Spear phishing is a targeted email attack purporting to be from a trusted sender.
In spear phishing attacks, attackers often use information gleaned from research to put the recipient at ease. The ultimate aim is to either infect devices with malware by convincing the recipient to click a link or download an attachment, or to trick the recipient into taking some other action that will benefit the attacker, usually handing over information or money.
Spear phishing messages are often crafted with care using pernicious social engineering techniques and are difficult to defend against with mere technical means.
“What’s important to note about spear phishing is that the individual being spear phished isn’t often the real target,” says J.R. Cunningham, CSO at Nuspire, a Michigan-based MSSP. “Rather, their corporate environment is most likely the attacker’s ultimate end goal.”
Phishing, spear phishing, and whaling are all types of email attacks, with phishing being a broader category of cyberattack that encompasses just about any use of email or other electronic messaging to trick people, and spear phishing and whaling being just two of a handful of different types of phishing attacks.
Most phishing attacks take the form of generic messages sent automatically to thousands of recipients. They’re written to be somewhat tempting—the attachment might have a name like “salary report,” or the link might be a fake lottery winning site—but no attempt is made to match the message content to any particular person who might be receiving it. The name derives from “fishing” (with the “ph” being part of the tradition of whimsical hacker spelling), and the analogy is of an angler throwing out a baited hook (the phishing email) and hoping some victim will swim along and bite.
Spear phishing, as the name implies, involves attempting to catch a specific fish. A spear phishing email includes information specific to the recipient to convince them to take the action the attacker wants them to take. This starts with the recipient’s name and may include information about their job or personal life that the attackers can glean from various sources.
Another phrase you might hear in this context is whaling, which is a specific kind of spear phishing, specifically one that goes after really big fish. “Whaling is a type of spear phishing focused on public figures, top executives, or other big targets, hence the somewhat unflattering name,” says Jacob Ansari, Security Advocate and Emerging Cyber Trends Analyst for Schellman. “All spear phishing is targeted, but sometimes focused on less prominent targets with an important function: someone in IT or finance who has an essential function granting user access or approving invoices, for example.”
Gathering the personal information needed to craft a spear phishing email is a critical technique in its own right, as the entire attack depends on the messages being believable to the recipient.
There are several ways an attacker can pull this off. One involves compromising an email or messaging system through other means—via ordinary phishing, for instance, or through a vulnerability in the email infrastructure. But that’s just the first step in the process. “Someone’s email within the targeted organization is compromised, and the attacker sits in the network for a while to monitor and track interesting conversations,” explains Ori Arbel, CTO of CYREBRO, a Tel Aviv-based security operations platform provider. “When the time is right, they email the target using a believable context with insider information, such as bringing up past conversations or referencing specific amounts for a previous money transfer.”
If they can’t hack their way into the communications system, an attacker could also turn to open source intelligence (OSINT), scouring social media or corporate communications to form a picture of their target. Jorge Rey, cybersecurity and compliance principal at Kaufman Rossin, a New York-based advisory firm, explains a common attack vector he’s seen. “When people make a change to their LinkedIn and identify that they’ve joined Kaufman Rossin, in a matter of hours or even minutes they’ll get an email from our CEO—not from his Kaufman Rossin email, but something at gmail.com—asking them to buy gift cards and things like that.” Of course, this email isn’t coming from the CEO at all, but rather an attacker who’s hoping to catch a new employee off guard. “All of these bots are monitoring LinkedIn, monitoring everything through scripts, and sending information hoping someone will fall for it,” he explains.
If attackers can glean personal information from your online presence, they’ll try to use that to their advantage as well. Nuspire’s Cunningham gives an example of a security-savvy client who nevertheless almost got snared by spear phishing. “They got an email supposedly from their insurance company informing them they had an update on their auto insurance claim and clicked on the link, only to realize right away it was a phishing attack,” he says. “As it turns out, this individual had recently been in a car accident and had published pictures of the wreck on social media, along with a comment that their insurance provider (whom they named) was very quick to respond to the claim. This gave the attacker information about the victim’s insurance provider, which was used to craft the spear phish.”
Scammers focus on new employees because they have yet to find their footing in a new corporate environment. Probably the main sign of a spear phishing email (assuming the attacker has gotten all your personal information correct) is that it will ask you to do something unusual or outside corporate channels. After all, that’s the only way to part you from your (or your company’s) money. New employees might have a hard time realizing requests are out of the ordinary, but to the extent that you can, you should listen to your gut.
“An email was sent to multiple people in a company I worked for from an unknown sender who was imitating the CEO,” says Wojciech Syrkiewicz-Trepiak, security engineer at spacelift.io, a Redwood City, Calif.-based infrastructure-as-code management platform provider. “They passed all security mechanisms, as they used a real email address. However, the email address domain was Gmail (not the company domain), and they were asking us to do tasks urgently, i.e., bypassing any and all company policies and pressuring the recipient into making a mistake.”
The urgency here is another red flag. Yes, in a professional environment we often get legitimate requests to act quickly; but when someone tries to make you rush, that’s a sign they’re not giving you a chance to stop and think. “My personal experience comes with the spear phishing campaign of scamming gift cards,” says Massimo Marini, senior analyst of security and compliance at Virginia-based consultancy Kuma LLC. “This scam requires the target to go buy gift cards under the supposed direction of their supervisor. The target purchases the gift cards, and then through follow-up email, gives the code to the attacker. I’ve seen this happen to an executive assistant who felt rushed by her ‘boss’ to quickly buy the cards for a secret gift. That event was stopped at the last minute when she happened to speak to her actual boss, who of course knew nothing about it.”
If you’re curious what spear phishing emails might look like, we’ve got a couple of real-world examples for you. The first comes from William Mendez, managing director of operations at New York-based consultancy CyZen. “This is an email targeting an accounting firm,” he says. “The attackers are referencing a technology ‘CCH,’ which is commonly used by such firms.”
“This email is timed during tax season (usually the busiest time of the year for accounting firms), which implies users are busy and will not pay attention to received emails,” he explains. “The email also uses fear by stating that the victim’s access will be terminated unless they take some sort of action. In this case, the action is clicking on a link, which most likely will direct the user to a site where the attacker can collect usernames and passwords or other sensitive information.”
Tyler Moffitt, a senior security analyst at Ontario-based consultancy OpenText Security Solutions, presents another example, which looks like a Twitter security alert.
This message tries to pull the classic move of making you think you’re securing your account and tricking you into giving up your password in the process. “The individual here, who is a journalist, was specifically targeted, likely for their coverage on Ukraine/Russia happenings,” Moffitt explains. (The location of the supposed login adds to the verisimilitude.) “The message informs the user that their account was accessed in Russia and they should reset their password using the link. That link leads to a fake password reset where it will just collect the current credentials and then steal the account.”
When you get a message like this, you should be very careful to make sure the webpage you end up on is the real domain where you think you’re going. In this case, you’ll note that it’s trying to send the victim to “twitter-supported.com,” which is not a real domain that Twitter uses.
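The two red flags the article walks through, a trusted name on a From address at an outside domain (the "CEO from Gmail" pattern) and a link whose host mentions a brand but is not that brand's real domain (twitter-supported.com), can be checked mechanically at the mail gateway. The following is an added example written for this page, not code from any of the companies quoted; the corporate domain, the protected executive name and the brand-to-domain table are constructed assumptions.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed policy data for this example: the organisation's own mail
# domain(s) and display names that are commonly impersonated.
CORPORATE_DOMAINS = {"example-corp.com"}
PROTECTED_NAMES = {"jane ceo"}

# Brands attackers embed in lookalike hosts, mapped to the registrable
# domains those brands legitimately use (constructed table).
BRAND_DOMAINS = {"twitter": {"twitter.com", "x.com"}}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def flag_sender(from_header: str) -> list[str]:
    """Display-name impersonation: a protected name on a From address
    whose mailbox domain is not one of ours (e.g. the 'CEO' at gmail.com)."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    findings = []
    if name.strip().lower() in PROTECTED_NAMES and domain not in CORPORATE_DOMAINS:
        findings.append(f"display name '{name}' used with external domain {domain}")
    return findings


def flag_links(body: str) -> list[str]:
    """Lookalike links: host mentions a brand but is not that brand's domain."""
    findings = []
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        # Registrable domain approximated as the last two labels; a real
        # gateway would use the public suffix list instead.
        registrable = ".".join(host.split(".")[-2:])
        for brand, legit in BRAND_DOMAINS.items():
            if brand in host and registrable not in legit:
                findings.append(f"lookalike link {host} (mentions {brand})")
    return findings


def triage(from_header: str, body: str) -> list[str]:
    return flag_sender(from_header) + flag_links(body)


# Constructed sample modelled on the two patterns described in the article.
SAMPLE_FROM = "Jane Ceo <jane.ceo.urgent@gmail.com>"
SAMPLE_BODY = ("Your account was accessed from Russia. Reset now: "
               "https://twitter-supported.com/reset?u=journalist")

if __name__ == "__main__":
    for finding in triage(SAMPLE_FROM, SAMPLE_BODY):
        print("FLAG:", finding)
```

Both checks are deliberately narrow: they catch the exact patterns in the quoted incidents, and a message that passes them is not thereby safe.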