Spear phishing is an email aimed at a specific individual or department within an organization that appears to come from a trusted source. In reality it is a criminal attempt to steal confidential information or to get malware onto the recipient's machine.
According to research from security software firm Trend Micro, 91% of cyber attacks and the resulting data breaches begin with a spear phishing email. Whatever the exact figure, it illustrates that the user, not the perimeter, is usually the weak link in IT security.
How It's Done
You may be wondering what it takes to mount this type of attack. It is not trivial, but it does not require exotic skills either: every tool mentioned below is freely available, and the hard part is the research, not the technology. We will first look at the steps required to send an attack, and then at the steps to mitigate this threat. For the (simplified) attack steps we are freely borrowing from a blog post by Brandon McCann, a well-known pentester.
We will try to keep this as non-technical as possible, but there will be a few terms you may have to look up. Here are the 6 steps:
1. Identify Email Addresses. There are two ways attackers run phishing campaigns. The first is 'spray-and-pray', a shotgun approach: collect as many email addresses from the organization as possible and send them all something they might click on. The second is to decide what data you are after, work out who has access to it, and target exactly those people. That is the spear phishing approach, and LinkedIn, for instance, is extremely useful during this targeting step. There are several ways to collect an organization's email addresses; the one favored by attackers is scripting queries against the large search engines and harvesting every address that turns up in the results. You would be surprised how many addresses can be captured this way, and how large a given organization's spear-phishing attack surface is. Once the attackers have the addresses of the few people they are targeting, it is on to step two.
2. Antivirus Evasion. For an attack to arrive in the target's inbox and run, the attachment or payload must get past the antivirus product the target uses. A quick search of IT job sites for open system administrator positions at the target organization reveals an astounding amount of information; postings often list exactly which antivirus product and version is in use. Failing that, DNS cache snooping (asking the organization's resolver whether it has recently looked up a given vendor's update servers) and social media offer other ways to find out. Once the AV product is known, it is installed on a test machine and the payload is rebuilt or re-encoded until it passes cleanly. Metasploit, the open source penetration testing framework, is commonly used to generate and encode such payloads.
3. Egress Filtering. The attackers cannot get information out of the organization unless the payload's traffic is allowed to leave the network. A popular Metasploit payload is called reverse_https: the compromised machine opens an outbound HTTPS connection back to the attacker's Metasploit listener, which is almost always permitted because it looks like ordinary web browsing on port 443, and the TLS encryption hides the content from intrusion detection systems and firewalls. Unless the organization runs a TLS-inspecting proxy, the exfiltrated data looks like normal HTTPS traffic to those products. What such a tunnel cannot hide from an outbound proxy or firewall log is where it connects and how regularly, which is why those logs matter to defenders.
4. Spear Phishing Scenario. Much has been written about this by now; it is the essence of social engineering. Users who have not had high-quality security awareness training are easy targets for spear phishers. The attacker researches the targets, finds out who they regularly communicate with, and sends each one a personalized email that uses one or more of the 22 Social Engineering Red Flags to get them to click a link or open an attachment. Just imagine receiving an email that appears to come from your significant other's address, with the subject line "Honey, I had a little accident with the car" and the body "I took some pictures with my smartphone, do you think this is going to be very expensive?"
5. Sending The Emails. One option is to stand up a temporary mail server and blast away, but a server with no sending reputation will have much of its mail blocked or quarantined. The better solution, from the attacker's point of view, is to go to GoDaddy, purchase a valid domain name (often a lookalike of the target's or a trusted partner's domain) and set up the free email service that comes with it, so that the MX records are created automatically and the domain looks like a normal, functioning mail domain. The GoDaddy WHOIS contact information is easily edited to mirror the targeted organization's registration details. All of this helps the mail get through, whether it is sent from an ordinary email client or with a script. Note that SPF and DKIM do nothing against this: the attacker's own domain passes those checks for itself. What they cannot tell the recipient is that a near-identical domain is not the real one, which is why lookalike detection and user training matter.
6. Harvesting Treasure. Let's assume the target clicked the link and the attackers were able to place a keylogger on the machine. Now it is a matter of waiting for the hourly burst of keystroke data back to their server and watching for the credentials they are after. With those in hand, they log into the workstation, dump the password hashes it holds, crack them (or reuse them directly, since Windows will often accept the hash itself), and work their way up to administrator access over the whole network.
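Steps 4 and 5 above describe what the recipient actually sees: a familiar display name, a sender domain that is almost but not quite the real one, and mail that was sent from infrastructure the attacker controls. The following is an added example written for this page (not code from the article or from Brandon McCann's post) showing how a mail gateway or triage script can catch those signals from the message headers alone. The trusted domains, the homoglyph table and the sample message are constructed for illustration; `example-corp.com` and `exarnple-corp.com` are placeholders.

```python
"""Header triage for a suspected spear-phishing message.

Added example, not part of the original article. It checks the three things
steps 4 and 5 above depend on: a sender domain that merely resembles a trusted
one, a visible From: address that disagrees with the envelope sender
(Return-Path), and a failed SPF/DKIM/DMARC verdict recorded by the receiving
mail server. TRUSTED_DOMAINS, HOMOGLYPHS and SAMPLE_MESSAGE are constructed
for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Domains the organization trusts (constructed). Sender domains are judged against these.
TRUSTED_DOMAINS = {"example-corp.com", "partner-bank.com"}

# Character sequences that are easily misread for one another in common fonts.
HOMOGLYPHS = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "3": "e", "5": "s"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance. One or two edits between unrelated domains means 'lookalike'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_homoglyphs(domain: str) -> str:
    """Collapse look-alike sequences so exarnple-corp.com compares equal to example-corp.com."""
    out = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        out = out.replace(fake, real)
    return out


def lookalike_of(domain: str):
    """Return the trusted domain that `domain` imitates, or None if it is trusted or unrelated."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if normalize_homoglyphs(domain) == trusted or edit_distance(domain, trusted) <= 2:
            return trusted
    return None


def domain_of(addr: str) -> str:
    """The part after the last '@', lower-cased; empty string if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw_message: str) -> list:
    """Return human-readable findings for one RFC 5322 message; an empty list means nothing odd."""
    msg = message_from_string(raw_message)
    findings = []
    _, from_addr = parseaddr(msg.get("From", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    from_dom, rp_dom = domain_of(from_addr), domain_of(return_path)

    imitated = lookalike_of(from_dom)
    if imitated:
        findings.append(f"sender domain {from_dom} resembles trusted domain {imitated}")
    if rp_dom and rp_dom != from_dom:
        findings.append(f"envelope sender domain {rp_dom} differs from From: domain {from_dom}")
    # Authentication-Results (RFC 7601) is stamped by the receiving server and carries
    # its SPF/DKIM/DMARC verdicts. Anything other than 'pass' is worth a flag.
    auth = msg.get("Authentication-Results", "")
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1).lower() != "pass":
            findings.append(f"{mech}={m.group(1)} according to the receiving server")
    return findings


# Constructed message modelled on the "Honey, I had a little accident" lure above.
SAMPLE_MESSAGE = """\
Return-Path: <bounce@mail-relay-7.example-hosting.net>
Authentication-Results: mx.example-corp.com; spf=fail smtp.mailfrom=example-hosting.net; dkim=none
From: "Alex (mobile)" <alex@exarnple-corp.com>
To: jamie@example-corp.com
Subject: Honey, I had a little accident with the car
Content-Type: text/plain

I took some pictures with my smartphone, do you think this is going to be very expensive?
http://photos.exarnple-corp.com/IMG_2031.zip
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_MESSAGE):
        print("FLAG:", finding)
```

Run as a script it prints four findings for the sample: the `rn`-for-`m` lookalike domain, the envelope/From mismatch, `spf=fail` and `dkim=none`. In production, trust the Authentication-Results header only when its authserv-id is your own gateway's, since an attacker can add one of their own to a message, and treat the lookalike check as a hint rather than a verdict: the edit-distance threshold will also fire on legitimately similar short domains.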
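Steps 3 and 6 above make a point defenders can use: a reverse_https channel hides its contents inside TLS, but a keylogger that phones home every hour leaves a rhythm in the outbound proxy or firewall log that no human browsing produces. The following is an added example written for this page (not code from the article, from Brandon McCann's post, or from Metasploit) that scores each (source host, destination) pair by how regular its connection gaps are. The log format and every sample line are constructed; the IP addresses and hostnames are placeholders.

```python
"""Beacon detection over outbound HTTPS proxy logs.

Added example, not part of the original article. Steps 3 and 6 above describe
a reverse_https implant that phones home on a fixed schedule (hourly in the
text). TLS hides what it sends, but a proxy or firewall log still records when
and where, and a timer-driven implant produces connection gaps far more regular
than any person's browsing. This script groups outbound connections by
(source host, destination) and flags pairs whose gaps are nearly constant.
The log format and every sample line are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev


def parse_log(lines):
    """Yield (timestamp, src, dst) from constructed lines of the form
    '<ISO timestamp> <src_ip> <dst_host>:<port> <bytes_out>'."""
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, _bytes_out = line.split()
        yield datetime.fromisoformat(ts), src, dst


def find_beacons(lines, min_count=5, max_cv=0.1):
    """Return {(src, dst): (mean_gap_seconds, cv)} for pairs that look like beacons.

    cv is the coefficient of variation (stdev / mean) of the gaps between
    consecutive connections. A person browsing produces gaps that vary wildly
    (cv near or above 1); an implant on a timer, even with a little jitter,
    stays well below 0.1. min_count stops us judging on two or three hits.
    """
    seen = defaultdict(list)
    for ts, src, dst in parse_log(lines):
        seen[(src, dst)].append(ts)

    beacons = {}
    for key, stamps in seen.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # every hit in the same second: a burst, not a schedule
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons[key] = (round(avg), round(cv, 4))
    return beacons


# Constructed proxy log. 10.0.0.23 checks in with an external host every hour,
# give or take a few seconds; 10.0.0.41 is a person reading the news;
# 10.0.0.77 is perfectly regular but seen too few times to judge.
SAMPLE_LOG = """
2024-03-04T08:00:02 10.0.0.23 cdn-updates.example.net:443 1480
2024-03-04T08:12:10 10.0.0.41 news.example.org:443 52110
2024-03-04T08:13:05 10.0.0.41 news.example.org:443 8320
2024-03-04T08:00:00 10.0.0.77 vpn.example-corp.com:443 900
2024-03-04T09:00:05 10.0.0.23 cdn-updates.example.net:443 1502
2024-03-04T09:00:00 10.0.0.77 vpn.example-corp.com:443 900
2024-03-04T09:47:22 10.0.0.41 news.example.org:443 61040
2024-03-04T09:59:58 10.0.0.23 cdn-updates.example.net:443 1476
2024-03-04T10:00:00 10.0.0.77 vpn.example-corp.com:443 900
2024-03-04T11:00:01 10.0.0.23 cdn-updates.example.net:443 1491
2024-03-04T12:00:04 10.0.0.23 cdn-updates.example.net:443 1488
2024-03-04T12:30:00 10.0.0.41 news.example.org:443 44870
2024-03-04T12:31:40 10.0.0.41 news.example.org:443 7710
2024-03-04T13:00:00 10.0.0.23 cdn-updates.example.net:443 1503
2024-03-04T15:05:11 10.0.0.41 news.example.org:443 39020
"""

if __name__ == "__main__":
    for (src, dst), (gap, cv) in find_beacons(SAMPLE_LOG.splitlines()).items():
        print(f"{src} -> {dst}: every {gap}s (cv={cv})")
```

On the sample the only pair reported is 10.0.0.23 to cdn-updates.example.net, at a gap of 3600 seconds with a coefficient of variation near zero; the browsing host scores far above the threshold and the VPN host is skipped for having too few connections. Real implants often add randomized jitter to their sleep interval, which pushes the cv up, so in practice you would relax `max_cv` somewhat and look over days rather than hours, and you would combine the timing score with destination rarity (how many other hosts talk to that address) to keep legitimate update checkers off the list.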