Computer NetworksCommon Attacks & Defenses

Phishing and Social Engineering

LevelIntermediate

Duration75 mins

TopicCommon Attacks & Defenses

2 / 5

Spear Phishing

The Precision Strike

While mass phishing campaigns cast wide nets hoping to catch unwary victims by sheer volume, spear phishing represents the opposite approach—a precision strike against carefully selected targets with customized attacks. If mass phishing is a drift net, spear phishing is a harpoon aimed at a specific whale.

Spear phishing is responsible for the most damaging security breaches in history. The 2016 Democratic National Committee breach, the $100 million theft from Bangladesh Bank, and countless corporate espionage campaigns all began with a single, well-crafted email to a specific individual. These attacks succeed not through volume, but through meticulous research and perfect timing.

What You Will Learn

By the end of this page, you will understand how attackers research and select targets, craft personalized attacks, and execute spear phishing campaigns. You'll learn the reconnaissance process, personalization techniques, and why these attacks bypass traditional defenses designed to catch mass phishing.

Understanding Spear Phishing: Targeted Precision

Spear phishing is a highly targeted phishing attack directed at specific individuals or organizations. Unlike mass phishing that relies on deception volumes, spear phishing attacks are researched, personalized, and timed for maximum effectiveness.

The defining characteristics of spear phishing include:

Target specificity: Attacks focus on named individuals or specific roles within organizations
Research-based personalization: Content incorporates information specific to the target
Contextual relevance: Messages relate to the target's actual work, interests, or relationships
Quality over quantity: Attackers invest significant effort into individual attacks
Higher success rates: Personalization dramatically increases click-through and compromise rates

Mass Phishing vs. Spear Phishing Comparison
Characteristic	Mass Phishing	Spear Phishing
Target selection	Random or broad demographics	Specific individuals researched
Personalization	Generic or none	Name, role, context-specific
Volume	Thousands to millions	Single to dozens of targets
Effort per target	Minimal	Hours to weeks of research
Success rate	0.1% - 2%	10% - 60%+
Detection by filters	Often caught	Frequently bypasses filters
Attacker skill level	Low to moderate	Moderate to expert
Typical payoff	Credential harvesting, malware distribution	Targeted data theft, wire fraud, strategic access

The Economics of Spear Phishing

Spear phishing's higher effort is offset by dramatically higher success rates and payoffs. A mass phishing campaign might cost $500 to execute with 0.1% success rate. A spear phishing attack might cost $5,000 in effort but achieve 30%+ success against high-value targets. When the target is a wire transfer approval, the ROI can exceed 10,000%.

Target Selection and Reconnaissance

The foundation of spear phishing is reconnaissance—the systematic gathering of information about targets and their organizations. Attackers use open-source intelligence (OSINT) techniques to build comprehensive profiles that enable convincing personalization.

Reconnaissance Methodology

•Organization profiling — Understand the target company's structure, industry, major projects, recent news, mergers/acquisitions, and financial status. Sources: SEC filings, press releases, company websites, industry publications.
•Employee identification — Build organizational charts identifying key roles: executives, finance teams, IT administrators, HR personnel. Sources: LinkedIn, company websites, conference speaker lists.
•Relationship mapping — Understand reporting structures, vendor relationships, client connections, and trusted partners. Sources: Social media connections, vendor announcements, contract databases.
•Individual profiling — Deep research on specific targets: education, career history, personal interests, writing style, recent activities. Sources: Social media, personal blogs, published articles.
•Technical reconnaissance — Identify email formats, technologies in use, security products, and potential vulnerabilities. Sources: job postings, technology vendor announcements, email signature analysis.
•Timing intelligence — Identify optimal attack windows: fiscal year end, major projects, travel schedules, executive absences. Sources: Event calendars, social media check-ins, out-of-office messages.

