Generally, Phishing attacks involve sending out mass E-Mails; in other words, there is no one targeted individual or organization.  Whatever contact information the Cyber attacker can get their hands on is used.  But in the recent past, a new trend has been developing in which hundreds of targeted E-Mails are sent to an organization, tailored specifically for those recipients.  All the attacker needs is one person in that organization to open and click on the link or attachment for the campaign to be successful.  This tactic is known as “Spear Phishing”.  It can be defined specifically as follows:

“It is a phishing method that targets specific individuals or groups within an organization. It is a potent variant of phishing, a malicious tactic which uses emails, social media, instant messaging, and other platforms to get users to divulge personal information or perform actions that cause network compromise, data loss, or financial loss.”

(SOURCE:  https://www.trendmicro.com/vinfo/us/security/definition/spear-phishing).

Thus, in these instances, the Cyber attacker has already done their research ahead of time and knows who or what they specifically want to target.  In a way, this is similar to a Business E-Mail Compromise (BEC) attack, in which a C-Level executive is primarily targeted in order to get them to transfer funds.


Why Is Spear Phishing So Successful?

So how is it that the Cyber attacker is so successful when launching these kinds of campaigns?  First, they are consistently sharpening and refining their skills in conducting the research needed to launch a laser-focused attack.  Second, the Cyber attacker does not rely upon fancy technology to execute a Spear Phishing campaign.  Rather, they rely upon the old-fashioned techniques of Social Engineering to push their attacks forward.

The Cyber attacker demonstrates a considerable amount of patience.  For instance, they spend an enormous amount of time researching their primary target.  They are in no rush to get this task accomplished.  The more accurate the information they have, the greater the statistical probability that their well-crafted E-Mail will make it through the Spam Filters.

They often rely upon the Social Media sites that the individual or even the organization uses, and try to glean as much contact information from them as possible.  Internet-based background searches are another commonly used tool.


What Is the Spear Phisher After?

So, what is the Cyber attacker exactly looking for when launching a Spear Phishing campaign?

There are three main items of interest:

Money, Money, Money and lots of it:

While other Phishing-based campaigns focus on getting any kind of personal information and data, the Cyber attacker in this case wants just one thing: your cash.  As a result, they tend to target the following:

  • Credit card companies;
  • Insurance organizations;
  • Credit Unions;
  • PayPal;
  • Amazon.

In their Spear Phishing E-Mail, the Cyber attacker does not traditionally attach a .DOC or .XLS file.  Rather, they will attach a .HTML file, or include the relevant HTML data in the body of the message.  If the victim either downloads this attachment or clicks on the link, he or she will be taken to an authentic-looking but spoofed website, where they enter their password.  From this point, the Cyber attacker hijacks that password, logs into whatever online financial account they know the victim possesses, and steals as much money as they possibly can.  According to the FBI, over 7,000 financial-related institutions have been targeted since 2015, which has resulted in a loss of well over $612 Million.

They wait for particular times of the year to launch their attacks:

It is important to note that Spear Phishing attacks do not just occur at any time of the year.  Rather, they occur at special points in time where there is a lot of activity happening.  A typical example of this is tax season.  To launch their Spear Phishing campaign, the Cyber attacker will covertly pose as some sort of tax-related entity (primarily the IRS), requesting that the tax preparer send over sensitive information about their clients (primarily Social Security numbers).  This request will often come in the form of an E-Mail message, with the sending address typically being one of the following:

These types of E-Mail messages often contain a VBA script that is malicious in nature, and worse yet, it will automatically execute itself once the attachment is opened.  Another time at which a Spear Phishing attack will typically occur is during a catastrophic event, such as a natural disaster.  In these types of scenarios, the Cyber attacker will send out an E-Mail that appears to come from the Red Cross, asking for donations or other kinds of financial assistance.  Very often, when the victim clicks on that link, they will once again be taken to an authentic-looking but spoofed website.  But rather than asking them to log into a website so that their login information can be captured, the victim is asked to donate money.  From there, it is deposited into a phony bank account set up by the Cyber attacker.
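The two lure shapes described above, an .HTML attachment or HTML body that carries a credential-harvesting form, and an Office attachment that carries a macro project, are both things a mail gateway or an analyst can check for before a message reaches the recipient.  The script below is an added example written for this post, not code from the original article or from any vendor: it parses a raw message with Python's standard `email` library, flags HTML attachments, password fields inside HTML, links whose visible text names a different host than their `href`, and Office attachments that contain a `vbaProject.bin` part (the marker of a macro-enabled document).  The sample message, its addresses and hostnames are all constructed for the example.  It detects that a macro project is present, not what the macros do; inspecting the macro source itself would need a tool such as oletools.

```python
"""Added example (not from the original post): defender-side triage of an inbound
message for the lure shapes the text describes. The sample message is constructed."""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse


class _FormScanner(HTMLParser):
    """Collects password inputs, form targets and anchor href/visible-text pairs."""

    def __init__(self):
        super().__init__()
        self.password_inputs = 0
        self.form_actions = []
        self.links = []            # (href, visible text)
        self._current_href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "input" and (attrs.get("type") or "").lower() == "password":
            self.password_inputs += 1
        elif tag == "form":
            self.form_actions.append(attrs.get("action", ""))
        elif tag == "a" and "href" in attrs:
            self._current_href = attrs["href"]
            self._text = []

    def handle_data(self, data):
        if self._current_href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._current_href is not None:
            self.links.append((self._current_href, "".join(self._text).strip()))
            self._current_href = None


def scan_html(html: str) -> list:
    """Return human-readable findings for one HTML document."""
    findings = []
    p = _FormScanner()
    p.feed(html)
    if p.password_inputs:
        findings.append(f"credential form: {p.password_inputs} password field(s), posts to {p.form_actions}")
    for href, text in p.links:
        href_host = urlparse(href).hostname or ""
        m = re.search(r"https?://([^/\s]+)", text)   # link text that itself looks like a URL
        if m and m.group(1).lower() != href_host.lower():
            findings.append(f"link text host {m.group(1)!r} differs from href host {href_host!r}")
    return findings


def has_vba_project(data: bytes) -> bool:
    """Macro-enabled OOXML files (.docm/.xlsm) carry a vbaProject.bin part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(name.endswith("vbaProject.bin") for name in z.namelist())
    except zipfile.BadZipFile:
        return False


def triage(raw: bytes) -> list:
    """Triage one RFC 5322 message; returns a list of finding strings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        findings += [f"html body: {f}" for f in scan_html(body.get_content())]
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        if name.lower().endswith((".html", ".htm")):
            findings.append(f"attachment {name}: HTML attachment")
            findings += [f"attachment {name}: {f}" for f in scan_html(payload.decode("utf-8", "replace"))]
        if has_vba_project(payload):
            findings.append(f"attachment {name}: contains VBA project (macro-enabled)")
    return findings


def build_sample() -> bytes:
    """Constructed message exercising both lure shapes; every value is made up."""
    msg = EmailMessage()
    msg["From"] = "billing@example.test"
    msg["To"] = "victim@example.test"
    msg["Subject"] = "Action required"
    msg.set_content("Please see attached.")
    msg.add_alternative('<p>Verify your account at <a href="http://login.example.test/verify">'
                        'https://bank.example.com</a></p>', subtype="html")
    login_page = ('<form action="http://collector.example.test/post">'
                  '<input type="text" name="user"><input type="password" name="pw"></form>')
    msg.add_attachment(login_page.encode(), maintype="text", subtype="html", filename="invoice.html")
    buf = io.BytesIO()                      # minimal zip shaped like a .docm, with a macro part
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12", filename="statement.docm")
    return msg.as_bytes()


if __name__ == "__main__":
    for line in triage(build_sample()):
        print(line)
```

Run as-is it prints four findings for the constructed message: the mismatched link in the body, the HTML attachment, the password form inside it, and the macro project in the .docm.  In a real deployment the findings would feed a quarantine decision or an analyst queue rather than a print loop.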

The theft of corporate data:

Another prime interest of the Cyber attacker is stealing sensitive data.  This typically includes contact information for customers, such as names, phone numbers, E-Mail addresses and the like.  Once this is collected, the Cyber attacker has enough information at hand to conduct further and deeper research into their intended victims.  Also at stake here is information pertinent to the IT infrastructure of the business or corporation, which can be used to launch a Ransomware attack targeting the organization’s workstations, servers, and wireless devices.

Conclusions

In our next blog, we will examine how you can mitigate the effects of a Phishing Attack.