a much more recent phenomenon. The first notable cases of spear phishing attacks were recognized around the year 2010. Studies show that in this period, mass phishing attacks declined. The number of spam messages went from 300 billion messages per day to 40 billion between 2010 and 2011. Within the same period, spear phishing grew by 300% and for a good reason: a spear phishing campaign is calculated to provide ten times the ROI compared to mass phishing attempts. Spear phishing emails are opened by targets in 70 percent of cases, compared to three percent normal rate for mass spam emails.
Spear phishing made the news in 2011 when an attack at RSA, the security division of EMC, was discovered. The strike was targeted to only four individuals within the company. As FireEye Inc. explains in a white paper, one of them downloaded the Excel spreadsheet that was carefully crafted by the hackers with a Trojan horse that allowed access into the corporate network thanks to a zero-day flaw in Adobe Flash. The spear phishing attack was the means to begin the aggression, then, followed an APT movement that allowed malicious hackers to steal administrators’ credentials and have access to information on Secure-ID customers including Lockheed Martin and Northrop Grumman.
In 2013, however, it became clear that spear phishing had actually been around a bit longer. The Kaspersky Lab discovered that a cyber-espionage-style incident had used phishing as the vector targeting various diplomatic, governmental and scientific research organizations for at least five years. Classified information, credential and intelligence were stolen through the “Red October” campaign, an attack perpetrated thanks to a malware called “Rocra” containing malicious extensions and backdoor Trojans. Victims were infected by a Trojan infiltrated through a targeted spear phishing attack, disclosed Kaspersky Lab’s team of experts.
A more recent episode involved Anthem, the second-largest health insurer in the United States. Malicious hackers gained access to the personal data (SSN, birth dates, e-mail and physical address information) of health care customers and used them to launch a spear phishing campaign that targeted people by constructing legitimate looking e-mails containing the info stolen.
Exploit tactics have also changed through time. Spear phishing is now coming through new channels, including “VOIP, SMS, instant messaging, social networking sites […],” says Jason Hong, a student from Carnegie Mellon University in a research paper.
As for what is in store, no one knows for sure; however, SMEs suggest spear-phishing will come to be the weapon of choice not only for general cybercrime but also for cyber terrorism. The fear is that spear phishing might become, in the near future, a useful tool for terrorists who might be able to use these techniques to gain access to important defense information.
According to TrendLabs’s APT Research Team report, Spear-Phishing Email-Most Favored APT Attack Bait declares that cyber strikes are a major concern as 91% of targeted attacks use spear-phishing emails. The most targeted industries are government agencies and activist groups. This is probably due, according to Micro Trend observations, to the abundance of information and contact data available on these organizations’ official websites.
Overall, spear fishing is particularly dangerous when it comes from within an organization. An employee or somebody very familiar with how an organization works or has knowledge of its organogram can easily create e-mail baits that would leave no doubts as to their legitimacy. This was particularly obvious in the case of Charles Harvey Eccleston, a former employee of the U.S. Nuclear Regulatory Commission (NRC) and of the U.S. Department of Energy terminated in 2010 and arrested in the Philippines with the accusation of attempting a spear phishing attack in January of 2015. The target of this attempt was a group of Department of Energy employees; the aim was the harvesting of sensitive information and the damage of the Department of Energy computers. Eccleston was not successful, but such an attack could have allowed him to gain access to sensitive nuclear weapon-related information that could have been easily sold to foreign nations, the US Department of Justice said.
Looking back, trends in spear phishing indicate dramatic shifts in attack strategy with attackers applying new security evasion tactics, says Websense Security Labs research. We have seen an increase in activity and in the success rate of these attacks. From phishers attempting to steal the log in credentials of users to obtain financial information, or else even penetrating their victims’ networks with malicious code. Troublesomely, “spear-phishing is one of the primary vectors of compromise and subsequent data loss,” states Websense, a firm with comprehensive security solutions. As stated in Websense Security Labs Top Phishing Findings (see infographic), it reveals, “92 percent of email spam contains a URL” pin pointing the United States as the country that continues to dominate the volume of hosted phishing URLs.
