How Hackers Go Phishing
How sophisticated does an attacker’s intelligence gathering have to be for a Spear Phishing attack?
Not very sophisticated at all. This type of attack typically involves the sender addressing the target by name and asking them “to act immediately to verify or update personal information such as bank account numbers, user names/passwords, credit card account numbers – even your Social Security Number”.1
The attacker (i.e. the Spear Phisher) in reality does not have to go through very sophisticated steps to obtain such pieces of sensitive information from many people. A number of careless steps on the part of the target can yield some juicy bits of information. As an example, Joe Attacker has become friends on Facebook with Jane Victim, who does not even know Joe. On her page she happens to have certain information (not terribly sensitive, but enough to get Joe started), including where she works and where she went shopping last week (i.e. Macy’s). Joe then meticulously crafts an e-mail to her work address; knowing that all e-mail addresses at her company follow the format FirstInitial.LastName@Companyname.com, he is fairly sure it will reach her. He addresses the e-mail to her specifically and sends it from an e-mail domain he created with “Macys” as part of it, asking her to verify her department store credit card information.
As we’ll see, a high degree of sophistication is normally not needed for a successful Social Engineering attack to take place. In most cases all that is needed is for the target to see a recognized brand or system he or she identifies with, combined with a sense of urgency, such as a threatened revocation of account status or monetary penalties, in order for him or her to comply with the attacker’s requests.
Jane received an e-mail with a subject line that read: “URGENT Account Verification Needed after Your Last Purchase at Macy’s!”. Jane considered herself fairly savvy at detecting online fraud and knew to look for mistakes in e-mails as signs of Spam or Phishing. She didn’t see any anomalies such as spelling errors, and she did see an official-looking Macy’s logo. The sender’s e-mail address had a sub-domain in front of the Macys.com part, which she dismissed as normal operational procedure.
Had she paid closer attention to the sender’s e-mail address and to the URL of the website where she was asked to provide her credit card details, Social Security number and other PII, Jane would not have fallen prey to the account fraud and identity theft that happened here. When entering such information, always check that there is a lock icon in the web browser’s address bar, which indicates a secure connection. Jane should have gone directly to the Macys.com page and logged in to see whether there were any irregularities with her account. Do not click links in an e-mail without first investigating the URL.
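The check the paragraph above asks Jane to perform by eye can be written down precisely. The script below is an added example, not part of the original article: given a From: address and the links in a message, it extracts the hostname a browser would actually connect to and compares only the registrable domain (the last two labels) against a small allow-list. That is the rule that matters here: “secure.macys.com” is controlled by whoever owns macys.com, whereas “macys.com.verify-card.example” or “macys.com-cardservices.example” belong to whoever registered the right-hand part. It also flags links whose visible text names one site while the href points somewhere else. The allow-list, the sender address and every hostname in the sample message are constructed for this example and are not real. Note also that the lock icon only tells you the connection is encrypted, not who is on the other end; the domain check is what establishes that.

```python
from urllib.parse import urlparse

# Hypothetical allow-list for this example: the brand Jane expected mail from.
TRUSTED_DOMAINS = {"macys.com"}


def registered_domain(host: str) -> str:
    """Return the registrable part of a hostname (the last two labels).
    Simplification for the example: multi-label public suffixes such as
    'co.uk' are not handled; a production check would use a public-suffix list."""
    labels = host.lower().strip().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def sender_domain(address: str) -> str:
    """Domain part of a From: value such as "Name <user@host>" or "user@host"."""
    addr = address.strip()
    if addr.endswith(">") and "<" in addr:
        addr = addr[addr.rindex("<") + 1:-1]
    return addr.rsplit("@", 1)[-1].lower()


def link_host(url: str) -> str:
    """Hostname a browser would actually connect to for this link.
    urlparse discards any 'user:pass@' prefix in the authority, so
    'https://macys.com@evil.example/' yields 'evil.example', not 'macys.com'."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def is_trusted_host(host: str) -> bool:
    """True only when the registrable domain itself is on the allow-list.
    Labels to the left of it (sub-domains) belong to the same registrant;
    the trusted name appearing further left, or followed by a hyphen or an
    extra label, does not make the host trusted."""
    return registered_domain(host) in TRUSTED_DOMAINS


def check_message(sender: str, links: list) -> list:
    """Inspect the From: address and each (displayed text, href) pair.
    Returns a list of (kind, value, verdict) tuples."""
    findings = []
    dom = sender_domain(sender)
    findings.append(("sender", dom, "trusted" if is_trusted_host(dom) else "UNTRUSTED"))
    for text, href in links:
        host = link_host(href)
        verdict = "trusted" if is_trusted_host(host) else "UNTRUSTED"
        # Visible text that looks like a URL but names a different site than
        # the href is a classic phishing tell, whatever the allow-list says.
        shown = link_host(text) if "." in text and " " not in text else ""
        if shown and registered_domain(shown) != registered_domain(host):
            verdict += " (text/href mismatch)"
        findings.append(("link", host, verdict))
    return findings


# Constructed sample message modelled on the scenario in the article;
# none of these hostnames are real.
SAMPLE_SENDER = "Macy's Card Services <verify@macys.com-cardservices.example>"
SAMPLE_LINKS = [
    ("https://www.macys.com/account", "https://macys.com.verify-card.example/login"),
    ("Update your card", "https://macys.com@login-portal.example/"),
    ("www.macys.com", "https://www.macys.com/account/"),
]

if __name__ == "__main__":
    for kind, value, verdict in check_message(SAMPLE_SENDER, SAMPLE_LINKS):
        print(f"{kind:6} {value:40} {verdict}")
```

Run as-is, the script reports the sender and the first two links as untrusted (the first also as a text/href mismatch) and only the genuine www.macys.com link as trusted. The same logic, fed from an allow-list of brands your organisation actually does business with, is a reasonable first filter in a mail gateway or a user-reporting tool.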
Spear Phishing need not be sophisticated in its intelligence-gathering techniques. Once certain details about individuals have been gathered, it can be a thorough method of targeting them. Many individuals are careless about what they post on social media and about whom they grant access to it. Attackers are constantly on the lookout for such carelessness. Their reasoning is simple: if you were careless enough to make that information available in the first place, what is going to stop you from providing more information in the future when given a believable communication such as a targeted Spear Phishing e-mail?
Jane’s case is a common occurrence, more common than it should be. Spear Phishing is often neither detected nor blocked. User awareness is the best defense: people need to know not to provide sensitive PII (e.g. credit card numbers, Social Security numbers, addresses, salary information, dates of birth) when prompted by an e-mail, especially one that commands urgent action. Always check a link before clicking it if it is in the body of an e-mail. When you are entering personal information, make sure the connection is secure. Trust your gut: if something seems like phishing, it most likely is a phishing attack!
1. “Spear Phishing: the real danger behind the Epsilon data breach”, Computerworld: http://blogs.computerworld.com/18093/spear_phishing_the_real_danger_behind_the_epsilon_data_breach
Andres Tabares, CISM, CRISC, CISSP is a Data Security Professional with Aujas (www.aujas.com), a Global Information Risk Management consulting firm that focuses on Data Protection and Safeguarding against Social Engineering attacks, including Spear Phishing. He can be contacted at Andres.Tabares@Aujas.com.