The document outlines a methodology for spear phishing testing, aimed at assessing an organization's vulnerability to social engineering attacks. It details the nuances of spear phishing, emphasizing the importance of impersonating authoritative figures and manipulating trust to extract confidential information. The methodology includes stages such as identifying targets, establishing trust, stressing urgency, and employing innovative techniques to gather sensitive data.

1. SPEAR PHISHING TESTING
METHODOLOGY
From
An article on our Spear Phishing Testing Methodology which can be used in social
engineering exercise to determine organization wide susceptibility to an APT style
attack.

2. Spear Phishing Testing and
Methodology
Confidential  Network Intelligence (India) Pvt. Ltd. Page 2 of 6
Document Tracker
Author Version Summary of Changes
Manasdeep September 2012 Document Created

3. Spear Phishing Testing and
Methodology
Confidential  Network Intelligence (India) Pvt. Ltd. Page 3 of 6
Contents
1. Introduction .............................................................................................................................. 4
2. Methodology for Spear Phishing Testing:................................................................................... 5

4. Spear Phishing Testing and
Methodology
Confidential  Network Intelligence (India) Pvt. Ltd. Page 4 of 6
1. INTRODUCTION
Spear phishing is an e-mail spoofing fraud attempt that targeting an organization to
glean out confidential data and gain unauthorized access to organization's confidential
data or internal network. Attacker may be motivated to carry confidential internal
information to seek out financial gain, trade secrets or proprietary information.
The emails sent to internal employees in spear phishing attempt appear to originate
from a high ranking authoritative source positioned in the company. It is purposefully
done so that very few people will question the intent regarding this request and readily
provide the "supposed authority" with the requested details.
Necessary factors for successful spear phishing attack:
a. A known trusted "highly placed" authoritative figure in organization
b. The message must complement the context in what is being said and the
contained information supplements its validity
c. The recipient can draw a "firm need" or a logical reason for the request made by
sender.
Popular Techniques used for the Spear Phishing attack comprise of mixture of social
engineering, client side attacks, and requests via social networking sites etc.

5. Spear Phishing Testing and
Methodology
Confidential  Network Intelligence (India) Pvt. Ltd. Page 5 of 6
2. METHODOLOGY FOR SPEAR PHISHING TESTING:
a. Identify targets
We identify our target audience which can easily be convinced into believing our
story. To know about their mode of working we can interact frequently with
helpdesk employees, security guards etc. which are frequently involved in front-
line customer interaction. We can use this gathered information to construct our
fake impersonated identity handle to do spear phishing.
b. Planning and Using Pretexts:
While selecting your pretext background it is imperative to consider a few key
questions:
 What problem am I trying to solve?
 What questions am I trying to answer?
 What information do I seek?
 The nature of the person whom we will be contacting
One of attacker’s goals in pre-texting is to bring the target to logical conclusion,
to do that we must anticipate their attitudes to be spontaneous enough to lead
them down the path we want.
c. Establishing Trust:
The attacker smartly walks through his way to the perimeter defence of "human
trust" by impersonating as well known authoritative high ranking personnel
requesting confidential details. For e.g.
“Hi, This is your system admin from mail server. We recently discovered that your mail was sending mail bounces. As per
corporate policy, your mail address has been temporarily blocked for 48 hrs. Please reply with your user name and
password by logging on ww.thisfakesite.com for verifying your account and saving it from getting blocked. “
d. Stresses the "need":
The attacker now presses the urgency of the action required on part to be done
by the user. He crafts the message accordingly which supports the context
making it to appear genuine in eyes of victim. For e.g.
“If you don’t activate your account by clicking this link within 48 hour deadline, as per corporate policy, your mail address will
be permanently blocked and you will lose all your files and mails stored on the mail server.“
e. Convincing user:
The attacker now has convinced user to take action to carry out the necessary
action required to access the organization network. He gets friendly with user to
assist him for revealing more sensitive details about the organization. For e.g.
“Thank you for your prompt and timely action. Unfortunately, I was unable to recover 2 mails belonging to your department.
Please use the recovery backup website to login with your department credentials. Once you are logged in, your mails will
be immediately restored. Thanks for your cooperation. Have a great day  !!

6. Spear Phishing Testing and
Methodology
Confidential  Network Intelligence (India) Pvt. Ltd. Page 6 of 6
f. Newer ways to get information:
Attacker utilizes innovative tools, techniques and social interaction ways to
ultimately obtain access in organization through various avenues. A good
attacker doesn't uses the same trick repeatedly for long to evade detection which
rules out consistency behaviour patterns emerging from the analyst point of
view.
g. Buffer periods:
To iron out any possibility of any alarm raised due to emerging patterns of
attempts, a buffer period of 1-2 weeks is usually taken to break the pattern chain.
Popular Phishing Tools Used:
 SET (Social Engineering Toolkit)
 Super Phisher Creator
 Manual mass mailing via any mass mail solution