Phishing has been a hot topic in IT security for some time, and it remains a major problem today. For example, Google reported in April 2020 that around 18 million COVID-19-related phishing emails were being blocked every day, on top of 240 million daily spam emails about the coronavirus. While “normal” phishing has long been a popular tool of cyber criminals, a newer, more sophisticated form has established itself alongside it: so-called “spear phishing”. How exactly spear phishing works and how you can protect yourself from it are among the questions this article answers.
Spear phishing is the practice of sending fraudulent emails aimed at specific individuals or organizations in order to gain unauthorized access to confidential information. As the English term suggests (spear fishing), no bait is thrown randomly at a wide range of victims. Instead, unlike regular fraudulent e-mails, these are extremely targeted attacks that single out a specific victim and penetrate its defenses, like a spear.
Reading tip: Avoid cyber panic attacks – IT security is not enough
Although these attacks are not as widespread as less specific, common phishing attacks, owing to their greater complexity and overhead, the trend is clearly upward: according to a study by Proofpoint, 88 percent of the companies surveyed worldwide reported that they were targeted by at least one spear phishing attack in 2019.
Spear phishing campaigns are started by a wide variety of groups. It could be a competing company, or cyber criminals who have identified the victim as particularly lucrative. Cyber criminals can also act on behalf of a direct competitor, for example one that benefits when a company can no longer offer certain services, or when sensitive information such as patents or new products, programming code, or simply contracts and business data leaks. A customer list can also be worth its weight in gold and therefore worth the cost of such a campaign. Of course, such campaigns can also be started by governments or states and their intelligence services or special authorities in order to carry out espionage.
Reading tip: Cybercrime as a service – a hack in the darknet is so cheap
As already indicated, it depends on what kind of company or institution the victim is. Ultimately, the client determines the value of the information, or the cybercriminal group sets the value of copied data via the ransom to be collected. It is important to know that the amounts do not always have to be that high, since the affected employee or his or her department head may try to cover up the incident. So it doesn’t always have to be in the millions: if copied data has an unknown value, that value can quickly be determined through blackmail or an offer on relevant marketplaces. A data set that a victim buys back quickly and unbureaucratically appears to be valuable, so follow-up blackmail may occur. Data is also readily sold to the highest bidder.
- Botnets
A network of computers infected with malware can be controlled by cyber criminals without their users noticing. In the cyber underground, (would-be) hackers can buy access to computers that have already been infected, often an entire network of them. The infrastructure of a botnet can be “rented” from around 100 dollars per month; a complete, ready-made system costs around 7,000 dollars.
- Browser exploit packs
In combination with a botnet framework, browser exploit packs (BEPs) allow their buyers to spread ransomware or other malware on a large scale. Like any advanced malware, BEPs have built-in modules for obfuscation, optimization and administration of criminal activities. A complete BEP package costs between $3,000 and $7,000 underground.
- Phishing toolkits
Criminal hackers who want to attack a certain group, or simply ordinary users, can purchase ready-made SMTP servers, scam websites or high-quality mailing lists in the CaaS environment, and at a low price: between $15 and $40. Combining these with “weaponized documents” is also popular, that is, files that at first glance look like Word documents or PowerPoint presentations but contain malicious code that exploits known and unknown vulnerabilities in Office to install malware on the user’s computer. This can be ransomware or a remote access toolkit, depending on the criminals’ purposes. Such an Office exploit costs between $2,000 and $5,000.
- Ransomware
This family of extortion malware is one of the most popular hacking tools currently traded in the cyber underground. It can be developed at very different levels of complexity and cause devastating follow-up costs. According to research by Trend Micro, a customizable crypto-locker file is available from around $50. However, many ransomware providers usually collect an additional “commission”, the amount of which is based on the damage caused; this is usually around ten percent.
Spear phishing emails are very similar to phishing emails: they have a subject line that triggers an emotion in the victim. Unlike regular phishing e-mails, however, spear phishing e-mails are personalized. The attackers invest a lot of time beforehand in what is known as social engineering.
Reading tip: Security Awareness – Detect and prevent social engineering attacks
The attackers collect as much information about the company as possible and, much like profilers, begin to create profiles of various employees in order to find the one who will get them to their goal as quickly as possible and as safely as necessary. That employee’s preferences, family, friends and business partners are analyzed in order to make the e-mail as effective as possible. Then the attackers try to win the employee’s trust. The email must therefore contain a topic that the victim finds interesting or that puts them in an emotional state. The content of the e-mail must be structured logically, and the link to the infected website must be embedded in such a way that the recipient does not question it but clicks it impulsively. Instead of embedding a link, an attachment can also be infected. MS Office files from Excel, Word or PowerPoint are particularly suitable, but image files or PDFs are also popular.
There are a number of security measures that companies can take to protect themselves, their employees and their e-mail accounts from spear phishing. It is usually advisable to combine organizational and technical measures.
Security Awareness Training: The first and sometimes most important line of defense of an organization is its employees. Since phishing attacks can only succeed when careless behavior on the part of employees makes them possible, employees are naturally also central when it comes to preventing phishing.
Endpoint security solutions: Another option for protection against spear phishing is software that protects the respective devices in the network. Antivirus programs and endpoint security solutions can help automatically block malware hidden in attachments and links.
A spear phishing email can reach an incident response team for further analysis in several different ways. In some cases, a message is automatically intercepted by the system because of suspicious indicators and never reaches the recipient at all, but lands directly on the security specialist’s screen. This is the optimal case, since the risk of an actual malware infection is zero.
Since spear phishing attacks are far more sophisticated than regular phishing, these messages appear very legitimate and are often not intercepted by the system. This brings us to the next possibility: the e-mail actually lands with the intended recipient. Now it depends on the individual who finds the message in their mailbox. A cautious employee who, in the best case, has been trained in security awareness may be able to identify the message as suspicious and forward it to the organization’s IT security team. Finally, there is the case most likely to pose a serious threat: users who actually fell for the phishing attempt and clicked on an infected attachment or link.
The analysis usually begins either as part of the incident response process or in the Security Operations Center (SOC), when a threat is spotted with the help of a security solution, which then sends the message to the SOC for further analysis.
The analysis always follows the same pattern: an expert examines the email. Then comes the decision: is it really a phishing email, or is it a false positive? The email is checked for indicators of compromise (IoCs), including any attachments. Among other tools, sandboxes are used, to which the attachment is sent for verification. Other tools are also used to investigate the message. The goal is always to reach a decision: is it spear phishing or not? If it is a confirmed attack, IoCs such as URLs, e-mail addresses and IP addresses are fed into a sensor grid in order to prevent further attacks.
For many companies, a simple yes/no as the result of the analysis is not enough. They call for a more advanced analysis of spear phishing incidents from which further information can be obtained. Interesting questions include: is it a single email to one person, or is the entire company part of a larger campaign? Such campaigns can extend across national and company borders.
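As an added illustration of the IoC-extraction step just described (example code written for this page, not part of the article and not any vendor's product), the following Python script parses a constructed spear phishing e-mail using only the standard library, pulls out sender addresses, relay IPs, URLs, domains and attachment hashes, flags attachments in the legacy OLE2 Office format, and flattens the result into rows that a mail gateway or sensor grid could ingest. Every address, domain, IP and URL in the sample is a documentation placeholder.

```python
"""Triage helper: pull indicators of compromise (IoCs) out of a suspected
spear phishing e-mail and flatten them into blocklist rows.

Added example, not code from the article. Standard library only.
SAMPLE_EML is a constructed message: the sender, domain, relay IP and URL
are documentation placeholders, not real indicators.
"""
import email
import hashlib
import re
from email import policy
from email.utils import getaddresses
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Magic bytes of an OLE2 compound document, i.e. a legacy .xls/.doc/.ppt file
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Constructed sample: a forged "overdue invoice" lure with an .xls attachment
SAMPLE_EML = b"""\
Return-Path: <billing@invoice-portal.example>
Received: from mail.invoice-portal.example ([203.0.113.45])
  by mx.victim.example with ESMTP; Mon, 06 Apr 2020 09:12:31 +0000
From: "Accounting" <billing@invoice-portal.example>
To: cfo@victim.example
Subject: Overdue invoice - action required today
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="utf-8"

Please review the attached invoice: http://invoice-portal.example/login?u=cfo
--XYZ
Content-Type: application/vnd.ms-excel; name="invoice.xls"
Content-Disposition: attachment; filename="invoice.xls"
Content-Transfer-Encoding: base64

0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAA
--XYZ--
"""


def extract_iocs(raw: bytes) -> dict:
    """Return sender/recipient addresses, relay IPs, URLs, domains and attachment hashes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    iocs = {"senders": set(), "recipients": set(), "ips": set(),
            "urls": set(), "domains": set(), "attachments": []}
    # Address headers: who claims to have sent it, and who was targeted (for victimology)
    for header, key in (("From", "senders"), ("Reply-To", "senders"),
                        ("Return-Path", "senders"), ("To", "recipients"),
                        ("Cc", "recipients")):
        values = [str(v) for v in msg.get_all(header, [])]
        for _name, addr in getaddresses(values):
            if addr:
                iocs[key].add(addr.lower())
    # Relay IPs recorded in Received headers
    for received in msg.get_all("Received", []):
        iocs["ips"].update(IPV4_RE.findall(str(received)))
    # Links embedded in text bodies
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            iocs["urls"].update(URL_RE.findall(part.get_content()))
    # Attachments: hash them so the sample can be handed to a sandbox and matched later
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        iocs["attachments"].append({
            "filename": part.get_filename(),
            "sha256": hashlib.sha256(payload).hexdigest(),
            "legacy_office": payload.startswith(OLE2_MAGIC),
        })
    # Domains come from sender addresses and from the hosts of extracted URLs
    for addr in iocs["senders"]:
        if "@" in addr:
            iocs["domains"].add(addr.split("@", 1)[1])
    for url in iocs["urls"]:
        host = urlparse(url).hostname
        if host:
            iocs["domains"].add(host)
    return iocs


def to_blocklist(iocs: dict) -> list:
    """Flatten the IoCs into 'type,value' rows for a mail gateway or sensor grid."""
    rows = [f"email,{a}" for a in sorted(iocs["senders"])]
    rows += [f"ip,{ip}" for ip in sorted(iocs["ips"])]
    rows += [f"domain,{d}" for d in sorted(iocs["domains"])]
    rows += [f"url,{u}" for u in sorted(iocs["urls"])]
    rows += [f"sha256,{a['sha256']}" for a in iocs["attachments"]]
    return rows


if __name__ == "__main__":
    for row in to_blocklist(extract_iocs(SAMPLE_EML)):
        print(row)
```

The recipient set is kept separately from the blocklist because it belongs to the victimology side of the analysis rather than to blocking; the OLE2 check is only a hint that a sandbox verdict is worth waiting for, not a verdict in itself.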
Victimology examines who belongs to the victim group. Is it just affecting a single person, the team, the entire company, or is this attack part of a campaign that affects multiple organizations in the industry?
When it comes to the targeted nature of spear phishing, a threat intelligence-based approach can help. Spear phishing emails contain a wealth of hidden clues, so-called IoCs (Indicators of Compromise), with which the attackers’ methods can be tracked and understood. By extracting and analyzing this information, analysts learn what to look for in order to identify other users who may have fallen for the same trick. With this evidence, data analysts can draw associations between multiple spear phishing messages, for example to determine whether the attack is part of a larger campaign that may still be ongoing. Identifying malware samples across different fraud campaigns and assigning them to attacker profiles and their intentions improves the responsiveness of security professionals.
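To make the campaign and victimology analysis of the last three paragraphs concrete, here is an added Python example (written for this page, not the article's code) that takes indicator sets already extracted from several reported messages, links messages that share any indicator into campaign clusters, and classifies each cluster's victim scope as single person, team, entire company or multiple organizations. The reports, organizations and indicator values are constructed placeholders.

```python
"""Correlate IoCs from several triaged e-mails into campaigns and victim groups.

Added example, not code from the article. REPORTS is constructed input: each
record holds a message id, the recipient, the recipient's organization and
team, and the indicator strings ("type:value") found during triage. All
values are placeholders.
"""
from collections import Counter, defaultdict

REPORTS = [
    {"id": "m1", "recipient": "cfo@alpha.example", "org": "alpha", "team": "finance",
     "iocs": {"domain:invoice-portal.example", "sha256:aa11", "ip:203.0.113.45"}},
    {"id": "m2", "recipient": "ap@alpha.example", "org": "alpha", "team": "finance",
     "iocs": {"domain:invoice-portal.example", "sha256:bb22"}},
    {"id": "m3", "recipient": "cfo@beta.example", "org": "beta", "team": "finance",
     "iocs": {"sha256:bb22", "ip:198.51.100.7"}},
    {"id": "m4", "recipient": "hr@alpha.example", "org": "alpha", "team": "hr",
     "iocs": {"domain:careers-update.example", "sha256:cc33"}},
]


def cluster_campaigns(reports: list) -> list:
    """Group messages that share at least one indicator, transitively (union-find)."""
    parent = {r["id"]: r["id"] for r in reports}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    first_seen = {}  # indicator -> first message id that carried it
    for r in reports:
        for ioc in r["iocs"]:
            if ioc in first_seen:
                union(first_seen[ioc], r["id"])
            else:
                first_seen[ioc] = r["id"]
    groups = defaultdict(list)
    for r in reports:
        groups[find(r["id"])].append(r)
    return list(groups.values())


def victimology(cluster: list) -> dict:
    """Describe who a cluster targets and which indicators tie its messages together."""
    orgs = {r["org"] for r in cluster}
    teams = {(r["org"], r["team"]) for r in cluster}
    people = {r["recipient"] for r in cluster}
    if len(orgs) > 1:
        scope = "multiple organizations"
    elif len(teams) > 1:
        scope = "entire company"
    elif len(people) > 1:
        scope = "team"
    else:
        scope = "single person"
    # Indicators seen in more than one message are the ones that link the campaign
    counts = Counter(ioc for r in cluster for ioc in r["iocs"])
    linking = sorted(ioc for ioc, n in counts.items() if n > 1)
    return {
        "scope": scope,
        "messages": sorted(r["id"] for r in cluster),
        "organizations": sorted(orgs),
        "linking_iocs": linking,
    }


def analyze(reports: list) -> list:
    """Cluster the reports and return one victimology summary per campaign."""
    summaries = [victimology(c) for c in cluster_campaigns(reports)]
    return sorted(summaries, key=lambda s: s["messages"])


if __name__ == "__main__":
    for summary in analyze(REPORTS):
        print(summary)
```

In the sample, m1 and m2 share a lure domain and m2 and m3 share an attachment hash, so all three are placed in one campaign spanning two organizations even though m1 and m3 have no indicator in common; m4 stays isolated. In practice the indicator weight matters: a shared attachment hash is a much stronger link than a shared relay IP that many unrelated senders may use.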
Reading tip: Threat Intelligence – an important building block for IT security
However, the challenge with threat intelligence is handling the immense amount of data and information correctly. This can be remedied by a threat intelligence platform that automatically correlates and evaluates various sources of threat information, so-called threat intelligence feeds. These feeds from providers such as Google and MITRE supply a threat database with information on current threats. This threat intelligence provides information about attacker groups, what they are doing, what tools they use, how those tools are defined and what the attackers’ goals are. Finally, there are ways to defend against these attacks. (bw / fm)