
[Spear Phishing] Understanding Targeted Attacks and Protection Strategies

 




0. Introduction

Spear phishing poses a serious threat to both individuals and organizations. It is a method of precisely targeting a particular individual or organization through email. Attackers use emails that appear to come from a trusted source, enticing the victim to open them without suspicion.

These emails contain malicious links or attachments that can steal personal or sensitive information or damage systems. Today, we will take a closer look at how spear phishing works and how it can be prevented.


1. Definition



Spear phishing is a type of phishing attack that targets a specific individual, group or organization. These personalized scams trick victims into divulging sensitive data, downloading malware or sending money to an attacker. Unlike common phishing, it uses personal information about the victim to conduct more sophisticated and credible attacks.


2. Risks of Spear Phishing





  • Personal Information Leakage: Attackers can steal and misuse the target's sensitive information
  • Financial Loss: Companies may suffer financial damage or lose customer credibility
  • System Damage: Malicious code can damage systems
  • Reputation Damage: Companies' reputations can be damaged, potentially leading to legal liabilities

3. Case Study: Sophisticated Spear Phishing Attacks by CharmingCypress

https://mailinspector2.blogspot.com/2024/07/spear-phishing-major-threats-faced-by.html



In September and October 2023, Volexity, a cybersecurity company based in Washington, revealed that the Iranian hacker group CharmingCypress (also known as Charming Kitten, APT42, TA453) was carrying out sophisticated spear phishing attacks targeting high-ranking officials in the Middle East. CharmingCypress employed social engineering tactics to engage in prolonged email conversations before sending emails containing malicious links, aiming to collect political information from think tanks, NGOs, and journalists.

Specifically, they created fake webinar platforms to lure victims and conducted spear phishing attacks by impersonating the Rasanah International Institute for Iranian Studies (IIIS). CharmingCypress used typo-squatted domains with multiple deliberate errors to impersonate legitimate domains and built sophisticated fake webinar portals, including the logos and interfaces of Riyadh-based research institutes, to deceive their targets.

Volexity's investigation revealed that significant effort had been put into creating this fake webinar portal, demonstrating how sophisticated the attackers' strategy is. This case illustrates that spear phishing attacks are becoming more sophisticated, and it highlights the need for increased alertness to them.


4. Attack Mechanisms



4-1. Social Engineering Techniques

: To gain the target's trust, attackers collect personal and professional information about the target to create customized messages

  • Building Trust 
    • Attackers gather information about the target's hobbies, interests, and job-related details to gain the target's trust
    • Based on this information, the attacker impersonates and approaches the target by pretending to be a trusted individual
    • ex. An attacker sends an email impersonating a colleague or a boss of the target
  • Creating Urgent Situations
    • Attackers create an urgent situation in the email to prompt the target to act quickly
    • ex. “Urgent: Your account has been hacked. Change your password now!"

4-2. E-mail spoofing

: Forging the sender address so that an email appears to come from a trusted person or institution

  • Forging Sender Addresses
    • Attackers fake the sender's address to make it appear as if the email comes from a trusted individual or organization, encouraging the target to open the email
      • ex. Email impersonating the company's IT department requesting security updates
  • Domain Spoofing
    • Attackers send emails using a domain similar to the real domain
    • A method of making the target trust the email
      • ex. Using a similar domain such as "examp1e.com" instead of "example.com"

4-3. Malicious links/Attachments

: Including links or attachments that install malicious code when the target clicks or downloads them

  • Inserting Malicious Links
    • Attackers insert malicious links in the email body to lure the target into clicking
    • Clicking these links leads to malicious websites or downloads malicious software
      • ex. Links like "Click here to verify your account."
  • Including Malicious Attachments
    • Attackers attach files containing malicious code to the email
    • Opening these files can infect the target's system
      • ex. An email stating "Important document attached. Please check the attached file."

4-4. Creating Similar Websites 

  • Phishing Sites
    • Attackers create phishing sites that closely resemble legitimate websites, tricking the target into entering login information
    • This information allows attackers to access the target's account
      • ex. A phishing site imitating a bank's website.
  • Fake Webinar Platforms
    • Attackers create fake webinar platforms to lure targets into installing malicious VPN applications
    • This allows them to take control of the system
      • ex. An email stating "Join our webinar for a new security update."


5. Types of Attacks


Spear phishing is a type of social engineering email attack, but it also covers malware attacks, because the deceptive e-mail is often the carrier for malicious code.


Now let's look at each type of attack.


First, we cover malware attacks: zero-day malware, malware in attachments, and malware in URLs.


5-1 Zero-day malware

The attacker exploits a zero-day vulnerability: an attachment or clickable link carrying previously unknown malware that the security system cannot yet detect is inserted into an email that induces users to click when they should not.

5-2 Malware in an attachment

A malicious attachment is a type of threat in which attackers conceal malware inside commonly emailed files. The attachments in these malicious emails can be disguised as documents, executable files, or even image and video files, and they may also be encrypted or given misleading extensions. Attacks using executable files may involve spoofing the sender's address to deceive the recipient into opening emails with malicious documents.

5-3 Malware in uniform resource locator

A malicious URL attack inserts a clickable link leading to malware into an email for the purpose of inducing users to visit malicious websites. Malicious URLs can also be contained in a large attachment or in the body of an email. In this kind of attack the malware is executed not at the time of delivery but when the user clicks the URL in the email or in an otherwise ordinary attachment, which is why scanning at delivery time alone can miss it.
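To make the attachment and URL checks from 4-3, 5-2 and 5-3 concrete, here is an added screening example (written for this post, not code from the original author). It constructs a sample message with the Python standard library: a "document" whose real extension is .exe, a link whose visible text names the real site while its href points to a look-alike domain, and a raw-IP URL in the plain-text body. The extension lists are illustrative assumptions, not a complete policy.

```python
"""
Added example (not part of the original post): screening a message for the
malicious-attachment and malicious-URL patterns described in 5-2 and 5-3.
The sample message is constructed here; it is not a real capture, and the
extension lists are illustrative rather than complete.
"""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from urllib.parse import urlparse

# Constructed lists: file types that execute code or carry macros, and archives
# that should be opened and inspected rather than judged by name alone.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".bat", ".cmd", ".ps1",
                    ".jar", ".lnk", ".iso", ".docm", ".xlsm", ".pptm"}
ARCHIVE_EXTENSIONS = {".zip", ".rar", ".7z"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
ANCHOR_RE = re.compile(r'<a\s[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>',
                       re.IGNORECASE | re.DOTALL)
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def build_sample_message() -> bytes:
    """Constructed message: an executable disguised as a PDF, a link whose text
    shows the real site while the href goes elsewhere, and a raw-IP URL."""
    msg = EmailMessage()
    msg["From"] = "it-support@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "Important document attached. Please check the attached file."
    msg.set_content("Please verify your account: http://198.51.100.7/login\n")
    msg.add_alternative(
        '<p>Please verify your account: '
        '<a href="http://examp1e.com/verify">https://example.com/account</a></p>',
        subtype="html")
    msg.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                       filename="Invoice_2024.pdf.exe")
    return msg.as_bytes()


def check_attachment(name: str) -> list:
    """Judge an attachment by its final extension and by double extensions."""
    findings = []
    extensions = ["." + e.lower() for e in name.split(".")[1:]]
    final = extensions[-1] if extensions else ""
    if final in RISKY_EXTENSIONS:
        findings.append(f"attachment '{name}': executable or macro-enabled type {final}")
        if len(extensions) > 1:
            findings.append(f"attachment '{name}': double extension disguises the real type")
    elif final in ARCHIVE_EXTENSIONS:
        findings.append(f"attachment '{name}': archive, inspect contents before delivery")
    return findings


def check_url(url: str) -> list:
    """Flag hosts that are raw IP addresses or internationalized (punycode) labels."""
    host = urlparse(url).hostname or ""
    findings = []
    if IPV4_RE.fullmatch(host):
        findings.append(f"link {url}: host is a raw IP address")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append(f"link {url}: internationalized (punycode) host")
    return findings


def body_text(msg, subtype: str) -> str:
    part = msg.get_body(preferencelist=(subtype,))
    return part.get_content() if part is not None else ""


def analyze_message(raw: bytes) -> dict:
    """Return every finding for the attachments and links in a raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        findings.extend(check_attachment(part.get_filename() or ""))
    plain, html = body_text(msg, "plain"), body_text(msg, "html")
    for url in URL_RE.findall(plain) + URL_RE.findall(html):
        findings.extend(check_url(url))
    # Link text that names one site while the href actually goes to another.
    for href, inner in ANCHOR_RE.findall(html):
        shown = URL_RE.search(re.sub(r"<[^>]+>", "", inner))
        if shown and urlparse(shown.group()).hostname != urlparse(href).hostname:
            findings.append(f"link text shows {shown.group()} but points to {href}")
    return {"findings": findings, "verdict": "block" if findings else "deliver"}


if __name__ == "__main__":
    report = analyze_message(build_sample_message())
    print(report["verdict"])
    for finding in report["findings"]:
        print(" -", finding)
```

Running the block prints a "block" verdict with four findings: the executable type, the double extension, the raw-IP link, and the mismatch between link text and href. A real mail filter would add content inspection of the attachment bytes and archive contents; extension and link-text checks are only the first, cheapest layer.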


Next are social engineering email attacks: forged headers, look-alike domains, account take-over, and URL phishing.


5-4 Forged header

One type of social engineering attack involves scammers dodging detection by forging account information in a header. Attackers use email header forgery to redirect a user's reply to an address they control instead of to the apparent sender. Through a forged header attack, attackers are able to intercept emails from normal users that may contain information relating to a company's credentials and personnel.
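The forged-header pattern above, and the sender-address forgery from 4-2, can be spotted by comparing the headers a recipient sees with the ones that actually route the mail. The following is an added example for this post (not the original author's code) that parses two constructed messages with Python's standard `email` module: one where the From address claims the company domain but Reply-To, Return-Path and the receiving server's Authentication-Results disagree, and one whose headers are consistent. The sample headers and domains are constructed for illustration.

```python
"""
Added example (not part of the original post): header consistency checks for
the forged-header and sender-spoofing patterns described in 4-2 and 5-4.
Both raw messages below are constructed for illustration, not real captures.
"""
import email
import re
from email.utils import parseaddr

# Constructed: the visible From claims the company domain, but replies would go
# to a look-alike domain, the envelope sender is a third-party relay, and the
# receiving server recorded SPF and DMARC failures.
SUSPICIOUS_RAW = b"""Return-Path: <bounce@mail-relay-9.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-relay-9.example.net; dkim=none; dmarc=fail header.from=example.com
From: "Alice Chief (CEO)" <alice.chief@example.com>
Reply-To: alice.chief@examp1e.com
To: bob@example.com
Subject: Urgent: wire transfer needed today
Date: Mon, 01 Jul 2024 09:00:00 +0000
Content-Type: text/plain; charset=utf-8

Bob, I am in a meeting. Please process the transfer immediately.
"""

# Constructed: a message whose headers agree with each other and passed checks.
CLEAN_RAW = b"""Return-Path: <alice.chief@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: Alice Chief <alice.chief@example.com>
To: bob@example.com
Subject: Agenda for Tuesday
Date: Mon, 01 Jul 2024 09:00:00 +0000
Content-Type: text/plain; charset=utf-8

Agenda is in the calendar invite.
"""

AUTH_RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)
FAILING_RESULTS = {"fail", "softfail", "permerror", "temperror"}


def address_parts(header_value):
    """Return (display_name, address, lower-cased domain) for an address header."""
    name, addr = parseaddr(header_value or "")
    domain = addr.rsplit("@", 1)[1].lower() if "@" in addr else ""
    return name, addr, domain


def analyze_headers(raw_message: bytes) -> dict:
    """Compare the headers a recipient sees with the ones that route mail and
    report every disagreement. An empty findings list means no anomaly found."""
    msg = email.message_from_bytes(raw_message)
    findings = []

    from_name, _, from_domain = address_parts(msg.get("From"))
    _, _, reply_domain = address_parts(msg.get("Reply-To"))
    _, _, path_domain = address_parts(msg.get("Return-Path"))

    # Forged-header pattern: replies are silently redirected to another domain.
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain '{reply_domain}' differs from From domain '{from_domain}'")

    # Envelope sender (Return-Path) is not under the claimed From domain.
    if path_domain and path_domain != from_domain and not path_domain.endswith("." + from_domain):
        findings.append(f"Return-Path domain '{path_domain}' differs from From domain '{from_domain}'")

    # Display-name trick: a familiar address shown as the name, hiding the real one.
    name_domain = address_parts(from_name)[2] if "@" in from_name else ""
    if name_domain and name_domain != from_domain:
        findings.append(f"display name shows '{from_name}' but the real sender domain is '{from_domain}'")

    # Results recorded by the receiving server (RFC 8601 Authentication-Results).
    for method, result in AUTH_RESULT_RE.findall(msg.get("Authentication-Results", "")):
        if result.lower() in FAILING_RESULTS:
            findings.append(f"{method.upper()} result: {result.lower()}")

    return {
        "from_domain": from_domain,
        "reply_to_domain": reply_domain,
        "return_path_domain": path_domain,
        "findings": findings,
        "verdict": "suspicious" if findings else "no header anomalies",
    }


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_RAW), ("clean", CLEAN_RAW)):
        report = analyze_headers(raw)
        print(label, "->", report["verdict"])
        for finding in report["findings"]:
            print("  -", finding)
```

Only the headers added by your own receiving server (Return-Path, Authentication-Results) are trustworthy; From and Reply-To are written by whoever sent the message, which is exactly why comparing the two groups is informative. A Reply-To that differs from From is not proof of fraud (mailing lists and ticketing systems do it legitimately), so in practice this check feeds a score or a user-facing warning rather than an outright block.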

5-5 Look-alike domain

A look-alike domain is a type of attack where attackers send a malicious email from an email address that, on cursory visual examination, is remarkably similar to that of a normal, familiar sender. For example, the capital letter "I", the lower-case letter "l" and the digit "1" are similar in appearance, and this similarity can be abused in an attack.
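The look-alike domains described here and in 4-2 ("examp1e.com" for "example.com") can be caught by comparing a sender's domain against an allow-list of domains the organization actually corresponds with. The following is an added example for this post (not the original author's code): it collapses commonly confused characters into one canonical form, so a homoglyph substitution maps onto the trusted domain, and then uses edit distance to catch near-miss typos. The trusted-domain list, the confusable table and the sample domains are constructed for illustration.

```python
"""
Added example (not part of the original post): detecting look-alike sender
domains of the kinds described in 4-2 (domain spoofing) and 5-5 (visually
similar characters). The trusted-domain list, the confusable-character table
and the sample domains are constructed for illustration.
"""

# Constructed allow-list: domains this organization legitimately exchanges mail with.
TRUSTED_DOMAINS = ["example.com", "rasanah-iiis.org", "paypal.com"]

# Character sequences that look alike at a glance, mapped to one canonical form.
# Multi-character confusables are listed first so they are collapsed before the
# single characters they contain are rewritten.
HOMOGLYPHS = [
    ("rn", "m"), ("vv", "w"), ("cl", "d"),
    ("0", "o"), ("1", "l"), ("i", "l"), ("|", "l"),
    ("3", "e"), ("5", "s"), ("$", "s"), ("4", "a"), ("@", "a"), ("7", "t"),
]


def registrable_domain(domain: str) -> str:
    """Keep the last two labels ('mail.example.com' -> 'example.com').
    A rough approximation; a production filter would consult the Public Suffix List."""
    labels = domain.strip().lower().strip(".").split(".")
    return ".".join(labels[-2:])


def normalize(domain: str) -> str:
    """Collapse confusable characters so that 'examp1e.com', 'exarnple.com' and
    'paypaI.com' map onto their targets. Capital I is lower-cased to i first."""
    d = domain.lower()
    for confusable, canonical in HOMOGLYPHS:
        d = d.replace(confusable, canonical)
    return d


def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character edits turning a into b."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1,                 # deletion
                               current[j - 1] + 1,              # insertion
                               previous[j - 1] + (ca != cb)))   # substitution
        previous = current
    return previous[-1]


def classify_domain(domain: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> dict:
    """Verdicts: 'trusted' (exact match), 'lookalike' (homoglyph or near-typo of a
    trusted domain), 'suspicious' (punycode label), or 'unknown' (no relation)."""
    base = registrable_domain(domain)
    result = {"domain": domain, "verdict": "unknown",
              "reason": "no trusted domain nearby", "target": None}

    # Internationalized labels can hide characters from other scripts entirely.
    if any(label.startswith("xn--") for label in base.split(".")):
        return dict(result, verdict="suspicious", reason="internationalized (punycode) label")

    trusted_bases = [registrable_domain(t) for t in trusted]
    if base in trusted_bases:
        return dict(result, verdict="trusted", reason="exact match", target=base)

    base_norm = normalize(base)
    for t in trusted_bases:
        if base_norm == normalize(t):
            return dict(result, verdict="lookalike", reason="homoglyph substitution", target=t)

    for t in trusted_bases:
        distance = levenshtein(base_norm, normalize(t))
        if distance <= max_distance:
            return dict(result, verdict="lookalike",
                        reason=f"edit distance {distance} from trusted domain", target=t)
    return result


if __name__ == "__main__":
    for sample in ["mail.example.com", "examp1e.com", "exarnple.com", "exampel.com",
                   "paypaI.com", "xn--exmple-cua.com", "github.com"]:
        r = classify_domain(sample)
        print(f"{sample:22} {r['verdict']:10} {r['reason']} -> {r['target']}")
```

The distance threshold is deliberately small: with `max_distance=2` a sister domain such as example.org is not reported, while a swapped or dropped letter is. Mapping "i" to "l" does make the normalizer coarser than a human reader, which is acceptable for a filter that only raises a warning on "lookalike" rather than rejecting mail outright.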

5-6 Account take-over

ATO is a social engineering attack that uses the account of a real user. After logging in to the stolen email account and browsing the user's email history, the attacker finds confidential information and potential secondary victims. For example, account information stolen from a phishing site can be used by an attacker to send an email asking for a change of remittance account, or to deliver confidential information stored in the account to an external party.

5-7 Uniform resource locator phishing

URL phishing is the theft of a victim's identifier (ID) and password: the attacker creates a phishing page or website and induces the victim to enter account information through a malicious URL or file embedded in an email.


If you want to know more about the attacks, please refer to the blog below.

https://mailinspector2.blogspot.com/


6. Prevention Methods

Then how can spear phishing attacks, with their various and formidable attack methods, be prevented?

The following are effective measures to prevent spear phishing:

1. Education and Awareness

  • Regular Security Training: Train employees about the risks of spear phishing attacks and how to recognize them. Conduct practical exercises using real-life phishing scenarios.
  • Identifying Suspicious Emails: Teach employees to identify emails that contain unclear senders, grammatical errors, and urgent action requests, etc.

2. Multi-Factor Authentication (MFA)

  • Implement Additional Authentication Steps: Require additional authentication steps beyond passwords to make account take-overs more difficult.

3. Email Filtering and Spam Blocking

  • Use Advanced Email Filters: Utilize spam filters and email security solutions to proactively block suspicious emails.

4. Use Security Software

  • Install Up-to-Date Antivirus Software: Protect systems by installing regularly updated antivirus and anti-malware software.

5. Verify Suspicious Emails

  • Confirm Email Senders: Verify email addresses and directly contact the sender if there are any suspicious requests.

6. Apply the Principle of Least Privilege

  • Least privilege: Reduce the damage a compromised account can do by giving users only the privileges they need for their work.

7. Protect Confidential Information

  • Minimize Sharing Confidential Information: Establish policies to avoid sending confidential information via email. Use encrypted channels when necessary.

Preventing spear phishing requires these numerous methods and special attention. 

However, there is an easy and quick way to enhance protection: use a security solution that complies with all International Email Security Standards set by ITU to keep emails safe from such risks.


7. Conclusion

As spear phishing attacks become increasingly sophisticated and prevalent, the importance of cybersecurity is underscored more than ever. The activities of hacker groups like CharmingCypress, which employ new social engineering techniques to target specific individuals, raise significant alarm in both the public and private sectors.

The risks of spear phishing attacks are not just about information leakage, but can come in many forms, including financial loss, system damage, and reputation damage. To counter these threats, the adoption of cutting-edge security technologies and regular security training is essential. Compliance with International Security Standards is particularly effective in mitigating risks from malware and social engineering attacks.


8. References

<What is spear phishing?>

https://www.ibm.com/topics/spear-phishing

<Iranian Hackers Target Mideastern Experts In Spear-Phishing Attacks>

https://www.iranintl.com/en/202402164333

