Spear Phishing

Example

From: Max Mustermann (Department Head)
Sent: Today, 10:23 am
To: Erika Mustermann
Subject: Urgent transfer

Hi Erika.

I need to transfer 430 euros to the following account: XXXXX. It's urgent, but I'm out of the office. Can you take care of that today? Thanks!

Max

This is what a spear phishing e-mail could look like. One characteristic of such attacks is that the hacker has specific information about the addressee (your name, who your supervisors are, your area of responsibility) and exploits it. With these kinds of e-mails, ask yourself whether there is a reason to deviate from the normal workflow, such as the money transfer in this example. You can verify this by obtaining additional information (in this case, by calling the department head for confirmation).

What is Spear-Phishing?

Phishing attacks are by now a well-known phenomenon in which hackers typically use false pretenses in an e-mail to obtain specific data such as addresses, bank account numbers or login details. After a successful attack, the data is often misused for various purposes. Spear phishing is a particularly targeted type of attack that has been observed much more frequently of late, and it demands special vigilance.

In an article from Sophos on this topic, the difference between normal phishing and spear phishing is outlined in simple terms: if a bogus e-mail begins with "Dear Customer," this is normal phishing, while an e-mail that starts with "Dear Erika" or "Dear Ms Schmidt" (in other words, using her real name) is spear phishing.

The term spear phishing is a play on words on the English "spear fishing" and refers to the selective, targeted attempt to gain valuable information. The subject of these e-mails can be just about anything, whether it's an alleged e-mail from the boss requesting that important documents be urgently sent to his private address or a supposed colleague asking questions about a current process.

Measures

These deceptive attacks are difficult to differentiate from legitimate e-mails. The question is, what can you do?

  • Be especially careful when it involves a deviation from standard procedures (e.g. communication via private e-mail when work e-mail addresses are normally used, or pressure to do something quickly that would otherwise take several days).
  • Double-check the validity by asking the originator of the e-mail for a call-back, or by looking up the correct contact address yourself instead of using the one provided in the e-mail.
  • These types of attacks can occur over any communications channel you normally use (e-mail, telephone, text messages, social networks or even in person).
  • Be aware that these hackers likely have extensive information about you and your environment, for example from publicly available sources or from previously successful attempts.
  • That means you are the one who can best fend off these attacks, since you are the only person who can comprehensively judge the context of the e-mail (who, what, how, why). Malware scanners or firewalls can only help to a certain extent.

Warning mail to scientists of TUM (September 2017)

The following e-mail was sent to all TUM scientists to warn against current spear phishing attacks:

"Dear colleagues,

We would like to warn you about recent cyber attacks targeting our research facilities.

Members of our research facilities received increasing numbers of spear phishing emails lately. Spear phishing emails systematically target specific people or groups with the aim of gaining access to information.

Currently, hackers attempt to capture your TUM account (or credentials) in order to get access to unpublished information such as research results, conference papers and dissertations in progress. One common method involves an inquiry that pretends to express special interest in one of your publications or to request a review of an article. The originator provides a link to the article, which will supposedly route you to the university library eAccess portal. In reality, it will take you to a remarkably genuine-looking replica of the university website. As soon as you enter your TUM login data on the fraudulent website, the hacker knows your password and can thus access your files, emails and other IT services.

To fend off such attacks, you should always be suspicious of these types of inquiries. If in doubt, ask your colleagues or the IT support (it-support@tum.de) for a second opinion.

Fraud links have addresses that deviate only slightly from a genuine address. For instance: login.eaccess.ub.tum.de.in/login instead of login.eaccess.ub.tum.de/login. It's important to note that the critical part of the address is before the first single slash - / - and our TUM IT services should always end with .tum.de/, .mwn.de/ or .lrz.de/. Never click on links in emails. Instead, manually copy and paste the address in your browser. This is the only way to have full control of which page you actually open.

Ultimately, the only safe approach is healthy distrust and close scrutiny when dealing with digital media. Be aware that hackers invest a lot of time and effort and collect detailed information in order to target your access data. Your stolen password can enable hackers to access sensitive private or confidential information and unpublished research data.

If you suspect you have already been attacked, please change your access data immediately. You can find tips for creating secure passwords at: https://www.it.tum.de/en/it-security/for-employees/password/. Please report concrete security incidents to: it-sicherheit@tum.de. This allows us to coordinate a central response and warning if appropriate. Specific questions can be addressed to IT support (it-support@tum.de)"
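A small check for the address rule in the warning above (the host is the part before the first single slash, and genuine TUM IT services end in .tum.de, .mwn.de or .lrz.de), added here as an example and not part of the original mail or of any TUM tooling. It accepts a host only if it is one of those domains or a subdomain of one; the sample addresses other than the two quoted in the mail are constructed.

```python
from urllib.parse import urlsplit

# Domains under which genuine TUM IT services live, taken from the warning mail.
TRUSTED_SUFFIXES = ("tum.de", "mwn.de", "lrz.de")


def host_of(url: str) -> str:
    """Return the host of a URL, i.e. the part before the first single slash.

    Addresses copied from an e-mail often lack a scheme, so one is added
    before parsing; urlsplit() then isolates the host and lower-cases it.
    """
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".")


def is_trusted_host(host: str, suffixes=TRUSTED_SUFFIXES) -> bool:
    """True only if host *is* a trusted domain or a subdomain of one.

    The comparison is made on a label boundary ("." + suffix), so a host
    that merely ends in the letters "tum.de" (e.g. "fake-tum.de") or that
    continues after it (e.g. "...tum.de.in") does not pass.
    """
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def classify(url: str) -> str:
    """'trusted', 'untrusted' or 'no-host' for a single address."""
    host = host_of(url)
    if not host:
        return "no-host"
    return "trusted" if is_trusted_host(host) else "untrusted"


if __name__ == "__main__":
    # Constructed sample addresses; the first two are the ones quoted in the mail.
    samples = [
        "login.eaccess.ub.tum.de/login",
        "login.eaccess.ub.tum.de.in/login",
        "https://www.tum.de/",
        "HTTPS://WWW.LRZ.DE/services",
        "https://tum.de.example.net/eaccess",  # constructed look-alike
        "https://fake-tum.de/login",          # constructed: no label boundary
    ]
    for url in samples:
        print(f"{classify(url):10} {url}")
```

The check only decides whether a host belongs to the trusted domains; it says nothing about whether the page behind it is genuine, so it complements, rather than replaces, typing the address into the browser yourself.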

Contact

If you have suspicions about a work e-mail, please contact IT Support (it-support@tum.de). If an e-mail has been identified as an actual or probable attack, please inform your colleagues since multiple persons are often targeted.