Anatomy of a Spear Phishing attack

Competent IT network admins have upped their security game. They’re constantly on the lookout for news on vulnerabilities, implementing necessary vendor patches and updates with gusto, and even scanning their own systems for open doorways and weaknesses.

This is all good and necessary stuff.

The upshot is that perimeter defences are strong, there’s a diminishing attack surface and criminals are finding it increasingly difficult to locate low-hanging fruit.

THE FLIP SIDE

As with the famous Maginot Line, criminals are going around the wall and targeting the ‘meatware’ or ‘human OS’.

Every single day, grim news headlines confirm the above assertion. Given this, you’d think the following quotes were recent, but they were, in fact, written in a fabulous paper entitled MetaPhish as far back as 2009:

The remote exploit paradigm is shifting from the open port to the browser and email client.

[…]

Spear fishing, file formats and anonymity are the areas that attackers have been most recently focused in.

These are old tricks, but the hardening perimeter, coupled with the explosion in open-source data, has brought these tactics back in vogue.

As a result, I wanted to write a basic primer on spear phishing, which I hope may be of use to some.

WHAT IS SPEAR PHISHING?

Technically, spear phishing is a ‘client-side attack’. More simply, it’s an email tailored to a specific target that looks like legitimate business.

WHY SPEAR PHISH?

The email itself may contain a document embedded with malware. Alternatively, it might have instructions to perform an action such as visit a website. The website may itself inject malware into the browser, or request user credentials through spoofing, or simply grab enough information to create a ‘system profile’. Have a quick look at BrowserSpy to see the information available from your own browser.

PHISHY TALE

Yesterday morning I registered an experimental domain and deliberately did not opt for my details to be private. By the evening I had received the following email (some details removed):

Subject: Domain Notification for databreach.club : This is your Final Notice of Domain

Attention: Important Notice , DOMAIN SERVICE NOTICE
Domain Name: databreach.club

ATT: Stuart Winter-Tear
databreach.club
Response Requested By
5 – Nov. – 2015

PART I: REVIEW NOTICE

Attn: Stuart Winter-Tear

As a courtesy to domain name holders, we are sending you this notification for your business Domain name search engine registration. This letter is to inform you that it’s time to send in your registration.

Failure to complete your Domain name search engine registration by the expiration date may result in cancellation of this offer making it difficult for your customers to locate you on the web.

Privatization allows the consumer a choice when registering. Search engine registration includes domain name search engine submission. Do not discard, this notice is not an invoice it is a courtesy reminder to register your domain name search engine listing so your customers can locate you on the web.

This Notice for: databreach.club will expire at 11:59PM EST, 5 – Nov. – 2015 Act now!

Select Package:
Website Link Removed

Payment by Credit/Debit Card

Select the term using the link above by 5 – Nov. – 2015
http://databreach.club/

This, ladies and gentlemen, is a spear phish. It very nicely illustrates a few psychological pressure points that spear phishing takes advantage of, which I will highlight below:

“This is your Final Notice”

Right from the get-go the criticality level of this email is established in my mind. I’m also quite concerned as it looks like I’ve missed a previous “Notice”.

“Attention: Important Notice”

The importance level of this email has now been set.

“Domain Name: databreach.club”

It’s the correct domain indicating this email is indeed relevant to me.

“ATT: Stuart Winter-Tear”

Correct name also; must be legit and specific to me personally.

“As a courtesy”

They’re doing me the service/favour. Sounds decent and generous.

“This letter is to inform you that it’s time to send in your registration.”

It sounds official now, the time pressure is being ramped up, and it is also an early cue meant to soften me up to part with personal information.

“Failure to complete your Domain name search engine registration by the expiration date may result in cancellation of this offer making it difficult for your customers to locate you on the web.”

Woah – if I don’t comply quickly (time pressure again) there’s going to be an adverse impact on me and I’ll lose customers. This could potentially hit me in the pocket!

“Search engine registration includes domain name search engine submission.”

They’re going to perform some sort of important-sounding service for me.

“Do not discard, this notice is not an invoice it is a courtesy reminder to register your domain name search engine listing so your customers can locate you on the web.”

Really mixed messages here. An instruction not to “discard” this important-sounding “notice”, but no pressure, as this is not a request for money (“invoice”) but just a generous and selfless “courtesy” and “reminder” that will benefit me.

“This Notice for: databreach.club will expire at 11:59PM EST, 5 – Nov. – 2015 Act now!”

Time pressure cranked up to maximum. No need to think – just ACT NOW before it’s too late.

All of the above is called ‘amygdala hijacking’ or, more simply, emotional manipulation. This is classic spear phishing.
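As an added example (not code from the original post), the following Python scores an email for the pressure cues walked through above and runs it over a constructed copy of the notice; the phrase list, the regexes and the verdict thresholds are assumptions for illustration, not a vendor ruleset.

```python
import re

# Pressure cues from the post's walkthrough, grouped by the lever each one pulls.
# The phrase list is an assumption drawn from the quoted notice, not a vendor ruleset.
CUES = {
    "escalation":  [r"\bfinal notice\b", r"\bimportant notice\b", r"\bdo not discard\b"],
    "urgency":     [r"\bact now\b", r"\bexpir(e|es|ation)\b", r"\bresponse requested by\b"],
    "loss":        [r"\bfailure to\b", r"\bcancellation\b", r"\bdifficult for your customers\b"],
    "reassurance": [r"\bas a courtesy\b", r"\bnot an invoice\b", r"\breminder\b"],
    "payment":     [r"\bpayment by credit", r"\bselect package\b", r"\bselect the term\b"],
}
# A concrete deadline such as "5 - Nov. - 2015" (hyphen or en dash) is time pressure on its own.
DEADLINE = re.compile(r"\b\d{1,2}\s*[-\u2013]\s*[A-Za-z]{3}\.?\s*[-\u2013]\s*\d{4}\b")

def analyse(subject: str, body: str) -> dict:
    text = f"{subject}\n{body}".lower()
    hits = {}
    for category, patterns in CUES.items():
        found = [m.group(0) for p in patterns for m in re.finditer(p, text)]
        if found:
            hits[category] = found
    levers = set(hits)
    report = {
        "hits": hits,
        "deadlines": DEADLINE.findall(text),
        # "not an invoice" reassurance sitting next to a card-payment request is the mixed message
        "mixed_message": {"reassurance", "payment"} <= levers,
        "verdict": "no pressure cues",
    }
    if {"urgency", "payment"} <= levers or len(levers) >= 3:
        report["verdict"] = "likely spear phish: stop, verify out of band, do not follow links"
    elif levers:
        report["verdict"] = "some pressure language: read twice before acting"
    return report

# Constructed sample modelled on the notice quoted above (domain and link are placeholders).
SAMPLE_SUBJECT = "Domain Notification for example.club : This is your Final Notice of Domain"
SAMPLE_BODY = """Attention: Important Notice , DOMAIN SERVICE NOTICE
Domain Name: example.club
Response Requested By 5 - Nov. - 2015
As a courtesy to domain name holders, we are sending you this notification.
Failure to complete your registration by the expiration date may result in
cancellation of this offer making it difficult for your customers to locate you.
Do not discard, this notice is not an invoice it is a courtesy reminder.
This Notice will expire at 11:59PM EST, 5 - Nov. - 2015 Act now!
Select Package: [link removed]
Payment by Credit/Debit Card
Select the term using the link above by 5 - Nov. - 2015
"""
```

Running `analyse(SAMPLE_SUBJECT, SAMPLE_BODY)` lights up all five levers, finds three deadlines and flags the mixed message, which is the pattern a training exercise should teach people to pause on.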

I didn’t click the link and hand over my credit/debit card details as it raised all the right suspicious flags for me. Instead, I quickly Googled the link and swiftly confirmed my suspicions of fraud.

Sadly, some would have fallen for this simply through a lack of training and awareness.

The Metaphish paper says this about spear phishing:

“major vector of realistic threat is being missed and not tested”

I think this is true. There are plenty of open-source phishing platforms that we can leverage to test and train our employees. I’m happy to guide you to these, just let me know on Twitter.

I’d also encourage you to read Raphael Mudge’s Email Delivery – What Pen Testers Should Know blog post.