Spear phishing attacks have steadily increased over the past few years. Although, according to Infosec Institute's statistics, the number of these instances at the beginning of 2015 had paled in comparison with the levels seen in previous years, this does not make spear phishing any less of a threat. Infosec found that spear phishing was a particularly formidable issue last year, and hackers are continuing this trend into 2015.
But what exactly is spear phishing and what does a typical attack include? Today, we'll take an in-depth look into this type of malicious activity, how an attack works and how users can protect themselves.
Spear phishing defined
According to a Trend Micro white paper, "Spear-phishing Email: Most Favored APT Attack Bait," spear phishing can be defined as "highly targeted phishing aimed at specific individuals or groups within an organization." In this way, hackers take more simplistic phishing attacks to the next level, where they have a particular target in mind. Because the cybercriminal knows ahead of time who their victim will be, they can go to extra lengths to personalize and customize the messaging and strategies used in the attack to boost the chances of infection. For instance, Trend Micro noted that oftentimes, spear phishing attacks will include a victim's name and position within the company as opposed to more generic titles and greetings seen in traditional phishing campaigns.
For example, instead of sending a phishing message to attract the attention of anyone within an organization, hackers will include the name of the CEO, as well as his position. This further encourages the target to open the email and download the malicious payload, particularly when the victim has had security training and may know the signs of common phishing messages.
"APT campaigns frequently make use of spear phishing tactics because these are essential to get high-ranking targets to open phishing emails," the TrendLabs APT Research Team noted in the Trend Micro white paper. "These targets may either be sufficiently aware of security best practices to avoid ordinary phishing emails or may not have the time to read generic-sounding messages."
Spear phishing: What's included in the attack?
According to Trend Micro, a typical spear phishing attack includes an email and an attachment.
The email includes information specific to the target, including his name and rank within the company. This boosts the chances that the victim will carry out all the actions necessary for infection, including opening the email and the included attachment.
The email will also have a legitimate-appearing link or file attachment. These can be a variety of different file types, but Trend Micro researchers found that 70 percent of all attacks feature .XLS, .PDF, .DOC, .DOCX or .HWP files.
"The file, often a vulnerability exploit, installs a malware in a compromised computer," the white paper stated. "The malware then accesses a malicious command-and-control (C&C) server to await instructions from a remote user. At the same time, it usually drops a decoy document that will open when the malware or exploit runs to hide malicious activity."
Because executable files can look suspicious to some users – especially those who have had security training in the past – hackers will disguise these with fraudulent icons and include unnecessary spaces in the file name to camouflage the .EXE file name extension.
The vast majority of spear phishing attacks utilize this approach – Trend Micro monitoring showed that 94 percent of emails include malicious file attachments. The remainder leverage other strategies like encouraging victims to click malicious links to download malware and exploits.
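The file name disguise described above (spaces padded in ahead of the .EXE extension, often after a document-style extension) can be checked for at the mail gateway. The following is an added example, not code from the white paper or from Trend Micro; the function names, the extension lists and the sample message are constructed for illustration.

```python
import re
from email import message_from_string

# Directly executable on Windows (illustrative list, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
# Document types the article lists as the usual attachment formats.
DECOY_EXTS = {".xls", ".pdf", ".doc", ".docx", ".hwp"}
EXT_RE = re.compile(r"(\.[A-Za-z0-9]{1,5})\s*$")

def filename_findings(name):
    """Return the reasons an attachment file name looks disguised."""
    match = EXT_RE.search(name)
    ext = match.group(1).lower() if match else ""
    if ext not in EXECUTABLE_EXTS:
        return []
    findings = ["executable extension " + ext]
    stem = name[: match.start()]
    # Spaces ahead of the real extension push it out of the visible name.
    if stem != stem.rstrip() or re.search(r"\s{3,}", stem):
        findings.append("whitespace padding before extension")
    inner = EXT_RE.search(stem)
    if inner and inner.group(1).lower() in DECOY_EXTS:
        findings.append("decoy document extension " + inner.group(1).lower())
    return findings

def scan_message(raw):
    """Map each flagged attachment name in a raw message to its findings."""
    flagged = {}
    for part in message_from_string(raw).walk():
        name = part.get_filename()
        if name and filename_findings(name):
            flagged[name] = filename_findings(name)
    return flagged

# Constructed sample message (not taken from the white paper).
SAMPLE = (
    "From: sender@example.com\nSubject: Q3 budget review\n"
    'MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain\n\nPlease review the attached figures.\n"
    "--b1\nContent-Type: application/octet-stream\n"
    'Content-Disposition: attachment; filename="Q3 budget.xls          .exe"\n\n'
    "placeholder\n--b1--\n"
)

if __name__ == "__main__":
    for name, why in scan_message(SAMPLE).items():
        print(repr(name), "->", "; ".join(why))
```

A check like this looks only at the declared file name, so it complements content-based attachment scanning and does not replace it.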
Who are the victims?
Trend Micro researchers found that spear phishing is more popular in certain industries than in others. As with many other attacks, hackers are after sensitive information that can be used in further attacks, used for fraudulent purposes or sold in underground marketplaces, so certain market sectors are more attractive than others.
The government sector has seen the most attacks, with activist organizations ranking second. The heavy equipment, aviation, finance and aerospace industries have also seen a higher incidence of attacks than other areas. On the opposite end of the spectrum are the academic research, biomedical research, conglomerate, engineering and industrial sectors, which have seen only 1 attack each in recent years.
Because file attachments via email have become common in certain sectors, this also increases the chances of infection.
"People normally share files (e.g., reports, business documents and resumes) in the corporate or government setting via email," the white paper noted. "This may be due to the fact that downloading off the Internet in such a setting is frowned upon. That is why a higher number of spear phishing emails with attachments is sent to targets in the corporate or government sector."
On the other hand, alternative infection methods, such as the use of a malicious link instead of an email attachment, are seen more often in activist groups and international noncorporate or nongovernmental organizations. In these circles, clicking a link included in an email is less suspicious.
A favorite for targeted attacks
Trend Micro noted that spear phishing tactics have become a favorite for targeted attacks because victims are more often duped into opening these types of emails.
"Spear phishing email attachments are difficult to spot from normal document attachments passed on from user to user each day in a corporate environment, increasing the likelihood of successful computer infection," the white paper stated. "Our findings highlight how spear phishing aids APT attacks because of the vast amount of information available at the touch of our fingertips."
Protecting against spear phishing
Although spear phishing messages can be challenging to recognize in the flood of corporate emails, and are designed to specifically take advantage of this, there are things companies can do to lessen their chances of infection.
In addition to keeping an eye out for suspicious-looking messages, links and attachments, it's also important to consider the sender. Company employees and executives should not open emails or download attachments from any unfamiliar sender. An unfamiliar sender could be a telling sign of cybercriminal activity.
It's also critical to keep track of what data is accessible from different platforms.
"Organizations should strive to improve their existing defenses and take into careful consideration what types of and how much information they make available online," the white paper stated.
Businesses should also have the right protection systems in place to help mitigate these types of threats. Trend Micro's Hosted Email Security, part of our Smart Protection Complete solution, can help your business guard against spear phishing attacks. This no-maintenance system includes security measures to specifically prevent spam, phishing and malware. To find out more, contact us today.