While skimming through my emails today, one in particular caught my eye because the subject was a password I used on many sites a long time ago.
Curious, I opened it to find a demand: I was to pay $7,000 in bitcoin within one day, or the sender would email my friends a compromising video he or she allegedly had made of me.
Normally I would just delete the email while shaking my head, since I receive similar scam emails every day. Yet there was something different about this particular email: the way it used a password I had legitimately used in the past to catch my attention.
Including my password in the email elevated the attempt from a regular phishing attack to a spear phishing attack. Spear phishing attacks target individuals rather than mass user groups, and they do so by including sensitive, personal information about the person being attacked.
Spear phishing attacks have been used for many years, but historically they were aimed primarily at high net worth individuals. They make the recipient more likely to fall for the scam because the sensitive information adds legitimacy to the assertions in the message.
As personalized cyberattacks shift from a narrow focus to targeting millions of people, it becomes increasingly important to be able to identify spear phishing attacks and protect yourself from them.
Let’s break down the tactics the attacker used to get my attention and try to leverage me to act.
1. Capture attention
Spear phishing attacks are structured to convey to the recipient, as quickly as possible, that the request or demand being made is legitimate. They accomplish this by using sensitive information: your home address, an account number or, as in my case, a legitimate password you have used.
In my case I was prompted to open an email I would normally have deleted because the subject line contained a password I had frequently used in the past, which made me curious enough to read it.
2. Use sensitive information to make a false story believable
The attacker then spun a story claiming to have compromised an account I allegedly had. In my case the story was obviously false, because several of the details clearly did not match up.
Yet for someone whose details did match up, the story would have been very concerning indeed.
A key marker of a spear phishing attack is that the attacker uses sensitive information they have mined about the recipient to make their overall email and its request / demand seem real.
3. Leverage emotion to bypass barriers to action
Next comes the core element of almost every spear phishing attack: the psychological play.
The email I received today targeted feelings of insecurity and shame. But a spear phishing attack could just as easily have targeted greed, fear or worry.
A marker of all spear phishing attacks is that they try to invoke a powerful emotion that will cause the recipient to bypass rational thought and act quickly.
There are many actions the attacker will try to trick someone into taking, from opening an attachment or clicking a link to, as in the email I received today, making a payment.
Here are some common examples of other spear phishing attacks that include your accurate personal details and then insist that you click on a link or open an attachment:
- Legal matters: You receive a subpoena that has all of your personal details correctly filled out and a short time window to respond or face serious legal consequences. Emotional triggers: fear and concern.
- Aren't you lucky! You receive a notice from the government or an agency that you will be receiving a large refund or windfall. Emotional triggers: greed and hope.
- Frozen bank accounts: This one has been around for many years and claims that your bank account has been frozen and will be closed if you do not act immediately. Emotional triggers: fear and concern.
- Account problems: Similar to the frozen bank account scam, you may be told that your Netflix / Amazon / iTunes / etc. account is about to be closed unless you act immediately. Emotional triggers: fear and concern.
- The overdue invoice: Again touching on legal risk, you receive a demand notice from a company you have never heard of, usually accompanied by a "copy" of the invoice you failed to pay. Emotional triggers: anger, concern and possibly fear.
The point is that including sensitive personal information in the email makes the scam more believable, and so makes it more likely that the recipient will act rashly in response to the emotional trigger, doing something harmful to themselves that they would not have done if their emotions had not been triggered.
4. Lessons Learned: beware the hidden risks of data breaches
What was interesting about the spear phishing email I was sent is that a password I have used in the past should be known only to me and to the site(s) where I used it. (A well-run site never stores the password itself, only a salted hash of it, so an attacker who can quote your actual password has either cracked that hash or obtained the password from a site that stored it in the clear.)
This makes this particular piece of information particularly persuasive.
So how could an attacker get such a sensitive piece of information? The answer is data breaches, which sadly have made it a lot easier for someone to get your email and password than you might expect.
Each year billions of accounts are compromised in data breaches, leaving an enormous amount of sensitive information, including names, emails and passwords, available for purchase on the dark web.
According to the 2017 Year End Data Breach Report from Risk Based Security, there were a record 5,207 breaches in 2017, compromising 7.8 billion records.
Far too many people are particularly vulnerable because they reuse the same password on many sites.
That is a terrible idea that can cause significant problems after a data breach, because never mind having to trick you with a spear phishing attack: a smart hacker can purchase a list of breached accounts and easily write a program that tries your email / password combination on thousands of popular websites (an attack known as credential stuffing).
Numbers like those from Risk Based Security should give everyone who reuses passwords a strong reason to change their practices and start following some simple security best practices:
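It is worth seeing what that program looks like from the defender's side. The following Python is an added example, not code from the original post: it runs a simple credential-stuffing detector over a handful of constructed authentication log lines in a hypothetical format (timestamp, source IP, username, result). Credential stuffing looks different from a classic brute-force attack: one source tries many different usernames once or twice each rather than one username many times, and the occasional success is exactly a reused breached password landing. The window size and the distinct-user threshold are assumptions to tune for your own environment.

```python
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts ip user success")

# Constructed sample log (hypothetical format): timestamp, source IP, username, result.
# 203.0.113.7 walks a breached list across many different accounts and lands one hit;
# 198.51.100.20 is a single user mistyping their own password and then getting it right.
SAMPLE_LOG = """\
2018-06-01T10:00:01Z 203.0.113.7 alice@example.com FAIL
2018-06-01T10:00:02Z 203.0.113.7 bob@example.com FAIL
2018-06-01T10:00:02Z 203.0.113.7 carol@example.com FAIL
2018-06-01T10:00:03Z 203.0.113.7 dave@example.com SUCCESS
2018-06-01T10:00:04Z 203.0.113.7 erin@example.com FAIL
2018-06-01T10:00:05Z 203.0.113.7 frank@example.com FAIL
2018-06-01T10:00:09Z 198.51.100.20 alice@example.com FAIL
2018-06-01T10:00:15Z 198.51.100.20 alice@example.com FAIL
2018-06-01T10:00:20Z 198.51.100.20 alice@example.com SUCCESS
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<result>SUCCESS|FAIL)$")


def parse_log(text):
    """Parse log lines into Event tuples, sorted by time; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(Event(ts, m["ip"], m["user"], m["result"] == "SUCCESS"))
    return sorted(events)


def detect_credential_stuffing(events, window=timedelta(seconds=60), min_distinct_users=5):
    """Flag any source IP that attempts logins for at least `min_distinct_users`
    different usernames inside a sliding time window.  Returns {ip: summary}.
    Many usernames from one source is the stuffing signature; many attempts against
    one username would be ordinary brute force and is deliberately not flagged here."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev.ip].append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start until all events in evs[start:end+1] fit.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            window_evs = evs[start:end + 1]
            users = {e.user for e in window_evs}
            if len(users) < min_distinct_users:
                continue
            # Keep the latest qualifying window; successes are the accounts to reset.
            alerts[ip] = {
                "attempts": len(window_evs),
                "distinct_users": len(users),
                "successful_logins": sorted(e.user for e in window_evs if e.success),
            }
    return alerts


if __name__ == "__main__":
    for ip, summary in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

A successful login inside a flagged window should be treated as a compromised account, not a lucky user: revoke its sessions and force a password reset, because the "correct" password was almost certainly copied from a breach of another site.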
- Use a unique password for each login
- Use long passphrases that contain at least one lowercase and one uppercase letter plus a number
- Track your logins in a secure password vault
5. Create strong passphrases
When I talk to people who have weak passwords, I have yet to meet someone who was not aware that their password was weak and that this was not a great idea. The rationale most people gave was that they felt making a hard password unique to each website was onerous and would require them to write the passwords down, which they felt would also make them insecure.
Take a look at the following passwords – which one do you think is more secure?
Password 1: aGb4$mZp
Password 2: longerISmoreSecure5
Most people will pick the first option, because it looks more complicated and has a special character. Yet if you check the strength of both passwords using HowSecureIsMyPassword.net, you will find that the second option is much stronger.
Password 1 would take just 9 hours for a computer to crack, while password 2 would take 9 quadrillion years with a standard computer! By adding just a few more words to make password 2 "longerISmoreSecureYesItIs5", or better still "longerISmoreSecureYesItIs5!", its estimated strength rises to 32 octillion and 682 nonillion years respectively.
Even better, a password like "longerISmoreSecureYesItIs5!" is actually much easier to remember than aGb4$mZp.
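To show where those numbers come from, here is an added example in Python (not code from the original post or from HowSecureIsMyPassword.net). It infers the alphabet an attacker must cover from the character classes a password uses, computes the brute-force search space and bits of entropy, converts that to a worst-case cracking time at an assumed guess rate, and also models the weaker case of an attacker who knows the passphrase is built from dictionary words. The guess rate, dictionary size, case-variant count and suffix count are all assumptions, so the times will not match the site's figures, but the ordering is the point: a long passphrase beats a short complex password even against a word-list attacker.

```python
import math
import string


def charset_size(password: str) -> int:
    """Alphabet size a brute-force attacker must cover, inferred from the
    character classes actually present in the password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # the 32 printable ASCII symbols
    return size


def search_space(password: str) -> int:
    """Candidates an exhaustive attacker must try: alphabet ** length."""
    return charset_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """log2 of the search space, i.e. strength if every character were random."""
    return len(password) * math.log2(charset_size(password))


def crack_time_seconds(password: str, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to exhaust the search space.  The default rate is an assumed
    figure for a GPU rig against a fast hash such as MD5 or SHA-1; against a slow
    password hash (bcrypt, scrypt, Argon2) it would be orders of magnitude lower."""
    return search_space(password) / guesses_per_second


def dictionary_search_space(word_count: int, dictionary_size: int = 20_000,
                            case_variants_per_word: int = 2,
                            suffix_choices: int = 10) -> int:
    """Search space when the attacker knows the passphrase is `word_count` common
    words, each in one of a few case variants, followed by one short suffix such
    as a digit.  All parameters are assumptions modelling a word-list attack."""
    return (dictionary_size * case_variants_per_word) ** word_count * suffix_choices


def human_duration(seconds: float) -> str:
    """Render a duration in the largest unit it fills, for display only."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600), ("hours", 3600),
             ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            value = seconds / size
            return f"{value:,.1f} {name}" if value < 1e15 else f"{value:.3g} {name}"
    return f"{seconds:.3f} seconds"


if __name__ == "__main__":
    for pw in ["aGb4$mZp", "longerISmoreSecure5", "longerISmoreSecureYesItIs5!"]:
        print(f"{pw:30} alphabet={charset_size(pw):3} bits={entropy_bits(pw):6.1f} "
              f"brute force={human_duration(crack_time_seconds(pw))}")
    # "longerISmoreSecure5" is four words plus a digit.  A word-list attacker does far
    # better than character brute force, but still has far more work than for the
    # 8-character password.
    print("word-list model, 4 words + digit:",
          human_duration(dictionary_search_space(4) / 1e10))
```

The dictionary model is the caveat the online checkers omit: they treat "longerISmoreSecure5" as 19 random characters from a 62-symbol alphabet, while a real attacker will try word combinations first. Even under that model the passphrase is thousands of times stronger than aGb4$mZp, and each extra word multiplies the attacker's work by tens of thousands.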
A tip for creating a unique password for each site you visit is to invent a simple cipher that only you know, and use it to derive an individual password for each site that you can easily reconstruct without looking it up in a password vault. For example, you could follow a pattern like this:
{noun}{NUMBER}{Verb}{DATE}{special character}
For each site you need a password for, associate a logical noun and verb with the site.
Using this cipher for Facebook, which is a social site about sharing with friends and starts with F, the 6th letter of the alphabet, you might use:
- friend as your noun
- 6 as your number for the number of letters in the word friend
- share as your verb with the first letter capitalized
- the current year as your date
- ) as your character to represent a smile
- To make the resulting password: friend6Share2018)
For LinkedIn, which is a professional network and starts with L, the 12th letter of the alphabet, you might choose:
- professional as your noun
- 12 as your number for the number of letters in professional
- sell as your verb
- 2018 as your date
- @ as your character to represent connecting in a work environment
- To make the resulting password: professional12sell2018@
According to HowSecureIsMyPassword, it would take a computer roughly 93 trillion years to crack friend6Share2018) and 1 sextillion years to crack professional12sell2018@.
One challenge you might face with this approach is that some websites are too restrictive in the number or kind of characters they accept in a password! A more serious one is that the pattern is only as secret as the passwords built from it: if one of them leaks in a breach, an attacker who studies it can see the structure and guess your passwords for other sites, so the password vault recommended above remains the safer choice for any account that matters.