Spear Phishing is a targeted form of phishing attack in which attackers first acquire useful information about the victim through research, social engineering and other means. Unlike a generic phishing attack, a spear phishing attack is more powerful because it is built around information gathered about a specific group or individual. The attackers behind spear phishing are sometimes able to spoof an email address, creating customised email subjects and content to trick the individuals into opening an attachment or clicking links containing malicious code that is executed in the background.
According to the Webroot Threat Report, approximately 1.5 million new websites are created every month for the sole purpose of phishing. The Verizon Data Breach Investigations Report suggests that 30% of phishing attacks are successful, as the individuals open attachments or click links. According to the SANS Institute, the success ratio of spear phishing attacks on enterprise networks is 95%.
Recent Spear Phishing Attacks
In 2017, hackers launched several high profile phishing attacks. These included attacks on users’ Google services accounts, a targeted campaign against DocuSign, the company that provides digital document signature services, and attacks on the popular video streaming website Netflix, where individuals were tricked into “updating” their credentials, including sensitive financial data, on a spoofed webpage.
In 2018, we have witnessed two major phishing campaigns: a phishing attack targeting millions of email users and a spear phishing attack launched in January 2018 against organizations involved in the Pyeongchang Olympics. Vade Secure researchers identified a massive phishing campaign targeting around 550 million email addresses in the first quarter of 2018. The most heavily affected countries were the USA, UK, Germany, and France.
The attackers’ aim was to steal the financial information of the individuals by organizing online quiz competitions and offering coupons and discounts for participating in the contests. The attackers used email addresses mimicking popular brands in the target countries, and the email content was written in the local languages. World events are the most favourable scenarios for attackers to launch spear phishing attacks.
The PyeongChang 2018 Olympic Games is one of those events: organizations associated with the Olympic Games received spear phishing emails aimed at stealing sensitive data. The attackers spoofed the email address of the National Counter Terrorism Center (NCTC), South Korea, to send emails to the Olympic organizations with the subject line “Organized by Ministry of Agriculture and Forestry and Pyeongchang Winter Olympics”.
The email was framed as an anti-terrorism drill and asked the recipients to find instructions within the attached malicious document. The attackers used several techniques to carry out the attack without being caught, including malicious code embedded in the documents and in hidden images, obfuscated Visual Basic macros, and custom PowerShell code.
Lesson to be Learnt
Past spear phishing attacks and their success ratio show that individuals are unable to identify phishing emails. Hackers pick their targets very carefully. For instance, they mostly target HR representatives, C-level executives, and finance staff, knowing that these individuals have more knowledge of, and access to, the financial matters of the organization. The outcome of a successful spear phishing attack is so lucrative that the attackers may spend years preparing for it.
Social media is still considered the primary source for collecting information about targets. Individuals (employees) are considered the weakest link in organizations, as they lack the ability to identify spear phishing attacks. According to the Intel Security report, 97% of people in the world are unable to distinguish between a genuine email and a spear phishing email, which makes it easier for attackers to trick people.
Enterprises Need to Act
As spear phishing attacks are on the rise, enterprises need to educate their employees as well as upgrade their infrastructure to counter them. Confirming the legitimacy of emails, avoiding clicking on or downloading suspicious email attachments, and not sharing sensitive information without verification are basic precautions against spear phishing attacks.
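As an added illustration of what “confirming the legitimacy of emails” can look like in a mail gateway or triage script (example code written for this page, not from the original article or any vendor), the following Python checks the SPF/DKIM/DMARC results recorded by the receiving server, whether the header From domain agrees with the envelope sender, and a crude lookalike test against an assumed allow-list of genuine sender domains. The sample message and every domain in it are constructed placeholders, not a real capture or the agency’s real domain.

```python
import email
import email.utils
from email import policy

# Constructed sample, not a real capture: the message claims to come from a
# counter-terrorism agency but arrives via an unrelated relay and fails SPF
# and DMARC. All domains are placeholders, not the agency's real domain.
SPOOFED_EML = """\
From: "National Counter Terrorism Center" <alerts@nctc-gov.example>
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mail-relay.example.net;
 dkim=none; dmarc=fail header.from=nctc-gov.example
Subject: Organized by Ministry of Agriculture and Forestry and Pyeongchang Winter Olympics

Please open the attached drill instructions.
"""
TRUSTED_DOMAINS = {"nctc.example"}  # assumed allow-list of genuine sender domains (placeholder)

def parse_auth_results(msg):
    """Map method -> result from Authentication-Results (RFC 8601), e.g. {'spf': 'fail'}."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for clause in str(hdr).split(";")[1:]:  # clause 0 is the authserv-id
            parts = clause.split()
            if parts and "=" in parts[0]:
                method, result = parts[0].split("=", 1)
                results[method.lower()] = result.lower()
    return results

def domain_of(header_value):
    """Domain after '@' in the first address of a header, lower-cased ('' if absent)."""
    return email.utils.parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()

def assess(raw, trusted):
    """Return spoofing indicators for one raw message; an empty list means none fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    auth, findings = parse_auth_results(msg), []
    for method in ("spf", "dkim", "dmarc"):  # anything but 'pass' is worth a look
        if auth.get(method, "none") != "pass":
            findings.append(f"{method}={auth.get(method, 'none')}")
    hdr_dom, env_dom = domain_of(msg.get("From")), domain_of(msg.get("Return-Path"))
    if env_dom and hdr_dom != env_dom:  # header From and envelope sender disagree
        findings.append(f"envelope-mismatch:{hdr_dom}!={env_dom}")
    if hdr_dom not in trusted:  # crude lookalike test: a trusted label reused elsewhere
        findings += [f"lookalike:{hdr_dom}~{t}" for t in trusted if t.split(".")[0] in hdr_dom]
    return findings

if __name__ == "__main__":
    print("\n".join(assess(SPOOFED_EML, TRUSTED_DOMAINS)))
```

A message that authenticates cleanly from an allow-listed domain produces an empty list; the checks rely on Authentication-Results written by your own mail server, so strip any copy of that header that arrives from outside.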
With that said, organizations need to do more to stay safe. Attackers are using more advanced and sophisticated techniques to bypass traditional email security safeguards. According to an FBI report, documented Business Email Compromise (BEC) scams increased by 2,370% between 2015 and 2016, resulting in losses of more than 5.3 billion USD. These statistics show that attackers are succeeding in bypassing traditional security checks.
Hackers are likely to launch more cloud-based attacks in the coming years, as it is easy to impersonate an identity and hide the traces of an attack by using compromised routers and VPN servers. The Gmail service faced a similar attack in 2017, where attackers managed to exploit the Google authentication protocol to launch their phishing attack. Organizations may well need to come up with more advanced solutions to identify cloud-based spear phishing attacks.