By cutting the cost (research and execution time) of spear phishing, cyber criminals will not only blur the lines of phishing and spear phishing, they will build mass spear phishing campaigns that hyper target thousands of victims at a time. Wuvavi Employee Cybersecurity.
1. How Hackers Hyper Target Phishing Emails by cutting the cost of spear phishing
2. Spear phishing is a targeted cyber attack that uses custom-tailored information to increase the likelihood that a victim performs the requested action.
3. Spear phishing is not to be confused with phishing, which is typically a more generic cyber attack against a large number of people. The bad guys send generic phishing emails in the hope of converting just a small percentage of the group.
4. If Phishing is a Shotgun, Spear Phishing is a Sniper Rifle.
5. Phishing is a numbers game. It used to be easy to identify.
6. In the 90s, they were Nigerian Prince emails offering to share their riches.
9. Today, phishing emails are more sophisticated. For example, cyber criminals know that millions of people use Amazon, PayPal, and Google, so by mimicking these sites they can increase the likelihood of a successful attack.
10. Take this one for example. It looks like an email from Amazon, and most people would click on it.
11. How can you check if it's a legitimate email or a phishing attack?
Check the sender to see if it's actually coming from who you think it should be.
Hover over links to see if they are directing you to where you expect.
12. There’s one more big clue on this email. Can you see it?
The smile is backwards. Come on!
These emails were designed from real world attacks by Wuvavi. They let you simulate phishing attacks in your company and train employees to identify phishing emails.
13. Phishing emails are typically generic, like the one I just shared. Spear phishing emails are more targeted. Cyber criminals target a specific person, often a CEO or CFO, and use information obtained from social channels to increase trust with their targets.
14. For example, I could see from my target's Facebook that they have a son named Noah, a wife, and a dog named Fido. The family is on vacation and just posted pictures.
So I could create an account - john.doe@yahoo.com - so it looks like the CEO's email.
15. Then, send their business partner this email...
Hey Sherry. We're having a great time with the family on vacation. Here's a picture of little Noah, Fido, and my wife. I'm making a stop at a customer's on our way back, but I don't have my credit card to book. Can you wire transfer $7,000 to my account xxxxxxx?
Would your partner, CFO, or colleague fall for this?
16. There's a cost to this for the attacker: the time to identify their targets, monitor them for an opportunity, and then execute the attack. Compared to regular mass phishing, it's quite expensive.
17. Now, what if an attacker could reduce the cost of spear phishing?
18. Meaning, they spend less time identifying good prospects, less time monitoring their social media channels, and less time executing.
19. Well, they could unleash a hell of an attack on a large number of people. "Hell of an attack" is the technical term for a hyper targeted mass phishing campaign.
20. This is happening now. Have you heard of the shame scam where bad guys claim they've recorded you watching porn from your webcam?
You can read about it in detail below.
https://wuvavi.com/2018/07/17/shame-scammer-claim-theyve-filmed-you-watching-porn-from-webcam/
21. The email starts with
I will cut to the chase. I am aware your password is Fluffy1234. I also know your secret but you do not know me….I
installed a malware on the adult vids you visited to experience fun. While you were watching the videos, your internet
browser began operating as an RDP with a keylogger that gave me access to your webcam.
The bad guys include your username and password to show they mean business: it builds trust that they are telling the truth, and fear that they have actually done what they claim.
22. Cyber criminals have scraped usernames and passwords from a previous data breach, and they are now using that to shame scam people into paying a ransom.
In reality, it’s believed that no one has been recorded.
23. Effectively, they've cut the cost of spear phishing, and found a way to spear phish the masses with a hyper targeted email.
24. What's next? I believe these mass spear phishing campaigns will be on the rise.
25. What can you do about it?
Care more, share less on social media.
Make good passwords, and change them regularly.
Do not click links in emails.
Provide employee cybersecurity training to raise employee awareness (wuvavi.com).
26. About Me
Jon Santavy is the CEO of Wuvavi (www.wuvavi.com) – the world's leading employee cybersecurity awareness platform for small and medium-sized businesses. Through innovative training, simulated phishing attacks, and the right analytics, Wuvavi customers reduce their employee-related cybersecurity risks. Wuvavi's goal is to create a culture of awareness in every organization.