It utilises customised campaigns often involving several vectors of attack including, but not limited to, online research, telephone calls, and email.
An attack that is custom-made with information solely intended for the victim increases the odds of that attack being successful.
Cyber criminals may seek out information for spear phishing attacks on social networking sites like Facebook. An unprotected Facebook page can supply a wealth of personal details that may be used against victims.
In fact, the majority of account security questions can be gleaned from looking at a person’s social networking profile – the name of a pet, parents’ names, schools attended and more.
Remember, too, that some public-facing Facebook conversations can provide a wealth of information that allows cyber criminals to appear familiar to their targets.
Another common method of gleaning details about a target is to simply ask for it over the phone. Sometimes this will be a direct call, other times an attacker will target customer support or receptionists and ask for information about the company’s president or financial officer.
Most victims admit that what they once perceived as harmless information sharing (i.e., name, email address) was used as an important piece in the cyber criminal’s puzzle to customise the payload.
Once cyber criminals have collected information, they will use personal details to craft a unique message so that not even spam filters catch the malicious intent. Common email themes include purchase receipts, shipping notifications, or even a fake court summons.
In the end, no matter the ruse, the victims will be directed to a link or an attachment for the details of their unexpected purchase or criminal claim. This is where the malicious payload or malware resides.
Email attachments are often made to look like harmless documents even though they are really executable files wearing Microsoft Word or Adobe PDF icons. Once a file is executed the real damage begins.
If this is a custom piece of malware it will likely utilise new exploits that even the security professionals have yet to see (also known as zero day threats). Once these exploits are successful they will establish access to the victim’s machine by a remote system which can then download any number of further payloads.
This can include keylogging software that monitors keystrokes looking for bank login information, password stealers, or even, as in the recent CryptoLocker attacks, software that locks the target computer and demands a ransom from the victim in order to get their company data back.
Spear phishing is a highly effective attack because it works with human emotion to trick its victims into reacting before thinking. It’s very important to avoid any sort of email that you may not be expecting. If it’s threatening, or if it involves a purchase that (hopefully) was not made, check with the company directly instead of clicking on that link.
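A mail-gateway style check for the disguised attachments described above, as an added example that is not part of the original article: it flags attachments whose file name or leading bytes reveal an executable behind a document name. The extension lists, function names and sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows will run, and document extensions commonly used as a disguise.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".rtf"}
# Leading bytes of genuine documents; "MZ" marks a Windows executable.
DOC_MAGIC = {".pdf": b"%PDF", ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04",
             ".doc": b"\xd0\xcf\x11\xe0", ".xls": b"\xd0\xcf\x11\xe0", ".rtf": b"{\\rtf"}

def inspect_attachment(filename, payload):
    """Return the reasons an attachment looks like a disguised executable."""
    # Strip padding so "invoice.pdf     .exe" still yields ['.pdf', '.exe'].
    exts = ["." + p.strip() for p in filename.lower().split(".")[1:]]
    last = exts[-1] if exts else ""
    reasons = []
    if payload[:2] == b"MZ" and last not in EXECUTABLE_EXTS:
        reasons.append("executable content behind a non-executable name")
    if last in EXECUTABLE_EXTS and any(e in DOCUMENT_EXTS for e in exts[:-1]):
        reasons.append("document extension followed by an executable extension")
    elif last in EXECUTABLE_EXTS:
        reasons.append("executable attachment")
    if last in DOC_MAGIC and not payload.startswith(DOC_MAGIC[last]):
        reasons.append("content does not match the %s format" % last)
    return reasons

def scan_message(raw_bytes):
    """Map each suspicious attachment name in a raw message to its reasons."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        reasons = inspect_attachment(name, part.get_payload(decode=True) or b"")
        if reasons:
            findings[name] = reasons
    return findings

def build_sample():
    """Constructed sample message: one disguised executable, one genuine PDF."""
    m = EmailMessage()
    m["Subject"] = "Shipping notification"
    m.set_content("Details of your order are attached.")
    m.add_attachment(b"MZ\x90\x00" + b"\x00" * 16, maintype="application",
                     subtype="octet-stream", filename="invoice.pdf.exe")
    m.add_attachment(b"%PDF-1.4\n%%EOF\n", maintype="application",
                     subtype="pdf", filename="receipt.pdf")
    return m.as_bytes()
```

Calling `scan_message(build_sample())` reports only `invoice.pdf.exe`; the genuine PDF passes because its name and leading bytes agree.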
Fred Touchette is a senior security analyst at AppRiver.