Threat actors who phish see themselves as businesspeople, even if that business is illegal. They’re always seeking ways to maximize their profits, and with phishing, they know they can do that by better tailoring the email lure to resonate with the intended recipient.

For example, if the fake email is meant to trick an Office 365 user into entering their account details into a fake Microsoft login site, then cybercriminals seeking profit know they’ll have a higher success rate if they only send phishing emails to registered Office 365 users.

Attackers are increasingly narrowing their scope to more precise targets in the hope of scoring bigger profits from a smaller number of victims. Targeted phishing attacks like these limit the prey either to particular groups of people or, in the case of spear-phishing, to specific individuals.

Not only do targeted attacks make it easier to tailor a lure for victims and make it look more authentic and convincing, but they can also home in on higher-value targets. With spear-phishing, attackers can focus on compromising specific business-critical machines or gaining access to higher-value business accounts that will score the criminal a larger payday at the end of the attack.


Case Study: How Targeted Phishing Works

Targeted phishing is particularly favored among sophisticated hacking groups that have the resources and technical wherewithal to carry out more complicated attacks. For example, one such group that BlackBerry has been tracking has established a years-long track record of targeted phishing success through some very advanced techniques and infrastructure.

Dubbed BAHAMUT, this group's history and tradecraft were recently detailed in a comprehensive threat report written by the BlackBerry Research & Intelligence Team. Viewed as a case study on phishing (among many other nefarious techniques), BAHAMUT’s activity demonstrates that the criminals typically lay the groundwork for targeted phishing through the following measures:

Deliberate Reconnaissance Work: Through analysis of the threat actor’s phishing behavior, BlackBerry observed that BAHAMUT was generally in possession of a great deal of detailed information about their targets prior to phishing them. This was clearly the result of a concerted and robust reconnaissance operation prior to the phish.

In one example, when BAHAMUT was targeting Middle Eastern government officials and journalists, the group already knew the targets’ personal email addresses, and usually avoided phishing attempts directed against their corporate or government email accounts.

Convincing Fake Sites: A lot of BAHAMUT's early information gathering was done using a range of painstakingly crafted fake websites. These include fake login sites, but also fake news sites and fake social profiles, used to fashion “a convincing veneer of legitimacy,” serve up malware, and provide back-end infrastructure for phishing campaigns.

For example, BlackBerry observed that BAHAMUT-controlled fake social media profiles are used to build credibility with journalists as well as to engage with targets, directing them to assets that share the same network fingerprint. BlackBerry also identified nearly a dozen “empty” websites that borrowed most of their code from elsewhere on the Internet and did not appear to be used for anything at the time of discovery.

Robust and Dynamic Infrastructure: While monitoring BAHAMUT’s operations over the past year, BlackBerry watched new phishing infrastructure spring up weekly. Just as other researchers previously observed, many of these highly targeted spear-phishing operations lasted anywhere from a few hours to a few months, depending on the domain and success rates. BlackBerry researchers wrote that “this embrace of ever-fleeting infrastructure makes real-time detection all but impossible.”


Preventing Targeted Phishing Attacks

As attackers like the BAHAMUT threat group become ever more sophisticated, it becomes increasingly difficult for everyday users to spot targeted phishing messages and spear-phishing attempts. This means that phishing defense must involve strong partnership and action at both the employee and employer level. As we look ahead to the New Year, vigilance on both fronts will prove no less important than it has in the last.