Spear Phishing: Exploiting Known Vulnerabilities

November 8, 2016

Just last week, Google publicly revealed a zero-day flaw in Windows that Russian hackers exploited via spear phishing attacks. The hackers targeted a specific set of customers and used malicious code to exploit an Adobe Flash vulnerability to gain control of the browser process, then took advantage of a Windows kernel bug to gain admin privileges and access to the insecure PCs.

What is spear phishing? It is a term used when hackers target a specific company or group of individuals with e-mails designed to trick them into divulging sensitive or confidential information. Spear phishing is much more focused than a general phishing e-mail, which is sent to a large group of people. A spear phishing campaign will use specific, carefully researched details in order to seem authentic.

For example, suppose a hacker wants to gain access to XYZ organization. A simple LinkedIn search reveals that the organization’s CISO is an alum of the Sigma Chi Fraternity. His e-mail is found on the company contact page. The CISO then receives an e-mail from his fraternity inviting him to the annual alumni BBQ next month. The e-mail references an attachment with more details on the event. He clicks the attachment, but nothing happens. Or does it…? He may have just granted the hackers access to his PC!

Below are some best practices to follow:

  • Limit the use of organizational email addresses.
  • Do not open e-mail attachments on communications that you were not expecting.
  • Limit the amount of information shared on social networking sites.
  • Never ask for personal information from your staff via e-mail.
  • Report any suspicious emails to your IT department immediately.
  • Ensure all applications and systems are kept current, and updates/patches are applied as soon as possible.

Microsoft is planning to release a patch for the identified flaw as part of its regularly scheduled updates on November 8th. Whether or not you agree with Google’s decision to share the zero-day flaw before a patch was released, one thing is certain: the best practices remain the same. Stay vigilant and remember – your users are your first line of defense.

About the Author
Katie Johnson

PCIP

AVP Product and Senior Manager, Operations Support

With over 20 years of experience in information security and awareness training, Katie leads CampusGuard's product and software teams, including our Online Training, Phishing Simulator, CampusGuard Central Portal, and the GRC Platform. Katie is responsible for product planning, roadmap execution, business systems ownership, cross-functional coordination, and day-to-day oversight of product-related initiatives. She also manages the teams responsible for operational support, online training delivery, and vulnerability scanning.