Home > CAPEC List > CAPEC-163: Spear Phishing (Version 2.9)  

CAPEC-163: Spear Phishing

 
Spear Phishing
Definition in a New Window Definition in a New Window
Attack Pattern ID: 163
Abstraction: Detailed
Status: Draft
Completeness: Complete
Presentation Filter:
+ Summary

An attacker targets a specific user or group with a Phishing (CAPEC-98) attack tailored to a category of users in order to have maximum relevance and deceptive capability. Spear Phishing is an enhanced version of the Phishing attack targeted to a specific user or group. The quality of the targeted email is usually enhanced by appearing to come from a known or trusted entity. If the email account of some trusted entity has been compromised the message may be digitally signed. The message will contain information specific to the targeted users that will enhance the probability that they will follow the URL to the compromised site. For example, the message may indicate knowledge of the targets employment, residence, interests, or other information that suggests familiarity. As soon as the user follows the instructions in the message, the attack proceeds as a standard Phishing attack.

+ Attack Execution Flow
Explore
  1. Obtain useful contextual detailed information about the targeted user or organization:

    An attacker collects useful contextual detailed information about the targeted user or organization in order to craft a more deceptive and enticing message to lure the target into responding.

    Attack Step Techniques

    IDAttack Step Technique DescriptionLeveraged Attack PatternsEnvironments
    1

    Conduct web searching research of target.

    • 405
    env-Web
    2

    Identify trusted associates, colleagues and friends of target.

    • 405
    env-All
    3

    Utilize social engineering attack patterns such as Pretexting.

    • 407
    env-All
    4

    Collect social information via dumpster diving.

    • 406
    env-All
    5

    Collect social information via traditional sources.

    • 408
    env-All
    6

    Collect social information via Non-traditional sources.

    • 409
    env-All
Experiment
  1. Optional: Obtain domain name and certificate to spoof legitimate site:

    This optional step can be used to help the attacker impersonate the legitimate site more convincingly. The attacker can use homograph attacks to convince users that they are using the legitimate website. Note that this step is not required for phishing attacks, and many phishing attacks simply supply URLs containing an IP address and no SSL certificate.

    Attack Step Techniques

    IDAttack Step Technique DescriptionEnvironments
    1

    Optionally obtain a domain name that visually looks similar to the legitimate site's domain name. An example is www.paypaI.com vs. www.paypal.com (the first one contains a capital i, instead of a lower case L).

    env-Web
    2

    Optionally obtain a legitimate SSL certificate for the new domain name.

    env-Web

    Security Controls

    IDTypeSecurity Control Description
    1Preventative
    Websites can acquire many domain names that are similar to their own. For example, the company example.com should be sure to register example.net, .org, .biz, .info and so on. Likewise they should register exarnple.com, examp1e.com, exampIe.com (and possibly .net, .org variations). Although this does not preclude the possibility of phishing, it makes the attackers' job harder because all the easily believable names are taken.
  2. Optional: Explore legitimate website and create duplicate:

    An attacker creates a website (optionally at a URL that looks similar to the original URL) that closely resembles the website that he or she is trying to impersonate. That website will typically have a login form for the victim to put in their authentication credentials. There can be different variations on a theme here.

    Attack Step Techniques

    IDAttack Step Technique DescriptionEnvironments
    1

    Use spidering software to get copy of web pages on legitimate site.

    env-Web
    2

    Manually save copies of required web pages from legitimate site.

    env-Web
    3

    Create new web pages that have the legitimate site's look at feel, but contain completely new content.

    env-Web
  3. Optional: Build variants of the website with very specific user information e.g., living area, etc.:

    Once the attacker has his website which duplicates a legitimate website, he needs to build very custom user related information in it. For example, he could create multiple variants of the website which would target different living area users by providing information such as local news, local weather, etc. so that the user believes this is a new feature from the website.

    Attack Step Techniques

    IDAttack Step Technique DescriptionEnvironments
    1

    Integrate localized information in the web pages created to duplicate the original website. Those localized information could be dynamically generated based on unique key or IP address of the future victim.

    env-Web
Exploit
  1. Convince user to enter sensitive information on attacker's site.:

    An attacker sends a message (typically an e-mail) to the victim that has some sort of a call to action to get the user to click on the link included in the e-mail (which takes the victim to attacker's website) and log in. The key is to get the victim to believe that the message is coming from a legitimate entity trusted by the victim or with which the victim or does business and that the website pointed to by the URL in the e-mail is the legitimate website. A call to action will usually need to sound legitimate and urgent enough to prompt action from the user.