OSINT Sources for Spear Phishing Reconnaissance
Source	Intelligence Gathered	Attack Value
LinkedIn	Job roles, reporting relationships, career history, connections	Impersonation, pretext development, org chart mapping
Twitter/X	Opinions, interests, real-time activities, writing style	Contextual lures, timing, personality mimicry
Facebook/Instagram	Personal interests, family, travel, hobbies	Emotional manipulation, urgency creation
Company website	Org structure, technology stack, press releases	Technical pretexts, impersonation targets
Job postings	Technologies used, security products, team structure	Technical attack vectors, insider knowledge simulation
SEC filings	Financial data, executive compensation, risk disclosures	Business context, wire fraud targets
Conference materials	Expert topics, presentation styles, industry focus	Professional pretexts, credible impersonation
GitHub/GitLab	Development practices, technology stack, developer emails	Technical pretexts, developer targeting

Thinking Like an Attacker

Understanding reconnaissance helps defenders. Conduct OSINT on your own organization to identify exposed information. What could an attacker learn about your executives, financial processes, or technology stack? This 'red team' perspective reveals what information needs protection.

Pretext Development: Crafting the Narrative

A pretext is the false scenario or cover story that makes a phishing attack believable. In spear phishing, pretexts are carefully developed based on reconnaissance, designed to fit naturally into the target's expected communications.

Effective Pretext Characteristics:

Contextual relevance — Relates to the target's actual work, interests, or relationships
Action justification — Provides a logical reason for the requested action
Authority alignment — Uses appropriate authority level for the request type
Urgency calibration — Creates pressure without appearing suspicious
Trust exploitation — Leverages existing trusted relationships or institutions

Common Spear Phishing Pretexts by Target Role
Target Role	Pretext Theme	Example Scenario	Requested Action
CEO/C-Suite	Board communications	Board member requesting confidential documents	Share sensitive files
CFO/Finance	Urgent wire transfer	CEO requesting emergency vendor payment	Initiate wire transfer
HR Personnel	Employee verification	Background check vendor needing employee data	Send personnel files
IT Administrator	Vendor support	Software vendor needing remote access for patch	Provide credentials/access
Developer	Code review	Open source project maintainer with security fix	Execute code, share access
Sales	Customer inquiry	Potential major client requesting proposal	Open document, share data
Legal	Contract review	Partner firm with urgent contract revision	Open document, share strategy
Executive Assistant	Calendar/access	Executive requesting access on behalf	Share information, grant access

spear-phishing-example.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
/* Example Spear Phishing Email to CFO */
 
From: "Michael Chen" <mchen@acme-partners.net>
        /* Impersonates known investment partner */
To: jennifer.williams@targetcorp.com
Subject: RE: Q4 Closing Documentation - Urgent
 
Hi Jennifer,
 
Following up on our conversation at the industry conference last week.
        /* References real event target attended */
 
As discussed, we need the preliminary Q4 numbers for the due diligence 
process. The board is meeting Friday, and they're pressing for 
the updated projections before the weekend.
        /* Creates urgency with plausible deadline */
 
I've attached the secure document request form. Can you complete 
this today and send the reports to our encrypted portal?
        /* Legitimate-sounding process */
 
The portal link for upload: [Malicious Link Disguised]
        /* Credential harvesting or malware delivery */
 
Thanks again for dinner - looking forward to closing this quarter strong!
        /* Personal touch from reconnaissance */
 
Best,
Michael Chen
Managing Partner, Acme Partners
mchen@acme-partners.net | +1-555-0147
        /* Professional signature mimics real format */
 
/* RED FLAGS (for defenders):
   1. Request for financial data via email
   2. Urgency and deadline pressure
   3. External file upload request
   4. Domain slightly different from real partner */

Attack Personalization Techniques

Personalization transforms generic phishing into believable communications. The more specific details included, the more likely the target accepts the message as legitimate. Attackers use multiple layers of personalization to build credibility.

