Spear-phishing is the practice of targeting specific individuals with fraudulent emails, texts and phone calls in order to steal login credentials or other sensitive information. Spear-phishing is appealing to attackers because once they’ve stolen the credentials of a targeted legitimate user, they can enter a network undetected, dwell inside unhindered and move laterally at their leisure.
Spear-phishing attacks top the list of initial attack vectors and are a particular concern for businesses.
Although the thinking behind a spear-phishing attack is sophisticated, the tools don’t have to be. In fact, these types of cyberattacks can operate with nothing more than basic email accounts acquired through ordinary providers.
That said, there are now better ways to launch these personalized attacks, such as automated personalization services sold through the dark web that connect attackers with people who use web scrapers to glean information from potential targets’ social media.
Spear-phishing vs Phishing vs Whaling
All social engineering attacks are based on deception. A target is persuaded to take an action, such as clicking on a bad link. There are two differences between phishing, spear phishing, and whaling: who is targeted and how hard the adversary has to work to launch the attack.
A phishing attack targets anyone who clicks on a bad link or downloads a malicious attachment — their seniority, role, etc., are not key to the deception.
A spear phishing attack targets a demographic, such as employees at a certain company or finance analysts in a specific industry.
A whaling attack uses business email compromise (BEC) techniques to lure a senior individual, such as a particular C-level executive, to take the desired action.
How a Spear-Phishing Attack Works
Attackers determine their ultimate goal. It may be identity theft, theft of sensitive data or intellectual property, blackmail or sabotage — or it may be to build a foundation for a more sophisticated future attack.
Attackers research their targets. They use publicly accessible information, such as LinkedIn, corporate websites and commercial lead-generation services, to learn the names and roles of people in their targeted organization who may be useful to them.
Attackers may have conducted a prior attack to enter the network and monitor email traffic. In that attack, they may have been seeking to identify which individuals in the organization have access to the sensitive data they want to steal, or who has a business relationship with someone whose credentials they desire.
Attackers may also learn about the daily functions of the role or the business to gain an understanding of what types of messages the targeted individual receives on an ordinary day so the attacker can create a spear-phishing message that will slip by unnoticed.
Attackers craft an email that appears to be legitimate at a casual glance. A closer look would reveal that an uppercase O in the sender’s address is actually a zero, or a lowercase L is an uppercase I. This is called “email spoofing.”
The email will contain a malicious link or attachment. If a link is clicked, it will lead the targeted user to a webpage — such as an HR, benefits or financial portal — that appears to be authentic. When the user tries to log in, their credentials are sent to the attacker.
If the email includes an attachment, it may be housed on a legitimate file-sharing service, such as Dropbox or Google Drive, to avoid being blocked by the targeted company’s spam filters.
Now the attackers reap the rewards of their efforts. This might be implanting malware in the network, delivering an APT attack, stealing sensitive data or intellectual property, or simply causing chaos.
Attackers who use social engineering are adaptable, constantly changing their tactics to increase their chances of success. When they see an opportunity, they exploit it — and COVID-19 is a prime example of attackers using current events to exploit people’s emotions.
The CrowdStrike® Intelligence team observed a number of nation-state attackers using COVID-19 lures to operate spear-phishing campaigns:
- VELVET CHOLLIMA, a state-sponsored North Korean (DPRK) group, used COVID-19-themed messages to deliver Baby Shark malware against South Korea-based organizations.
- Russia-affiliated PRIMITIVE BEAR used COVID-19-themed messages to target Ukrainian officials. These messages contained two malicious attachments: when the victim opened the first file, the second document retrieved a macro from the internet, which was then executed.
- Iran-affiliated CHARMING KITTEN was suspected of targeting Western organizations involved in COVID-19 response efforts, including a prominent international health organization and at least one major pharmaceutical company, with the goal of credential collection. The spear-phishing emails contained misleading links that directed victims to adversary-controlled login pages.
Security awareness training is fundamental, especially when many users are working from home. But even the best-trained and most security-conscious employees will occasionally click on a malicious link, either because they were in a hurry or it was very convincing.
Organizations should regularly conduct proactive investigations to find emails with content known to be used by attackers, such as subject lines referring to password changes. In addition, organizations should:
- Ensure that remote services, VPNs and multifactor authentication (MFA) solutions are fully patched and properly configured and integrated.
- Use machine learning in conjunction with anomaly detection algorithms to detect patterns associated with attacks.
- Implement protection against unknown threats such as zero-day vulnerabilities.
- Search for indications of malicious activity involving DMARC (Domain-based Message Authentication, Reporting and Conformance), DKIM (DomainKeys Identified Mail) and SPF (Sender Policy Framework) failures.
- Scan properties of received messages, including the Attachment Detail property, for malware-related attachment types (such as HTA, EXE and PDF) and automatically send them to be analyzed for additional malware indicators.
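As an added example (not part of the article and not CrowdStrike code), the following Python routine applies several of the checks above to one raw message: it flags a sender domain that differs from a trusted domain only by the O/0 and l/I substitutions described under "How a Spear-Phishing Attack Works", SPF/DKIM/DMARC failures recorded in the Authentication-Results header, a password-change subject line, and attachments of the types named in the last bullet. The sample message, the trusted-domain list and the simplified confusable mapping are constructed for this example.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample (invented for this example): lookalike sender domain, SPF/DMARC failures, HTA attachment.
SAMPLE_EML = b"""From: HR Portal <hr@examp1e-c0rp.com>
Subject: Action required: password change
Authentication-Results: mx.example-corp.com; spf=fail smtp.mailfrom=examp1e-c0rp.com;
 dkim=none; dmarc=fail header.from=examp1e-c0rp.com
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="benefits.hta"
Content-Disposition: attachment; filename="benefits.hta"
Content-Transfer-Encoding: base64

SGVsbG8=
--b1--
"""
RISKY_EXTENSIONS = {"hta", "exe", "pdf"}  # attachment types named in the article
AUTH_FAILURES = {"fail", "softfail", "permerror", "temperror"}
# Simplified confusable folding applied after lowercasing: 0 -> o, 1 -> l, i (from capital I) -> l.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "i": "l"})
def skeleton(domain):
    # 'examp1e-c0rp.com' and 'example-corp.com' fold to the same skeleton
    return domain.lower().translate(CONFUSABLES)

def triage(raw, trusted_domains):
    """Return the spear-phishing indicators found in one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {}
    domain = parseaddr(str(msg["From"] or ""))[1].rsplit("@", 1)[-1].lower()
    lookalikes = [t for t in trusted_domains if domain != t.lower() and skeleton(domain) == skeleton(t)]
    if lookalikes:
        findings["lookalike_sender"] = (domain, lookalikes)
    # SPF/DKIM/DMARC verdicts recorded by the receiving mail server in Authentication-Results
    auth = str(msg["Authentication-Results"] or "")
    failed = {m.lower(): r.lower() for m, r in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth, re.I)
              if r.lower() in AUTH_FAILURES}
    if failed:
        findings["auth_failures"] = failed
    # Subject lines about password changes, the lure the article calls out
    if re.search(r"password\s+(change|reset|expir)", str(msg["Subject"]), re.I):
        findings["credential_lure_subject"] = str(msg["Subject"])
    risky = [p.get_filename() for p in msg.iter_attachments()
             if (p.get_filename() or "").rsplit(".", 1)[-1].lower() in RISKY_EXTENSIONS]
    if risky:
        findings["risky_attachments"] = risky
    return findings
```

Messages that produce any finding are candidates for the automated analysis and proactive investigation the article recommends, rather than a verdict on their own.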