As the American political theater continues to unfold on a global stage, the phrase “spear phishing” has come up several times. A 2016 joint report from the US Department of Homeland Security.
And the FBI detailed how malicious hackers targeted a “political party,” namely the Democratic National Committee. They used spear phishing to do it. But what exactly is spear phishing?
Phishing is one of those nautical-related terms that we use in the context of malicious behavior on the Internet (see also: trolling). You’ve probably heard of him.
But here’s a summary, just in case: Phishing refers to the practice of sending messages to targets in hopes of tricking them into revealing sensitive information.
A phishing scheme could try to trick people into sharing credit card information or a social security number. Phishing attempts can be general and cast a wide net across many potential targets.
Spear phishing is a subset of phishing that relies on a more focused approach. A malicious actor will target specific groups of people, such as employees of a particular company or, as was the case with the DNC, members of a political organization. Spear phishers refine their messages to suit their targets and increase the chances of getting hit.
With phishing, you can be less specific in your language since you’re trying to cast such a wide net. With spear phishing, you want to direct your attack to your intended targets.
There is another variant of spear phishing that is even more specific called whaling. Whaling involves directly targeting high-level executives or important officials.
This attack can be customized to create the best hitting chance. Ultimately, the goal is the same as phishing or spear phishing: the attacker wants to convince the target to divulge otherwise confidential or protected information.
It happened to Mattel in 2015, when a financial executive at the toy company received a plausible-seeming payment request from a new Chinese supplier, in the amount of $3 million. The executive sent the money to China and soon after discovered that the request was false. But the money ran out long ago.
In any of these cases, the approach an attacker might use can vary from instance to instance. A common tactic is to impersonate a technical professional requesting that the target install some malicious software (malware) disguised as an update or security patch.
The malware can spy on the computer activity of the target. It could include software called a keylogger, which keeps track of every key pressed by the user. This is a way to obtain usernames and passwords from a target.
Sometimes attacks can tap into emotional responses. The messages may indicate that the target’s computer has been attacked with malware.
Or it could include an offer for a business that sounds too good to be true. Attackers often rely on how impulsively people can react when they are anxious or when someone appeals to the target’s self-interest.
The more precise the hit, the more likely the attacker will use information about the target to gain an advantage. This could involve the attacker posing as someone the target knows and trusts.
Phishing falls under a broader category of deception called social engineering. It is a set of tools that people use to trick targets into providing more information than they would otherwise consent to.
It’s not that different from the skills a magician or mentalist might use in an act, just that in the case of social engineering the goal is not to entertain the audience.
To protect yourself against spear phishing and other social engineering, it’s best to employ critical thinking. Verify that the communications you receive come from reliable sources. Never share sensitive information over open, unencrypted channels. And don’t install any update or program from an unknown source without first checking to make sure it’s legitimate.
Now that’s annoying
In February 2018, WhatsApp users were asked if they wanted a free pair of Adidas sneakers in exchange for completing a survey. The only problem? The giveaway was not associated with Adidas and users revealed their personal data in the process. Journal.