Identity Personalization

•Full name usage — Correct name, not "Dear Customer"
•Title recognition — Appropriate use of job title
•Relationship reference — Mention shared connections or past interactions
•Writing style mimicry — Match formality level and communication patterns
•Signature matching — Clone real email signatures from previous communications

Contextual Personalization

•Current projects — Reference active initiatives or deals
•Recent events — Mention conferences, announcements, or news
•Business timing — Align with fiscal periods, deadlines, or cycles
•Internal language — Use company-specific terminology or acronyms
•Process knowledge — Reference actual procedures or systems

Advanced Personalization Tactics

•Thread hijacking — Compromise a legitimate account and reply to existing email threads, inheriting complete trust context from the previous conversation.
•Document context — Use screenshots or excerpts from real company documents obtained through previous compromise or public sources to establish credibility.
•Voice matching — Use AI voice cloning to create vishing calls that sound exactly like known executives or colleagues, bypassing voice recognition trust.
•Behavioral timing — Send emails during the target's historically busy periods when careful analysis is less likely, or immediately after related legitimate communications.
•Multi-channel coordination — Coordinate email phishing with LinkedIn messages, phone calls, or SMS to create a complete, believable scenario across multiple touchpoints.

The AI Amplification

Large language models have dramatically increased personalization capability. AI can analyze a target's writing samples and generate emails that match their communication style. It can process reconnaissance data and generate contextually appropriate pretexts at scale. This shifts spear phishing from an artisanal attack to a potentially industrialized one.

Whaling: Executive-Level Spear Phishing

Whaling is spear phishing specifically targeting senior executives—the "big fish" or "whales" of an organization. These attacks represent the highest-stakes phishing operations, combining sophisticated social engineering with significant potential payoffs.

Why Executives Are Prime Targets:

Authority — Executives can authorize high-value transactions and access sensitive information
Visibility — Public presence provides abundant reconnaissance material
Pressure — Busy schedules mean less time for careful message analysis
Trust cascade — Requests from executives are rarely questioned by subordinates
Access — Executives typically have broad system and information access

Whaling Attack Scenarios
Attack Type	Target	Pretext	Typical Damage
CEO Fraud	CFO/Finance	CEO requests urgent wire transfer	$50,000 - $500,000+
Vendor Fraud	Accounts Payable	Vendor requests payment detail update	Multiple payments redirected
M&A Fraud	Executive Team	Board/advisor requests confidential data	Strategic data theft
Tax Fraud	HR/Payroll	CEO requests all W-2s for "audit"	Mass identity theft
Legal Fraud	General Counsel	Regulatory body requests documents	Legal strategy disclosure
Board Fraud	Executive Assistant	Board member requests meeting materials	Governance data theft

Business Email Compromise (BEC)

Whaling is closely related to Business Email Compromise (BEC), which the FBI identifies as the most financially damaging cybercrime. BEC attacks resulted in over $2.7 billion in losses in a single year. These attacks often combine whaling with impersonation of compromised executive accounts for maximum credibility.

Executive Protection Measures

•Out-of-band verification — All sensitive requests verified through separate channel (phone call to known number, in-person confirmation)
•Executive security awareness — Tailored training addressing executive-specific attack patterns and scenarios
•Financial controls — Dual authorization for transfers above thresholds, mandatory cooling-off periods for new payment destinations
•Digital footprint reduction — Limit executive exposure on social media and in public databases
•Executive assistant training — Assistants often receive requests on behalf of executives; they need enhanced awareness
•Email authentication enforcement — Strong DMARC policies prevent domain spoofing of executive addresses

Technical Sophistication in Spear Phishing

Spear phishing attacks often employ advanced technical methods to evade detection and increase effectiveness. These techniques distinguish sophisticated campaigns from basic phishing attempts.

