Trend’s threat research, carried out between February and September this year, shows that such attacks most often have quite humble beginnings – a simple email that will attempt to entice a particular individual into opening an infected file or clicking on a malicious link.
Spear phishing often works because it uses information about the target to appear more personal – an email with your name on it, for example, is likely to be far more intriguing than a random-looking one that is quite obviously generic in nature.
According to Trend Micro’s report (available as a PDF), some 94% of these targeted emails utilise malicious file attachments, whilst the other 6% use other means of infection, such as downloading payloads via infected web links. Email attachments are a far more popular avenue of attack because employees of large companies and government bodies are far more likely to share files via email, since downloading directly from the internet is regarded as far less secure.
Notable highlights from the report:
- The most commonly used and shared file types accounted for 70 percent of the total number of spear phishing email attachments during the monitored time period. The main file types were: .RTF (38 percent), .XLS (15 percent), and .ZIP (13 percent). By contrast, executable (.EXE) files were not as popular among cybercriminals, most likely because emails with .EXE file attachments are usually detected and blocked by security solutions.
- The most highly targeted industries are government and activist groups. Extensive information about government agencies and appointed officials is readily found on the Internet and often posted on public government websites. Activist groups, highly active in social media, are also quick to provide member information in order to facilitate communication, organize campaigns or recruit new members. These habits elevate member profiles, making them visible targets.
- As a result, three out of four of the targeted victims' email addresses are easily found through web searches or by using common email address formats.
Has your organisation been targeted by such an attack and did any of your employees fall victim to it?