If you’re not willing to do the necessary work, forget about even trying to write a spear phishing email. This is not your usual spam email that you simply hope will get through spam filters. A spear phishing email has to be crafted well enough to avoid spam filters and have the attachments opened or the links clicked on. You have to do everything in your power to make this look like a legitimate, trusted correspondence. So, if you’re willing to put in the effort, let’s begin.
I’ll assume you know the particular data that you want to get and the company or institutional networks that you want to get access to. Now, you’re going to have to get one user on this network to click on a link or open an attachment to install the program that will allow you to have full, administrative access to the network. Go to the company’s website and learn everything you can about the company. Try to find the names of as many employees as you can, but especially those who are high enough in the organization to have access to the data that you need. You may even want to target upper management. This may have been how hackers got into JP Morgan. Technically, this is called ‘whale phishing’, and it sometimes works because many in upper management aren’t as tech savvy as those below them.
Sometimes you can get email addresses and sometimes you can’t. However, if you can get the name of an employee you’re interested in, you can sometimes figure out their company email address because they follow some formula. For example, JP Morgan uses the formula “first name.middle initial.last name@jpmorgan or jpmorganchase.com”. If they have no middle name, just put an ‘x’ in that spot. If you need formulas for the email addresses of various firms, check out this discussion.
After you identify your targets, check out their Facebook pages. See if any of them are open to the public. This will give you access to information about them that you can use in your email. Even if they keep their personal information private, many of them will keep their friends list public. These lists can be valuable in launching a successful attack. Don’t forget other social media pages or any information you can find on search engines. Let me give you some examples of how you can use this kind of information.
If you know something about the target’s personal interests, you can craft your email to appeal to these interests. If, for example, you learn they are supporters of a certain sports team, you can have your link or attachment highlight this fact. Of course, most people aren’t going to click on anything that they don’t trust. This is where that list of Facebook friends comes in handy. You can make the email appear to be coming from one of those friends, either by using their actual email account or Facebook page, or by creating an email that seems to be related to that person. Sure, they may contact that person to check whether they really sent that message, but you know how most people are. They simply don’t have the time to do it.
The ‘trusted friend’ approach may or may not work. If it does not work, you need to take on the aura of a trusted and authoritative source. It is best if this source has some power over the targeted individual. In other words, you want them to feel that they may get into trouble if they don’t open your attachment or click on your link. The best way to do this is to pretend you are someone in the company. This is where your research into management can be helpful. Make sure you get an email address that seems to be related to the person or department the email is supposed to be coming from. Don’t use stupid user names and email sites like Kmhx24@crazynet.com. If you want to get through the spam filters and the target’s natural suspicions, then use a recognized email provider with at least some username that just might be that of the real person. If, for example, you want to pretend that you are John Smith, use something such as JSmth, Smithjohn, or JohnSmith444@yahoo.com. Yes, of course, the person can always call John Smith and ask if the email is, in fact, from him, but if John Smith is an executive, the target may be reluctant to do so.
You should go a step further, however, if you want to overcome the suspicion barrier. Try to find actual examples of company emails that you can use as a template. Often you can just search for ‘(company name) emails to customers’ to see what a typical email from the company looks like. If you can’t find one, you can send an email to their support desk and see what their reply looks like. You need to see what logo they use, what typeface they use, and what disclaimers they may include in fine print. This will give your email a feel of legitimacy that will dramatically improve the chances of a click on the attachment or link.
It is vitally important to make your attachment or link also look legitimate. Give it a believable name. In the case of an attachment, be sure to give it a believable extension. The most often opened extensions are .zip, .exe, .pdf, or .jpg. Everyone recognizes these and will see them as plausible. Remember, only use the .jpg extension if you have mentioned a photo or chart in the email; otherwise the target may become suspicious.
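From the defender’s side, the two traits described above (an executive-sounding display name sent from a consumer mail provider, and familiar-looking but risky attachment types) are exactly what a mail-triage rule can flag before the message reaches an inbox. The script below is an added example, not code from the original post or from any product it mentions; it uses Python’s standard `email` module and constructed sample messages. The organization domain `example-corp.com`, the `FREEMAIL_DOMAINS` list, and both messages are assumptions made up for the example.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Consumer mail providers a genuine internal message would not come from
# (constructed list for this example).
FREEMAIL_DOMAINS = {"yahoo.com", "gmail.com", "hotmail.com", "outlook.com", "aol.com"}

# Attachment types the post singles out as familiar-looking carriers.
RISKY_EXTENSIONS = {".exe", ".zip"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _domain(address):
    """Return the lower-cased domain part of an email address ('' if none)."""
    return address.rpartition("@")[2].lower()


def _in_org(host, org_domain):
    """True if host is the organization's domain or a subdomain of it."""
    return host == org_domain or host.endswith("." + org_domain)


def triage(raw, org_domain):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []

    # 1. Sender: free-mail provider or a domain outside the organization.
    display_name, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = _domain(addr)
    if sender_domain in FREEMAIL_DOMAINS:
        findings.append(f"sender '{display_name}' uses free-mail domain {sender_domain}")
    elif sender_domain and not _in_org(sender_domain, org_domain):
        findings.append(f"sender domain {sender_domain} is outside {org_domain}")

    # 2. Attachments: risky types and stacked extensions such as 'photo.jpg.exe'.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        suffixes = [s for s in name.split(".")[1:] if re.fullmatch(r"[a-z0-9]{1,4}", s)]
        if suffixes and "." + suffixes[-1] in RISKY_EXTENSIONS:
            findings.append(f"risky attachment type: {name}")
        if len(suffixes) > 1:
            findings.append(f"double extension on attachment: {name}")

    # 3. Links: any URL whose host is not under the organization's domain.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if not _in_org(host, org_domain):
            findings.append(f"link to external host {host}")

    return findings


# Constructed sample: executive display name, free-mail sender, zip attachment,
# and a look-alike external link.
SUSPICIOUS = b"""\
From: "John Smith (CFO)" <JohnSmith444@yahoo.com>
To: analyst@example-corp.com
Subject: Urgent: updated Q3 figures
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please review the attached figures before the board call and confirm
at http://example-corp-login.com/confirm

--b1
Content-Type: application/zip
Content-Disposition: attachment; filename="Q3_figures.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""

# Constructed sample: internal sender, no attachment, intranet link only.
LEGIT = b"""\
From: "IT Service Desk" <servicedesk@example-corp.com>
To: analyst@example-corp.com
Subject: Scheduled maintenance this weekend
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

The intranet will be unavailable Saturday 02:00-04:00.
Details: https://intranet.example-corp.com/maintenance
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("legit", LEGIT)):
        print(label, triage(raw, "example-corp.com"))
```

The three checks are deliberately simple string and header tests so they can run on a mail gateway with no external lookups; in practice a finding from any one of them is a reason to quarantine or tag the message for the recipient rather than a verdict on its own.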
Now, let me get to one point of spear phishing emails that often gives the sender away: bad grammar and poor vocabulary use. I can’t tell you how many times I’ve seen perfectly good spear phishing emails undermined by one grammar mistake. Take a look at this spear phishing email sent to NSA employees.
This spear phishing email came in on the back of a story on an attack on RSA’s two-factor authentication products. The NSA was linked to RSA; thus, an NSA employee would not be suspicious of such an email. It’s always good to use a recent news story to give your spear phishing email more credibility. The address of the sender appears possible, and the logo and format appear legitimate, but there is a problem. This email is masking itself as a serious, professional correspondence. It should, therefore, be error free. However, it is not. Unless these people are making costumes for the next NSA performance of Swan Lake, I think the writer meant ‘customers’, not ‘costumers’. Notice the error in the phrase “a certain types”. True, native speakers sometimes make grammar errors, but not like this. This kind of error seems to point to a nonnative English speaker. Besides, I’m not sure a native speaker would use the word ‘type’ in this context. We would most likely say “some of our token devices”. In addition, notice the phrase “checking the following link”. The phrasing here is awkward. A native speaker would more likely say something like “Check to see if your token device is safe by visiting the following link”. Note also that the word ‘maintenance’ is misspelled (“maintance”). Also, the concluding sentence (“It will exclude the possibility of abuse.”) is odd. The email should end with some apology (we are sorry for…) or an offer of help (if you have any questions, please contact us…). In other words, the writer lacked basic sociolinguistic skills. Here we have a physically well-designed letter which would have been quite believable if only the writer had had a better command of English. So, if you are a nonnative English speaker, be sure to have a linguistically trained native English speaker proofread your message, even if you think your English is perfect.
You don’t want to do all that research and designing only to see it all fall apart because you misused an article or misspelled a word. In addition, notice that the fine print doesn’t seem to match the email and inexplicably mentions the California Credit Union. Oddly, this credit union reported a similar spear phishing attack about this same time. So for all you potential spear phishing email writers, make sure all the parts of your letter match or be prepared to have it ignored.
I mentioned earlier the recent JP Morgan hack. Now, you may have heard them warning customers to be on the lookout for spear phishing emails. However, I doubt this will be a problem. This attack was so sophisticated that the attackers could have easily transferred money out of accounts if they really wanted to. Why rely on a spear phishing attack? It just doesn’t make sense. Anyway, it brings up a good point. Never lose the opportunity to use a big news story to launch a spear phishing email. Use all the techniques I outlined above and pretend that you (masquerading as a friend) have some interesting information on a current story. All they have to do is follow the link or open the attachment. Successful spear phishing emails have used the news about missing Malaysia Airlines flight 370, the Heartbleed Bug (click here to get protection), and even the death of Robin Williams. The bigger the story, the better it is to use for a spear phishing email.
Okay, you have all the tools you need to write a successful spear phishing email, but I know what you’re thinking. “What are my chances of success?” Well, if you design it well, your chances have been found to be as high as 80%. As long as companies don’t spend much time educating employees on how to identify suspicious emails, you should have a clear path into your target’s most protected files. Just give it a try. The rewards can be great. Good luck!
There is no need for your company to worry about spear phishing attacks at all if you have the right security. With InZero Systems’ architecture, your employees can open all the spear phishing emails they want. Why? Because this architecture divides their mobile devices or personal computers into two devices at the hardware level. Any malware that manages to install itself on the personal side of the device cannot cross over to gain access to sensitive data on the work side of the device. Take a look and you’ll never need to worry about this mode of attack again.