Fortunately, many computer mail users are getting better at recognizing and blocking these kinds of phishing emails. Becoming aware of spear phishing techniques has helped users to prevent acts started by cybercriminals. From learning what phishing is, can, help to reduce your risk.
Can you spot spear phishing? “Unless the users are educated (i.e., have the knowledge of various types of phishing techniques), they will be lured to the spoofed sites, say experts at Phishing.org. As well, “they should also be aware of anti-phishing techniques to protect themselves from getting phished.” There are various types of phishing scams, such as clone phishing, reverse-phishing, mass phishing, and whaling. Each is currently used today. Though the phishers’ method might be different, they have the same motive—i.e., of obtaining information from other people using spam, hoaxes, or phishing schemes.
Spear phishing attacks are not going away any time soon. Scam artists have been around for some time and will continue to be looming on the information highway and make both Web and e-mail-based threats. Spear phishing is so effective because the attackers usually invest time and effort to research their targets. Their ability to impersonate legitimate users and sites as well as masquerade themselves as a trustworthy entity may convince email users that any request of the phisher comes from a trusted sender. Do not be fooled. Once an attack is underway, it may too late to turn back, as the damage has already been done.
Yet, by investing in next-generation security solutions (e.g., anti-spam, anti-virus, firewalls, IDPS, and/or gateway sensors integrated with threat intelligence) to detect malware and zero-day exploits, there will be perhaps a chance to stop attack vectors used in spear phishing, says FireEye Inc., a US network security company. In order to reduce the likeliness of success from these types of attacks and be more resilient, it will require also proper continuous user e-mail awareness training on cyber security trends and conducting periodic anti-phishing campaigns.
Bromium. (n.d.). Spear Phishing. Retrieved from http://www.bromium.com/resources/threat-information/spear-phishing.html
FireEye, Inc. (2012). Spear Phishing Attacks – Why They are Successful and How to Stop Them. Retrieved from http://www.locked.com/sites/default/files/Spear-Phishing-Attacks-White-Paper.pdf
Hong, J. (2012). The Current State of Phishing Attacks. Retrieved from http://repository.cmu.edu/cgi/viewcontent.cgi?article=1282&context=hcii
Kaspersky Lab. (2013, January 14). Kaspersky Lab Identifies Operation “Red October,” an Advanced Cyber-Espionage Campaign Targeting Diplomatic and Government Institutions Worldwide. Retrieved from http://www.kaspersky.com/about/news/virus/2013/Kaspersky_Lab_Identifies_Operation_Red_October_an_Advanced_Cyber_Espionage_Campaign_Targeting_Diplomatic_and_Government_Institutions_Worldwide
Runald, P. (2012, October 9). What is Scaring Businesses the Most? Spear-phishing. New Websense Security Labs Research. Retrieved from https://community.websense.com/blogs/websense-insights/archive/2012/10/09/what-is-scaring-businesses-the-most-spear-phishing.aspx
Salmon, T. (n.d.). Tip of the Spear: Phishing or SpearPhishing? Retrieved from https://www.fishnetsecurity.com/6labs/blog/tip-spear-phishing-or-spearphishing
Suman, S., Srivastava, N., & Pandit, R. (2014, February). Cyber Crimes and Phishing Attacks. Retrieved from http://www.ijritcc.org/download/Cyber%20Crimes%20and%20Phishing%20Attacks.pdf
Tamir, D. (2013, July 3). FBI Warns of Increase in Spear-Phishing Attacks. Retrieved from https://securityintelligence.com/fbi-warns-increase-spear-phishing-attacks/#.VdW88WbouUl
US Department of Justice (2015, May 8). Former U.S. Nuclear Regulatory Commission Employee Charged With Attempted Spear-Phishing Cyber-Attack on Department of Energy Computers. Retrieved from http://www.justice.gov/opa/pr/former-us-nuclear-regulatory-commission-employee-charged-attempted-spear-phishing-cyber