zveloBLOG™ - alerts, discussions, studies, articles, white papers about the latest malware, spam, phishing scams, and other Web threats researched or detected by zveloLABS™.


  • Home
    Home This is where you can find all the blog posts throughout the site.
  • Categories
    Categories Displays a list of categories from this blog.
  • Tags
    Tags Displays a list of tags that has been used in the blog.
  • Bloggers
    Bloggers Search for your favorite blogger from this site.
Posted by on in Spear Phishing
  • Font size: Larger Smaller
  • Hits: 18028

Spear Phishing Attacks: a Real-World Example

Spear phishing attacks aimed at popular email service vendors and large companies have been abundant as of late. Google blogged1 about its recent Gmail incident, in which a spear phishing campaign selectively targeted senior U.S. government officials, Chinese political activists, officials in several Asian countries, military personnel and journalists. Yahoo! Mail and Windows Live Hotmail reported2 similar spear phishing attempts against their users, which were intended to serve up malicious code or steal email account passwords. The security breaches of RSA3 were also traced to a successful series of spear phishing activities.


Spear phishing is the practice of using fraudulent emails to lure unsuspecting users to fake websites in an attempt to gain unauthorized access to their personal information, communications and other online activities, and/or their computers. Unlike traditional spam, spear phishing is by no means random – it is a highly-targeted operation. In spear phishing emails the sender impersonates a friend or colleague of potential victims in order to trick them into opening malware-ridden files or into visiting malicious websites.

Spear phishing has a high success rate largely because of the vast amounts of personal data readily available online and in social networking communities. Traditional forms of phishing have resulted in a modest five-percent success rate, whereas spear phishing achieves a much higher rate of nineteen-percent4. It is difficult to defend against these types of threats because the vulnerabilities are not technology-based but rather a result of user error instead.

To provide detailed insight into how spear phishing attacks are deployed, zvelo staged itself as a hypothetical target. Hackers must first harvest as much information about zvelo as is available online.  After a little snooping and some hacker know-how, numerous email addresses of key personnel within zvelo were obtained:


Spear Phishing - a Real World Example - illustration 01: Valid e-mail addresses harvested
Illustration 01: Valid e-mail addresses harvested


As depicted in illustration 1, email addresses were pulled for zvelo's Web Media Manager (acarrillojr) and CEO (jfinn), which function as perfect starting points. The hacker must next decide who to target (we will use myself as a victim). A simple Google search for Miguel Gomez reveals a non-zvelo email address found on an academic website. With a personal Gmail address in-hand the phisher then drafts a clever and fictitious email to attempt to trick the victim.

Several tools exist that allow malicious users to devise and transmit fraudulent emails within a matter of minutes. Illustration 2 is an example of a fake spear phishing email.


Spear Phishing - a Real World Example - illustration 02: Victim's e-mail address
Illustration 02: Victim's e-mail address


Spear Phishing - a Real World Example - illustration 03: Fake e-mail message
Illustration 03: Fake e-mail message


By itself, the email is harmless. The real damage occurs when an attached file is opened or after a link is launched. As shown in illustration 3, the email message is not your run-of-the-mill spam. The sender appears to be Armando, a legitimate zvelo employee. The email subject and body are representative of the tasks typically associated with the would-be victim. In this case, the email pertains to a “report” supposedly sent from the company CEO to be used as possible subject matter for a new zveloBLOG™.

From this point the malicious sender can either lure the email recipient to a website where their credentials can be stolen or where a known vulnerability can be exploited in order to gain access to the victim's system. Considering how common it is for corporate users to check personal messages at work, this is a popular approach. As shown in illustration 4, the perpetrator utilized a key logger to capture my password. After a password is obtained other possibilities arise, including but not limited to the installation of backdoors, screen-capturing the desktop environment and activating web cameras and built-in microphones.


Spear Phishing - a Real World Example - illustration 04: Compromised system
Illustration 04: Compromised system


The best defense against spear phishing attacks for most organizations is awareness and education. Training users to be cautious and skeptical about unsolicited emails should counter the majority of these threats. The information systems used by organizations should also be kept up-to-date to prevent the risk of compromise through known attack vectors.


1.    Eric Grosse, Engineering Director, Google Security Team.  (June 01, 2011).  Ensuring your information is safe online.  The Official Google Blog.  Retrieved June 09, 2011 from http://googleblog.blogspot.com/2011/06/ensuring-your-information-is-safe.html.

2.    Robert McMillan.  (June 03, 2011).  Hotmail and Yahoo users also victims of targeted attacks.  ComputerWorld.com.  Retrieved June 09, 2011 from http://www.computerworld.com/s/article/9217278/Hotmail_and_Yahoo_users_also_victims_of_targeted_attacks.

3.    Robert Westervelt, News Director.  (April 04, 2011).  RSA SecurID breach began with spear phishing attack.   SearchSecurity.com.  Retrieved June 08, 2011 from http://searchsecurity.techtarget.com/news/1529523/RSA-SecurID-breach-began-with-spear-phishing-attack.

4.    Unknown Author.  (n.d.).  Ready for some spear phishing.  SearchSecurityChannel.com.  Retrieved on June 08, 2011 from http://searchsecuritychannel.techtarget.com/feature/Ready-for-some-spear-phishing.

Rate this blog entry:
Trackback URL for this blog entry.
  • West Nile virus symptoms

    Posted by Hurricane Isaac on 24 Aug 2012
    Hurricane ...
  • education.com

    Posted by education articles on 23 Aug 2012
    education city ...
  • rotc colleges

    Posted by online college on 22 Aug 2012
    belhaven college ...
  • business pages

    Posted by business development on 21 Aug 2012
    grants for business ...
  • online education

    Posted by education information on 20 Aug 2012
    education definition ...
  • Thomasena Edster

    Posted by Robyn Fickling on 10 Aug 2012
    Marshall Heiny ...
  • gucci sunglasses

    Posted by gucci sunglasses on 01 Aug 2012
    There are a lot of blogs and articles out there on this topic, but you have captured another side of the subject. This is good content thank you for sharing it. ...

Miguel Alberto Gomez is a contributing writer to zveloBLOG and is an instructor and researcher with the College of Computer Studies at the De La Salle University, Manila, Philippines.


  • No comments made yet. Be the first to submit a comment

Leave your comment

Guest 18 Apr 2014