Phishing is one of the most common attack vectors hackers use to initially infiltrate a user’s system. Phishing is an attempt to obtain user credentials, financial data, or other sensitive information by emulating a legitimate email communication. Phishing emails can also be used to trick a user into clicking on a malicious attachment or link that is embedded into an email. Spear phishing, on the other hand, is a targeted phishing campaign where hackers first research their target individual or company to increase their chance of success. By doing this, hackers attempt to appear more trustworthy as a legitimate business entity thus making the target less suspicious. Spear phishing presents a much greater threat than phishing in general as the targets are often high-level executives of large corporations.
Spear Phishing Examples
We have all heard about how the Democratic National Committee (DNC) fell victim to a cyberattack where their email systems were breached during the U.S. presidential race. What most people don’t know is the DNC email system was breached through spear phishing emails.
In the DNC hack, there were two separate attacks that enabled the hacking group to release confidential data. The first hack, which began in the summer of 2015, sent spear phishing emails to more than 1,000 addresses. The emails used a common phishing technique where malicious attachments were embedded into the emails. Someone in the DNC received and opened one of the attachments which enabled the hacking group to do the following:
- Install malware on the victim’s system
- Establish persistence
- Escalate privileges
- Steal emails from several DNC accounts
- Export emails to the attacker’s server via an encrypted connection
The second attack began in the spring of 2016 and also used a spear phishing campaign. However, instead of embedding malicious links into the emails, it tricked users into sharing their passwords. The emails asked recipients to reset their passwords and provided a link to do so. Clicking on the link brought victims to a fake webmail domain where they entered their credentials which then gave the hackers the keys to their email. This attack is a perfect example of how a simple, deceitful email and web page can lead to a breach.
W-2 Spear Phishing Attacks
Between late 2015 and early 2016, more than 55 companies fell victim to a highly-tailored spear phishing campaign. This campaign was responsible for stealing and compromising the W-2 U.S. tax records of every employee working for these companies in 2015. This spear phishing campaign targeted individuals working directly below the CEO. The emails ‘urgently asked for the W-2s of all employees working under them.’ By impersonating the CEO of these companies, hackers experienced a ton of success as no one wants to disappoint or keep their CEO waiting on a request. The timing of the attacks was spot on as well. The 55+ companies that fell victim to the attack were breached between January and April 2016 which, as well all know, is tax season. So, the request for W-2s on all employees wasn’t as outlandish as some other phishing campaigns can be.
Why would the hackers want the information from W-2s? These documents have a wide range of sensitive information that can be used for various forms of identity theft. Remember, your W-2 has your social security number and address on it. There are also two other possibilities that hackers could do with your W-2s. The more likely of the two is the hackers would sell this data on dark-web forums, allowing other cybercriminals to do as they please with this information. The less-likely option is the hackers could attempt to file your taxes before you, and collect on your tax refund.
Spear Phishing Campaign Targets NGOs and Think Tanks
Nearly six hours after President Trump was announced as the winner of the presidential election, the same group who was responsible for the DNC hack launched another spear phishing campaign. The primary targets of this attack, however, appeared to be non-governmental organizations (NGOs) and policy think tanks in the U.S. The same Russian hacking group, ‘the Dukes,’ sent out emails from Gmail accounts and possibly a compromised email account from Harvard University’s Faculty of Arts and Science. The phishing emails used ‘PowerDuke’ which is a new backdoor malware that gives attackers remote access to compromised systems.
The emails were disguised as messages from several entities including the Center for New American Security (CNAS), Transparency International, the Council on Foreign Relations, the International Institute for Strategic Studies (IISS), and the Eurasia Group. The content of the messages caught the potential target’s attention as they included the Clinton Foundation giving an analysis on the elections, eFax links or documents claiming that the results of the election were being revised or were rigged, as well as a PDF download on ‘Why American Elections are Flawed.' Below is an example of an eFax document that was included in the spear phishing campaign.
Opening a file like the one embedded into the email will launch ‘PowerDuke’ into action. Once the malware is installed, the backdoor contacts the command and control network. This allows the hackers to carry out a large range of commands including the uploading and downloading of files, remote wiping of files and accessing details about the infected machine, its user, and the network it runs on.
Phishing by the Numbers
Don’t think phishing and spear phishing are very common? Think again! Here are some 2016 statistics on phishing attacks.
- 85% of organizations suffered a phishing attack in 2016
- 30% of phishing emails get opened – hackers are able to send out thousands of emails at a time!
- Phishing campaigns are the #1 delivery method for distributing malware
- There was a 250% surge in phishing campaigns between 2015 and 2016
- Between March and December of 2016, 9 out of 10 phishing emails contained ransomware.
- $1.6 million: the average cost of a spear phishing attack.
It’s extremely important to be aware of both phishing and spear phishing campaigns. An attack costing $1.6 million could cripple almost any small or medium sized business!