Advanced Evasion Techniques

•Aged domains — Register lookalike domains months before attack, building reputation and avoiding new-domain detection filters
•Legitimate infrastructure — Host malicious content on trusted platforms (cloud storage, document sharing) to bypass URL reputation systems
•Time-delayed payloads — Links initially point to benign content, changed to malicious after email security scanning completes
•Targeted landing pages — Phishing pages that only display malicious content for specific IP ranges or browser fingerprints, showing benign content to researchers
•Encrypted attachments — Password-protected documents bypass content scanning; password provided in email body
•QR codes and image-only emails — Bypass text-based content analysis by embedding malicious URLs in images or QR codes
•Captcha-protected phishing — Add captcha before phishing page to prevent automated security analysis

evasion-technique-example.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
// Example: Time-delayed payload switching
// Initial URL serves benign content for first 30 minutes
// (while email security tools scan)
// Then switches to phishing page
 
// Attacker's server-side logic:
function serveContent(request) {
    const emailSentTime = getEmailTimestamp(request.referrer);
    const currentTime = Date.now();
    const minutesSinceEmail = (currentTime - emailSentTime) / 60000;
    
    // Check for security scanner signatures
    const isSecurityScanner = 
        request.headers['user-agent'].includes('SecurityBot') ||
        request.ip.startsWith('10.') ||  // Common sandbox ranges
        !request.headers['accept-language'];  // Automated tools often skip this
    
    // Serve benign content to scanners or in first 30 minutes
    if (isSecurityScanner || minutesSinceEmail < 30) {
        return serveBenignPage();  // Normal-looking document preview
    }
    
    // After delay and for real users, serve phishing page
    return servePhishingPage();  // Credential harvesting form
}
 
// Defense: Test links periodically after initial scan
// Implement delayed URL re-checking
// Use browser-based URL inspection at click time

Defense-in-Depth Against Evasion

Counter sophisticated evasion with layered defenses: real-time URL inspection at click time (not just delivery time), browser isolation for untrusted links, attachment sandboxing with delayed detonation, and user reporting mechanisms that trigger re-analysis of suspect messages across the organization.

Real-World Spear Phishing Case Studies

Examining real-world spear phishing incidents reveals the techniques in practice and the devastating consequences when attacks succeed.

The Attack: In February 2016, attackers used spear phishing to compromise Bangladesh Bank's network, then submitted fraudulent transfer requests through the SWIFT network.

Reconnaissance: Attackers studied SWIFT transfer procedures, bank operating hours, and staff patterns over months.

The Spear Phish: Initial access came through targeted emails to bank employees containing malicious documents. Once inside, attackers spent weeks mapping the network and understanding procedures.

Execution: Attackers submitted 35 transfer requests totaling $951 million during a weekend when verification would be delayed. $101 million was successfully transferred before detection.

Lesson: Sophisticated spear phishing can enable attacks far larger than the initial phishing payload. Network dwell time amplifies damage.

Summary: Understanding Spear Phishing

Spear phishing represents the precision end of the phishing spectrum. Let's consolidate the key takeaways:

Key Takeaways

•Quality over quantity — Spear phishing trades volume for personalization, achieving dramatically higher success rates against specific targets.
•Reconnaissance is foundational — Attackers invest significant time in OSINT gathering, building profiles that enable convincing personalization and contextual pretexts.
•Pretexts follow context — Effective spear phishing narratives align with the target's actual work, relationships, and current activities.
•Whaling targets authority — Executive-level attacks exploit organizational hierarchy, enabling wire fraud and strategic data theft at massive scale.
•Technical sophistication evades detection — Advanced techniques like time-delayed payloads and captcha-protected pages bypass traditional security tools.
•Real-world impact is severe — Case studies show hundreds of millions in losses from successful spear phishing, affecting even security-focused organizations.

What's next:

Spear phishing is just one application of broader social engineering techniques. The next page examines the psychology and methodology of social engineering—the art of manipulating humans to achieve security objectives. Understanding social engineering explains not just why phishing works, but why humans are often the weakest link in any security system.

Page Complete

You now understand the mechanics of spear phishing: reconnaissance methods, pretext development, personalization techniques, and the advanced technical evasion employed by sophisticated attackers. Next, we'll explore the broader field of social engineering that underlies all human-targeted attacks.

2 / 5

Loading learning content...

