On 12 January 2016 a cyber attack was launched that affected 80,000 customers of a Ukrainian electric utility provider (Prykarpattyaoblenergo). This was the first time we could fully document and confirm that a power outage was caused by hackers from a remote location. These hackers don’t always have the best equipment or resources. In exchange they have an attitude and talent that confronts safeguards with a single principle in mind: The weakest link in a security system is the human that uses it.
An investigation of the above attack came up with the conclusion that it was a spear phishing incident. While this topic was discussed briefly in a previous article, I suspect that this is an opportune moment to expand on the subject and offer as much crucial information as possible about this kind of attack.
What Is Spear Phishing?
The magic in spear phishing involves collecting information about an individual (date of birth, name, other relevant information) before performing the attack. The attack itself will incorporate that information to convince the individual that the sender is a legitimate entity that “knows” the victim. Spear phishing is dangerous because it uses the rapport between an individual and an organization to accomplish its purpose which usually involves getting crucial and useful information (often of a financial nature, but not always, as is the case with identity theft) about the victim.
The FBI’s website uses the hypothetical example of hackers imitating a telecommunications firm and sending its customers a link to a phony page where they would input their birthdates and social security numbers. This is a textbook example of what I described above. Usually, victims of spear phishing often are connected in some way. They are usually customers of the same firm, co-workers, or classmates.
Difference Between Spear Phishing and Plain Old Phishing
The typical, traditional style of phishing involves sending emails at random to a long list of people. The hackers hope to get a few replies, but most people will not fall victim to this attack. Because of the sophistication behind spear phishing, it’s much more effective and more likely to produce victims even among people who should know better than to trust such emails. Some spear phishing attacks even use official addresses of the companies they are mimicking (a practice known as spoofing), making them extremely dangerous.
Smart hackers, instead of looking at a major database leak (like the one Target suffered in March 2014) as a list of random emails they can fire at for kicks and giggles, see that list as an opportunity to use the information gathered to victimize customers by using their trust in the company as bait. Perverse? Yes. Mischievous? Absolutely. Elegant? Oh, yes!
How to Arm Yourself Against It
To fight spear phishing, prevention is key. You need to operate under the principle that no company will ask you for personal information through an email message. Never call a company’s phone number using the one provided in the email since that could be owned and operated by the hackers rather than the corporate entity. You should always search for the company’s official phone number and give them a call if you receive a potential phishing email.
If the email came from a friend or family member, call them back rather than replying via email. The address could be spoofed.
Any other tips to prevent people from falling victim to spear phishing? Tell us about them in a comment!