The term spear phishing evokes fishing with a spear: the attack is aimed at a single target.
Spear phishing attacks have a set of characteristics they share only with whale phishing (whaling) attacks.
Spear phishing characteristics are as follows:
- It is directed against one target, contrary to usual phishing attacks that are massively launched.
- Attackers know the industry, business, and procedures of the victim, and the organization they belong to.
- The message has a sense of urgency to prevent the victim from thinking clearly.
- The victim is low profile, not a wealthy individual; otherwise, it would be considered a whale phishing attack.
Although this kind of attack isn’t new and authorities have been trying to alert the public for more than a decade, this fraud method is on the rise. Losses generated by spear phishing are close to $12,000,000.
Intelligence agencies have also reported spear phishing attacks by their counterparts.
In some cases, victims decide to hide the incident because the damage to reputation may be worse than the damage inflicted by the attack itself.
How Are Spear Phishing Attacks Executed?
Spear phishing is a sophisticated technique when compared to conventional phishing attacks. Yet this technique does not always require IT security or hacking knowledge to be executed.
On the contrary, such attacks are social engineering based. This means the biggest work for the aggressor is to collect useful information to produce a convincing message for the victim.
To execute those attacks, scammers use automated tools like Setoolkit, included in the Kali Linux distribution, the most popular Linux distribution for pen-testing. Another tool widely used for phishing attacks is Metasploit (which can be integrated with Setoolkit). Other pen-testing frameworks also include social engineering modules to execute different types of phishing attacks, such as clone phishing and spear phishing.
Contrary to most known phishing attacks, which are randomly automated and launched, spear phishing requires a lot of activity on a unique target by the scammer.
Attackers’ main intention is to collect relevant information on the victim, such as credentials, financial information, protocols, procedures, employee names, and any other information useful to justify an interaction that results in the victim performing a specific action, like a funds transfer.
The most common communication channels include email, phone, and social networks. Social networks are also used by scammers to collect information.
Commonly the attacker establishes communication with the victim by assuming a false identity or by usurping the identity of an indirect victim. In the case of attacks via email, it is common to see attackers using email addresses similar to those belonging to the individuals whose identity they are usurping. Victims can easily identify and prevent this threat if they are aware of the techniques used by attackers.
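The lookalike-address trick described above (a sender domain that differs from the legitimate one by a swapped digit, a Cyrillic letter, or an extra label) is easy to check for mechanically. The following is an added example, not code from the original article or from any tool it mentions: it compares a sender's domain against a constructed allowlist of trusted domains after folding common visual confusables, and flags near-misses by edit distance or by the trusted name appearing as a label inside a longer domain. The trusted domains and sample addresses are constructed for illustration.

```python
# Added example: detect sender domains that look like a trusted domain.
# TRUSTED_DOMAINS and all sample addresses are constructed, not real deployments.
import unicodedata
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example.com", "example-corp.com"}

# Single characters that render like Latin letters: digits and Cyrillic homoglyphs.
CHAR_CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o",  # Cyrillic а е о
    "\u0440": "p", "\u0441": "c", "\u0445": "x",  # Cyrillic р с х
})
# Letter pairs that render like a single letter in many fonts.
PAIR_CONFUSABLES = {"rn": "m", "vv": "w"}


def normalize_domain(domain: str) -> str:
    """Lowercase, fold homoglyphs, strip accents, and reduce to ASCII."""
    d = domain.lower().translate(CHAR_CONFUSABLES)
    d = unicodedata.normalize("NFKD", d)
    d = "".join(ch for ch in d if not unicodedata.combining(ch))
    d = d.encode("ascii", "ignore").decode()
    for src, dst in PAIR_CONFUSABLES.items():
        d = d.replace(src, dst)
    return d


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; small distances between domains are suspicious."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike', 'external' or 'invalid' for a From: value."""
    _, addr = parseaddr(address)
    if "@" not in addr:
        return "invalid"
    domain = addr.rsplit("@", 1)[1].lower()
    if domain in trusted:
        return "trusted"
    norm = normalize_domain(domain)
    labels = norm.split(".")
    for t in trusted:
        tn = normalize_domain(t)
        # Same string after folding confusables, or within a couple of edits.
        if norm == tn or levenshtein(norm, tn) <= max_distance:
            return "lookalike"
        # Trusted name used as a label in a longer domain, e.g. example.com.evil.net
        # or mail-example.com.
        base = tn.rsplit(".", 1)[0]
        if any(lbl == base or lbl.startswith(base + "-") or lbl.endswith("-" + base)
               for lbl in labels):
            return "lookalike"
    return "external"


if __name__ == "__main__":
    # Constructed sample senders.
    for sample in ["Jane Doe <jane@example.com>", "ceo@examp1e.com", "ceo@exarnple.com",
                   "ceo@example.com.evil.net", "ceo@\u0435\u0445\u0430mple.com",
                   "partner@othercompany.org"]:
        print(f"{classify_sender(sample):10} {sample}")
```

A mail gateway rule or a user-facing warning banner can key off the `lookalike` result; the `max_distance` threshold should be tuned so that legitimately short trusted domains do not collide with unrelated ones.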
3 Famous Phishing Attacks
Even the biggest companies and organizations may fall victim to phishing, as proven by Google and Facebook. Defense institutions and companies were also phished and are included among the most famous phishing attacks, some of which were:
Facebook & Google ($100,000,000): It was reported in 2017 that Facebook and Google were phished for $100 million.
FACC Aerospace and defense industry ($55,000,000): The hoax email asked an employee to transfer money to an account for a fake acquisition project.
Ubiquiti Networks ($46,000,000): Cyber thieves stole $46.7 million using Spear phishing, spoofing executives to instruct unauthorized international wire transfers.
The companies mentioned above are among those investing the most in their own security. The attacks succeeded by exploiting human vulnerabilities.
How to Protect Against Spear Phishing
Companies and organizations are often the end targets of spear phishing attacks, and there is a lot they can do to prevent their employees or members from becoming Trojan horses. Protective measures include:
- Raising awareness among employees and members of the organization about the characteristics of this kind of attack.
- Keeping a properly structured permissions system restricting risky access.
- Having a two-step verification on all services and login forms.
- Enabling restrictive firewall policies.
- Ensuring security for mail servers and devices.
Companies’ Achilles heel facing this threat is the human factor. Employees and organization members are the main vulnerability targeted in this type of attack. That’s why the first recommendation in the face of this risk is to train employees and members to identify phishing attacks. Training doesn’t require special knowledge and can be implemented by the IT department. External security consulting firms also offer training.
Proper permissions and access administration is an additional way to address the vulnerabilities of the human factor. Well-designed permission policies may also prevent a successful attack from propagating to the rest of the company or organization.
Some organizations also implement identity validation systems to verify the authenticity of communications. There are many software solutions available that combine protocols with AI to detect anomalies even if the attack succeeds in passing the human barrier.
Common security measures for daily threats must not be ignored since they can also prevent phishing attacks or mitigate the damage. Sysadmins must incorporate heuristic and network traffic analysis into their hardening security checklists. Firewall policies must be carefully applied and complemented with Intrusion Detection Systems (IDS).
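The anomaly detection and heuristic analysis mentioned in the two paragraphs above can be made concrete on the mail side. The following is an added example, not code from the original article or from any product it refers to: it parses raw messages with Python's standard `email` module and reports the signals a mail filter or analyst would look at in a spear phishing attempt, namely a display name that matches a known executive while the sender domain is not internal, a Reply-To pointing to a different domain than From, urgency or secrecy wording, and `spf`/`dkim`/`dmarc` failures recorded in the Authentication-Results header. The internal domains, executive names, and both sample messages are constructed for illustration.

```python
# Added example: heuristic checks over parsed email headers and body.
# INTERNAL_DOMAINS, EXECUTIVE_NAMES and the sample messages are constructed.
from __future__ import annotations

import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.com"}
EXECUTIVE_NAMES = {"alice example"}
URGENCY_TERMS = ("urgent", "immediately", "wire transfer", "confidential",
                 "do not discuss", "before end of day")


def _domain(header_value: str) -> str:
    """Extract the lowercase domain from an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def body_text(msg: Message) -> str:
    """Concatenate text/plain parts (or the single body) as decoded text."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True) or b"" for p in msg.walk()
                 if p.get_content_type() == "text/plain"]
        return " ".join(p.decode(errors="replace") for p in parts)
    payload = msg.get_payload(decode=True)
    return payload.decode(errors="replace") if payload else ""


def analyze_message(raw: str, internal=INTERNAL_DOMAINS,
                    executives=EXECUTIVE_NAMES) -> list[str]:
    """Return a list of human-readable findings; an empty list means no signal fired."""
    msg = message_from_string(raw)
    findings: list[str] = []
    display_name, _ = parseaddr(msg.get("From", ""))
    from_domain = _domain(msg.get("From", ""))

    # 1. Display-name impersonation: a known executive's name on an external address.
    if display_name.strip().lower() in executives and from_domain not in internal:
        findings.append(f"display name '{display_name}' matches an executive "
                        f"but sender domain is {from_domain}")

    # 2. Reply-To redirection: replies would leave the apparent sender's domain.
    reply_domain = _domain(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 3. Pressure language in subject or body.
    text = (msg.get("Subject", "") + " " + body_text(msg)).lower()
    hits = [t for t in URGENCY_TERMS if t in text]
    if hits:
        findings.append("urgency or secrecy language: " + ", ".join(hits))

    # 4. Failed sender authentication recorded by the receiving MTA (RFC 8601 header).
    auth = msg.get("Authentication-Results", "").lower()
    failed = [m for m in ("spf", "dkim", "dmarc") if re.search(rf"\b{m}=fail\b", auth)]
    if failed:
        findings.append("authentication failures: " + ", ".join(failed))
    return findings


# Constructed sample: a suspicious message imitating an executive.
SUSPICIOUS = """\
From: "Alice Example" <alice.example@example-payments.net>
Reply-To: ceo.office@mail-relay.example-payments.net
To: bob@example.com
Subject: URGENT wire transfer - confidential
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example-payments.net; dkim=none; dmarc=fail

Bob, I need you to process a wire transfer immediately. Do not discuss this with anyone.
"""

# Constructed sample: a routine internal message.
BENIGN = """\
From: "Alice Example" <alice@example.com>
To: bob@example.com
Subject: Q3 planning notes
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass

Attached are the notes from Monday.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, analyze_message(raw) or ["no findings"])
```

Each finding on its own is weak evidence; the value is in combining them, so a filter would typically quarantine or banner a message once two or more fire rather than acting on a single one.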
Although these types of attacks carry great risks, prevention is really inexpensive.
Employee education, the meticulous design of permissions and access, and the implementation of protocols are measures accessible to any organization attractive to this kind of scammer.
Developments in digital security like two-step verification forced scammers to improve their techniques, making spear phishing a trend along with similar techniques like whale phishing.
Still, many people fall victim to all phishing techniques as companies don’t realize the real risk phishing carries. Companies like Facebook or Google were victims of a phishing scam, which generated losses of $100,000,000.
Spear phishing is often confused with whale phishing. It is important to note the difference, which lies in the type of target: spear phishing targets low-profile individuals in order to scale access, while whale phishing targets executives and high-profile members of organizations. However, the security measures to adopt against both phishing modalities are the same.
I hope this article on Spear phishing was useful. Keep following Linux Hint for more Linux tips and tutorials.