How spear phishing is done: The anatomy of an attack

By: Dr. Swapan Purkait, Director, Nettech

We have all heard about Phishing, a social engineering process of enticing people into visiting fraudulent websites and persuading them to enter their personal information on the same. At this point you will say, “I know, I know, I am not suppose to click on any hyperlinks, suppose to check for https on the URL and never to submit any credit card or financial login information such as, user ID and password in any email form”. Good, you know what phishing is, but who said I want your user ID and password. I am not looking for your money. I am more interested on your corporate “family jewels”the information which will be beneficial to competitors or harmful to your company if disclosed. The best part is I am not going to steal it, you or one of your company employee will email the same to me. Welcome to the world of spear phishing.

The term spear phishing comes from the ancient method of spearing fish from rivers and streams using sharpened sticks. Spear phishing differs and is more serious than a simple phishing attack in that it is targeted either at a specific group, or worse, at an individual.

You must be smiling, thinking that your email spam filters or your anti-virus solutions are very effective at removing the barrage of regular phishing attacks that you get every day. Unfortunately they will be ineffective against my spear phishing attack, as I will be working on the principal of “aim small, miss small”.  You still think I am kidding, fair enough let me tell you, how I am going to do it. Do try and stop me.

How I am going to do it:

The first thing you need to realize is that Spear Phishing has been around for a very long time, and it is nothing more than Social Engineering (SE) via electronic means. Now when I say electronic means don’t assume it will be only an email-based threat, it can be carried out over any electronic media, from cell phones, text messages, chat boxes, social media sites, blogs, or comments posted in an online articles that target a very specific audience. In other words, spear phishing can be very simple or it can be extremely complex and multi-faceted, depending on whom I am targeting in your organisational structure.

The means can be different, but the goal remains the same, I want something, that you have may be in physical form or in your computer system. I am aware that I will not be able to enter your office or access your computer system in person. I am going exploit the weakness embodied in human behaviour, the willingness to help, to trust or simply follow an a order given by the manager.

Step #1 Information gathering:

The spear phishing works on familiarity, the target should trust me. To start with I will collect all information that I need to know about you and my target victim. For example, let’s say my target is going to be your personal secretary or a colleague who is working with you on a high-profile project. Where will I get all those information? Have you ever tried to search yourself in Google. Try simply Googling your full name in parentheses and see what results comes up, also check the ‘images’ results. Everything I need to know, will be there usually. All those lovely posting in social media will also add to my benefit. Your last foreign tour, last official party, last team picnic or the last book you read, it’s all there.

Step #2 The attack:

If I use the email route, I am going to “spoof” your email address by forging the email header information and the email text signature so it appears to be coming from you. While addressing your colleague or your secretary I will not use the salutation as “Dear Sir/Madam”, instead personalize the same, will use his or her name for ex. “Hello Swapan” or only “Swapan”. To make the email more trustworthy, I will start with a reference to the last party or the meeting or your last tour or may be an up-coming event. Once the tone is set, I will ask for an important document to be emailed to me on a priority basis giving some urgent excuse.

Because the email seems to come from you, containing information which is true about you. And because of the urgent nature of the business, your secretary or your colleague will be tempted to act before thinking and end up sending that confidential document on the email to me.

The Defence:

So how to defend yourself and your organization against spear phishing?  The first step is to understand that it can happen to you, to acknowledge that there are many motivated parties out there, who are willing to try this attack on you. Next will be to ask yourself what motives someone might have to attack your organization.  What information would be beneficial to competitors or harmful to your company if disclosed?  Once you have identified the data that is likely to be targeted and requires the greatest protection you need to create an information security policy addressing how to label/handle/communicate that data to the authorised user. Once the policy is in place you have to educate your users.  Focus upon the basics, how someone may structure the attack, how an email address or phone number can be easily spoofed, how someone can use social engineering and use the information available on corporate website or social media, how hyperlinks can take you to a wrong destination. Please note the most educated end user in the world can still fall prey to spear phishing attacks if they are not aware of how to change their normal behaviour patterns while handling sensitive information. 

And always remember: Don’t give up too much personal information online, because you never know who might use it against you. Or how.

Hope you will be prepared before I attack !!

Some of the well known Spear Phishing attacks

2011

RSA SecurID attack

The spear phishing attacks targeting RSA, the security division of EMC Corp., took place over a two-day period and targeted to only four individuals within RSA. Attackers were successful in getting at least one employee to retrieve it from their junk mail folder and open the Excel file titled “2011 Recruitment plan.xls.” Eventually, attackers gained access to critical systems.

2015

Google Drive attack

It was targeted to specific Google drive users with an email stating “I’ve shared a secure document with you via Goggle drive” and a click to view button at the bottom. Clicking the ‘click to view’ button takes the victim to a phishing website which looks like a legitimate Google login screen. This scam proved successful as they appeared to be from individuals or businesses you know and trust.

1 comment

  1. sumit

    Good article sir. I remember that in the class you did something of this sort and even our antiviruses did not give any alerts regarding to that.

Leave a Reply

Your email address will not be published. Required fields are marked *