Spear Phishing: Everything You Ever Needed to Know

June 12, 2014
Mike Bailey

Spear Phishing: What Is It?

Spear phishing is a more targeted type of phishing attack used by cyber criminals to gather information, like login credentials, or to infect networks and computers with malware. It is a type of social engineering attack: the message attempts to appear credible while typically creating a sense of urgency so that the user acts quickly without checking. Spear phishing attacks usually appear to come from someone you know, like a supervisor or colleague, which makes them far more effective than a generic phishing email.

Spear phishing attacks are usually delivered by email, though they can also arrive through text messages, applications, social networks, or phone calls. You can be infected as soon as you visit a malicious website, and despite advances in phishing email filters and malicious website warnings, many of these attacks are so new (because they have been crafted for a specific group of people) that you and your organization remain vulnerable to them.

Incredible Statistics About Spear Phishing:

  • 91% of cyber attacks begin with a spear phishing email.
  • 94% of targeted spear phishing emails carry attachments.
  • Over half of the email addresses that received spear phishing messages were publicly listed on the web.

*Statistics according to a report from security software firm Trend Micro.

Prominent Examples of Spear Phishing

In May of 2014, Attorney General Eric Holder announced the indictment of five Chinese officials for computer crimes against American corporations. Some of the corporations cited in this indictment include: Alcoa, U.S. Steel, Westinghouse, Allegheny Technologies, United Steelworkers International Union, and Solarworld.

If we dig into the specifics, we find that some of these attacks began with spear phishing. According to the Pittsburgh Business Times article about the U.S. Steel breach:

"That's exactly the situation faced by about 20 U.S. Steel Corp. employees who received an email in early 2010 from the then-CEO John Surma. But that email wasn't from Surma at all. It was instead the vanguard of a sophisticated cyber attack by a group of tech-savvy Chinese military officers bent on gaining access to U.S. Steel's computer systems, according to a federal indictment released Monday. At least one, and possibly several, U.S. Steel (NYSE: X) employees fell for the trap, allowing the hackers to install malware that helped them gain access to the steelmaker's system."

Additionally, Ars Technica details how Alcoa was breached using a similar spear phishing email:

"In 2008, according to the indictment, the hackers sent e-mails to 19 senior employees at aluminum-maker Alcoa in Pennsylvania. The account of the sender impersonated a member of the company's board of directors. The message included malware in an attachment 'disguised as an agenda for Alcoa's annual board meeting.' The attack led to the theft of more than 2,900 e-mail messages and 863 attachments, 'including internal messages among Alcoa senior managers' discussing a Chinese acquisition, according to the indictment."
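Both accounts describe the same pattern: a message whose From display name is a known executive or board member, sent from an address the organization does not control, with a malicious attachment. As an added example, not code from the original post, the following check is the kind of rule a mail gateway or triage script could apply to flag that pattern; the directory, domains and messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

def normalize(name: str) -> str:
    """Treat 'Surma, John', 'John  Surma' and 'john surma' as the same name."""
    return " ".join(sorted(name.replace(",", " ").lower().split()))

# Constructed directory: addresses of people likely to be impersonated
# (executives, board members). A real deployment would load this from HR/AD.
DIRECTORY = {normalize("John Surma"): "jsurma@example-steel.test"}

def assess(raw: str) -> list[str]:
    """Return impersonation indicators found in one RFC 5322 message (empty if none)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    findings = []
    # Display name belongs to an internal user, but the address is not theirs.
    expected = DIRECTORY.get(normalize(name))
    if expected and addr.lower() != expected:
        findings.append(f"display name '{name}' is an internal user but sender is {addr}")
    # Replies would be diverted to a domain different from the visible sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.rpartition("@")[2].lower() != from_domain:
        findings.append(f"Reply-To {reply_to} points outside the From domain")
    # An attachment on an already-suspicious message raises the priority.
    attachments = [p.get_filename() for p in msg.walk()
                   if p.get_content_disposition() == "attachment"]
    if findings and attachments:
        findings.append(f"suspicious message also carries attachment(s): {attachments}")
    return findings

# Constructed messages: one impersonating the CEO from an outside domain, one genuine.
SPOOFED = """\
From: "John Surma" <john.surma@mail-secure-login.test>
Reply-To: ceo.office@webmail-free.test
Subject: Urgent: agenda for tomorrow
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review the attached agenda before the meeting.
--b1
Content-Type: application/zip
Content-Disposition: attachment; filename="agenda.zip"

UEsDBAo=
--b1--
"""
LEGIT = 'From: "John Surma" <jsurma@example-steel.test>\nSubject: Agenda\n\nSee you tomorrow.\n'
```

Such a rule is a triage signal for the reporting process the post goes on to recommend, not a replacement for user awareness: a genuine executive writing from a personal account trips it too, so findings should route to a reviewer rather than to an automatic block.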

Some sources also suspect that the May 2014 eBay data breach began with spear phishing attacks. Given the estimates that more than 9 in 10 companies are initially breached through spear phishing, there are countless other breaches in which spear phishing was the initial intrusion.

Is Spear Phishing Getting Worse?

In a word, yes. Here's why:

There was a 91% increase in spear phishing attacks in 2013 (Symantec Internet Security Threat Report 2014). The threat isn't going away, for a few reasons.

It's much easier than, say, penetrating a company's physical security controls. It can be done literally 24 hours a day from anywhere in the world. More importantly, with the amount of information users expose on social networks like LinkedIn or Facebook, end users become easy targets whose messages can be tailored to them personally.

Consider this: in a campaign of just 10 phishing messages, there is a greater than 90% chance that at least one user clicks (Verizon 2014 Data Breach Investigations Report). Now multiply that by the number of end users, and again by the number of times a year it is likely to happen, and the results become truly terrifying.

How Do You Prevent Spear Phishing Attacks?

There is no solution that will have you 100% covered, but consider this from the aforementioned Verizon 2014 Data Breach Investigations Report:

"Over the years we've done this research, users have discovered more breaches than any other internal process or technology. It's not all about prevention; arm them with the knowledge and skills they need to recognize and report potential incidents quickly."

You could run simulated phishing attacks against your users, so they gain realistic exposure and learn to recognize and avoid spear phishing emails.

The question is: Are they effective?