Spear Phishing
Attack Pattern ID: 163 (Standard Attack Pattern Completeness: Stub)
Typical Severity: High
Status: Draft
+ Description

An attacker targets a specific user or group with a phishing attack tailored to a category of users in order to have maximum relevance and deceptive capability. Spear Phishing is an enhanced version of the Phishing attack targeted to a specific user or group. The quality of the targeted email is usually enhanced by appearing to come from a known or trusted entity. If the email account of some trusted entity has been compromised, the message may even be digitally signed. The message will contain information specific to the targeted users that will enhance the probability that they will follow the URL to the compromised site. For example, the message may indicate knowledge of the target's employment, residence, interests, or other information that suggests familiarity. Once the users follow the instructions in the message, the attack proceeds as the standard Phishing attack.

+ Attack Prerequisites

None. Any user can be targeted by a Spear Phishing attack.

+ Resources Required

The attacker must have the identity of the individual being attacked and information sufficient to generate a compelling reason for clicking on the supplied URL. Access to a compromised email account of a trusted individual, or the ability to spoof the origin of the message, greatly enhances the probability that the target will be compromised. This is in addition to the resources needed for a regular Phishing attack.

+ Solutions and Mitigations

Design: Provide for anti-spam filtering, address blacklisting and virus scanning in the email delivery solution.

Implementation: Scan all email for spam, viruses and blacklisted sites. Keep the spam and address blacklists current. Quarantine any suspicious email and attachments.

Implementation: Train users to be suspicious of email and not to open attachments or click on URLs contained in suspicious email.

Implementation: Log all email subjects, senders and attachments; should a Phishing email be detected, inform all recipients who might have received the same email.

Implementation: Do not follow any links supplied in email or from untrusted web sites.
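The scanning, quarantine and recipient-notification steps above can be combined into a small mail-gateway check. The following is an added example, not part of the CAPEC entry: it flags links to a blocklisted host and links whose visible text names a different host than the one they point to, then uses a sender/subject/recipient log to find everyone who received the same lure. The blocklist, sample message and log records are constructed for illustration.

```python
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed blocklist standing in for the "blacklisted sites" list the
# mitigations call for; a real gateway feeds this from a threat-intel source.
BLOCKLISTED_HOSTS = {"hr-portal-update.example.net"}

class _LinkCollector(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(url):
    return (urlparse(url).hostname or "").lower()

def scan_message(raw):
    """Return the reasons to quarantine a single-part HTML email ([] = clean)."""
    msg = message_from_string(raw)
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    collector = _LinkCollector()
    collector.feed(body)
    reasons = []
    for href, text in collector.links:
        target = _host(href)
        if target in BLOCKLISTED_HOSTS:
            reasons.append(f"link to blocklisted host {target}")
        # Visible text naming one host while the href goes to another is the
        # lure itself: the reader sees the trusted name, the browser goes elsewhere.
        shown = _host(text) if text.startswith(("http://", "https://")) else ""
        if shown and shown != target:
            reasons.append(f"link text shows {shown} but resolves to {target}")
    return reasons

def recipients_of_campaign(mail_log, sender, subject):
    """From (sender, subject, recipient) log records, list everyone who got the
    same message, so all of them can be warned once one copy is flagged."""
    return sorted({r for s, subj, r in mail_log if (s, subj) == (sender, subject)})

# Constructed sample message and delivery log (not real traffic).
SAMPLE = """From: HR Team <hr@example.com>
Subject: Action required: confirm your direct deposit details
Content-Type: text/html; charset=utf-8

<p>Hi Alex, per our chat at the Denver office, please confirm here:</p>
<a href="https://hr-portal-update.example.net/login">https://hr.example.com/login</a>
"""
MAIL_LOG = [("hr@example.com", "Action required: confirm your direct deposit details", "alex@example.com"),
            ("hr@example.com", "Action required: confirm your direct deposit details", "sam@example.com"),
            ("hr@example.com", "Weekly newsletter", "sam@example.com")]
```

Running `scan_message(SAMPLE)` reports both the blocklisted host and the mismatched link text, and `recipients_of_campaign(MAIL_LOG, ...)` with the flagged sender and subject returns the two recipients to notify.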

+ Related Weaknesses
CWE-ID  Weakness Name                                     Weakness Relationship Type
184     Incomplete Blacklist                              Secondary
357     Insufficient UI Warning of Dangerous Operations   Secondary
247     Reliance on DNS Lookups in a Security Decision    Secondary
+ Related Attack Patterns
Nature   Type            ID  Name      Description  View(s) this relationship pertains to
ChildOf  Attack Pattern  98  Phishing               Mechanism of Attack (primary) 1000