One Phish, Two Phish, Red Phish…Spear Phish?

Who doesn’t love a good fishing trip? Just imagine it – you, some cold ones, your boat sailing along in the middle of the placid silver-blue lake. But wait! What’s that grabbing hold of your line, tugging as if it’s the master and you’re the one getting caught? Well guess what? When it comes to phishing, you’re the one being reeled in.

Phishing, which is any attempt to collect sensitive information via misleading and/or malicious emails or websites, isn’t a new phenomenon – it’s a threat that has been making the rounds and evolving since the mid-1990s. Starting out life back in the heyday of AOL, the technique was developed by a bunch of technically inclined criminals who recognized the unique opportunities presented by the emergence of this flashy new invention: the internet. (Disclaimer: the internet wasn’t actually all that “new” by 1995, but that is around when it became popular among even non-techies.)

Nor are crime and scamming people new inventions; but pair them with the power of the internet, and that’s one heck of a powerful punch. A certain group of hackers known collectively as “warez” explored the idea of generating randomized credit card numbers to open AOL accounts. Eventually, AOL caught on to the ruse, suspending all users it could associate with the fraudulent credit cards. Sensing it was time to go bold, the group created an AOL hacking tool called AOHell, which allowed hackers to pose as legitimate AOL representatives over instant message. The “representative” would then tell the potential victim that AOL needed to verify the account, in an attempt to coax passwords and credentials out of them.

As the internet evolved, so did the tactics, and so have the stakes. Today, when we talk about the current phishing epidemic, it’s true that we may be talking about the troves of badly spelled, almost funny emails that go straight to your spam folder. Surely, you’re far too savvy to fall for emails from stores and/or people that clearly don’t exist. You’re on guard when it comes to clicking links (because we have told you Oh. So. Many. Times!). You hopefully even have some sort of understanding that phishing attempts can come via your favorite social media platforms, like those Facebook posts kindly requesting that you fill out surveys in exchange for free stuff.

In this model, many emails, maybe millions, are sent at a time to addresses that the hackers have scraped with specialized tools. The return is low because, thankfully, most people know how to spot these baddies a mile away. But the investment is equally low, and even if a minute proportion of potential victims fall for the ruse, the hacker turns a nice little profit.

Spear Phishing

All good and well.

But phishing can get much, much worse, and much more personal. This is called spear phishing.

Think of phishing like a tuna fisher’s net: many fish may swim into the net, but more wriggle their slippery way out than meet their untimely end on a dinner plate next to a main of mac n’ cheese. Spear phishing, on the other hand, is like a harpoon, one long and deadly instrument, zeroed in on one unfortunate target.

When it comes to spear phishing, personalization is the name of the game. The less generic and more tailor-made the ploy, the higher the chances are that the attack will succeed. Spear phishing is a much higher stakes game than regular ol’ phishing.

Whereas phishing requires little more than someone with less than stellar skills to write a few email scripts and run an address-scraping tool, a huge amount of effort can go into creating a convincing spear phishing attack. Attackers might spend months crafting their ploy. First, they’ll scope out corporate social media accounts, company websites and blogs, studying them to learn the intricate workings of the company hierarchy. They will learn who works in which department, who the influencers are, and what the company values. They might even learn which third-party companies it deals with and the type of vendors that would typically solicit it.

Armed with this information, they craft highly convincing emails that appear to have come from a trusted source, like another company looking to do business with them, or the company’s bank, or something along those lines. This was the method used by the hackers who infiltrated famed security giant RSA in 2011, JPMorgan Chase in 2014 and, perhaps most notably of all, the DNC in 2016.

DNC Hack

The hacking of John Podesta’s DNC email account reads something like a comedy of errors. Naturally, the campaign was facing a constant barrage of phishing emails. They knew which ones to watch out for, until an exceedingly well-crafted one came along, throwing his poor aide for a loop. The email warned of many attempts to access Podesta’s account and instructed him to change his password immediately using the link in the email. The spooked aide forwarded the email to the campaign IT staff to ask about its validity. The IT staffer told her it was “legitimate” and that he should “change his password immediately”. What he meant was that it was IL-legitimate and that Podesta should reset his password directly with Google. That’s not what the aide heard, though; she took it to mean that he should reset the password using the link in the email, leading to the exposure of over 60,000 emails.

This isn’t the first time nation state entities have used spear phishing techniques and it’s far from the last — because, as we see so clearly, spear phishing is incredibly effective and efficient.

Phishing can get Pretty Savvy, Too!

But before you go off and assume that spear phishing = really dangerous, really cunning and phishing = not so bad, not so intelligent, think again.

Just last week, a new phishing campaign was spotted, and this one has all the brains and brawn of a well-executed, sharp spear.

Like the Podesta debacle, this email hoax, which is hitting inboxes as we write, seems to come from none other than Google. It all starts when you get an email from a friend. The email has an attached file, and the email’s subject and the attached file’s name match those of an email and attachment you once sent, making it seem as if your friend is replying to your email.

Little do you know that your friend also got a similar email, one that used the subject line and attachment name of something he or she had recently sent. They took the bait and opened the attachment. That’s when the malware began its crooked job of collecting email addresses, email subjects and attachment names from the victim’s sent emails.

Back to you: you’re thinking this email is from your bud, so you open the attachment, which in turn opens a new web page, a picture-perfect copy of the Gmail login page. The crafty hackers have even worked out the URL so that it perfectly mimics Gmail’s. They do this by embedding the real Gmail URL inside a different URL and adding lots and lots of padding around it, so all that you see in the address bar is the Gmail part, obscuring the rest of the evilness.

When you click the link, it gives hackers access to your account and everything in it. Then it sends that same email, with subject lines lifted straight out of your “sent” folder, to all your contacts. The tactics are so well designed and executed that even savvy tech-types have been falling for the ploy.
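To show why the padded address above fools the eye but not a parser, here is an added example (not code from the original post or from any of the campaigns it describes) that inspects what a browser would actually load. It assumes the padded form is a non-web scheme such as `data:` carrying the genuine Google login URL followed by a long run of whitespace; the sample address strings are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample address-bar strings, not captured from any real campaign.
LEGIT = "https://accounts.google.com/ServiceLogin?service=mail"
# Assumed shape of the padded trick: a data: URI whose visible start is the
# genuine login URL, with whitespace pushing the real content out of view.
PADDED = ("data:text/html,https://accounts.google.com/ServiceLogin?service=mail"
          + " " * 200 + "(hidden content the victim never sees)")
LOOKALIKE = "https://accounts.google.com.example.test/ServiceLogin"

# Hostnames a real Google sign-in page would be served from (assumption).
TRUSTED_HOSTS = {"accounts.google.com", "mail.google.com"}


def analyze_address(addr):
    """Return a list of findings about what the browser will actually load."""
    findings = []
    parsed = urlparse(addr.strip())

    # A login page lives on a web server; data:, javascript: etc. do not.
    if parsed.scheme not in ("http", "https"):
        findings.append(f"non-web scheme '{parsed.scheme}': not a page on any server")

    # Long whitespace runs exist only to hide the tail of the address bar.
    longest_gap = max((len(m) for m in re.findall(r"\s+", addr)), default=0)
    if longest_gap >= 20:
        findings.append(f"{longest_gap} consecutive whitespace chars hide the rest")

    # The trusted name appears in the text, but is it the host that is served?
    host = parsed.hostname or ""
    for trusted in TRUSTED_HOSTS:
        if trusted in addr and host != trusted:
            findings.append(f"'{trusted}' is in the text but the real host is "
                            f"'{host or '(none)'}'")

    # Tip from the list below: a real login page is served over HTTPS.
    if parsed.scheme == "http":
        findings.append("no TLS: expect https and a padlock on a login page")
    return findings


def is_suspicious(addr):
    """True when any finding would stop us entering credentials here."""
    return bool(analyze_address(addr))


if __name__ == "__main__":
    for label, addr in (("legit", LEGIT), ("padded", PADDED), ("lookalike", LOOKALIKE)):
        print(label, "->", analyze_address(addr) or "no findings")
```

The same three checks (real scheme, whitespace padding, real host versus displayed name) are what a browser extension or mail gateway would apply before letting a credential form load.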

To steer clear of the smart variety of phishing/spear phishing attempts, there are a few things you can do:

  • Employ multi-factor authentication: This will keep hackers from accessing your data even if they have bypassed the password.
  • Think like a hacker: With every questionable email, think “is there a chance this can be malicious?” Any time you answer yes, hit “delete”.
  • Learn their methods: Education is the number one way to keep safe from getting reeled in, so read as much as you can and learn what’s out there and what’s happening at the moment in terms of phishing techniques.
  • Silence social media: One of the best tools hackers have with which to collect data on you is your social media profiles. Once they know where you live, what you do for a living and other details, they have all they need to create a perfect attack email.
  • Check out URLs and look for padlocks: True, this tip wouldn’t have kept you from getting hit with the Gmail tactic above, but in most cases, the URL and the HTTPS and padlock will indicate if a website that you’re on is legitimate or not.
  • Implement a reliable security program: A solid security program like RCS will keep nasty malware off your computer and out of your devices.
  • Keep away from shady links: There you go, we said it again. Maybe this time people will listen.

The phishing/spear phishing epidemic isn’t going away anytime soon. The more you know about the attackers’ tactics, the better prepared you’ll be to stand up to them.
