According to a survey conducted by Wombat Security, 76% of companies experienced phishing attacks in 2017. Not only that, but social engineering is the most prevalent way an organization gets breached. Think about it: you probably spend a lot of time and money shoring up your perimeter security posture. You are diligent about ensuring systems are patched and up to date, you are reviewing your firewall rules, and hopefully you are having regular tests and scans performed to make sure there are no weak spots on your perimeter. Even with all of that in place, all it takes is Charlie (sorry, Charlie) from accounting to click on that link for a free vacation, and (boom!) the attacker is inside your network and has just bypassed every one of those controls. It goes without saying that you should spend some time getting familiar with the types of attacks you are going to face and make sure you have a plan in place to mitigate them. So for this blog, we are going to focus on the difference between phishing and spear phishing and what makes each dangerous.
In its most basic form, a phishing attack is an email that tries to trick the recipient into giving up sensitive information or performing an action they otherwise would not. The most obvious case is the famous Nigerian prince who has inherited $3,000,000 and needs your help transferring it. That one is well known at this point, and most people will not fall for it anymore. Nowadays these attacks can be much more sophisticated. Take, for example, the picture on the left. The email appears to come from Amazon and looks pretty legitimate. It tells you there is a problem with your account, and if you are not careful you are likely to click the link. The link takes you to a login page that looks an awful lot like Amazon's (but really isn't), and you log in. Behind the scenes, the attacker records your password as you enter it and then redirects you to the real Amazon, so you are none the wiser. Everything you see, the link text and the look of the page, is under the attacker's control; what they cannot fake is the actual domain the link points to, which is why the destination of a link, not its displayed text, is the thing to check.
Phishing attacks, in general, are meant for a wide audience. The attacker probably sent this exact email to hundreds or even thousands of addresses and is hoping that someone falls for it. Statistically, a well-crafted phishing attack is going to get about 12% of recipients to fall for it, and an attacker will take those odds to the bank. After all, it only takes one person to get the attacker past your firewall and onto your network. Maybe your organization uses Microsoft Office 365. Then, instead of pretending to be Amazon, I can pretend to be Microsoft, steal corporate credentials, and use them to log in to the VPN. Or maybe I say an invoice is attached and payment is due Friday, but instead attach a malicious PDF that gives me a backdoor into the recipient's machine.
In summary, phishing attacks are not specific to an individual and are usually sent to a large group of people in the hope that a few will fall for it. Generally, a success rate of 10% to 12% is associated with this type of attack.
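The Amazon notice described above works because the text the victim reads and the site the link actually points to are two different things. The Python below is an added example, not part of the original post or of Triaxiom's tooling: it pulls every link out of a constructed sample email body and flags anchors whose visible text or hostname names a brand while the link's registrable domain belongs to someone else. The sample HTML, the lookalike domain account-verify.example, the documentation-range IP address and the BRAND_DOMAINS table are all made up for illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body of an "account problem" notice like the one described above.
# The hostnames are made up; 198.51.100.7 is a documentation-only address.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>We detected a problem with your Amazon account.</p>
<p>Please <a href="http://amazon.com.account-verify.example/login">sign in to amazon.com</a>
within 24 hours to restore access, or visit <a href="http://198.51.100.7/amzn">amazon.com</a>.</p>
<p>Need help? <a href="https://www.amazon.com/gp/help">Contact us</a>.</p>
</body></html>
"""

# Brand keyword -> registrable domains it legitimately uses. Assumed table for
# illustration; in practice this is populated per environment.
BRAND_DOMAINS = {"amazon": {"amazon.com"}}


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Normalise whitespace in the visible text.
            self.links.append((self._href, " ".join(" ".join(self._text).split())))
            self._href = None


def registrable_domain(host: str) -> str:
    """Registrable domain of a hostname: the last two labels. Adequate for .com,
    wrong for ccTLD second-level domains (e.g. .co.uk), where a public suffix
    list is required. Bare IP addresses are returned unchanged."""
    host = host.lower().rstrip(".")
    try:
        ipaddress.ip_address(host)
        return host
    except ValueError:
        pass
    return ".".join(host.split(".")[-2:])


def find_suspicious_links(html: str):
    """Return (href, text, reason) for anchors that name a brand, in the link text
    or in the hostname, while actually pointing at a domain the brand does not own."""
    parser = _LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        owner = registrable_domain(host)
        for brand, legit in BRAND_DOMAINS.items():
            if owner in legit:
                continue  # the link really does go to the brand
            if brand in text.lower() or brand in host:
                findings.append((href, text, f"claims {brand}, points at {owner}"))
    return findings


if __name__ == "__main__":
    for href, text, reason in find_suspicious_links(SAMPLE_EMAIL_HTML):
        print(f"{reason}: '{text}' -> {href}")
```

Run against the sample, the two lookalike links are flagged and the genuine help link is not. The last-two-labels shortcut in registrable_domain is fine for .com but misclassifies ccTLD second-level domains such as .co.uk, so a production check should consult a public suffix list. The check also says nothing about links whose text is innocuous ("click here"), which is why it is a triage aid and not a verdict.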
Now that you have a basic understanding of phishing, we can talk about spear phishing and how the two differ. Spear phishing, unlike regular phishing, is aimed at a specific individual. It is still an email intended to trick a user into divulging information or performing an action they otherwise wouldn't, but in this case the content is tailored to that one person.
So an attacker will spend some time researching the victim. It is really easy to get information about someone in today's world of social media. Let's go through a spear phishing example we use at Triaxiom to get a better idea. Say Acme Company hired us to assess its exposure to social engineering. Once the test begins, we go to LinkedIn and look up Acme. We get a better understanding of what the company does, and more importantly we view the profiles of its employees and pick out a few. An employee's page tells us what skills they have, where they went to college, and what kind of job they might be interested in. Great! What can we do with this information?
Let's pretend to be a corporate recruiter, since most people already get several of those emails a week. We will send the employee an email posing as a recruiter who needs to fill a position, with the job description attached as a Word document. To increase the chances that the employee opens the attachment, we add some personalized touches to make it look like we are genuinely interested. These will be things like:
- Mentioning the target's current company – “Even if you are perfectly happy at Acme, ...”
- Placing the job where the target lives or wants to live – “I have a position in Denver, CO.”
- Implying we know their friends or coworkers – “I have been given your name by multiple people and I think you would be perfect.”
- And my favorite, the hook – “At least look at the salary I am prepared to offer you.”
All of those personal touches are there to increase the likelihood of the victim opening the document and, since Office will not run a macro from an emailed document until the user clicks “Enable Content”, following the document's own prompt to do so. Once the macro runs, it gives us remote access to their computer. From there, we can take pictures with their webcam, screenshot their desktop, steal files, and most importantly, pivot to the internal network. The victim, however, will have no idea any of this is happening. They will see a job description that we lifted from an online posting in their career field, and in some cases they will even reply saying they are interested in an interview!
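Because the recruiter lure hinges on the victim opening a macro-enabled document, a mail gateway or an incident responder wants to know what an attachment actually contains, regardless of what it is named. The Python below is an added example, not code from the original post: it builds two constructed Office Open XML packages in memory, one with and one without a word/vbaProject.bin part (the part a real .docm stores its VBA project in), and classifies attachments by content. An OOXML package containing a vbaProject.bin part carries VBA; a file starting with the OLE2 magic is a legacy binary .doc/.xls that needs stream-level inspection (for instance with oletools) before its macro status is known; anything else is not an Office document. The sample file names and the hold policy are assumptions for illustration.

```python
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary .doc/.xls/.ppt container
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docx/.docm/.xlsm ...) is a zip


def build_sample_package(with_macro: bool) -> bytes:
    """Constructed test input: a minimal OOXML-shaped zip, not a real Word file.
    Real .docm files store the VBA project in the part word/vbaProject.bin."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00" * 64)
    return buf.getvalue()


def classify_attachment(data: bytes) -> str:
    """Classify by content, never by file name or extension."""
    if data.startswith(OLE2_MAGIC):
        # Macros in the legacy format live inside OLE streams; a zip walk
        # cannot see them, so hand these to an OLE-aware tool.
        return "ole2-legacy"
    if not data.startswith(ZIP_MAGIC):
        return "not-office"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
    except zipfile.BadZipFile:
        return "not-office"
    if any(n.lower().endswith("vbaproject.bin") for n in names):
        return "ooxml-macro"
    return "ooxml-clean"


# Policy choice for illustration: hold anything with VBA in it, and hold legacy
# OLE2 files because their macro status is unknown until an OLE-aware scan runs.
HOLD_FOR_REVIEW = {"ooxml-macro", "ole2-legacy"}


def should_hold(data: bytes) -> bool:
    """True when the attachment should be quarantined rather than delivered."""
    return classify_attachment(data) in HOLD_FOR_REVIEW


if __name__ == "__main__":
    # Constructed samples named after the recruiter pretext above.
    samples = {
        "Job_Description.docm": build_sample_package(with_macro=True),
        "Job_Description.docx": build_sample_package(with_macro=False),
        "Old_Resume.doc": OLE2_MAGIC + b"\x00" * 504,
        "Invoice.pdf": b"%PDF-1.4\n",
    }
    for name, blob in samples.items():
        print(f"{name:22} {classify_attachment(blob):12} hold={should_hold(blob)}")
```

The point of classifying by content is that a macro-enabled document renamed to .docx, or a .doc that was never a Word file at all, is caught by what it contains rather than what the sender called it. The zip walk is deliberately narrow: it answers only "is there a VBA project in this package", and leaves what the macro does to a sandbox or to static analysis of the extracted project.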
As you can likely ascertain from the above example, spear phishing takes a lot more time and effort. It is personalized for each victim, which means researching and rebuilding the campaign for every target. Because of that, an attacker is likely to use this type of attack against fewer victims. On the flip side, it is much more successful: while phishing attacks are around 12% effective, a spear phish succeeds approximately 40% of the time.
The difference between phishing and spear phishing comes down to how victims are targeted. In a spear phishing attack, the attacker targets an individual victim. While this approach takes the attacker longer, it is much more likely to succeed. Hopefully that clarifies the difference between phishing and spear phishing.