What is Spear Phishing? Defending Against Targeted Email Attacks

  • 08 December 2019

With legacy tools trapping more scatter-gun approaches to stealing data and money from organizations, spear phishing has become increasingly popular amongst the cybercriminal community. Part of the appeal is that it is extremely difficult to detect.

What is spear phishing?

  • Spear phishing

    Spear phishing is an advanced email attack that is targeted at one or a few individuals.

What is the difference between phishing and spear phishing?

On the face of it, phishing and spear phishing attacks may seem similar, however there are many differences. Phishing emails are sent in bulk and are relatively easy to execute by those with nefarious intent. Phishing attempts are generally after things like credit card data or login credentials and are usually a one-and-done attack.

On the other hand, spear phishing is significantly lower in volume and much more targeted. A spear phishing attack is usually targeted at a specific individual within the organization and is highly personalized. What makes a spear phishing attack so effective is that it’s more difficult to spot that the email is malicious as it often convincingly impersonates a trusted source known to the target.

Spear phishing is an attack that isn’t as difficult to pull off as you might assume. The research required for an effective attack isn’t much of a barrier either due to the abundance of data that is available online.

It is no exaggeration to say that spear phishing is the number one security threat facing businesses today. While every spear phishing attack is unique by its very nature, we will discuss some of the characteristics that can be seen in a spear phishing attack: the target, the intent, impersonation and the payload.

The target

Spear phishing attacks often target staff with access to financial resources, critical internal systems, or sensitive information. Spear phishing attacks commonly target specific employees or groups that have access to money, sensitive systems or important people within the organization. In addition to selecting their target by the department, attackers will also select a target by their job title.

New hires are also a frequent target for attackers as they tend to be a bit more eager to please their superiors than colleagues who have been employed for some time. There is an abundance of valuable data available online for criminals to exploit to identify the best targets, from LinkedIn career updates to new employee details on company websites. Finally, new hires tend to have a lack of understanding about what normal email communication looks like within the company, meaning they have less knowledge of how internal email address should look and less insight into who the organization usually communicates with.

Once they have identified their target, the attacker can easily undertake further research to find out who the target regularly communicates with. Here, social media sites such as Facebook and Twitter can provide valuable information about roles, responsibilities and professional relationship structures within an organization. With this information, the attacker can create a credible narrative and personalize the email they send. This makes the victim far more likely to fall for impersonation.

The intent

The intent of the spear phishing email usually falls within three specific areas.

  1. Extract sensitive information
  2. Install malware onto the network
  3. Wire money to accounts that belong to the attackers

Criminals are on the hunt for sensitive information, like login credentials, medical records or bank codes, because any information – regardless of its type – has a value on the dark web. To get this data, attackers can use different tactics. They may try to deploy malware in the form of ransomware or keyloggers in order to invoke widespread havoc. Or attackers may use spyware, which is designed to sit, undetected, in the background and mine valuable data. Alternatively, attackers can take a more direct approach: request a wire transfer in a well-crafted email impersonating a familiar colleague, supplier or customer. 

Attackers can also build relationships with their victims long before making any requests for money or information. Or, they may send a very simple, casual email — “are you in the office?” — which can easily initiate an email exchange. Only after that do they strike with a follow up email include requests for the target to wire money, send confidential information, or click on a payload. Generally, the email will contain deliberate language to establish context and intent within both the subject header and body copy, to create a feeling of urgency that helps trick the target.

The impersonation

There is always an element of impersonation in a spear phishing attack. Whether it is impersonating an authoritative figure within the organization (for example a CEO or CFO), someone external (such as from a trusted supplier or valued client), or a business unlikely to cause suspicion (such as Microsoft or PayPal). The spectrum of impersonation tactics is broad, ranging from display name and domain manipulations to the specific language used within the body of the email.

Furthermore, the very fact that modern organizations generally deal with so many counterparties offers limitless possibilities to impersonate vendors or suppliers (external impersonations), making them very hard to detect.

