Phishing and Spear Phishing

Alessandro Mirani

If you have had an email account for some time, phishing is one of the social engineering strategies you have surely already been exposed to. Phishing is the technique of constructing emails that carry malicious links and/or attachments under a legitimate guise, i.e., using images, references, fonts and text that lead the recipient to believe the message is genuine.

It is a widely used technique that demands constant updating of defense mechanisms, despite being one of the best known and oldest attack strategies.

From phishing to spear phishing, a brief history of a phenomenon

There is no precise coinage date for the term, but we can say with certainty that by 1995 it was already a documented phenomenon. If that does not seem long ago, consider that in the same year NSFNET (the backbone that had replaced ARPANET) was being decommissioned, making way for what would later become the modern private ISP networks. It would therefore be ironic as well as accurate to call phishing an evil as old as the Internet, one which has undergone various evolutions over the years, including spear phishing.

A hallmark of phishing has long been its large-scale component. The term itself, reminiscent of fishing, intuitively suggests the underlying logic: lure one victim among many by using a bait that is palatable to all of them. Spear phishing works on the opposite logic: employ a more sophisticated bait that applies to fewer people but increases the likelihood of hooking a specific individual.

Instead of focusing on the probability that, of the many, someone will fall for the trap, the focus is on the sophistication of the attack.

This mutation, so to speak, of phishing does not merely come later in the history of cybercrime by chance. The literacy of the average Internet user has increased; many more people today are educated to tell a phony email from an authentic one. On the other hand, malicious actors have also become more educated. The means available to create phishing emails from scratch have multiplied (some are even available online for free), and the resources used to create emails that are credible both graphically and in content have become cheaper or entirely free.

Replicating or modifying an image to embellish an email in the 1990s required a professional computer; today it can be done from any smartphone. Today we have online translators, email templates, temporary link generators, forums, and many other sources of information and tools useful for recreating a fake email.

Thus, the means available for spear phishing are innumerable, but how are they employed? The next section describes the components of a spear phishing attack.

How spear phishing is performed

Spear phishing employs simple methods that anyone can replicate. Specifically, three elements are needed to prepare a spear phishing email:

Accounts and credible emails: it goes without saying that without an account it is not possible to send an email. However, just any account is not enough. The account name and associated domain must have the qualities of verisimilitude mentioned above and must lead the victim to believe that the communication received is trustworthy. Not only the address from which the communication is sent, but also the font, the images, and the presentation of the content are elements that require little effort today yet greatly affect the effectiveness of a spear phishing email.

A pretext: this is the central crux of spear phishing. Finding a pretext that convinces the victim of the propagated narrative is the most challenging but also the most significant element. If, for example, the attacker notices through social media that someone is attending an event, a good pretext would be a notification of a change in start time. Information about activities at work and in your personal life is particularly useful in constructing a credible scenario that requires you to read an urgent communication.

Exploit tools: a convincing email with a solid pretext is useless without the exploit, i.e., the technical means employed to exfiltrate information or damage the victim's infrastructure. It often consists of a link that redirects to a page where credentials are requested (and recorded for later use), a file containing malware that activates once the downloaded content is opened, or a combination of the two.

Note that the strategies in the third element use technical means to harm the victim. However, if the attacker's goal is simply to obtain confidential information, a reply on your part to the email already constitutes a security breach. It is therefore essential that you recognize a phishing email as soon as it arrives. The next section gives some tips on how to do this.

How to defend against spear phishing

Here is an example of a spear phishing email I received a few weeks after making an online purchase.

In addition to this image, the email contained a few lines about my order that were plausible (I suspect that a little-known site I used to buy a gift leaked my email address). The sender and subject of the email were as follows:

Here are the alarm bells that should go off following such an email:

  1. The parcel had already been delivered. This is a trivial point, but it always takes a second of hesitation and calm to notice. The package I had ordered was not pending, so regardless of the sender's good faith this email was not expected; when I receive an email that I do not expect, whatever its content, I reread it at least three times, because the probability that it is phishing is very high.
  2. Sender and subject: the sender has a domain name that, as legitimate as it may look (the username [email protected] does not bode well), matches neither the displayed name (Pickup Service) nor the subject of the email. Such an email would not be sent from the account that handles promotions in the same company. In addition, "Fwd:", i.e., forward, appears in the subject line. A delivery hold notification should be direct (especially since this email purports to be automatically generated) and therefore should not result from a forward. Perhaps it was put there to suggest that the email had passed through other hands before reaching me (and thus a legitimate context), or perhaps it was left in the subject line by mistake; either way it is a suspect element.
  3. Link: hovering the mouse over the link (without clicking) brings up a small window showing exactly where the link leads. This link points to a page that I am not familiar with and that looks decidedly suspicious.
  4. General appearance: there is no logical connection between the information in the image and the text (the tracking numbers differ), nor between the shipper name in the image and the email account.

This email is, in essence, clearly fake.

Below are some tips that summarize the logical processes and best practices to avoid falling victim to a spear phishing email:

  • Limit the amount of personal information shared on social media and other websites that remains exposed to search engines and outside visitors.
  • Read carefully any email you did not expect to receive, and if you suspect the email reached you by mistake, apply maximum skepticism to its content even if you believe it to be bona fide.
  • Do not click on links in emails. Always hover the cursor over the link first to check that the URL leads to a legitimate page.
  • Haste, urgency and fear are the emotions exploited by simple pretexts: mistakes on deliveries, overdue payments, compromising videos of which you are the protagonist. If you receive such communications, check the trustworthiness of the sender before even verifying their content.

The easiest and most effective way to handle a spear phishing email is to mark it as phishing or spam, using the button that every email client now offers, and move it to the trash. Do not waste time reading the content and do not risk replying or clicking on anything.

Spear Phishing beyond email

As mentioned earlier, phishing and spear phishing are evolving techniques. After all, the history of scams did not begin in the 1980s and will not stop in the next half century. The techniques and defenses shown in this article can be applied to other media as well: anything that includes a communication service, whether a social network, an app or a chat between video gamers, is a viable channel that malicious actors can exploit. If you were approached on the street by a stranger, you would have no doubt that you should be wary. Apply the same logic to whatever platform you use and you will notice that simple skepticism is a defense you learned years ago; you just need to train that muscle a bit.
