Spear phishing has gained wide acceptance across the security industry as the majority source of cyber-attacks. How do adversaries develop spear phishing emails? Attackers target specific organizations that offer information of strategic or economic value. Once a target organization has been identified, attackers will use social media and publicly available information to research employees of that organization to target with a spear phishing email.
Spear phishing typically targets lower and mid-level employees -- like Troy in the infograhic we developed at PhishMe, a security awareness training company -- instead of high-level executives or IT operators. The massive amount of information available on social networks gives attackers plenty of fodder to craft highly personalized emails, as is illustrated in Troy's story.
Spear phishing campaigns like this one can be used to execute drive-by attacks with a malicious link, drop malware on to the network with an email attachment, or gather login credentials through old-fashioned social engineering. Attackers can exploit zero-day vulnerabilities to bypass anti-virus measures and drop malware on to the target network, but they may also avoid malware altogether.
These emails will attempt to exploit emotions (such as greed, fear, or curiosity), spoof reputable organizations (like a recipient's bank), or reference current events to appeal to recipients. The sheer volume of emails being sent every day often allows spear phishing emails to slip past spam filters and into employee inboxes.
Like Troy, most recipients will open and read a spear phishing email within hours -- if not minutes -- of receiving it, allowing attackers to gain a foothold quickly in the target network and begin their operations. With cybercrime costing organizations an average increasing from $8.9 million to $11.6 million from 2012 to 2013, organizations can expect adversaries to continue carrying out cyber-attacks by targeting users through spear phishing.
How are you educating users about the dangers of spear phishing. Let's chat about it on the comments.