Spear phishing: a targeted, dangerous and growing threat

Cybercriminals are always hard at work devising new and clever strategies to scam their victims. Their methods are increasingly subversive and sophisticated, while the techniques to stop them tend to be more reactive. Spear phishing is a recent type of threat that businesses are faced with today. It’s a form of attack that is much more difficult to detect than traditional malware or spam and targets, in a very specific manner, certain individuals within an organization.


Spear phishing numbers

Global spam levels have reached a historic low, accounting for about 50% of the total volume of email traffic according to recent statistics by Symantec. However, less spam does not mean less danger. Originally, spam was mostly unsolicited emails sent to try to sell products. Today, email-borne threats can potentially infect a network, encrypt a workstation’s data or defraud individuals and organizations. Traditional phishing campaigns, which generally target thousands of people at a time in order to defraud the unfortunate few who fall for the trap by entering their credentials, have now been taken to a whole new level. This form of threat is known as spear phishing. More detailed and more carefully crafted, these messages are very specifically targeted and, if successful, can be terribly costly. According to several estimates, the average cost associated with a successful spear phishing campaign can reach 1.8 million US dollars, with more than half of the targeted businesses being SMBs with 1 to 250 employees (Symantec, December 2015).

What is spear phishing exactly?

Spear phishing could be described as “Phishing 2.0”. It’s a highly specialized threat which targets an organization’s top executives, people who are authorized to perform large money transfers or who have access to confidential information. These email messages are carefully written and often devoid of any suspicious content (like dangerous links or attachments), which makes them very difficult to detect. A successful spear phishing campaign depends on three key factors: the message must appear to be coming from a known and reputable source, the information within the message must support its validity and, last but not least, the request must make sense to the recipient.

How do they do it?

Cybercriminals use many tricks to increase their success rate. Using honed social engineering skills and information that is easily accessible via the Internet, they can quickly understand how a company is structured and correctly identify key decision makers. Should they gain access to a mailbox (through spyware, for example), they can learn a lot about the communication flow within the company, current operating procedures, billing, and how bank deposits, current or upcoming transactions and upcoming money transfers are handled.

Using this information, they can send emails to specific employees from a domain that is almost identical to the company’s domain. Only one letter or two will vary (this technique is known as “typo-squatting”). Spammers then pretend to be the CEO or CFO, insist on the urgent nature of the message, and leverage employees’ desire to quickly fulfill requests that come from high up. This is how spear phishing campaigns often successfully get targeted individuals to bypass their standard safety checks.
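A mail gateway can catch the near-identical sender domains described above by measuring how many single-character edits separate a sender's domain from the organization's own. The following is an added example, not ZEROSPAM's code; the protected domain, the sample addresses and the two-edit threshold are constructed assumptions.

```python
# Constructed assumption: the organization's real mail domain(s).
PROTECTED = {"example-corp.example"}


def osa_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # deletion
                          d[i][j - 1] + 1,         # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            # Two adjacent letters swapped count as a single edit.
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def classify_sender_domain(sender: str, protected=PROTECTED, max_edits: int = 2) -> str:
    """Return 'own-domain', 'lookalike-of:<domain>' or 'external' for a sender address."""
    domain = sender.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    if domain in protected:
        return "own-domain"
    for real in sorted(protected):
        # One or two edits away from a protected domain, but not equal to it.
        if 0 < osa_distance(domain, real) <= max_edits:
            return f"lookalike-of:{real}"
    return "external"


if __name__ == "__main__":
    for addr in ("ceo@examp1e-corp.example",   # letter replaced by a digit
                 "ceo@exmaple-corp.example",   # two letters swapped
                 "ceo@example-corp.example",
                 "sales@partner.example"):
        print(addr, "->", classify_sender_domain(addr))
```

A message whose From address really carries the protected domain is reported as own-domain here; whether it was actually sent by that domain is a question for SPF and the other sender checks.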

Is IT security the answer?

To this day, email remains the number one vehicle for the transmission of threats such as spear phishing. This creates a window of opportunity for cybercriminals since, no matter how good IT security systems are, humans often represent the weakest security link within an organization. That’s why, in addition to protecting its infrastructure according to the highest standards and using a robust and accurate email security solution and a well-calibrated firewall, it is very important for an organization to properly educate users on the potential dangers of their own actions. The best form of protection against spear phishing for an organization is implementing a policy prohibiting important money transfers on the basis of a simple email exchange.

Employee training sessions on phishing, spear phishing, typo-squatting and general email hygiene practices are an important piece of the puzzle when it comes to preventing high-risk email fraud.

Examples of spear phishing campaigns

Here is a typical spear phishing scenario: a fraudster goes to the Contact page of a company’s website where contact information for certain employees can easily be found. Using other information available online to make his message more authentic, the fraudster writes an email to one of the company’s employees impersonating someone who would logically be asking for confidential information or authorizing the transfer of large sums of money. For example, this could be a network administrator or the head of the finance department. The email asks the employee to go to a (fake) webpage where he will enter information the fraudster can use to his advantage. If a money transfer does not take place immediately, other confidential information could be obtained which could allow the fraudster to gain access to the network or to private communications within the company, therefore compromising its overall security.

Another much more direct scenario could potentially resemble the anonymized example below. (Note: This is a real email which was blocked by ZEROSPAM.) In the email, the employee receives a message from the president asking him to make a payment in the company’s name.

[Image: spear phishing example]

Notice the language and the formal appearance of the email, the absence of suspicious links, the use of a third party as a contact and finally, the confidentiality requested by the sender. It’s not surprising that this type of message can appear legitimate and trigger a response. This is why the implementation of simple validation procedures plays an important role in strategies used to protect against spear phishing.

Spear phishing is now a major concern

Spear phishing has become a growing concern in today’s corporate world. A Vanson Bourne January 2015 survey sponsored by Cloudmark with 300 participating companies confirms this. Close to two thirds of the participants identify spear phishing as the main security threat to their company (20%) or within the three most important (42%). In total, 71% of the participants confirm having implemented a new solution in order to control and stop spear phishing. 44% of surveyed companies also acknowledged that their employees are the main security vulnerability when it comes to this kind of attack and 56% report having used employee training on the subject. 79% had even simulated spear phishing attacks in order to test their employees’ reactions.

The ZEROSPAM approach: anti-spear phishing measures and personalized analyses

After analyzing several spear phishing message samples, ZEROSPAM has implemented a series of basic measures to block the vast majority of these attacks. These rules are based on the correspondence between the declared sender’s email address and the real sender’s address, the reply-to address, the validity of the sender’s domain, SPF checks and the presence of words related to money transfers or to transmitting confidential information outside of the company.
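The kinds of checks listed above can be sketched as a small signal extractor over a received message. This is an added example, not ZEROSPAM's rules: it assumes the receiving server has recorded the envelope sender in Return-Path and the SPF result in an Authentication-Results header, uses a constructed keyword list and sample message, and leaves out the sender-domain validity check because that needs a DNS lookup.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed keyword list; a real deployment would tune it per organization.
PAYMENT_TERMS = ("wire transfer", "payment", "bank account", "confidential", "invoice")


def domain_of(header_value) -> str:
    """Lower-cased domain of the address in a header value, or '' if none."""
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def spear_phish_signals(raw_message: str) -> list:
    msg = message_from_string(raw_message)
    signals = []
    from_dom = domain_of(msg.get("From"))        # declared sender
    env_dom = domain_of(msg.get("Return-Path"))  # envelope ("real") sender
    reply_dom = domain_of(msg.get("Reply-To"))
    if env_dom and env_dom != from_dom:
        signals.append("from-envelope-mismatch")
    if reply_dom and reply_dom != from_dom:
        signals.append("reply-to-mismatch")
    # SPF verdict as stamped by the receiving server; a missing verdict also counts.
    spf = re.search(r"\bspf=(\w+)", msg.get("Authentication-Results", ""), re.I)
    if spf is None or spf.group(1).lower() != "pass":
        signals.append("spf-not-pass")
    body = msg.get_payload()
    text = (msg.get("Subject", "") + " " + (body if isinstance(body, str) else "")).lower()
    if any(term in text for term in PAYMENT_TERMS):
        signals.append("payment-or-confidential-language")
    return signals


# Constructed sample message, not the email shown in this article.
SUSPICIOUS = "\n".join([
    "Return-Path: <ceo@mail-relay.example>",
    "Authentication-Results: mx.example-corp.example; spf=softfail smtp.mailfrom=mail-relay.example",
    'From: "Jane Doe, President" <jane.doe@example-corp.example>',
    "Reply-To: jane.doe@private-mailbox.example",
    "To: accounting@example-corp.example",
    "Subject: Urgent and confidential",
    "",
    "Please arrange a wire transfer today and keep this between us.",
])

if __name__ == "__main__":
    print(spear_phish_signals(SUSPICIOUS))
```

Legitimate mail sent through third-party services often has an envelope domain that differs from the From domain, so these signals are meant to be weighed together rather than used individually as a verdict.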

Our team of experts also works closely with our large corporate clients on an ongoing basis in order to refine these rules and adapt them to new campaigns. Very few providers are willing to take such a detailed and personalized approach with clients. When it comes to attacks that are as dangerous and as targeted as spear phishing, this is simply priceless.