To users, spear phishing emails may seem like innocent requests for information or other forms of benign contact, potentially appearing to even come from a person or company a user is friendly or familiar with. But for attackers, spear phishing emails are most often the best way to get the keys to the kingdom.
Most people are familiar with phishing – an attempt to obtain user credentials, financial data, or other sensitive information by emulating a legitimate email communication. The information gathered can be sold on the black market, or used directly for theft, further fraud, or in some cases, blackmail.
Spear phishing, on the other hand, is a type of targeted phishing in which an attacker first researches the target individual or company to increase their chance of success. Because this allows the attacker to appear more trustworthy as a legitimate business entity, users are less suspicious. This added level of comfort represents a much greater threat than untargeted, mass spam or phishing emails.
In fact, a recent study conducted by Vanson Bourne (sponsored by Cloudmark), 300 firms in the US and UK reported that 38% of cyber attacks in the past 12 months came from spear phishing.
In the past two years, many of the highest profile and most damaging data breaches have started with attackers getting into networks via a successful spear phishing email. This form of entry applies to both for profit attacks as well as state-sponsored hacks on government targets and private businesses.
To illustrate the seriousness of spear phishing threats, here, in no particular order, are Cloudmark’s top ten targeted security breaches that began with spear phishing:
For Profit Attacks – Spear Phishing
- Target: As Many As 100 Banks Worldwide
In 2015, Kaspersky Labs released a report detailing attacks against up to 100 banks worldwide by an unknown group of cybercriminals. Kaspersky claimed that the banks suffered financial losses of $2.5 million to $10 million per bank, for a total of up to $1 billion USD. The attackers used spear phishing emails containing weaponized .doc (Microsoft Word) and .cpl (Microsoft Control Panel) files to execute a backdoor called Carbanak. This allowed the attackers to perform reconnaissance that eventually led to access to money processing services.
Notable for: The largest recorded cyberheist in history, the Carbanak attack was noteworthy for its coordinating attackers (aka “mules”) who waited at pre-arranged times at ATMs as the cash machines spit out millions
On average, it took from two to four months to extract money from each victim bank, starting from the Day 1 of infection to cash withdrawal. The average amount taken from each bank was between $2.5 and $10 million each.
- Target: JPMorgan Chase
Information from 76 million customers and 6 million businesses was exposed when an employee’s credentials were stolen and used to access an older server that lacked two-factor authentication. This breach continues to be tied to ongoing criminal activity like pump and dump stock scams. Following the breach, the bank announced it would increase spending on cybersecurity by $250 million and dedicate a 1,000 person IT team to security.
Notable for: “Professional” approach to spear phishing: the instigators ran a 200 person firm. Also notable was the fact that federal officials found the culprits and charged and arrested two of the three known kingpins in Nov. 2015.
- Target: eBay
A “small number” of employee credentials were compromised, resulting in 145 million user records being stolen. eBay was criticized for having sensitive data in one location and unencrypted. Stolen data did not include credit card or other financial information, so while the eBay users may have been subject to spam or phishing attempts after their contact information was stolen, there was no direct financial risk to eBay itself, aside from the negative publicity.
Notable for: One of the biggest data breaches in history, the eBay attack caused a short term decline in volume for eBay’s merchants and the company’s stock price and longer term damages to the company’s brand and reputation.
- Target: Target
Forty million credit cards and 70 million other records, including customers’ email addresses and phone numbers, were compromised after credentials were stolen from an HVAC firm that did business with Target. The firm had remote access to Target’s network, and the attackers used this to install malware on Target’s point-of-sale payment systems. Experts estimate that the hackers sold the 1-3 million credit cards for $18-35 each, making $54 million from the heist.
Notable for: The devastating and very public impact to the company’s reputation, bottom line and senior management. The story made headline news around the globe. Profits for the quarter dropped 46%. The company spent a minimum of $148 million in direct, breach related costs. Credit card companies paid $200 million to replace 21 million compromised cards (according to the Consumer Bankers Association and the Credit Union National Association). Both the CTO and CEO were summoned to testify before Congress about the breach. Both also resigned.