Computer NetworksCommon Attacks & Defenses

Phishing and Social Engineering

LevelIntermediate

Duration75 mins

TopicCommon Attacks & Defenses

2 / 5

Spear Phishing

The Precision Strike

What You Will Learn

Understanding Spear Phishing: Targeted Precision

The defining characteristics of spear phishing include:

Target specificity: Attacks focus on named individuals or specific roles within organizations
Research-based personalization: Content incorporates information specific to the target
Contextual relevance: Messages relate to the target's actual work, interests, or relationships
Quality over quantity: Attackers invest significant effort into individual attacks
Higher success rates: Personalization dramatically increases click-through and compromise rates

Mass Phishing vs. Spear Phishing Comparison
Characteristic	Mass Phishing	Spear Phishing
Target selection	Random or broad demographics	Specific individuals researched
Personalization	Generic or none	Name, role, context-specific
Volume	Thousands to millions	Single to dozens of targets
Effort per target	Minimal	Hours to weeks of research
Success rate	0.1% - 2%	10% - 60%+
Detection by filters	Often caught	Frequently bypasses filters
Attacker skill level	Low to moderate	Moderate to expert
Typical payoff	Credential harvesting, malware distribution	Targeted data theft, wire fraud, strategic access

The Economics of Spear Phishing

Target Selection and Reconnaissance

Reconnaissance Methodology

•Organization profiling — Understand the target company's structure, industry, major projects, recent news, mergers/acquisitions, and financial status. Sources: SEC filings, press releases, company websites, industry publications.
•Employee identification — Build organizational charts identifying key roles: executives, finance teams, IT administrators, HR personnel. Sources: LinkedIn, company websites, conference speaker lists.
•Relationship mapping — Understand reporting structures, vendor relationships, client connections, and trusted partners. Sources: Social media connections, vendor announcements, contract databases.
•Individual profiling — Deep research on specific targets: education, career history, personal interests, writing style, recent activities. Sources: Social media, personal blogs, published articles.
•Technical reconnaissance — Identify email formats, technologies in use, security products, and potential vulnerabilities. Sources: job postings, technology vendor announcements, email signature analysis.
•Timing intelligence — Identify optimal attack windows: fiscal year end, major projects, travel schedules, executive absences. Sources: Event calendars, social media check-ins, out-of-office messages.

OSINT Sources for Spear Phishing Reconnaissance
Source	Intelligence Gathered	Attack Value
LinkedIn	Job roles, reporting relationships, career history, connections	Impersonation, pretext development, org chart mapping
Twitter/X	Opinions, interests, real-time activities, writing style	Contextual lures, timing, personality mimicry
Facebook/Instagram	Personal interests, family, travel, hobbies	Emotional manipulation, urgency creation
Company website	Org structure, technology stack, press releases	Technical pretexts, impersonation targets
Job postings	Technologies used, security products, team structure	Technical attack vectors, insider knowledge simulation
SEC filings	Financial data, executive compensation, risk disclosures	Business context, wire fraud targets
Conference materials	Expert topics, presentation styles, industry focus	Professional pretexts, credible impersonation
GitHub/GitLab	Development practices, technology stack, developer emails	Technical pretexts, developer targeting

Thinking Like an Attacker

Pretext Development: Crafting the Narrative

Effective Pretext Characteristics:

Contextual relevance — Relates to the target's actual work, interests, or relationships
Action justification — Provides a logical reason for the requested action
Authority alignment — Uses appropriate authority level for the request type
Urgency calibration — Creates pressure without appearing suspicious
Trust exploitation — Leverages existing trusted relationships or institutions

Common Spear Phishing Pretexts by Target Role
Target Role	Pretext Theme	Example Scenario	Requested Action
CEO/C-Suite	Board communications	Board member requesting confidential documents	Share sensitive files
CFO/Finance	Urgent wire transfer	CEO requesting emergency vendor payment	Initiate wire transfer
HR Personnel	Employee verification	Background check vendor needing employee data	Send personnel files
IT Administrator	Vendor support	Software vendor needing remote access for patch	Provide credentials/access
Developer	Code review	Open source project maintainer with security fix	Execute code, share access
Sales	Customer inquiry	Potential major client requesting proposal	Open document, share data
Legal	Contract review	Partner firm with urgent contract revision	Open document, share strategy
Executive Assistant	Calendar/access	Executive requesting access on behalf	Share information, grant access

spear-phishing-example.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
/* Example Spear Phishing Email to CFO */
 
