Here's a quick exercise in phishing that anyone can try. Go ahead, give it a shot. In just five minutes – assuming your search skills are halfway decent – you can gather enough information about a high-value target to create your own spear phishing attack. First, choose one of your company executives about whom you have very little information. Or choose their executive assistant, a system admin with uber-privileges or an executive from another organization - it doesn't really matter. With your web browser open, set a timer for 5 minutes, press start and begin searching for information about your 'target.' Your goal is to gather enough personal information so your phish email can appear to be legitimate enough so the recipient takes the desired action, so use your imagination while doing your research (e.g. notices about public speaking engagements, upcoming board meetings, big company news, news from important customers/partners). I've shared the results of my own basic search below. Please use the Comments section to let us know what you dug up (no real names please!). My target is the CEO and Chairman of the Board of a Fortune 500 company. I quickly learned that he also currently sits on three other boards. Other notable facts that I turned up about my target:
- Date of birth
- Work history for 20+ years
- University degree and fraternity affiliation
- Detailed stock transactions, including dates and amounts
- Address and photos of his primary residence
- Address of his vacation home in Vail
While the individual I researched isn’t very active online (e.g. his LinkedIn profile is just a placeholder), he is probably the exception among prominent executives. Other targets might reveal seemingly insignificant details about their lives in blog posts, Twitter conversations and elsewhere. Such data can help a spear phisher craft very targeted messages. However, my search still provided plenty of fodder for spear phishing campaigns, possibly enough to compel my target to click on a link or malicious file. With a little more effort and access to an illicit directory or two, I’m sure the odds of a successful attack increase considerably.
After all, it only took this spear-phishing newbie, without any financial motivation, 5 minutes to identify several potential points of contact. Imagine what a skilled and determined spear phisher might be able to conjure up. If nothing else this exercise showcases how easy it is for cyber-crooks to develop effective spear phishing campaigns. There are certain security measures all organizations can take to protect themselves from attacks, but phishing campaigns are different beasts, and the best tactics are awareness, training and testing. Internal policies and strict spam rules within an organization should be top priorities to protect critical data exposures, but communicating the nasty effects of opening a suspicious email or putting personal information on unsecure forms can be a useful form of deterrence. Employee phish testing can help raise awareness about the types of phishes and teach employees how to detect them. And for data or metrics driven organizations, phish testing can help teach you about the effectiveness of your employee training and anti-phishing techniques. While phishing attacks are tough to protect against, they can be limited and contained.