Spear Phishing Review:
If you took my CompTIA A+ 220-902 course, you remember we discussed spear phishing. As a quick review, phishing is when we have email that looks legitimate, but is really faked. It is typically an attempt to gain our personal information, or to spread malware at the very least. Spear phishing can be much more successful since it will be much more targeted. The emails might look to be from people you know in your organization, or they might already have some information about you so they look even more legitimate.
Spear Phishing in Action:
So how could something like this happen…really! Well let’s examine a recent case of it!
Here we have the true story of Charles Harvey Eccleston, an environmental scientist formerly employed by the Energy Department and the Nuclear Regulatory Commission. For unknown reasons, but enough to really anger him, Eccleston was terminated from the NRC in 2010.
Fast forward to April 2013, when Eccleston offers to provide an unnamed foreign government with more than 5,000 email addresses of all Energy Department employees for $19,000. He indicates that if the foreign government does not take the offer, he will offer the information up to China, Iran or Venezuela. He is of course selling the email addresses so that they may launch spear phishing attacks.
Thankfully the FBI catches wind of this and sets up a sting operation. In January 2015, the FBI has him target more than 80 Energy Department employees in Washington and at four national nuclear labs. The spear phishing emails contain what Eccleston thinks are links to malicious websites. He is led to believe that, if activated, the sites could infect and damage computers. Obviously the FBI ensures that no malicious code ever gets transferred. The FBI pays Eccleston $9,000 for the fake operation and thanks him for the 1,200 email addresses (they already had!).