How do you catch email scammers


Phishing has been a hot topic in IT security for years, and it remains a major problem today. While "ordinary" phishing has long been a standard tool of cybercriminals, a newer and more sophisticated variant has established itself alongside it: so-called spear phishing. How spear phishing works and how you can protect yourself against it are among the questions this article answers.

Spear phishing: definition

Spear phishing is the practice of sending fraudulent emails aimed at specific individuals or organizations in order to gain unauthorized access to confidential information. The term comes from spear fishing: unlike the bait that conventional phishing throws out at random to a wide range of potential victims, a spear phishing attack is highly targeted. It picks one victim and pierces their defenses, like a spear.

Although these attacks are less widespread than generic phishing because of their higher complexity and cost, the trend is clearly upward: according to a Proofpoint study, 88 percent of the companies surveyed worldwide reported being targeted by at least one spear phishing attack in 2019.

Spear Phishing Attacks: Who Is Behind It?

Spear phishing campaigns are launched by a wide variety of actors. The client may be a competing company, or it may be cybercriminals who have identified the victim as particularly lucrative. Cybercriminals may also act on behalf of a direct competitor, for example one that benefits when a company can no longer offer certain services, or when sensitive information such as patents, new product plans, source code, or simply contracts and business data is leaked.

A customer list alone can be worth a fortune, and therefore worth the cost of such a campaign. Such campaigns can of course also be launched by governments, their intelligence services, or other state agencies for the purpose of espionage.

As already indicated, much depends on what kind of company or institution the victim is. Ultimately, either the client determines the value of the information, or the criminal group sets the value of the stolen data through the ransom it demands. It is important to note that the amounts do not always have to be high, because the affected employee or their head of department may try to cover up the incident.

So it does not always have to run into the millions. If the value of stolen data is unknown, it can quickly be established through blackmail or by offering the data on the relevant marketplaces. A data set that a victim buys back quickly and without fuss evidently has value, so a follow-up blackmail attempt may well follow. Data is also readily sold to the highest bidder.

The tools and services for such campaigns are traded in the cyber underground as crime-as-a-service (CaaS). Typical offerings and price points:

  1. Botnets
    A network of computers infected with malware that cybercriminals can control without the users' knowledge. In the cyber underground, would-be hackers can buy access to already infected computers, often as an entire network. Botnet infrastructure can be "rented" from around 100 dollars per month; a complete, ready-to-use system costs around 7,000 dollars.
  2. Browser exploit packs
    Combined with a botnet framework, browser exploit packs (BEPs) let their buyers distribute ransomware or other malware at scale. Like any advanced malware, BEPs have built-in modules for obfuscation, optimization and management of the criminal operation. A complete BEP package costs between 3,000 and 7,000 dollars on the underground market.
  3. Phishing toolkits
    Criminal hackers who want to attack a particular group, or simply ordinary users, can buy ready-made SMTP servers, scam websites or high-quality mailing lists in the CaaS market, and cheaply: between 15 and 40 dollars. Also popular is the combination with "weaponized documents", i.e. files that look like Word documents or PowerPoint presentations at first glance but contain malicious code that exploits known and unknown vulnerabilities in Office to install malware on the user's computer. Depending on the criminals' purpose, this may be ransomware or a remote access toolkit. Such an Office exploit costs between 2,000 and 5,000 dollars.
  4. Ransomware
    The family of extortion malware is currently one of the most popular hacking tools in the cyber underground. This type of malware can be built at very different levels of complexity and cause devastating follow-up costs. According to research by Trend Micro, a customizable crypto-locker is available from around 50 dollars. However, many ransomware providers also charge a "commission" based on the damage caused, usually around ten percent.

Spear Phishing Emails: Structure

Spear phishing emails are very similar to ordinary phishing emails: they have a subject line that triggers an emotional reaction in the victim. Unlike regular phishing emails, however, spear phishing emails are personalized. The attackers therefore invest a lot of time in advance in what is known as social engineering.

The attackers collect as much information as possible about the company and, much like profilers, build profiles of various employees in order to find the one who will get them to their goal as quickly as possible and with as little risk as necessary. That person's preferences, family, friends and business partners are analyzed so that the email can be made as effective as possible. The attackers then try to win the employee's trust.

The email must therefore address a topic that the victim finds interesting or that puts them in an emotional state. The content must be structured logically, and the link to the malicious website must be embedded in such a way that the recipient does not question it but clicks on it impulsively. Instead of a link, an attachment can also carry the malware. MS Office files from Excel, Word or PowerPoint are particularly suitable, but image files and PDFs are also popular.

Spear Phishing: Precautions Against Email Fraud

There are a number of security measures companies can take to protect themselves, their employees and their email accounts against spear phishing. It is usually advisable to combine organizational and technical measures.

  • Security awareness training: The first and sometimes most important line of defense of an organization is its employees. Since a phishing attack only succeeds if an employee acts on the message, trained and attentive staff are central to preventing it.

  • Endpoint security solutions: Another way to protect against spear phishing is software that protects the individual devices in the network. Antivirus programs and endpoint security solutions can automatically block malware hidden in attachments and links.

Incident Response

A spear phishing email can reach an incident response team for further analysis in several ways. In some cases a message is intercepted automatically because of suspicious indicators and never reaches the recipient at all, landing directly on the security analyst's screen. This is the best case, because the risk of an actual malware infection is zero.

However, because spear phishing attacks are far more sophisticated than ordinary phishing, the messages look very legitimate and are often not caught by the system. This leads to the next possibility: the email actually lands in the intended recipient's mailbox. Now it comes down to the individual who finds the message. A cautious employee who has, ideally, been trained in security awareness may recognize the message as suspicious and forward it to the organization's IT security team. Finally, there is the case that most likely poses a serious threat: a user who actually fell for the attempt and opened a malicious attachment or clicked a malicious link.


Analysis usually starts either as part of the incident response process or in the Security Operations Center (SOC), when a security solution flags a threat and forwards the message to the SOC for further investigation.

The analysis always follows the same pattern: an expert examines the email and then decides whether it really is a phishing email or a false positive. The message is checked for indicators of compromise (IoCs), including any attachments. Sandboxing tools, to which the attachment is submitted for detonation, are used for this, alongside other tools for investigating the message itself. The goal is always the same decision: spear phishing or not? If the attack is confirmed, IoCs such as URLs, email addresses and IP addresses are fed into the organization's security sensors and blocklists to prevent further attacks.
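As an added example of that triage step (not code from the original article or any vendor's product), the following Python script parses one constructed spear phishing email with the standard library and pulls out the indicators an analyst checks first: the relay IP addresses from the Received headers, a Reply-To address whose domain does not match the sender, links whose visible text is a URL on a different domain than the real href, and the attachment's name, size and SHA-256 hash (the value you would submit to a sandbox or look up in a threat database). All domains, addresses and names in the sample are made up (RFC 5737 documentation addresses, example.* domains), and the scoring weights and threshold are a simple assumption, not a standard.

```python
import email
import hashlib
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: hypothetical domains, an RFC 5737 relay address,
# and a ten-byte placeholder attachment (a ZIP header, as .docm files are ZIPs).
SAMPLE_EML = b"""Received: from mail.example-partner.net (mail.example-partner.net [203.0.113.45])
 by mx.corp.example (Postfix) with ESMTPS id 4ABC12
 for <m.keller@corp.example>; Mon, 2 Mar 2020 08:12:01 +0100
From: "Thomas Berger" <t.berger@example-partner.net>
Reply-To: t.berger@example-partner-net.co
To: m.keller@corp.example
Subject: Revised Q2 contract - please approve today
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Hi Martin, as discussed on Friday the revised contract is ready.</p>
<p><a href="http://example-partner-net.co/docs/view.php?id=8812">https://portal.example-partner.net/contracts</a></p>
--b1
Content-Type: application/octet-stream; name="Contract_Q2.docm"
Content-Disposition: attachment; filename="Contract_Q2.docm"
Content-Transfer-Encoding: base64

UEsDBBQAAAAIAA==
--b1--
"""

# Extensions that can carry macros or scripts (assumption used for scoring).
RISKY_EXTENSIONS = (".docm", ".xlsm", ".pptm", ".doc", ".xls", ".ppt", ".js", ".vbs", ".exe", ".iso")


class _LinkParser(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _registered_domain(url):
    """Last two host labels: a naive stand-in for a public-suffix-list lookup."""
    host = (urlparse(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def extract_indicators(raw):
    """Parse one raw RFC 5322 message and return its IoCs plus a triage score."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1].lower()
    # Reply-To on a different domain than From: the conversation is being redirected.
    reply_to_mismatch = bool(reply_to) and reply_to.rsplit("@", 1)[-1] != sender.rsplit("@", 1)[-1]

    relay_ips = []
    for hdr in msg.get_all("Received", []):
        relay_ips += re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", str(hdr))

    links, attachments = [], []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            data = part.get_payload(decode=True) or b""
            name = part.get_filename() or ""
            attachments.append({
                "filename": name,
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),  # for the sandbox / TI lookup
                "risky_type": name.lower().endswith(RISKY_EXTENSIONS),
            })
        elif part.get_content_type() == "text/html":
            parser = _LinkParser()
            parser.feed(part.get_content())
            links += parser.links

    # Visible text is a URL, but the real target lives on another domain.
    deceptive_links = [(href, text) for href, text in links
                       if text.lower().startswith(("http://", "https://"))
                       and _registered_domain(text) != _registered_domain(href)]

    score = (2 * reply_to_mismatch + 3 * len(deceptive_links)
             + 3 * sum(a["risky_type"] for a in attachments)
             + sum(href.lower().startswith("http://") for href, _ in links))
    return {"from": sender, "reply_to": reply_to, "reply_to_mismatch": reply_to_mismatch,
            "relay_ips": relay_ips, "links": links, "deceptive_links": deceptive_links,
            "attachments": attachments, "score": score,
            "verdict": "escalate" if score >= 3 else "likely benign"}  # threshold: assumption


if __name__ == "__main__":
    print(extract_indicators(SAMPLE_EML))
```

Run against a real .eml, the `relay_ips`, `deceptive_links` hrefs and attachment `sha256` are exactly the values that go to the sandbox, the threat database and the blocklists; the score only decides whether a human looks at the message next.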

For many companies a simple yes/no verdict is not enough. They want a more in-depth analysis of spear phishing incidents from which further information can be drawn. Interesting questions include: is it a single email sent to one person, or is the whole company part of a larger campaign? Such campaigns can span national and company borders.

Victimology examines who belongs to the victim group: is only a single person affected, a team, the whole company, or is the attack part of a campaign that affects several organizations in the same industry?

Threat intelligence

Given the targeted nature of spear phishing, a threat intelligence-based approach can help. Spear phishing emails contain a wealth of hidden clues, so-called IoCs (indicators of compromise), with which the attackers' methods can be tracked and understood. By extracting and analyzing this information, analysts learn what to look for in order to identify other users who may have fallen for the same trick.

With this evidence, analysts can draw connections between several spear phishing messages, for example to determine whether the attack is part of a larger, possibly still ongoing campaign. Recognizing the same malware samples across different fraud campaigns and attributing them to attacker profiles and their intentions improves how quickly security teams can respond.
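To make the correlation step and the victimology question from the previous section concrete, here is an added Python example (not from the article or any vendor's product). It takes triage records for several reported messages, links any two messages that share a pivotable IoC (sender domain, relay IP, link domain or attachment hash) with a union-find pass, and reports for each resulting campaign the shared IoCs, which are what gets pushed to the sensors, and the victim scope: single person, team, company-wide or multi-organization. The records, domains, RFC 5737 IP addresses and hash values are constructed placeholders, and the record fields are an assumed output format of a triage step, not a standard.

```python
from collections import defaultdict

# Constructed triage records: hypothetical output of an email triage step.
# Domains, IPs and the "hash-A" attachment digest are placeholders.
MESSAGES = [
    {"id": "m1", "recipient": "m.keller@corp.example", "org": "corp.example", "team": "finance",
     "sender_domain": "example-partner-net.co", "relay_ip": "203.0.113.45",
     "link_domain": "example-partner-net.co", "attachment_sha256": "hash-A"},
    {"id": "m2", "recipient": "s.huber@corp.example", "org": "corp.example", "team": "finance",
     "sender_domain": "example-partner-net.co", "relay_ip": "203.0.113.46",
     "link_domain": "example-partner-net.co", "attachment_sha256": None},
    {"id": "m3", "recipient": "j.wolf@other-firm.example", "org": "other-firm.example", "team": "legal",
     "sender_domain": "docs-share.example", "relay_ip": "203.0.113.45",
     "link_domain": "docs-share.example", "attachment_sha256": "hash-A"},
    {"id": "m4", "recipient": "a.braun@corp.example", "org": "corp.example", "team": "hr",
     "sender_domain": "payroll-update.example", "relay_ip": "198.51.100.7",
     "link_domain": "payroll-update.example", "attachment_sha256": None},
]

# Fields whose equal values count as shared attacker infrastructure or tooling.
PIVOT_FIELDS = ("sender_domain", "relay_ip", "link_domain", "attachment_sha256")


def _find(parent, x):
    """Union-find root lookup with path halving."""
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x


def victim_scope(members):
    """Victimology: how wide is the group of targeted recipients?"""
    orgs = {m["org"] for m in members}
    teams = {(m["org"], m["team"]) for m in members}
    people = {m["recipient"] for m in members}
    if len(orgs) > 1:
        return "multi-organization campaign"
    if len(teams) > 1:
        return "company-wide"
    if len(people) > 1:
        return "team"
    return "single person"


def cluster_campaigns(messages):
    """Group messages that share at least one pivot IoC into campaigns."""
    parent = {m["id"]: m["id"] for m in messages}
    index = defaultdict(list)            # (field, value) -> ids carrying that value
    for m in messages:
        for field in PIVOT_FIELDS:
            if m.get(field):
                index[(field, m[field])].append(m["id"])
    for ids in index.values():           # same IoC value => same campaign (transitively)
        for other in ids[1:]:
            parent[_find(parent, other)] = _find(parent, ids[0])
    clusters = defaultdict(list)
    for m in messages:
        clusters[_find(parent, m["id"])].append(m)
    campaigns = []
    for members in clusters.values():
        ids = {m["id"] for m in members}
        shared = sorted(key for key, carriers in index.items()
                        if len(carriers) > 1 and carriers[0] in ids)
        campaigns.append({"messages": sorted(ids),
                          "shared_iocs": shared,       # what goes to the blocklists
                          "scope": victim_scope(members)})
    return sorted(campaigns, key=lambda c: c["messages"])


if __name__ == "__main__":
    for campaign in cluster_campaigns(MESSAGES):
        print(campaign)
```

In the sample, m1 and m2 share the sender and link domain, while m1 and m3 share a relay IP and an attachment hash, so all three end up in one campaign spanning two organizations even though m2 and m3 have no IoC in common; m4 stays a single-person incident. The pivot fields are deliberately strong indicators; correlating on weak ones such as a subject keyword would merge unrelated reports.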

The challenge with threat intelligence, however, is handling the immense volume of data and information. A threat intelligence platform can help by automatically correlating and evaluating various sources of threat information, so-called threat intelligence feeds. A threat database is populated via these feeds with information about current threats from providers such as Google and MITRE. This intelligence describes attacker groups, what they do, which tools they use, how those tools are characterized and what the attackers' goals are. From this, ways to defend against these attacks can finally be derived. (bw / fm)