From: "Michael Chen" <mchen@acme-partners.net>
        /* Impersonates known investment partner */
To: jennifer.williams@targetcorp.com
Subject: RE: Q4 Closing Documentation - Urgent
 
Hi Jennifer,
 
Following up on our conversation at the industry conference last week.
        /* References real event target attended */
 
As discussed, we need the preliminary Q4 numbers for the due diligence 
process. The board is meeting Friday, and they're pressing for 
the updated projections before the weekend.
        /* Creates urgency with plausible deadline */
 
I've attached the secure document request form. Can you complete 
this today and send the reports to our encrypted portal?
        /* Legitimate-sounding process */
 
The portal link for upload: [Malicious Link Disguised]
        /* Credential harvesting or malware delivery */
 
Thanks again for dinner - looking forward to closing this quarter strong!
        /* Personal touch from reconnaissance */
 
Best,
Michael Chen
Managing Partner, Acme Partners
mchen@acme-partners.net | +1-555-0147
        /* Professional signature mimics real format */
 
/* RED FLAGS (for defenders):
   1. Request for financial data via email
   2. Urgency and deadline pressure
   3. External file upload request
   4. Domain slightly different from real partner */

Attack Personalization Techniques

Identity Personalization

•Full name usage — Correct name, not "Dear Customer"
•Title recognition — Appropriate use of job title
•Relationship reference — Mention shared connections or past interactions
•Writing style mimicry — Match formality level and communication patterns
•Signature matching — Clone real email signatures from previous communications

Contextual Personalization

•Current projects — Reference active initiatives or deals
•Recent events — Mention conferences, announcements, or news
•Business timing — Align with fiscal periods, deadlines, or cycles
•Internal language — Use company-specific terminology or acronyms
•Process knowledge — Reference actual procedures or systems

Advanced Personalization Tactics

•Thread hijacking — Compromise a legitimate account and reply to existing email threads, inheriting complete trust context from the previous conversation.
•Document context — Use screenshots or excerpts from real company documents obtained through previous compromise or public sources to establish credibility.
•Voice matching — Use AI voice cloning to create vishing calls that sound exactly like known executives or colleagues, bypassing voice recognition trust.
•Behavioral timing — Send emails during the target's historically busy periods when careful analysis is less likely, or immediately after related legitimate communications.
•Multi-channel coordination — Coordinate email phishing with LinkedIn messages, phone calls, or SMS to create a complete, believable scenario across multiple touchpoints.

The AI Amplification

Whaling: Executive-Level Spear Phishing

Why Executives Are Prime Targets:

Authority — Executives can authorize high-value transactions and access sensitive information
Visibility — Public presence provides abundant reconnaissance material
Pressure — Busy schedules mean less time for careful message analysis
Trust cascade — Requests from executives are rarely questioned by subordinates
Access — Executives typically have broad system and information access

Whaling Attack Scenarios
Attack Type	Target	Pretext	Typical Damage
CEO Fraud	CFO/Finance	CEO requests urgent wire transfer	$50,000 - $500,000+
Vendor Fraud	Accounts Payable	Vendor requests payment detail update	Multiple payments redirected
M&A Fraud	Executive Team	Board/advisor requests confidential data	Strategic data theft
Tax Fraud	HR/Payroll	CEO requests all W-2s for "audit"	Mass identity theft
Legal Fraud	General Counsel	Regulatory body requests documents	Legal strategy disclosure
Board Fraud	Executive Assistant	Board member requests meeting materials	Governance data theft

Business Email Compromise (BEC)

Executive Protection Measures

•Out-of-band verification — All sensitive requests verified through separate channel (phone call to known number, in-person confirmation)
•Executive security awareness — Tailored training addressing executive-specific attack patterns and scenarios
•Financial controls — Dual authorization for transfers above thresholds, mandatory cooling-off periods for new payment destinations
•Digital footprint reduction — Limit executive exposure on social media and in public databases
•Executive assistant training — Assistants often receive requests on behalf of executives; they need enhanced awareness
•Email authentication enforcement — Strong DMARC policies prevent domain spoofing of executive addresses

Technical Sophistication in Spear Phishing

Spear phishing attacks often employ advanced technical methods to evade detection and increase effectiveness. These techniques distinguish sophisticated campaigns from basic phishing attempts.

