[BreachExchange] Understanding Why Spear Phish Are Highly Effective

[Audrey McNeil]

https://securityboulevard.com/2018/07/understanding-why-
spear-phish-are-highly-effective/


In the Oscar-winning movie The Sting, Harry Gondorff (played by Paul
Newman) explains to his apprentice Johnny Hooker (Robert Redford) that the
con that they set up must be so convincing that their mark, Doyle Lonnegan
(Robert Shaw) won’t even realize that he’s been taken.

Today, Gondorff and Hooker might not have needed to use a past-posting
scheme to con Lonnegan. Instead they might have used a spear phishing email
to bilk him of his money. It would not have made such a fun movie, but it
might have been a more effective con.

They might have pored over Lonnegan’s presence, including Facebook,
LinkedIn, or other online profiles. They will have used Google, or an
online service like Spokeo to learn more about his work. They will have
built a little chart key relationships – including the victim’s family and
closest circle of friends (from tagged photos they find online), colleagues
(from news articles, social media posts, and Linked-In), managers (from
Linked-In and other web sources), and the key players in Lonnegan’s
professional network (from corporate websites and other online reports).
Then they would be ready to spring their trap.

Understanding Spear Phishing or Targeted Phishing Attacks

A spear phish is a particularly damaging kind of email attack. Unlike a
traditional phishing attack (which is bulk mailed to a large audience of
potential victims) a spear phish is a one-of-a-kind email that has been
built specifically to achieve a simple purpose. It is built to attack,
beguile, and exploit its intended victim. It is the product of hours of
research by the con artists.

These are especially convincing scams, because it will be clear that the
criminals have access to some personal information about the victim. That
personal nature of the communication gives the email legitimacy – it is
designed to influence the recipient to lower their guard and do something
they usually wouldn’t do. Unfortunately, spear phish often succeed.

A spear phish is not a bulk email. It is a carefully created email that is
literally customized for each target. The attacking email will appear to
come from a colleague, a friend, or a superior. It will address the victim
by name or even nickname, in a familiar context. It may refer to a specific
project or work initiative, or something else that gives it legitimacy for
the victim. Heed these signs:

The Wrong Kind of Personalized Experience

Spear phishing emails are almost always personal. The greeting will often
be familiar, “Eliza” rather “Dear Mrs. Doolittle” or “Dear Eliza”. Often
the email will invoke a familiar name as the sender. “It’s Hugh, Hugh
Pickering here.” Since the mail is clearly to you, and appears to be from
someone familiar, you are much more likely to engage with the email as a
trusted document. The personal touches have given the attack credibility,
and lull you into a lower state of vigilance.

From: Your Contact List

A modern criminal will usually send their spear phish from an email address
that closely resembles a familiar email address. They might misspell the
company name, or add a dot to the name that you might overlook. In any
event, they will try to make the email look legitimate. In some cases, the
criminals have compromised a corporate email account, so that they can
actually send their spear phish from a real internal location.

Informed Social Engineering

The bad guys will stop at nothing to make their email seem credible. If
they can find the information, they will include a reference to an actual
work initiative or project that you (or they) are working on. This
information might have been sourced from public news stories, or from other
online postings. “Eliza — Henry and I have just finished our new
“Beginner’s Guide to Iberian Meteorology”, would you mind giving it a quick
read to make sure we haven’t left out anything important? Thanks. I’ll call
you this afternoon to get your feedback. /Hugh.

A Reasonable Request

Often, the spear phish is designed to prime you to take a small action – to
open an attached document, or to click on a link. A link might take you to
a site that automatically downloads malware, or a Trojan onto your machine.
The attached file– a spreadsheet, document, graphics file, or PDF, might
contain malware that will infect your system. Sometimes the action is more
explicit – faxing a confidential report, or even wiring funds to a
“partner”. Regardless, the spear phisher is leveraging your trust or your
eagerness to do a good job, to entice you to cooperate.

Using Your Trust as a Weapon

Social Engineering is Effective

The spear phishing email will always from someone you know, someone you
trust, or someone with authority over you. It may come from a friend
outside of work, a colleague, someone you used to work with, or a manager
or boss. It will ask you to do something that you might not normally do,
but because of the trust you have in the presumed sender, or the authority
that they have, you do it. And by taking the requested action, you
inadvertently provide the criminals with deeper access into your machine,
your network, or your organization. In some cases, convincing spear phish
have directed employees to transfer funds from company accounts to third
party accounts, or convinced employees to email confidential information,
even trade secrets to third parties posing as corporate executives.

Take Five Simple Steps to Reduce Your Risk

1. When an email asks you to click on any link, or open any attachment,
make sure that you have confidence in the communication.

2. Regardless of how you might feel, before you click on the link or open
the attachment, review the email carefully, taking note of the sender, and
the sender’s domain.

3. Ask yourself, “how likely is it that xxxxxxx would have asked me to do
this?

4. At the slightest suspicion, contact the sender via phone or text to
validate the message. Do not contact them by replying to the email you
received, because it is likely that they will reply and simply say that all
is well

5. Make sure your virus scanning and email scanning programs are up to
date. An up-to-date scanning program will look for common kinds of malware,
or review the security certificates of any web site that you might
encounter. That way, IF you click (and you shouldn’t) you are more likely
to be protected from harm.

Remember – it is far better to be cautious then to run the risk of falling
prey to malware, ransomware, or worse. A modern spear phish will seem
legitimate. Don’t get caught.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180720/2eb5f51e/attachment.html>