The Rise of Spearphishing

16 Dec
Google Data Center. Photo: Google/Connie Zhou

Google, the Pentagon, the White House, RSA, HBGary Federal, the New York Times.

That’s a list of organizations you’d expect to have top-notch IT security, right?

Perhaps they do. But malicious hackers have infiltrated all of these high-profile entities. Some breaches were perpetrated by organized, state-sponsored threat actors, such as China’s APT1 – a cyber espionage unit responsible for stealing hundreds of terabytes of data from numerous US organizations. Other breaches, like that of HBGary Federal, were conducted by the loose, decentralized hacker collective called Anonymous.

So, what common link exists between a government-sponsored cyber warfare unit and a scattered, international group of hacktivists? The answer is their preferred method of attack.

Enter: spearphishing.

Spearphishing is a subset of phishing. Phishing is by no means a new tactic. First seen back in the mid-90s, phishing involves fraudulently portraying oneself as a trusted entity and communicating directly with a victim to obtain sensitive information. For example, an attacker may craft an email that appears to be from PayPal and send it to thousands of intended victims, requesting that they click a link in order to log in and reset their password. The link directs the victim to a PayPal lookalike site, where their password is recorded when they attempt to log in.

Spearphishing takes a more refined approach. In this scenario, the attacker has a particular victim in mind. The attacker may research this victim extensively, learning as much as possible about the victim’s personal life. Leveraging this information, the attacker performs a phish as described above, but personalizes the attack to enhance credibility and authenticity.

91% of targeted attacks begin with spearphishing, according to Trend Micro.

Despite this, we speculate that the majority of individuals in the United States haven’t even heard of spearphishing, much less learned how to defend themselves against it. Given the prevalence of this attack method, we can no longer afford to remain ignorant.

Part two of this segment will outline ways to minimize risk – stay tuned!


Jeff Serini

Jeffery Serini, IT Security Consultant at OST

Jeffery Serini’s IT security obsession dates back to his teenage years, when he began pen-testing on his home computer. Serini is presently an IT Security Consultant at OST. Since joining the Security Team in 2011 under W. Scott Montgomery, he has performed over 250 Security Assessments and consulted with a wide variety of clients, including those in the financial, manufacturing, healthcare and gaming sectors, among others. Leveraging a unique approach, the OST Security Team is capable of providing a practical and relevant assessment designed to help administrators and executives alike understand their InfoSec posture.
