WHITE PAPER

A Guide to Spear Phishing


Techniques and tactics used by cybercriminals to reel in the big corporate phish

Phishing remains a tried-and-true attack vector for threat actors and a dangerous and insidious threat to businesses. According to the 2021 Verizon Data Breach Report, phishing rates are on the rise, “being present in 36% of breaches, up from 25% last year.” In particular, spear phishing continues to be a challenge for organizations, as threat actors increasingly target specific enterprises and the people that work for them.

While there are many themes and deceptions used in spear phishing attacks, this paper will explore the primary types of attacks used by threat actors to achieve criminal goals. Understanding how these spear phishing attacks work, what the attack process and execution phase look like, and finally, defining the vulnerabilities and mitigations of each stage are essential to defending any targeted enterprise.

This whitepaper is intended as an educational tool to support an understanding of what spear phishing is in today’s world.

According to the FBI, phishing continues to be the most common type of cybercrime. Recent research by cybersecurity professionals suggests that 75% of all organizations globally experience some type of phishing attack, with 65% experiencing business email compromise (BEC) attacks and 35% experiencing spear phishing.

Spear Phishing Attack Types

Primary spear phishing attack types:

• Credential harvesting

• Malicious link compromise

• Malicious attachment compromise

• Business email compromise

Attack Type One: Credential Harvesting

Credential harvesting begins with convincing emails that social engineer users into believing they need to click on a link and log in to a known entity with their enterprise credentials.

Credential harvesting efforts often involve emails pretending to be from a legitimate system such as Exchange, an HR system, or even an Active Directory core credential authenticator.

Once users click on what they think is a link to a legitimate site, they are taken to a cloned website owned by the attacker, with a page that requires them to enter their credentials. Once the user has entered their credentials, the attacker is in possession of the user’s name and password. Typically, the cloned site will return an error to the user and close, or display a message that indicates the site has crashed. In the most sophisticated attacks, the site will log the user into the genuine system to make the attack look legitimate.

With credentials in hand, the attacker can now use them to exfiltrate data, collect more information for further compromise, send messages to social engineer another user, and engage in countless other malicious activities.

Attack Type Two: Malicious Link Compromise

Threat actors create malicious URLs with the purpose of persuading the intended victim to provide credential information. Malicious URLs are also used in phishing and spear phishing attacks to promote scams or deliver malware.

Most standard network and email security tools will catch large phishing campaigns using malicious links by flagging the sheer volume of blast emails coming from the criminal; however, smaller targeted attacks sometimes slip through undetected.

In a spear phishing attack involving malicious link compromise, the threat actor sends an email to the user from a legitimate-looking email address. The email contains content that gives the user an appropriate or genuine reason to click an attached link.

When clicked, the nefarious link sends the user to an unsafe site that installs malicious code without requiring user interaction. Alternatively, the initial link is safe, but the destination website contains code to redirect the user to the actual intended website, which contains the malicious payload. The payload could be a variety of malware types, such as adware, ransomware, trojans, or malware that enables system compromise and lateral movement between the victim’s business networks.

Attack Type Three: Malicious Attachment Compromise

The malicious attachment compromise technique involves sending the intended victim an email containing an attachment with malicious code embedded in it. When the victim opens the attachment, the code executes and delivers the dangerous payload. As with malicious links, most network and email security tools will prevent phishing attacks involving malicious attachments. However, with spear phishing attacks, threat actors are often intent upon reaching their target, so they will create unique files tailored to the victim and undetectable by many security systems.

For example, the attached file’s MD5 hash may have been altered and will not be part of a threat intelligence update. If the attackers are highly sophisticated (e.g., nation-state threat actors), the malicious file may also contain code to avoid sandbox testing and other legacy email security tools.

This type of spear phishing method often also utilizes files that require user-specific action to decrypt them, thereby avoiding detection by most network security technologies. For example, if the file contains embedded macros, the user may see a pop-up window requesting that the user allow macros. Like malicious links, the payload could be a variety of malware types, or it could enable system compromise and lateral movement between the victim’s business networks.

Attack Type Four: Business Email Compromise (BEC)

Business email compromise involves spoofing the email address of a high-profile person (usually an executive) and then using the spoofed email address to send a fake email to someone else in the company.

BEC most often involves an email requesting payment on a fake invoice or a large sum of money in a wire transfer, or it may ask the recipient to share sensitive employee information, such as W2 forms, social security numbers, and birth dates.

According to the FBI, BEC scams cost victims $26 billion during the three-year period between 2016 and 2019. In the 2020 Internet Crime Report, the FBI notes that BEC continues to be the most costly crime affecting businesses, with losses estimated at $1.8 billion.

In the government, attackers can use the same type of scam to steal from agencies and possibly divert funds from legitimate contractors to threat actors. They can also use it to obtain sensitive information about contracts and agency policies and procedures, or they may use BEC further down a kill chain during an APT attack.

A government scenario might involve a nation-state actor who researches information on contracts newly awarded by an agency. The threat actor identifies the Contracting Officer (CO) and the name of the company awarded the contract. The attacker then crafts a well-designed email with a convincing pretext to either divert the project’s payment or gather further information about the project from the agency employee. If the agency transfers funds, the attacker will quickly pull the money out of the account created solely for this purpose. If acquiring information is the attacker’s goal, the attacker typically would use the information to further a longer-term Advanced Persistent Threat (APT) against the agency. The CO may not know for some time that the agency has been defrauded of funds or faces a significant longer-term security risk.

BEC Attack Costs Car Parts Supplier $37 Million

In 2019, the Toyota Boshoku Corporation (a supplier of auto parts) suffered a $37 million BEC attack. In this instance, cybercriminals used BEC to convince an executive in the financial department to make a wire transfer.

Spear Phishing Attack Workflow and Vulnerabilities

To illustrate a spear phishing attacker’s workflow, we have broken the workflow into four phases. Each phase has specific vulnerabilities that enable the malicious actor to achieve the attacker’s objectives.

These four phases are:

1. Pre-Attack Phase

• Malicious actor decides to target agency.

• Threat actor engages in information gathering and sharing using open-source information and other resources.

2. Initial Attack Phase

• Threat actor creates imposter email, either by spoofing a sender domain that lacks an enforced Domain-based Message Authentication, Reporting and Conformance (DMARC) policy or by using a look-alike domain.

• Email spoof appears to be from legitimate source to convince victim.

• Email may contain malicious link or attachment.

• Email link/attachment security inspection failure occurs.

3. User Action Phase

• User awareness failure occurs when user assumes fake/spoofed email is legitimate and responds by taking action, such as clicking on malicious links or attachments, initiating a wire transfer, or providing information requested by the threat actor.

4. Post-Attack Phase

• Endpoint protection (EPP) fails to protect business systems and networks by not stopping installation of malicious code and by not detecting the compromise.

• User credential/system abuse time-to-discovery failure occurs as employee credentials are used to move around the enterprise.

Phase One: Pre-Attack Phase

First, a threat actor must identify an organization to target. That decision may be influenced by a nation-state goal, news that brings attention to an organization, the industry the organization operates in (e.g., financial sector), or an action that an organization takes that offers value to the attacker. In most cases, the organization cannot predict an attacker’s intentions or avoid any actions that draw the attacker’s attention.

Once an organization has become a target, the attacker performs open-source intelligence (OSINT) gathering to prepare for an attack. This OSINT information can include identifying the types of software, hardware, or networking technology used; names and identities of important people inside an organization; and specific policies and procedures that the attacker needs to design a pretext in a spear phishing email.

Phase Two: Initial Attack Phase

With OSINT completed, the attacker then crafts a pretext and an imposter persona to send the spear phishing email. The attacker might utilize email spoofing, which involves using an email address that appears authentic to the recipient, or “look-alike” domains, which typically involve URL hijacking (also sometimes called typosquatting).

With an imposter persona, a pretext, and a fraudulent email, the attacker’s next step is to create a unique and targeted malicious link or attachment. If the attack is a BEC, the attacker establishes a method of obtaining information or money. In general, links are easier to social engineer; therefore, advanced threat actors (nation-states) often use them. By either compromising a legitimate website that is vulnerable or creating a new link with malicious content, the attacker typically will compromise the user’s device.

While several sites will help users build links (known as ‘Link Generators’ or ‘Link Builders’), the best-crafted malicious emails contain short links, such as goo.gl, bitly, or TinyURL. These links obfuscate the full hyperlink and lead the target to a malicious site. Attackers also will often register a temporary site with an Internet Assigned Numbers Authority (IANA) to create a valid domain with malware listed within the site. This type of attack is challenging to detect because the name is valid and rarely contained within a threat database. The only way to identify these domains is through advanced malware and sandboxing tools.

Since an encrypted document within an email is almost impossible to decrypt at the mail gateway, most organizations rely on endpoint protection to identify the threat, which, unfortunately, places the threat inside the enterprise before it is inspected.

Because of the encryption method, attackers often will send one message with the encrypted content and nested malware, and then a follow-up email with the password to access the file.
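The attachment tactics described in the Malicious Attachment Compromise section and in the phase-two discussion above (macro-enabled documents that prompt the user to enable macros, and encrypted archives whose password arrives in a follow-up email) can still be triaged at the gateway before the file reaches an endpoint: the archive's entry names and "encrypted" flag sit in the central directory and stay readable without the password, and an Office file that carries macros contains a `vbaProject.bin` part. The following Python script is an added example written for this page, not the paper's or the vendor's own code; the message, attachments and file contents are constructed placeholders (no real malware), and the extension list is an assumption.

```python
import io
import os
import zipfile
from email import message_from_bytes
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Assumed extension list: Office formats that can carry VBA macros and so
# raise the "enable macros" prompt the paper describes.
MACRO_ENABLED = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls container
ZIP_MAGIC = b"PK\x03\x04"                           # .zip and OOXML (.docx/.xlsm)


def make_zip(entries):
    """Build an in-memory zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def mark_encrypted(zip_bytes):
    """Set bit 0 ("encrypted") of the general-purpose flags in the local file
    header (offset 6) and central directory entry (offset 8) of a one-entry
    archive. Constructed stand-in: zipfile cannot write encrypted archives."""
    data = bytearray(zip_bytes)
    data[6] |= 0x01
    cd = data.find(b"PK\x01\x02")
    data[cd + 8] |= 0x01
    return bytes(data)


def build_sample_message():
    """Constructed message with three placeholder attachments: a
    password-protected zip holding a .docm, a macro-enabled workbook, and a
    file named .pdf whose bytes are actually an OLE2 container."""
    msg = MIMEMultipart()
    msg["From"] = "vendor@example.net"
    msg["To"] = "employee@example.com"
    msg["Subject"] = "Updated contract documents"
    msg.attach(MIMEText("Password is in my next email.", "plain"))
    samples = {
        "contracts.zip": mark_encrypted(make_zip({"contract.docm": b"placeholder"})),
        "quote.xlsm": make_zip({"[Content_Types].xml": b"<Types/>",
                                "xl/vbaProject.bin": b"placeholder"}),
        "invoice.pdf": OLE2_MAGIC + b"\x00" * 16,
    }
    for name, data in samples.items():
        part = MIMEApplication(data, "octet-stream")
        part.add_header("Content-Disposition", "attachment", filename=name)
        msg.attach(part)
    return msg.as_bytes()


def triage_attachments(raw_bytes):
    """Return {filename: [flags]} for every attachment in a raw RFC 822 message."""
    msg = message_from_bytes(raw_bytes)
    report = {}
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        ext = os.path.splitext(name)[1].lower()
        flags = []
        if ext in MACRO_ENABLED:
            flags.append("macro_enabled_extension")
        if ext == ".pdf" and not data.startswith(b"%PDF"):
            flags.append("content_does_not_match_extension")
        if data.startswith(OLE2_MAGIC):
            flags.append("ole2_container")
        if data.startswith(ZIP_MAGIC):
            # Entry names and flags live in the central directory, which stays
            # readable even when the entry data is password protected.
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for info in zf.infolist():
                        if info.flag_bits & 0x01:
                            flags.append("encrypted_archive_entry")
                        if os.path.splitext(info.filename)[1].lower() in MACRO_ENABLED:
                            flags.append("macro_enabled_inside_archive:" + info.filename)
                        if info.filename.lower().endswith("vbaproject.bin"):
                            flags.append("vba_project_inside_archive")
            except zipfile.BadZipFile:
                flags.append("unreadable_zip")
        report[name] = flags
    return report


if __name__ == "__main__":
    for filename, flags in triage_attachments(build_sample_message()).items():
        print(filename, "->", ", ".join(flags) or "no findings")
```

The point of the `.pdf` case is that extension-based rules alone are easy to sidestep; checking the first bytes against the claimed type costs nothing at the gateway. A password-protected archive whose listing shows a macro-enabled document is exactly the two-message pattern the paper describes and can be quarantined for analyst review rather than handed to endpoint protection.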

How to Identify an Email Spoof and Fraudulent Domains

Valuable information regarding the legitimacy of an email can often be determined simply by viewing the email’s header (the real sending address will appear when using the click-and-hover method). More advanced users may also use IP routing and next-hop information to identify the threat chain and trace it back; however, this information is visible only if the user knows how to access it. Additional relevant information on the threat can be ascertained by correlating the sending domain to the valid registrar of the IP. Since this type of correlation between IP, registrar, and threat matrix requires integrations with other platforms, tools are available to review this information both on the local host machine and at the enterprise level. Security professionals, including those working at the FBI, recommend this type of evaluation in BEC best practices for identifying fraudulent or spoofed domains.
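As an added example (not code from the paper), the following Python script automates the header checks this sidebar describes and the link check from Phase Two for a single message: it compares the From domain with the Return-Path and Reply-To domains, looks for a DMARC failure in the Authentication-Results header, flags look-alike (typosquatted) domains by edit distance against an assumed list of trusted domains, and applies the click-and-hover test to HTML links, flagging the short-link services the paper names and links whose visible text points somewhere other than their href. The sample message, addresses, domains and IP are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real capture). The From header claims
# example.com, but the envelope sender and Reply-To use a look-alike domain
# with a digit "1" in place of the letter "l", and the only link shows a
# trustworthy URL as its text while its href is a shortened URL.
SAMPLE_MESSAGE = """\
Return-Path: <billing@examp1e.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com; dmarc=fail header.from=example.com
Received: from mail.examp1e.com (mail.examp1e.com [203.0.113.10]) by mx.example.com
From: "Finance Team" <billing@example.com>
Reply-To: billing@examp1e.com
To: employee@example.com
Subject: Invoice approval required
Content-Type: text/html

<html><body>
<p>Please review the invoice at
<a href="https://bit.ly/3xyzabc">https://portal.example.com/invoice/1234</a></p>
</body></html>
"""

TRUSTED_DOMAINS = {"example.com"}                      # assumption: our own domains
URL_SHORTENERS = {"bit.ly", "goo.gl", "tinyurl.com"}   # the services the paper names


def domain_of(header_value):
    """Domain part of an address header such as From, Reply-To or Return-Path."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike (typosquatted) domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, trusted=TRUSTED_DOMAINS, max_edits=2):
    """True for an untrusted domain within a couple of edits of a trusted one."""
    return domain not in trusted and any(edit_distance(domain, t) <= max_edits for t in trusted)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs, i.e. what hovering would reveal."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze_message(raw):
    """Return a list of (finding, detail) tuples for a raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []
    from_domain = domain_of(msg["From"])
    for header in ("Return-Path", "Reply-To"):
        d = domain_of(msg[header])
        if d and d != from_domain:
            findings.append((header.lower().replace("-", "_") + "_mismatch", f"{d} != {from_domain}"))
        if d and is_lookalike(d) and ("lookalike_domain", d) not in findings:
            findings.append(("lookalike_domain", d))
    auth = msg.get("Authentication-Results", "")
    if re.search(r"\bdmarc=fail\b", auth):
        findings.append(("dmarc_fail", auth.strip()))
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        host = (urlparse(href).hostname or "").lower()
        if host in URL_SHORTENERS:
            findings.append(("url_shortener", href))
        shown = (urlparse(text).hostname or "").lower() if "://" in text else ""
        if shown and shown != host:
            findings.append(("link_text_mismatch", f"shows {shown}, goes to {host}"))
    return findings


if __name__ == "__main__":
    for code, detail in analyze_message(SAMPLE_MESSAGE):
        print(f"{code}: {detail}")
```

None of these findings alone proves a spoof (mailing-list relays legitimately change Return-Path, and marketing mail uses shorteners), which is why the script returns every finding rather than a verdict: a Reply-To on a look-alike domain plus a DMARC failure plus a disguised link is the combination an analyst escalates.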

Phase Three: User Action Phase

At this point in the attack, the security technologies have failed to detect a spoofed email address or typo-squatted address or have been unable to block a link or file. The user has received the spear phishing email with the payload intact. If the user never takes any action or flags the email as suspicious, the attack will stop there. However, spear phishing attacks remain highly successful. A well-funded APT spear phishing attack will be researched, crafted, and executed flawlessly, making it very difficult for the user to detect a problem.

In an ideal environment, users will be able to identify threats sent to them and report the attempts to a security operations center for further evaluation. In this ideal environment, users will also be required to participate in advanced phishing training and compliance education to assist them in identifying threats. Unfortunately, the reality is that users are fallible. Threat actors will target the weakest point of penetration, and occasionally, a threat will pass through.

Once the user responds to the malicious spear phishing email, the attack chain moves forward through credential harvesting, link-based compromise, malicious file compromise, or the release of information or funds via social engineering.

Phase Four: Post-Attack Phase

If all defenses have failed, the bad actor will have established a persistent presence either on an endpoint or with a compromised credential. The next steps include lateral movement, command and control, and additional malicious action to achieve the attacker’s goals. These steps require the adversary to be able to move freely on the initial endpoint or use the initial credential to find the system that allows the threat actor to advance the attack. Ultimately, the threat actor’s end goal could be to undermine a mission through false information, destroy information or networks, or exfiltrate and ransom data (often the most common goal).

Lateral movement consists of an adversary moving to other connected business networks and systems and using credentials and systems to achieve greater access, called elevating privileges.

A highly advanced adversary can do this without raising too many red flags on an endpoint or the network and often will be skilled at deleting logs and trails along the way.

In some cases, a nation-state adversary will reside in a network and on systems for months or years before any alarms are raised. Persistence on an endpoint across reboots and multiple systems is standard, as is an undetected compromise of sensitive credentials.

When those alarms do go off, in many cases the adversary has already achieved its main goals and has taken additional chances to infiltrate for further purposes, such as exfiltration of large amounts of data or destruction of mission-critical systems and data.
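The time-to-discovery failure in the Post-Attack Phase (a stolen credential used to move around the enterprise) leaves a trace in authentication logs even when the adversary cleans up on the endpoint: one credential succeeding against many distinct hosts inside a short window is a fan-out pattern a legitimate user rarely produces. The following Python detection is an added example, not from the paper; the log format, host names, users, timestamps and thresholds are constructed assumptions, and the logic would be tuned per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real system). "alice"
# and "carol" behave normally; "bob"'s credential is used from one
# workstation to reach six different servers within about two minutes.
SAMPLE_LOG = """\
2024-03-01T09:00:12Z auth ok user=alice src=10.0.1.15 dst=fileserver01
2024-03-01T09:41:03Z auth ok user=alice src=10.0.1.15 dst=mail01
2024-03-01T13:02:44Z auth ok user=bob src=10.0.2.40 dst=fileserver01
2024-03-01T13:02:51Z auth ok user=bob src=10.0.2.40 dst=db01
2024-03-01T13:03:05Z auth fail user=bob src=10.0.2.40 dst=dc01
2024-03-01T13:03:09Z auth ok user=bob src=10.0.2.40 dst=dc01
2024-03-01T13:03:30Z auth ok user=bob src=10.0.2.40 dst=hr-app01
2024-03-01T13:04:02Z auth ok user=bob src=10.0.2.40 dst=backup01
2024-03-01T13:04:40Z auth ok user=bob src=10.0.2.40 dst=jump01
2024-03-01T17:15:00Z auth ok user=carol src=10.0.3.7 dst=fileserver01
"""

# Assumed line format: ISO timestamp, result, then key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)$"
)


def parse_log(text):
    """Parse log lines into (timestamp, result, user, src, dst) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"], m["user"], m["src"], m["dst"]))
    return events


def find_fanout(events, window=timedelta(minutes=10), threshold=4):
    """Return {user: sorted hosts} for users whose successful logins reach at
    least `threshold` distinct hosts within any sliding `window`."""
    by_user = defaultdict(list)
    for ts, result, user, _src, dst in events:
        if result == "ok":
            by_user[user].append((ts, dst))
    alerts = {}
    for user, logins in by_user.items():
        logins.sort()
        start = 0
        for end in range(len(logins)):
            # Advance the window start until the window fits within `window`.
            while logins[end][0] - logins[start][0] > window:
                start += 1
            hosts = {dst for _, dst in logins[start:end + 1]}
            if len(hosts) >= threshold and len(hosts) > len(alerts.get(user, ())):
                alerts[user] = sorted(hosts)
    return alerts


if __name__ == "__main__":
    for user, hosts in find_fanout(parse_log(SAMPLE_LOG)).items():
        print(f"{user}: {len(hosts)} distinct hosts in window -> {', '.join(hosts)}")
```

Only successful logins count toward the fan-out, so the failed attempt against `dc01` does not inflate bob's score; a separate rule for failure bursts would catch password spraying, which is a different signal. The window and threshold are the knobs to tune: service accounts and administrators will need either higher thresholds or an allow-list, and the host list in each alert is what lets a responder scope which systems to examine first.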

Conclusion

Spear phishing is the most difficult type of attack to defend against. An adversary looking to exploit users can deploy it quickly to thwart an organization’s or user’s defenses. But some basic steps, such as employee security awareness education combined with anti-phishing solutions, zero trust/least privilege policies, and multi-factor authentication, can help alleviate many of the risks associated with a spear phishing attack.

Security stakes are higher than ever. By understanding spear phishing attack types and phases, organizations can help prevent or minimize the overall impact of attacks. To learn more on how to prevent spear phishing attacks, visit our Phishing Services web page.

2201 Cooperative Way, Suite 225, Herndon, VA 20171
guidepointsecurity.com • [email protected] • (877) 889-0132

WP-dSPEARPHISHING-082020-02