The spearphishing analysis focuses on two types of spearphishing: general and extortion. A spearphishing email can be a bulk email, a clone, malspam, or a personal solicitation, so my focus is on specific examples rather than a general category, as the language changes based on the type of attack.
Spearphishing is a sophisticated phishing attack that combines social engineering, publicly available data, and personalized emails to lure targeted victims into handing over information, credentials, or money. It gets its name from the targeted nature of the attack: time has been spent tailoring these emails to specific individuals. Much like bulk email, these attacks rely on existing business relationships in order to be successful. Spearphishing can also take the form of vishing (voice phishing) and smishing (SMS phishing), but those are outside the scope of this specific project.
A subset of this type of attack is called whaling. As the name implies, it is a type of spearphishing attack aimed at bigger fish - high-level executives - and it is incredibly effective because executives often do not take part in security awareness training alongside their employees. A great example of this is the Podesta email phish, the same campaign responsible for Colin Powell's email leaks. If you're curious about how the Podesta email worked, I cover the phish in great detail here. I am using two types of examples for the spearphishing category: a general (and typical) spearphish and extortion - dubbed "sextortion" in the media. While each of these functions differently, they still use the same phishing mechanisms to capture victims' information, deposit a payload, or compromise them financially.
Spearphishing generally behaves as if it's an email from one person within an organization to another. Usually, it's an attempt to mimic existing business relationships using email templates from companies such as eBay, Apple, Facebook, or other commonly used platforms. The data used to personalize these emails can come from a company's database that has been compromised and leaked, from publicly available data such as usernames and profiles, or from social engineering tactics. Spearphishing attacks generally create their ethos with company names and logos, spoofed email addresses that match the organization, or outright cloned business communications.
How the author displays ethos varies depending on what they're doing. For instance, a spearphishing clone email looks like a receipt for a purchase or a compromised-account alert, whereas other spearphishing attempts can look more like a document from HR or a giveaway announcement inside a specific community. Most of the time, spearphishing emails follow the conventions of the "genre" they are using or impersonating.
A spearphishing type that deserves a bit more attention is the extortion scam, specifically the "sextortion" scam. These typically claim that the victim has been caught using illegal forms of pornography (such as child or animal pornography), masturbating while at work, or that the sender holds incriminating pictures or videos of the victim engaging in sexual acts. These campaigns have been incredibly popular - and successful - in the last few years, causing damage both financially and, unfortunately, physically. They made the rounds in 2018 and 2019 with a series of sextortion bitcoin scams designed to scare people into giving the phishers money. In this scam specifically, email addresses and the old passwords associated with them, taken from data breaches leaked onto the internet, were inserted into the emails to catch the victim's attention. As you would expect from an extortion-based scam, they rely on an immediate emotional response to work. The fear of the unknown regarding what a hacker can do, plus the cultural shame and guilt around pornography use, is what I think makes these particular extortion spearphishing campaigns so successful.
The phisher states that the email was sent from a fake or unmonitored address, cutting the victim off from any possibility of contact outside of a Bitcoin (BTC) address. The phisher's identity is now constructed as a hacker who put a virus on a pornography website. Their credibility is enhanced further by showing an old password used for that email account, most likely obtained through a data leak or breach. The discussion of RATs/trojans and of how the email was spoofed is an example of "in" language used to complicate the situation, create fear, and obscure the fact that it's just a phishing email and none of it is true. They also use threatening language and emotional manipulation, with threats to ruin the victim's life and financial extortion to prevent the video from leaking. Plus, since Hackers Love Crypto™, the mention of a Bitcoin wallet only adds to the image of the all-powerful and elusive hacker, dangling their unfortunate, helpless victim by a digital thread, ready to end their life with a simple click. You're the entertainment, and this hacker isn't afraid to cause you hell in exchange for some coin.
Sextortion scams have a lot of underlying assumptions at play to be effective. These attacks assume the user uses porn sites, especially those that may be considered risqué such as "young Teens." However, knowing these are for anyone whose data leaked in a breach, it's unsurprising they'd use something that "common" while still playing the shame card - "The last time you visited a erotic [sic] website with young Teens [...] You are very perverted!" I did some digging around and found an article from MalwareBytes that discusses the recent wave of sextortion scams from February 2019, and what struck me more was not the content but the user comments.
Across the board, it seems as if these are "missing their mark," with people generally reporting how funny or misplaced the emails were, since the recipients didn't use porn or didn't have a webcam. What these emails fail to consider, then, is that perhaps the user doesn't use pornography at all, or rejects camera interfaces on their computers by covering, disabling, or removing them entirely. I suppose the number of people who reject camera interfaces or don't use pornography is probably minimal, and the sample from a comments section on a security blog certainly isn't a valid metric for a general analysis. Still, I'm guessing the non-porn or security-conscious folks were not a consideration for the phisher. These emails have still been relatively successful financially, with one BTC address used in this campaign receiving 0.28 BTC (around $2300 USD) in one week. There's a market for these types of emails, or they wouldn't keep going around every so often.
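As an added defender-side example that is not part of the original analysis, the following Python scores a message on the stacked cues described above (the spoofed-sender claim, the leaked password, the RAT/trojan jargon, the webcam and porn references, the deadline and the Bitcoin wallet) so that the combination, rather than any single cue, flags the mail; it also pulls the wallet string out for blocking or reporting. The two sample messages, the password and the wallet address are constructed placeholders, and the weights and threshold are my own assumptions.

```python
import re

# Constructed sample messages, not real mail. The first carries the traits the
# analysis above describes: the "sent from your own address" claim, an old
# password, RAT/trojan jargon, a webcam/porn threat, a deadline and a BTC wallet.
SEXTORTION_SAMPLE = """Subject: I know your password is Summer2016!

As you can see, this email was sent from your own address, so replying is useless.
I installed a RAT (remote administration trojan) on an adult video site you visited.
Your webcam recorded you while you watched erotic videos and I also have your contacts.
Send 900 USD in bitcoin to 1FakeSextortionDemoAddrNotRea1xyzQ within 48 hours
or the recording goes to everyone you know.
"""
BENIGN_SAMPLE = """Subject: Password expiry reminder

Your password expires in 3 days. Reset it through the internal portal as usual.
"""

# (label, pattern, weight). The wallet pattern covers legacy base58 (1.../3...)
# and bech32 (bc1...) forms and is matched case-sensitively, since base58
# deliberately omits 0, O, I and l; the address in the sample is a placeholder.
INDICATORS = [
    ("btc_address", r"\b(?:bc1[a-z0-9]{25,39}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b", 3),
    ("password_lure", r"\b(?:your|old) password\b", 2),
    ("malware_jargon", r"\b(?:RAT|trojan|keylogger|malware|virus)\b", 2),
    ("self_spoof", r"\bfrom your own (?:address|account|email)\b", 1),
    ("webcam_threat", r"\b(?:web ?cam|camera|recording|recorded)\b", 1),
    ("porn_reference", r"\b(?:porn|adult|erotic|xxx)\b", 1),
    ("deadline", r"\b\d+\s*(?:hours?|days?)\b", 1),
    ("no_reply", r"\b(?:reply|replying|respond)\b.*\b(?:useless|pointless)\b", 1),
]
COMPILED = [
    (label, re.compile(pat, 0 if label == "btc_address" else re.IGNORECASE), w)
    for label, pat, w in INDICATORS
]

def score_message(text):
    """Return (score, matched_labels); labels come back in INDICATORS order."""
    matched = [label for label, rx, _ in COMPILED if rx.search(text)]
    return sum(w for label, _, w in COMPILED if label in matched), matched

def is_likely_sextortion(text, threshold=6):
    """A lone password reminder or deadline stays under the bar; the stacked
    combination the scam depends on does not."""
    return score_message(text)[0] >= threshold

def extract_btc_addresses(text):
    """Wallet strings to pivot on for blocking and reporting, independent of wording."""
    return COMPILED[0][1].findall(text)
```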
Spearphishing emails operate as a personalized version of general phishing emails and can vary greatly depending on the form they take. Since the "spear" implies a targeted attack, any email that is personally addressed (as opposed to a bulk mailing) is considered a spearphish. These aren't always individually written; they could be compiled and auto-generated from whatever database of leaked user data is available. But measures are taken to make them feel personal, and that is the dangerous aspect of spearphishing. Because these emails take a little more effort from the phisher to pull off successfully, chances are they're more put together and harder to spot. After all, if you're going to invest your time in creating a dossier on a victim, you might as well do it right the first time.