Word Notes 5.2.23
Ep 146 | 5.2.23

spearphishing (noun)

Transcript

Rick Howard: The word is: spear phishing.

Rick Howard: Spelled: Spear for a specific target, and phishing for the act of compromising victims.

Rick Howard: Definition: A type of cyber attack where an attacker sends a targeted and personalized email or other form of communication to a specific individual or a small group of individuals with the intention of tricking them into divulging sensitive information, such as a password, or convincing them to click a malicious link that will enable the attacker to take control of the victim's machine.

Rick Howard: Example sentence: Kevin, the fry chef in the company cafeteria, became a victim to a spear phishing attack when he received an email that appeared to be from his boss requesting logging credentials to the electronic cash register.

Rick Howard: Origin and context: According to Russell Kay in the 19 January 2004 edition of Computerworld, hackers may have started using the word phishing in the alt.2600 hacker newsgroup in January of 1996, but the term also might have arrived earlier from the print journal 2600: The Hacker Quarterly. According to Kay, hackers used email lures to hook digital fish for their America Online passwords.

Rick Howard: They would blast phishing emails to everybody in the America Online pool to see who would bite. It's unclear when hackers sent the first spear phishing email to target a specific user or a small group of users, but according to Daniel Brecht at InfoSec online in 2015, people started to notice the attack technique when the news of the RSA Security company breach in 2011 became public. The attack where the Chinese military used a spear phishing attack to establish a beachhead inside RSA Security, that eventually allowed them to compromise the company's two-factor authentication token product.

Rick Howard: Nerd reference: In 2013, the McKinsey Institute asked Tim Richardson, the University of Toronto management professor, about the difference between phishing and spear phishing.

Tim Richardson: So most people have heard of phishing spelled P H I S H I N G. Uh, lemme just repeat, uh, why that slang word is, is used when you're actually standing on a dock and trying to fish. You can't see with laser vision where the fish actually are. So you cast your rod in the water, reel it back in, cast your rod in the water, reel it back in, et cetera. So that's why it's a slang word used to describe a situation where you send out spam email to thousands of thousands of people saying, dear xx bank customer. Please log into here because of a threat, et cetera, et cetera. They may or may not actually be a customer of that bank, but if you send out enough emails, you'll capture some people who are actually customers of the bank. Then if you have a large enough number, the percentage that will respond will be large enough that you could then engage them in some type of trickery to commit an identity theft.

Tim Richardson: But since so many people know about this, their percentage response rate is quite low. So what they're doing is spear phishing. Spear phishing is a slang expression to say, instead of sending out a spam email to tens of thousands of people about XX bank, they'll send an email specifically to John Smith at Roe Bank in Aurora because we know that you bought something at the new market store, et cetera, et cetera. And then please be aware of this opportunity. So log into the website before five o'clock today to check something, something, something. So those types of attacks are very successful because when people do receive that email, they say, well, this couldn't be a scam. It actually has my real name. It has something that I actually know I did, and there's a much higher response rate.

Tim Richardson: At the same time, these attacks are being done by people in a very select way. They can't contact tens of thousands and try to do follow up. They just contact a few people and then they work the situation. And these are with people that they get profile information about through social media. They find out some purchase that they did because they boast about it on Facebook or some other thing that they tweeted or they have a YouTube video talking about it. So the response rate is much, much higher. And they do this with high net worth individuals in order to be able to make a lot of money cuz it's easier to rob rich people than poor people.

Rick Howard: Word Notes is written by Tim Nodar, executive produced by Peter Kilpe and edited by John Petrik and me, Rick Howard. The mix, sound design, and original music have all been crafted by the ridiculously talented Elliot Peltzman. Thanks for listening.