/rhetsec_

/other_writing

/visaudio

/eva

spearphishing


The spearphishing analysis focuses on two types of spearphishing: general and extortion. A spearphishing email can be a bulk email, a clone, malspam, or a personal solicitation, so my focus is more on specific examples rather than a general category, as the language changes based on the type of attack.

# what is spearphishing?

Spearphishing is a sophisticated phishing attack that combines social engineering, publicly available data, and personalized emails phishers use to target their victims by giving them information, credentials, or financial gain. It gets its name due to the targeted nature of the attack, with these emails having had the time spent on them to target individuals. Much like bulk email, these attacks rely on existing business relationships to be successful. Spearphishing can include vishing (voice phishing) and smishing (SMS-phishing).

A subset of this type of attack is called whaling. As the name implies, it is a spearphishing attack aimed at bigger fish - high-level executives - which is incredibly effective as they often do not take part in security awareness training with their employees. A great example is the Podesta email phish responsible for Colin Powell's email leaks. Suppose you're curious about how the Podesta email worked. In that case, I cover the phish in great detail here. I am using two genres for the spearphishing category: a general (and typical) spearphish and extortion - dubbed "sextortion" in the media. While each function differently, they still use the same phishing mechanisms to capture victims' information, deposit a payload, or compromise them financially.

# general spearphishing

Spearphishing generally behaves like an email from someone within one organization to another. Usually, it's an attempt to mimic existing business relationships using email templates from companies such as eBay, Apple, Facebook, or other commonly used platforms. This type of data can come from a company's compromised database and leaked or publicly available data such as usernames and profiles or gathered through social engineering tactics. Spearphishing attacks generally create their ethos with company names/logos, spoofing email addresses to match the organizations, or outright cloning business communications.

The author's method of displaying ethos varies depending on the method of attack, as spearphishing emails tend to follow the conventions of the "genre" they are using or impersonating. For instance, a spearphishing clone email looks like a receipt for a purchase or a compromised account alert. In contrast, other spearphishing attempts can look more like a document from HR or a giveaway announcement inside a specific community.

# [s]extortion

A spearphishing type that deserves more attention is extortion scams, specifically "sextortion" scams. These typically imply that the victim has been caught using illegal forms of pornography (such as child or animal pornography,) masturbating while at work, or has incriminating pictures or videos of themselves engaging in sexual acts. These campaigns have been incredibly popular - and successful - in the last few years, causing financial and, unfortunately, physical and emotional damage. They've made the rounds recently in 2018 and 2019 with a series of sextortion bitcoin scams designed to scare people into giving the phishers money. In this phishing scam, attackers put emails and their old connected passwords from data breaches leaked onto the internet into these emails to catch the victim's attention. As you would expect from an extortion-based scam, they rely on an immediate emotional response to work. The fear of the unknown regarding what a hacker can do, plus the cultural aspect of shame and guilt in regards to pornography usage, is what I think makes these particular extortion spearphishing campaigns so successful.

Phishers state the emails are sent from a fake or unmonitored email, cutting off the victim from any possibility of contact outside of a Bitcoin (BTC) address. The phisher's identity is now constructed as a hacker who put a virus on a pornography website. Their credibility is enhanced further by showing an old password used for that email, most likely obtained through a data leak/breach. The discussion of RAT/trojans and how the email is spoofed is an example of "in" language that phishers use to complicate, create fear, and obfuscate the situation that it's just a phishing email, and none of this is true. They also use threatening language and emotional manipulation, with threats to ruin the victim's life and financial extortion to prevent video leaks. Plus, since Hackers Love Crypto™, the mention of a Bitcoin wallet only further adds to that image of the all-powerful and elusive hacker, dangling their unfortunate, helpless victim by a digital thread, ready to end their life in a simple click. You're the entertainment, and this hacker isn't afraid to cause you hell in exchange for some coin.

Sextortion scams have a lot of underlying assumptions at play to be effective. These attacks assume the user uses porn sites, especially those that may be considered risqué or illegal depending on how you interpret the phrase "young Teens." (The last time you visited a erotic [sic] website with young Teens [...] You are very perverted!) I did some digging around and found an article from MalwareBytes that discusses the recent wave of sextortion scams from February 2019, and what struck me most was not the content but the user comments.

Across the board, it seems as if these are "missing their mark," with people generally reporting across the board how funny or misplaced they were for contacting them in the first place due to not using porn or having a webcam. What these emails fail to consider is that perhaps the user doesn't use pornography at all, or that they may reject camera interfaces on their computers by either covering, disabling, or removing them entirely. The number of people who refuse camera interfaces or don't use pornography is probably minimal. The sample size from a comments section on a security blog certainly isn't a valid metric to apply for a general analysis. Still, I'm guessing the non-porn or security-conscious folks were not a consideration to the phisher as these emails have been relatively financially successful, with one BTC address used in this phishing campaign receiving .28 BTC (around $2300 USD) in one week. There's a market for these emails, or they wouldn't keep going around every so often.

# final thoughts

Spearphishing emails operate as a personalized version of general phishing emails and can vary greatly depending on the form taken. Since the "spear" implied a targeted attack, any email personally addressed (as opposed to a bulk mailing) is considered a spearphish. These aren't always individually written and may be compiled and auto-generated based on the database of leaked user data. But measures are taken to make them feel personal, which is the dangerous aspect of spearphishing. Because these emails take a little more effort from the phisher to pull off successfully, chances are they're more put together and less easy to spot. After all, if you invest your time in creating a dossier on a victim, you might as well do it right the first time.


Thanks for reading my thesis! If you'd like to look at the email corpus or my references, feel free. Otherwise, you're done. 🎉

Please let me know your thoughts or if you'd like to work together on security research. I plan on working on additional attack vectors and mitigation strategies in the future and would be happy to collab.

Activate Windows
Go to Settings to activate Windows.