December 16, 2014
Google Data Center. Photo: Google/Connie Zhou
Google, the Pentagon, the White House, RSA, HBGary Federal, The New York Times.
That’s a list of organizations you’d expect to have top-notch IT security, right?
Perhaps they do. But malicious hackers have infiltrated all of these high-profile entities. Some breaches were perpetrated by organized, state-sponsored threat actors, such as China’s APT1 – a cyber espionage unit responsible for stealing hundreds of terabytes of data from numerous US organizations. Other breaches, like that of HBGary Federal, were conducted by the loose, decentralized hacker collective called Anonymous.
So, what common link exists between a government-sponsored cyber warfare unit and a scattered, international group of hacktivists? The answer is their preferred method of attack.
Spearphishing is a subset of phishing. Phishing is by no means a new tactic. First seen back in the mid-90s, phishing involves fraudulently portraying oneself as a trusted entity and communicating directly with a victim to seek sensitive information. For example, an attacker may craft an email that appears to be from PayPal and send it to thousands of intended victims, requesting that they click a link in order to log in and reset their password. The link directs the victim to a PayPal lookalike site, where their password is recorded when they attempt to log in.
Spearphishing takes a more refined approach. In this scenario, the attacker has a particular victim in mind. The attacker may research this victim extensively, learning as much as possible about the victim’s personal life. Leveraging this information, the attacker performs a phish as described above, but personalizes the attack to enhance credibility and authenticity.
91% of targeted attacks begin with spearphishing, according to Trend Micro.
Despite this, we speculate that the majority of individuals in the United States haven’t even heard of spearphishing, much less learned how to defend themselves against it. Given the prevalence of this attack method, we can no longer afford to remain ignorant.
Part two of this segment will outline ways to minimize risk – stay tuned!