Impersonating a display name is easy for even those with little technical knowledge and can be done quickly within almost all major email clients. Display name impersonation involves attackers setting a authentic-looking display names on their email account in order to mislead recipients. This approach has proven to be especially effective on mobile phones, as the email address of the sender is generally hidden when a user is accessing their inbox through a smartphone.

Impersonating a display name is easy for even those with little technical knowledge and can be done quickly within almost all major email clients. Display name impersonation involves attackers setting a authentic-looking display names on their email account in order to mislead recipients. This approach has proven to be especially effective on mobile phones, as the email address of the sender is generally hidden when a user is accessing their inbox through a smartphone.

Domain impersonations are another popular technique, in which attackers spoof or impersonate an organization’s domain in order to appear legitimate. They look to circumvent security filters by impersonating recognized, trusted domains whether at the root (i.e. [email protected]), top-level (i.e. [email protected]) or subdomain (i.e. [email protected]). Such complex domain manipulations are very hard for both humans and rule-based security solutions to detect. For instance, a commonly used rule is to calculate the number of different characters between 2 domains: “If the difference is smaller than 2, block the email.” Attackers have learned to use a complex domain manipulation to evade such a rule.

The payload

A payload is a malicious link or attachment contained in an email. Examples of payloads include: attachments that deploy malware or ransomware when opened; or embedded links that drive to fake login sites that farm credentials. It is important to note that not all spear phishing emails contain a payload.

Historically, attackers have leveraged payloads in phishing attacks. Because of this, certain email security solutions have been developed in order to detect them. These solutions analyze and sandbox attachments, inspect links as well as look at the website that the links are pointing to in order to see if they’re malicious.

As these security solutions become more popular, attackers have learned to execute attacks without links or attachments and instead are utilizing coercive language and social engineering to ask the target to share confidential data or wire money.

In this case, since there isn’t a URL or attachment to analyze, it a lot easier for such a malicious email to get through legacy email security solutions. This means that organizations relying on those tools remain vulnerable.

Why is spear phishing still a problem today?

Today, employees are the most important data processors in any company. The reality is that just one employee misstep can have serious consequences for an organization. With the information they manage to obtain, fraudsters can reveal commercially sensitive information and steal large amounts of money from organizations.

Employees likely receive more security awareness training than in the past, but their workloads have become greater and more complex. They are busier than ever and expected to maintain the same pace of delivery. Because of this, people can make mistakes and be deceived. No amount of training will change this.

While training is well intentioned, it simply isn’t enough to prevent increasingly sophisticated spear phishing attacks. Companies can’t rely on people spotting every attack. While SEGs can block malware and bulk phishing attacks, they cannot stop spear phishing emails that don’t include a payload.

Email is the main communication channel for enterprises today, however the openness of email makes it easy for attackers to exploit. Data continues to be lost and systems continue to be compromised via email, with spear phishing increasingly being the attack vector of choice. Recent headline-grabbing attacks include: volunteers for Hillary Clinton’s presidential campaign were targeted as part of one attack; City officials in Ocala, Florida were tricked into sending over $742K to what they thought was a construction company; Australia National University was targeted by a spear phishing email that led to attackers silently monitoring the university’s activity as well as stealing the credentials of staff and students.

How can machine learning help stop spear phishing attacks?

The common root of all spear phishing attacks is impersonation—an attacker is pretending to be someone the target trusts. Companies therefore need to identify impersonations on email in order to protect their users, and importantly, their data and systems. But detecting impersonation is not easy. To do so, you need to understand human relationships and human behavior.

Machine learning (ML) is the perfect tool to do this. By learning from historical email data, Tessian’s ML algorithms can understand a company’s users relationships and the context behind each email. This allows them to detect a wide range of impersonations, from obvious payload-based attacks to subtle social-engineered ones.

To learn more about how Tessian Defender prevents spear phishing attacks for organizations like Arm, talk to an expert today.