Spear-phishing is the practice of targeting specific individuals with fraudulent emails, texts and phone calls in order to steal login credentials or other sensitive information. Spear-phishing is appealing to attackers because once they’ve stolen the credentials of a targeted legitimate user, they can enter a network undetected, dwell inside unhindered and move laterally at their leisure.
Spear-phishing attacks top the list of initial attack vectors and are a particular concern for businesses.
Although the thinking behind a spear-phishing attack is sophisticated, the tools don’t have to be. In fact, these types of attacks can operate with nothing more than basic email accounts acquired through ordinary providers.
That said, there are now better ways to launch these personalized attacks, such as automated personalization services sold through the dark web that connect attackers with people who use web scrapers to glean information from potential targets’ social media.
Spear-Phishing vs. Phishing vs. Whaling
The difference between phishing, spear-phishing and whaling attacks lies in the degree of personalization. Phishing is the least personalized, whaling is the most, and spear-phishing lies between.
What is Phishing?
Everyone with an inbox is familiar with phishing attacks. The infamous Nigerian prince scam is the first phishing attack that achieved broad public awareness, but since then, phishing attacks have become more sophisticated. A modern phishing attack is likely to look like a legitimate email from a well-known business or a bank, and it will only be deemed malicious by an alert user who mouses over the sender address to see if it is correct before clicking a link or downloading an attachment.
Phishing attacks are a numbers game: Instead of targeting one individual, they target many people in the hope of catching a few.
Attacks are not personalized, and a key identifier of a phishing email is that it does not use the recipient’s name. Phishing attacks are conducted not only by email but also by text, phone and messaging apps.
What is Spear-Phishing?
While phishing attacks target anyone who might click, spear-phishing attacks try to fool people who work at particular businesses or in particular industries in order to gain access to the real target: the business itself.
Spear-phishing attacks are at least as personalized as a typical corporate marketing campaign. For example, a spear-phishing attack may initially target mid-level managers who work at financial companies in a specific geographical region and whose job title includes the word “finance.”
A great deal of research may occur before a spear-phishing attack is launched, but the effort is worthwhile to an attacker because the payoff could be significant. That payoff isn’t necessarily monetary — spear-phishing attacks are frequently sponsored by nation-states.
To execute a spear-phishing attack, attackers may use a blend of email spoofing, dynamic URLs and drive-by downloads to bypass security controls. Advanced spear-phishing attacks may exploit zero-day vulnerabilities in browsers, applications or plug-ins. The spear-phishing attack may be an early stage in a multi-stage advanced persistent threat (APT) attack that will execute binary downloads, outbound malware communications and data exfiltration in future stages.
What is Whaling?
Whaling attacks target one person, typically a highly placed executive, in order to steal money or gain sensitive information. Attackers go to great lengths to learn about the executive, such as stalking their social media or using a spear-phishing attack to gain enough access to the network to “eavesdrop” on the executive’s email communications.
Whaling attacks are used to conduct business email compromise (BEC) attacks, in which the ultimate goal is wire fraud. In these attacks, an executive with financial approval authority may receive an email from a C-level executive asking them to urgently transfer a large amount of money to cover a vendor payment or similar obligation. The email may have a sense of urgency, such as, “I’m at the airport heading out for vacation, can you rush this?” And the supposed sender of the email may indeed have left for vacation, so the message would seem legitimate to the targeted executive.
How a Spear-Phishing Attack Works
Attackers determine their ultimate goal. It may be identity theft, theft of sensitive data or intellectual property, blackmail or sabotage — or it may be to build a foundation for a more sophisticated future attack.
Attackers research their targets. They use publicly accessible information, such as LinkedIn, corporate websites and commercial lead-generation services, to learn the names and roles of people in their targeted organization who may be useful to them.
Attackers may have conducted a prior attack to enter the network and monitor email traffic. In that attack, they may have been seeking to identify which individuals in the organization have access to the sensitive data they want to steal, or who has a business relationship with someone whose credentials they desire.
Attackers may also learn about the daily functions of the role or the business to gain an understanding of what types of messages the targeted individual receives on an ordinary day so the attacker can create a spear-phishing message that will slip by unnoticed.
Attackers craft an email that appears to be legitimate at a casual glance. A closer look would reveal that an uppercase “O” in the sender’s address is actually a zero, or that a lowercase “l” is actually an uppercase “I.” This is called “email spoofing.”
The email will contain a malicious link or attachment. If a link is clicked, it will lead the targeted user to a webpage — such as an HR, benefits or financial portal — that appears to be authentic. When the user tries to log in, their credentials are sent to the attacker.
If the email includes an attachment, it may be housed on a legitimate file-sharing service, such as Dropbox or Google Drive, to avoid being blocked by the targeted company’s spam filters.
Now the attackers reap the rewards of their efforts. This might be implanting malware in the network, delivering an APT attack, stealing sensitive data or intellectual property, or simply causing chaos.
Attackers who use social engineering are adaptable, constantly changing their tactics to increase their chances of success. When they see an opportunity, they exploit it — and COVID-19 is a prime example of attackers using current events to exploit people’s emotions.
The CrowdStrike® Intelligence team observed a number of nation-state attackers using COVID-19 lures to operate spear-phishing campaigns:
- VELVET CHOLLIMA, a state-sponsored North Korean (DPRK) group, used COVID-19-themed messages to deliver Baby Shark malware against South Korea-based organizations.
- Russia-affiliated PRIMITIVE BEAR used COVID-19-themed messages to target Ukrainian officials. These messages contained two malicious attachments: one of them executed a macro that was retrieved from the internet by the second document when the first file was opened by the victim.
- Iran-affiliated CHARMING KITTEN was suspected of targeting Western organizations involved in COVID-19 response efforts, including a prominent international health organization and at least one major pharmaceutical company, with the goal of credential collection. The spear-phishing emails contained misleading links that directed victims to adversary-controlled login pages.
Security awareness training is fundamental, especially when many users are working from home. But even the best-trained and most security-conscious employees will occasionally click on a malicious link, either because they were in a hurry or it was very convincing.
Organizations should regularly conduct proactive investigations to find emails with content known to be used by attackers, such as subject lines referring to password changes. In addition, organizations should:
- Ensure that remote services, VPNs and multifactor authentication (MFA) solutions are fully patched and properly configured and integrated.
- Use machine learning in conjunction with anomaly detection algorithms to detect patterns associated with attacks.
- Implement protection against unknown threats such as zero-day vulnerabilities.
- Search for indications of malicious activity involving DMARC (Domain-based Message Authentication, Reporting and Conformance), DKIM (DomainKeys Identified Mail) and SPF (Sender Policy Framework) failures.
- Scan properties of received messages, including the Attachment Detail property, for malware-related attachment types (such as HTA, EXE and PDF) and automatically send them to be analyzed for additional malware indicators.
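The following script is an added example, not CrowdStrike’s code, showing how the recommendations above (and the look-alike sender addresses described under “How a Spear-Phishing Attack Works”) can be checked mechanically against inbound mail: it reads the SPF, DKIM and DMARC verdicts from the Authentication-Results header the receiving mail server adds, flags the attachment types named above, flags password-change and payment-urgency subjects, and compares the sender domain against a trusted-domain allowlist after collapsing common character substitutions (zero for “o”, one or “I” for “l”, “rn” for “m”). The allowlist, keyword list, confusable table and the three sample messages are all constructed assumptions for the example.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Domains this organization trusts (constructed allowlist for the example).
TRUSTED_DOMAINS = {"example.com", "payroll-example.com"}
# Attachment types the article names as malware-related.
RISKY_EXTENSIONS = (".hta", ".exe", ".pdf")
# Subject fragments: password-change lures from the article plus BEC-style urgency.
LURE_KEYWORDS = ("password", "reset your", "urgent", "wire transfer")
# Authentication-Results verdicts treated as failures.
FAIL_RESULTS = {"fail", "softfail"}
# Look-alike characters mapped back to the letter they imitate; domains are
# lowercased first, so uppercase "I" arrives here as "i". Constructed table.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "i": "l", "|": "l", "5": "s", "3": "e"})
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)


def normalize_domain(domain: str) -> str:
    """Collapse homoglyph substitutions so a look-alike compares equal to the real domain."""
    return domain.lower().translate(CONFUSABLES).replace("rn", "m")


def is_lookalike(domain: str) -> bool:
    """True when the domain is not trusted itself but normalizes to a trusted domain."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return False
    normalized = normalize_domain(domain)
    return any(normalized == normalize_domain(t) for t in TRUSTED_DOMAINS)


def sender_domain(msg: EmailMessage) -> str:
    """Domain part of the From header address (empty string if absent)."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def auth_results(msg: EmailMessage) -> dict:
    """Mechanism -> verdict parsed from the Authentication-Results header."""
    header = str(msg.get("Authentication-Results", ""))
    return {m.lower(): r.lower() for m, r in AUTH_RE.findall(header)}


def has_lure_subject(msg: EmailMessage) -> bool:
    subject = str(msg.get("Subject", "")).lower()
    return any(k in subject for k in LURE_KEYWORDS)


def risky_attachments(msg: EmailMessage) -> list:
    """File names of attachments whose extension is on the risky list."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(RISKY_EXTENSIONS):
            names.append(name)
    return names


def triage(raw: bytes) -> list:
    """Findings for one raw RFC 5322 message; an empty list means nothing was flagged."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = [f"{m}={r}" for m, r in auth_results(msg).items() if r in FAIL_RESULTS]
    domain = sender_domain(msg)
    if is_lookalike(domain):
        findings.append(f"lookalike-sender:{domain}")
    if has_lure_subject(msg):
        findings.append("lure-subject")
    findings.extend(f"risky-attachment:{n}" for n in risky_attachments(msg))
    return findings


def build_sample(sender: str, subject: str, auth: str, attachment: str = None) -> bytes:
    """Construct a sample message for the demo (not real mail)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "finance.manager@example.com"
    msg["Subject"] = subject
    msg["Authentication-Results"] = auth
    msg.set_content("Constructed body text.")
    if attachment:
        msg.add_attachment(b"constructed attachment bytes", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg.as_bytes()


# Constructed samples: a clean message, a look-alike-domain password lure, and a
# spoofed internal sender that fails all three checks and carries an attachment.
SAMPLES = {
    "legit": build_sample(
        "HR Portal <hr@example.com>", "Q3 benefits enrollment",
        "mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com"),
    "lookalike": build_sample(
        "IT Support <it-support@examp1e.com>", "Action required: reset your password",
        "mx.example.com; spf=pass smtp.mailfrom=examp1e.com; dkim=none; dmarc=none"),
    "spoofed": build_sample(
        "CFO <cfo@example.com>", "Urgent vendor payment",
        "mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=fail header.d=example.com; dmarc=fail header.from=example.com",
        attachment="invoice.pdf"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, triage(raw) or "clean")
```

Normalizing both the sender domain and each trusted domain is deliberate: the confusable table is lossy (every “i” becomes “l”), so comparing normalized forms on both sides keeps the real domain matching itself while still catching a substituted character. In production the trusted list would come from the organization’s own domains and key vendors, and a message with several findings would be routed for the attachment analysis the last recommendation describes rather than simply logged.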