    Attack Step Techniques

    IDAttack Step Technique DescriptionEnvironments
    1

    Send the user a message from a spoofed legitimate-looking e-mail address that asks the user to click on the included link.

    env-Web
    2

    Place phishing link in post to online forum.

    env-Web

    Outcomes

    IDTypeOutcome Description
    1Success
    Legitimate user clicks on link supplied by attacker and enters the requested information.
    2Failure
    Legitimate user realizes that the e-mail is not legitimate, or that the attackers' website is not legitimate, and therefore, does not enter the information requested by the attacker.

    Security Controls

    IDTypeSecurity Control Description
    1Detective
    Monitor server logs for referrers. Phishing websites frequently include links to "terms and conditions" "privacy" and other standard links on the legitimate site. Users' web browsers will generally reveal the phishing site in the Referrer header. Since the URL may not visually stand out compared to the legitimate URL, some programmatic consolidation of referrers from log files may be required to ensure that example.com stands out from examp1e.com, for example.
  2. Use stolen credentials to log into legitimate site:

    Once the attacker captures some sensitive information through phishing (login credentials, credit card information, etc.) the attacker can leverage this information. For instance, the attacker can use the victim's login credentials to log into their bank account and transfer money to an account of their choice.

    Attack Step Techniques

    IDAttack Step Technique DescriptionEnvironments
    1

    Log in to the legitimate site using another user's supplied credentials.

    env-Web

    Security Controls

    IDTypeSecurity Control Description
    1Preventative
    Use a human verifiable shared secret between legitimate site and end user such as the one provided by PassMark Security (now part of RSA Security). This prevents the attacker from using stolen credentials. Note that this does not protect against some man-in-the-middle attacks where an attacker establishes a session with the legitimate site and convinces an end user to establish a session with him. The attacker then records and forwards information flowing between the end user and the trusted site. This security control is currently used by many online banking websites including Bank of America's website.
    2Preventative
    Use an out-of-band user authentication mechanism before allowing particular computers to "register" to use the legitimate site with particular login credentials. This also prevents the attacker from using stolen credentials. An example may be sending a SMS message to the user's cell phone (cell phone number previously acquired by site) with an "activation code" every time the user attempts to log into the site from a new computer. This solution also does not protect against the man-in-the-middle attack described in the previous security control. This mechanism is currently used by several online banking websites including JP Morgan Chase's website.
+ Attack Prerequisites
  • None. Any user can be targeted by a Spear Phishing attack.

+ Typical Severity

High

+ Typical Likelihood of Exploit

Likelihood: High

+ Methods of Attack
  • Social Engineering
  • Spoofing
+ Examples-Instances

Description

John gets an official looking e-mail from his bank stating that his or her account has been temporarily locked due to suspected unauthorized activity that happened in the area different that where he lives (details might be provided by the spear phishers) and that John needs to click on the link included in the e-mail to log in to his bank account in order to unlock it. The link in the e-mail looks very similar to that of his bank and once the link is clicked, the log in page is the exact replica. John supplies his login credentials after which he is notified that his account has now been unlocked and that everything is fine. An attacker has just collected John's online banking information which can now be used by him or her to log into John's bank account and transfer John's money to a bank account of the attackers' choice.

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: Medium

+ Resources Required

Some web development tools to put up a fake website.

+ Solutions and Mitigations

Do not follow any links that you receive within your e-mails and certainly do not input any login credentials on the page that they take you too. Instead, call your Bank, PayPal, eBay, etc., and inquire about the problem. A safe practice would also be to type the URL of your bank in the browser directly and only then log in. Also, never reply to any e-mails that ask you to provide sensitive information of any kind.

+ Attack Motivation-Consequences
ScopeTechnical ImpactNote
Confidentiality
Read application data
Information Leakage
Accountability
Authentication
Authorization
Non-Repudiation
Gain privileges / assume identity
Privilege Escalation
Integrity
Modify application data
Data Modification
+ Purposes
  • Exploitation
+ CIA Impact
Confidentiality Impact: HighIntegrity Impact: HighAvailability Impact: Low
+ Technical Context
Architectural Paradigms
Client-Server
n-Tier
Frameworks
All
Platforms
All
Languages
All
+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
Modifications
ModifierOrganizationDateCommentsSource
CAPEC Content TeamThe MITRE Corporation2017-01-09Updated Related_Attack_PatternsInternal

More information is available — Please select a different filter.
Page Last Updated or Reviewed: December 07, 2015