Spear Phishing: How Non-Nerds Hack

While not as “sexy” as sophisticated strikes like Stuxnet, less skilled hackers can be highly effective.

Harry Kazianis

Over the last decade or so, many pundits have crafted an interesting portrait when it comes to the important issue of cyber war and espionage. There is lots of talk of potential targets, doomsday scenarios, and national security information being stolen that could have dire consequences for the party being "hacked." With recent talk of Chinese hackers stealing vast sums of data from U.S. targets and American officials increasingly vocal in their criticism, U.S.-Sino relations could suffer from such activities. Yet, there is very little talk about how such attacks could be carried out.

Interestingly enough, launching an unsophisticated cyber strike on a potential target does not require a PhD from MIT or even decades of experience coding malware or viruses.

One popular method that I am sure many have experienced is the concept of a "spear phishing" attack. Such an attack is straightforward and presumably easier than a direct attack against a computer network that would require greater knowledge, sophistication, or risk.  The basic idea is this: the hackers author emails that look extremely similar to a group or organization you are a part of and ask you to divulge personal information, click on something, or download a file. One recent report noted that the U.S. State Department received 27,000 spear phishing emails in 2012, up an amazing 42 percent from 2011. The same report also noted the White House was subject to a spear phishing attack against one of its unclassified networks.

A 2012 report from TrendMicro provides some interesting perspective:

"Coined as a direct analogue to spearfishing,  spear phishing makes the use of information about a target to make attacks more specific and ‘personal’ to the target. Spear-phishing emails, for instance, may refer to their targets by their specific name, rank, or position instead of using generic titles as in broader phishing campaigns.

Enjoying this article? Click here to subscribe for full access. Just $5 a month.

Advanced Persistent Threat (APT) campaigns frequently make use of spear-phishing  tactics because these are essential to get high-ranking  targets to open phishing emails. These targets may either be sufficiently aware of security best practices to avoid  ordinary phishing emails or may not have the time to read generic-sounding messages. Spear phishing significantly raises the chances that targets will read a message that will allow attackers to compromise their networks. In many cases, spear-phishing emails use attachments made to appear as legitimate documents because sharing via email is a common practice among large enterprises and government organizations—the usual targets of APT campaigns."

I myself have received many of these types of emails that attempt to deceive the end user into opening their malicious files or hyperlinks. Many are poorly done and end up in spam boxes around the globe. However, some are very crafty.  In one email, which I came very close to opening, the message was spoofed to look like an exact copy of a budget request from my then employer. The email address was exactly the same, the file attachment name almost exactly the same, and the type of file was what we used at the time for budget documents. I literally had my cursor over the document and was about to open it when I paused: it was sent three weeks too early. Upon further investigation, I discovered the original IP address of where the email was sent from was Argentina, and not from my employer. Nice try hacker.

Considering the nature of such a threat, there is a lot organizations can do protect themselves from such attacks. Depending on how the organization functions, some that could be targets of such strikes should limit some forms of information that a-would be spear phisher could use to craft his or her attack. Email addresses of high profile corporate employees or government officials should some cases not be freely available on the internet. If necessary, important officials who must have their email posted for marketing or PR reasons could utilize a separate email address for the general public, while utilizing another that is given privately and harder to track down. Organizations must also ensure that the latest software patches are applied quickly after they are available. Hackers many times will craft their tools based on vulnerabilities that have been recently announced, knowing many organizations take weeks or months to patch their software, if they do at all. One may also utilize the latest anti-virus programs that update themselves automatically everyday.

But in the end, the best defense of all might just be common sense. If you receive an email from someone you don't know asking you for personal information, delete it. If your employer is asking you in an email to reset your password by clicking on a certain link, give them a call –make sure it’s legitimate.

Also, keep in mind such attacks are not limited to email. They can come through social media networks as well and attempt to hijack your social media account. One could also consider limiting the amount of personal or employment information they post to social media. All of this might help to dull the spear of such hackers, making their personal attempts at gaining access to the most private of information a failure.