Advanced Evasion Techniques

•Aged domains — Register lookalike domains months before attack, building reputation and avoiding new-domain detection filters
•Legitimate infrastructure — Host malicious content on trusted platforms (cloud storage, document sharing) to bypass URL reputation systems
•Time-delayed payloads — Links initially point to benign content, changed to malicious after email security scanning completes
•Targeted landing pages — Phishing pages that only display malicious content for specific IP ranges or browser fingerprints, showing benign content to researchers
•Encrypted attachments — Password-protected documents bypass content scanning; password provided in email body
•QR codes and image-only emails — Bypass text-based content analysis by embedding malicious URLs in images or QR codes
•Captcha-protected phishing — Add captcha before phishing page to prevent automated security analysis

evasion-technique-example.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
// Example: Time-delayed payload switching
// Initial URL serves benign content for first 30 minutes
// (while email security tools scan)
// Then switches to phishing page
 
// Attacker's server-side logic:
function serveContent(request) {
    const emailSentTime = getEmailTimestamp(request.referrer);
    const currentTime = Date.now();
    const minutesSinceEmail = (currentTime - emailSentTime) / 60000;
    
    // Check for security scanner signatures
    const isSecurityScanner = 
        request.headers['user-agent'].includes('SecurityBot') ||
        request.ip.startsWith('10.') ||  // Common sandbox ranges
        !request.headers['accept-language'];  // Automated tools often skip this
    
    // Serve benign content to scanners or in first 30 minutes
    if (isSecurityScanner || minutesSinceEmail < 30) {
        return serveBenignPage();  // Normal-looking document preview
    }
    
    // After delay and for real users, serve phishing page
    return servePhishingPage();  // Credential harvesting form
}
 
// Defense: Test links periodically after initial scan
// Implement delayed URL re-checking
// Use browser-based URL inspection at click time

Defense-in-Depth Against Evasion

Real-World Spear Phishing Case Studies

Examining real-world spear phishing incidents reveals the techniques in practice and the devastating consequences when attacks succeed.

The Attack: In February 2016, attackers used spear phishing to compromise Bangladesh Bank's network, then submitted fraudulent transfer requests through the SWIFT network.

Reconnaissance: Attackers studied SWIFT transfer procedures, bank operating hours, and staff patterns over months.

The Spear Phish: Initial access came through targeted emails to bank employees containing malicious documents. Once inside, attackers spent weeks mapping the network and understanding procedures.

Execution: Attackers submitted 35 transfer requests totaling $951 million during a weekend when verification would be delayed. $101 million was successfully transferred before detection.

Lesson: Sophisticated spear phishing can enable attacks far larger than the initial phishing payload. Network dwell time amplifies damage.

Summary: Understanding Spear Phishing

Spear phishing represents the precision end of the phishing spectrum. Let's consolidate the key takeaways:

Key Takeaways

•Quality over quantity — Spear phishing trades volume for personalization, achieving dramatically higher success rates against specific targets.
•Reconnaissance is foundational — Attackers invest significant time in OSINT gathering, building profiles that enable convincing personalization and contextual pretexts.
•Pretexts follow context — Effective spear phishing narratives align with the target's actual work, relationships, and current activities.
•Whaling targets authority — Executive-level attacks exploit organizational hierarchy, enabling wire fraud and strategic data theft at massive scale.
•Technical sophistication evades detection — Advanced techniques like time-delayed payloads and captcha-protected pages bypass traditional security tools.
•Real-world impact is severe — Case studies show hundreds of millions in losses from successful spear phishing, affecting even security-focused organizations.

What's next:

Page Complete

2 / 5