For Profit Attacks – Spear Phishing – Wire Fraud
- Target: Ubiquiti Networks
The company lost $46.7 million due to CEO spoofing (also known as the “business email compromise”), in which the attacker impersonates a ranking executive via email and authorizes a wire transfer to an account owned by the attacker. Ubiquiti later tracked down and recovered $8.1 million through legal actions in various countries. The Chief Accounting Officer resigned.
Notable for: The largest known case of wire fraud from spear phishing to date.
State-Sponsored Attacks – Businesses
- Target: Anthem (Blue Cross)
Industry: Health Care
Eighty million records were stolen from the country’s second largest health insurer, including social security numbers and patient records – both valuable, high-priority assets for attackers. While credit card numbers sell for $0.50-$1 each in underground markets, social security numbers, which can be used for tax return fraud or other forms of identity theft, may sell for as much as $30 each. Medical records can sell for $50-$100 each. The attack vector is unknown, but Anthem called it “a very sophisticated external cyberattack.”
Notable for: The attack has been widely attributed to state-sponsored hackers from China. Recent reports have concluded that the attack took place because the Chinese government wanted to understand how the U.S. healthcare system worked. Although the Chinese government was the prime suspect; later, Chinese officials arrested civilian hackers.
- Target: Sony Pictures Entertainment
Internal documents, financial records, unreleased motion pictures, and private, revealing emails were leaked by what were believed to be North Korean state-sponsored actors upset by the release of The Interview, a movie which depicts the assassination of North Korean leader Kim Jong-un. Employees’ personal information and 47,000 social security numbers were also stolen, and malware was used to cripple Sony’s network. Access was obtained with a combination of spear phishing using fake Apple ID verification, public LinkedIn information, and users using the same password for multiple accounts.
Notable for: Hundreds of theaters refused to show the film, limiting its release to a small number of theaters and online video rental services.
One of the company’s chairmen resigned. Employees filed a class action lawsuit seeking damages for the loss of their privacy.
- Target: ThyssenKrupp
A Russian group, responsible for several other high-profile attacks and believed to be a state-sponsored actor, used spear phishing emails to collect credentials, gain access to a trusted network, and overheat a blast furnace at a steel mill in Germany, causing significant physical damage. Experts believe a second ThyssenKrupp plant in Brazil may also have been attacked.
Notable for: one of the earliest known cyber attacks that successfully crippled infrastructure.
State-Sponsored Attacks – Governments
- Target: Office of Personnel Management (OPM)
More than 21 million U.S. federal employees had their personnel files exposed, including many with high level security clearances. Many reports attributed the attack to state-sponsored hackers connected to the Chinese government. China denies the charges but in late 2015 announced it had arrested some of (allegedly) “civilian” hackers. In addition to personnel files, copies of more than 5 million employees’ fingerprints on file were also stolen.
Notable for: Exposing the Office of Personnel Management’s weak cybersecurity practices. The head of the agency, a political appointee, was summoned to testify before Congress and subsequently resigned from her position. In addition, American spies operating in China were forced to abandon their posts, after their covers were blown from the hack.
- Target: White House, State Department, the Pentagon and the Joint Chiefs of Staff
In the fall of 2014, Russian actors, possibly state-sponsored, used spear phishing to obtain access into the State Department and from there leapfrogged into an unclassified, but still sensitive, White House system that gave Russian actors access to email sent to and from President Obama. This forced a partial shutdown of the White House email system and caused further disruption of the State Department email system.
In the summer of 2015, in a similar intrusion Russian actors used spear phishing to obtain access to an email system used by the Pentagon’s Joint Staff, forcing it to be taken offline and “cleansed.” The intrusion enabled the attackers to see unclassified emails of the Joint Chiefs of Staff. The attack on the Joint Chiefs and the Joint Staff caused the Defense Dept. to shut down email service for 10 days, affecting 4,000 employees.
Notable for: Both attacks are being investigated by the FBI and Secret Service, and are considered by officials to be among the most sophisticated attacks ever launched against U.S. government systems.