What is Spear Phishing?
Spear phishing is when a specific company or individual is targeted by hackers with a highly tailored phishing attack. Unlike the more scattershot, spammy phishing attacks used by some attackers, the level of research and preparation involved in a spear-phishing attack is far higher. In fact, that preparation is often useless outside of the specific domain or company that has been selected. That's the investment that spear phishers are willing to make. Because it works.
Primary targets depend on the ultimate goal but often involve members of IT, HR, finance, or those who would be considered senior management or above. Anyone with power over others, or power over computing systems, can be leveraged. Tertiary targets can often lead to success as well, of course, since inside access is the biggest hurdle. Even an intern's login might result in escalation, depending on what systems they have access to and who else within the company will be fooled by seemingly legitimate E-mails from that individual.
One variant of spear phishing is called 'whaling'. This is an attack that goes beyond targeting a company, or whoever the most vulnerable member of an organization might be. Instead, whaling specifically targets C-level executives, board members, senior vice presidents, and the like. Trying to gain leverage over, or assume the identity of, someone in power can often yield much more dramatic results than a normal spear-phishing attack.
How Does Spear Phishing Work?
The full process of a successful spear-phishing or whaling attack depends on the end goal. A hacker has to ask themselves: What is spear phishing going to accomplish in this scenario? This helps narrow down targeting and determines how the social engineering side of the attack will be crafted.
But in general, spear-phishing follows a number of common steps:
- Research: As boring as it might seem, quite a bit of the effort spent on a spear-phishing attack is done using Google. Research is conducted on the target company's websites, social media, and even via inquiries on their own customer service pages. They are all used to gather as much information about the corporate structure and culture as possible.
External resources are next, covering job boards, career review sites, media write-ups, recent news articles, charity activity, government applications (bids, grants, etc.), and anything else that sits in the public domain. This should complete the general profile of the target company or individual.
Then the reconnaissance gets far more specific: org charts, vendor partnerships, software suites, firewall and server information, IP address ranges, registered domains on an international scale, insurance information, preferred delivery companies, paper and e-waste recycling services, links to home addresses, bank and escrow services, and associated IT procurement companies. These things may require some digging, some personal reconnaissance, some social engineering, and yes… even some dumpster diving depending on locality.
- E-mail Enumeration: After the first step is completed and a full profile of the company or individual has been worked up, it's time to harvest E-mail addresses.
The process of gathering the E-mail addresses of potential spear-phishing targets is rapid and systematic, although whaling and individual targeting narrow the field by quite a bit. At first, searches are conducted for just the addresses themselves without the associated passwords. This is done with a script that automatically hits all of the major search engines, hack lists such as Have I Been Pwned, and known E-mail address databases.
After the results have been scrubbed and key individuals identified as accurately as possible, specific E-mail address prefixes are cross-referenced with password lists from known breaches. Though this is only particularly effective and worthwhile with more unique names (imagine how many Bob Smiths have been compromised over the years), every once in a while the attackers will score an easy hit from someone lazy enough to use the same password for years across multiple services… including their work E-mail. You'd be surprised at how many people do this... More than two-thirds of Americans use the same password for multiple accounts, and 13% of them use the same password for ALL of their accounts. If there's a hit on the password, several steps can be skipped (depending on the goal of the attack).
- Target Identification: Next is a deep dive into the identity, role, and lifestyle of each targeted E-mail address. This will help select the right primary target from a list of potentials, as well as craft a specific approach to the social engineering side of the operation. This starts with cross-referencing the name to any kind of available org chart. Then another public record search, including social media. Finally, whatever level of surveillance and investigation seems appropriate. For whaling, this can include paid informants, private investigation, or even trash and recycling raids depending on just how valuable the result of the hack is estimated to be.
If there's any spending involved in any of these stages (which is quite likely in this stage and the next two as well), it needs to be weighed against the 'expected value' (EV) of the attack. For example, if the estimated success rate is 10%, and the estimated ransom is $1,000,000, the mean EV of each spear-phishing venture is $100,000. Spending on research and other resources (Cloud, hardware, software licenses, etc.) comes out of that $100k, as does a flat percentage for bankrolling future activities, and then the remainder is split amongst the group. EV is how a hacker or hacking collective knows what their budget should be to make their time spent worthwhile.
- Firewall, Spam, and Antivirus Evasion: Part of the research that hackers undertake in their spear-phishing attempts is getting around protective measures. A single antivirus or a spam filter can ruin weeks of effort, and there's no point in trying to blackmail someone if a firewall's outbound filters completely nullify the data extraction attempt.
So the attackers will create a testbed (mostly using Cloud resources rather than hardware computing solutions, whenever they can get away with it) with the exact versions of the security suite that they'll need to beat. This way they can send test messages, sample attachments, and mocked-up transactions to see what gets through and what gets blocked.
The most common way to evade a firewall's egress filtering is to use HTTPS and just stream the results out as encrypted web traffic. Really, any method that will hinder deep packet inspection will do the trick, assuming the right ports are open. Preparation, advanced automation, and clever scripting are the keys to success here.
- Craft the Right Social Engineering Strategy: This is where all of the research pays off: Knowing the target inside and out, getting a domain (or getting access to a domain) that will provide maximum believability when sending that first E-mail, tapping into their routines and emotions… all of these things are important to a successful spear-phishing attack.
Getting the victim to 'patch' their software or 'change their password' are typical techniques. This means that the less security-aware (or generally aware) they are, the better. In fact, the less they care about the company, the better. Because it's quite reasonable to simply hover over a link and see where the true destination is, and then question why that link isn't internal. And it's equally reasonable to question why IT would send out an update as an attachment rather than push out a patch like they normally do.
The target should therefore be unreasonable, badly trained, and either overly emotional or emotionless. Someone who will leap before they look because they're either incredibly optimistic and naive or incredibly bitter and they just don't care anymore. But really, anyone who will click that link for any reason will do.
- Extract the Data and Exploit the Victim: The final step is to execute the plan and start plotting out the next one. Spear phishing is 99% preparation and automation. Once the research has been put in and the attack crafted, there's very little hands-on work left to do unless it is fruitful. So the attackers will either start looking at plans B, C, and D within the same organization or start research on their next victim.
If their spear-phishing or whaling expedition is a success, they can start to figure out how to extract the maximum amount of money from the data breach. That might be blackmail, insurance, open market sale, or targeted resale.
They might also be incentivized to stay quiet about the attack if they weren't immediately detected. Promiscuous network exploration might lead to even more (or even more valuable) data caches. Internal servers might not be as hardened as client-facing ones, allowing permission escalation. Then the hackers can assess their next move, confident that they already have something of value as they poke around for more.
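The social engineering step above relies on the victim not doing two reasonable checks: hovering over a link to see whether its true destination matches what is displayed (and whether it is even internal), and questioning a 'patch' that arrives as an attachment. Both checks can be done mechanically on the defensive side; the following added example (not code from the original article) audits an HTML mail body and its attachment names for those two tells, with INTERNAL_DOMAIN, the sample mail and the attachment name being constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

INTERNAL_DOMAIN = "example-corp.test"  # assumed placeholder for the company's own domain
RISKY_ATTACHMENTS = (".exe", ".msi", ".js", ".vbs", ".scr", ".hta", ".iso")

def _host(s):
    # Host of a URL or bare domain with no spaces; None for ordinary link text.
    s = s.strip().lower()
    if not s or any(c.isspace() for c in s):
        return None
    host = urlsplit(s if "://" in s else "http://" + s).hostname
    return host if host and re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", host) else None

class _LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None

def audit_mail(html_body, attachments=()):
    """Return findings for the two tells; an empty list means none was found."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        real, shown = _host(href), _host(text)
        if real is None:
            continue
        if shown and shown != real:   # displayed domain differs from true destination
            findings.append(f"link text says {shown} but points to {real}")
        elif real != INTERNAL_DOMAIN and not real.endswith("." + INTERNAL_DOMAIN):
            findings.append(f"external link to {real} in mail posing as internal")
    for name in attachments:          # a 'patch' arriving as a file, not a pushed update
        if name.lower().endswith(RISKY_ATTACHMENTS):
            findings.append(f"executable-style attachment {name}; IT pushes patches, not files")
    return findings

# Constructed sample: a 'change your password' mail whose link really leaves the company.
SAMPLE = ('<p>IT: visit <a href="https://portal.example-corp.test.login-help.invalid/reset">'
          'portal.example-corp.test</a> to change your password.</p>')
```

Run `audit_mail(SAMPLE, ["Patch_KB_update.exe"])` to see both tells reported; a mail whose links all resolve inside INTERNAL_DOMAIN and that carries no executable-style attachment yields an empty list.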
What is Spear Phishing's Impact?
Successful spear phishing attacks have led to millions in ransom and/or blackmail. Trade secrets, pending patents, secret negotiations, future ad campaigns that unveil entirely new products… the secrecy of all of these things can be assigned a dollar value.
But beyond that, a successful hack can shake up corporate culture. Particularly if employees discover they're being victimized or lied to in some manner. At a minimum, the person who took the bait might be fired. However, an unusually harsh or greedy move on the part of the executives can cause a backlash if it reaches the light of day. Internal employee rebellion, press involvement, and even government sanctions could be the result.
Most companies will weigh all of these factors, and then simply cut a check if they can afford to do so. Part of target selection is assessing company health and financial means. Pulling off an excellent hack is only a first step. Getting the money into the right account is the endgame.
Measures Against Spear Phishing
The best way to avoid spear phishing and whaling is to engage in rigorous security training and to practice a measure of anonymity outside of work. Being careful what you share on social media is also key. Having as few ties as possible between a work E-mail address and a personal one is a huge boon. If possible, have separate devices for personal and professional use. By removing that link between home life and work life, spear-phishing research becomes far less effective.
At an enterprise level, some form of protection on laptops, company mobile phones, and other mobile devices is critical. Combine antivirus and anti-malware suites with a managed corporate VPN so the two work alongside each other.
In Conclusion
Spear phishing is a real threat in 2021, particularly when social media is being used more heavily than ever and work-from-home blurs the lines between the professional environment and a user's personal space. Users will often run the exact same hardware and software for both activities, as a matter of fact.
So it's more important than ever to take every precaution to avoid becoming profiled. A hacker will use any edge they can find, and exploit any piece of personal information that they can dig up, as long as there's a potential victory (and paycheck) in their future. It's better to be safe than sorry.
Of course, being informed will also help you sidestep security risks. Read more here: Online Privacy Pitfalls that Put You at Risk of Data Breaches.