According to a recent survey, 75% of security professionals cite social engineering and phishing attacks as the top threat to their organizations. The combination of increasingly public personal data, more sophisticated data collection techniques, and the latest AI tools and micro-targeting marketing techniques has given rise to spear phishing at scale. Predicted a few years ago under the Phishing 2.0 moniker, these attacks are now a key topic of discussion because every element they require is now a reality. This post — #4 in our series on social engineering prevention — focuses on how attackers use technology to automate spear phishing campaigns and deliver them at massive scale.
As demonstrated in the prior post, where we shared some of the most common social engineering examples built from a target’s LinkedIn profile attributes, the messages targets receive are fairly simple in nature. They are highly effective, though, because attackers use micro-targeting tactics to deliver the right message, to the right person, at the right time, with exactly the right context to prompt a response. If that sounds like tedious work requiring one or more attackers to trawl through platforms like LinkedIn to spot these opportune moments, it isn’t. Delivering the right message, to the right person, at the right time is exactly what today’s marketing tools and platforms are designed to do — automated and at scale. And attackers have the same access to these tools and platforms as marketers do, and use them to drive spear phishing attacks at scale.
In fact, since cybercriminal organizations operate much like legitimate businesses, it helps to think of social engineering as the marketing arm of the business: phishing equates to mass email/text marketing, and spear phishing is more like Account Based Marketing (ABM). The tools, tactics and strategies are basically identical to a legitimate marketing approach, with a couple of key differences. The most obvious is that attackers run illegitimate operations for nefarious purposes. The second is that while legitimate companies and marketers must adhere to data privacy and compliance regulations, cybercriminals are bound by neither rules nor ethics, which means any and all data they can find is on the table for weaponization. Publicly available data is the easiest to harvest and comes with the lowest acquisition cost, so naturally that is where attackers start. Note that a database does not have to be free to be publicly available: while attackers likely prefer free sources, they can, and do, use paid, legitimate business services to launch their attacks.
As in the previous post, we use LinkedIn as a prime example because it offers everything an attacker would need. With more than 750 million professionals in over 200 countries, including 40 million decision-makers, 61 million senior-level influencers, and 10.7 million opinion leaders, LinkedIn has the largest global community of professionals. To an attacker, the platform is essentially a giant barrel packed with phish. From user-provided data to data inferred from a member’s connections, interests and digital behaviors, the average social media profile serves up a wealth of information attackers use to micro-target prospective victims. Job titles, industry, skill sets, interests, business pain points, and connections are all valuable pieces of information, harvested with any number of tools, that go into crafting highly personalized, convincing, and contextually relevant messages for spear phishing attacks on a massive scale.
When it comes to scaling their attacks, attackers walk a fine line between stealth and volume until they find the sweet spot between maximum conversion and minimum risk: the balance between conversion rates, ROI, and, most importantly, not triggering red flags such as a surge of spam reports, high bounce rates, or alerts from phishing and malware detection solutions. They may run smaller campaigns, A/B test content and subject lines, track and measure KPIs, refine, and repeat. Once they find the right balance, it is easy to automate and scale the operation with simple scripts covering the entire process, from harvesting the data, to analyzing it to select profiles, to sending customized email. Add in new tools like ChatGPT from OpenAI that can write emails, content, and code, and cybercriminal organizations have even greater capacity to increase the volume and velocity of their attacks.
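The defender’s view of this workflow is worth making concrete. The Python below is an added example, not code from the original post or from any vendor: it takes a handful of constructed inbound messages (hypothetical recipients, titles, companies and a reserved .invalid URL), masks the profile attributes an attacker would have harvested from LinkedIn (name, job title, employer) plus any URL, and groups the messages by the template that remains. The recipient directory, the message samples and the three-recipient threshold are all assumptions for illustration.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample data (hypothetical, for this example only). The first
# three messages are one lure template filled in from LinkedIn-style profile
# attributes (first name, new job title, employer); the fourth is an unrelated
# internal notice that should not cluster with them.
MESSAGES = [
    {"to": "alice@example.com", "subject": "Congrats on the new role, Alice",
     "body": ("Hi Alice, I saw you recently became Head of Payroll at Example Corp. "
              "I work with finance leaders on vendor cost reviews. Could you take a "
              "quick look at this proposal? https://proposal.example.invalid/a1")},
    {"to": "bob@example.com", "subject": "Congrats on the new role, Bob",
     "body": ("Hi Bob, I saw you recently became VP Finance at Acme Widgets. "
              "I work with finance leaders on vendor cost reviews. Could you take a "
              "quick look at this proposal? https://proposal.example.invalid/b7")},
    {"to": "carol@example.com", "subject": "Congrats on the new role, Carol",
     "body": ("Hi Carol, I saw you recently became Controller at Northwind Traders. "
              "I work with finance leaders on vendor cost reviews. Could you take a "
              "quick look at this proposal? https://proposal.example.invalid/c3")},
    {"to": "dave@example.com", "subject": "Quarterly password rotation",
     "body": ("Hi Dave, a reminder that the quarterly password rotation is due "
              "Friday. Use the internal portal as usual.")},
]

# What the defender already knows about its own people (e.g. from the HR
# directory); the attacker learned the same attributes from public profiles.
DIRECTORY = {
    "alice@example.com": {"name": "Alice Chen", "title": "Head of Payroll", "company": "Example Corp"},
    "bob@example.com": {"name": "Bob Okafor", "title": "VP Finance", "company": "Acme Widgets"},
    "carol@example.com": {"name": "Carol Diaz", "title": "Controller", "company": "Northwind Traders"},
    "dave@example.com": {"name": "Dave Lee", "title": "Analyst", "company": "Example Corp"},
}

URL_RE = re.compile(r"https?://\S+")


def template_skeleton(message, profile):
    """Replace the recipient-specific attributes the attacker harvested with
    fixed placeholders, so messages built from the same template collapse to
    the same string regardless of whom they were sent to."""
    text = f"{message['subject']} {message['body']}"
    text = URL_RE.sub("<URL>", text)
    full_name = profile["name"]
    first_name = full_name.split()[0]
    # Longest values first so the full name is masked before the first name.
    for value, placeholder in sorted(
        [(full_name, "<NAME>"), (first_name, "<NAME>"),
         (profile["title"], "<TITLE>"), (profile["company"], "<COMPANY>")],
        key=lambda pair: -len(pair[0]),
    ):
        text = re.sub(rf"\b{re.escape(value)}\b", placeholder, text, flags=re.IGNORECASE)
    return re.sub(r"\s+", " ", text).strip().lower()


def skeleton_id(skeleton):
    """Short, stable fingerprint for a template skeleton."""
    return hashlib.sha256(skeleton.encode()).hexdigest()[:12]


def cluster_by_template(messages, directory):
    """Group messages by template fingerprint -> sorted list of recipients."""
    clusters = defaultdict(set)
    for message in messages:
        profile = directory[message["to"]]
        clusters[skeleton_id(template_skeleton(message, profile))].add(message["to"])
    return {fp: sorted(rcpts) for fp, rcpts in clusters.items()}


def flag_campaigns(messages, directory, min_recipients=3):
    """Return the templates that reached at least min_recipients distinct
    people: personalized on the surface, identical underneath."""
    return {fp: rcpts for fp, rcpts in cluster_by_template(messages, directory).items()
            if len(rcpts) >= min_recipients}


if __name__ == "__main__":
    for fp, rcpts in flag_campaigns(MESSAGES, DIRECTORY).items():
        print(f"template {fp} sent to {len(rcpts)} recipients: {', '.join(rcpts)}")
```

The point the output makes is that messages that each look hand-written to their recipient collapse to a single template fingerprint once the personalization is stripped, and that fingerprint is exactly what a campaign run at scale cannot avoid leaving behind. In practice the same skeletons would be computed over a mail gateway’s journal or quarantine feed and compared across the whole organization rather than over four messages, and the masked attribute list would be extended to whatever else the directory knows (location, manager, recent internal moves).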
As next-generation technologies continue to evolve, it is crucial to recognize that cybercriminals use those same tools to grow their business: increasing the efficiency and effectiveness of their operations, decreasing costs, growing revenue, and so on. Publicly available data makes spear phishing at scale that much easier to launch, and because attackers ignore the data privacy and compliance regulations that bind legitimate organizations, no organization can rely solely on technology to protect itself.