According to the FBI, victims are selected because of their involvement in an industry or organisation the attackers wish to compromise.
In an analysis of targeted attack data, collected between February and September 2012, Trend Micro found 91% of targeted attacks involved spear phishing.
The FBI warns that the emails typically contain accurate information about victims obtained via a previous intrusion or from data posted on social networking sites, blogs or other websites.
This information adds a veneer of legitimacy to the message, increasing the chances the victims will open the email and respond as directed.
Read more about spear phishing
- Study finds spear phishing at heart of most targeted attacks
- Spear phishing, manpower drive Chinese APTs, says researcher at RSA 2013
- Spear phishing attacks target defense contractors, security firms
- Spear phishing attacks likely key in U.S. Chamber of Commerce breach, experts say
- RSA discloses phishing-attack data breach details
Spear-phishing emails often lead victims to malicious web pages or compromised websites. These are used to launch drive-by downloads of malware without the victims’ knowledge.
Drive-by downloads are enabled by vulnerabilities in browsers, browser plug-ins and common applications such as Adobe Acrobat.
Once the victim’s machine is compromised, attackers can use it to gain access to the corporate network, steal intellectual property and compromise operational systems and/or financial assets.
Path of least resistance
“In the past, it was believed that proper user education would prevent phishing attacks. However, despite the significant time and resources invested in education programs, spear phishing attacks continue to be successful,” she wrote in a blog post.
Tamir believes the success is mainly due to the fact that attackers use information gained through social engineering to convince targeted users that the message is legitimate.
She also believes it is impossible to prevent enterprise users from opening email attachments or opening email links, since it is a routine part of their everyday activity.
“As long as our lives are dependent on online information, spear-phishing will remain a threat,” she wrote.
Trusteer advises that, to stop spear phishing attacks, organisations need to prevent drive-by downloads, protect enterprise credentials and block data theft.
However, training firm Phishme says technology alone is not the answer and claims the effectiveness of awareness training is validated by customer data.
“For example, 57% of one organisation’s users were susceptible to phishing emails, despite a long-standing security awareness training that included newsletters, security awareness events and a poster campaign,” said Scott Gréaux, vice-president of product management and services.
“Three months after the first PhishMe email, the proportion of susceptible users fell to 10%, and five months later, that was down to 3%.”
The organisations focused on that 3% and recorded a 75% improvement, with only 25% remaining susceptible.
“While it is impossible to achieve 100%, it is possible to reduce susceptibility and no security measure is 100% effective. Phishing awareness adds another layer to an organisation's defences,” said Gréaux.