CAPEC-163: Spear Phishing
An adversary targets a specific user or group with a Phishing (CAPEC-98) attack tailored to a category of users in order to have maximum relevance and deceptive capability. Spear Phishing is an enhanced version of the Phishing attack targeted to a specific user or group. The quality of the targeted email is usually enhanced by appearing to come from a known or trusted entity. If the email account of some trusted entity has been compromised the message may be digitally signed. The message will contain information specific to the targeted users that will enhance the probability that they will follow the URL to the compromised site. For example, the message may indicate knowledge of the targets employment, residence, interests, or other information that suggests familiarity. As soon as the user follows the instructions in the message, the attack proceeds as a standard Phishing attack.
Last updated
Overview
CAPEC-163 (Spear Phishing) is a detailed-level attack pattern catalogued by MITRE in the Common Attack Pattern Enumeration and Classification (CAPEC). It describes a recurring method attackers use to exploit software weaknesses.
How the attack works
The phases an attacker typically follows to carry out this attack.
- Step 1Explore
[Obtain useful contextual detailed information about the targeted user or organization] An adversary collects useful contextual detailed information about the targeted user or organization in order to craft a more deceptive and enticing message to lure the target into responding.
- Conduct web searching research of target. See also: CAPEC-118.
- Identify trusted associates, colleagues and friends of target. See also: CAPEC-118.
- Utilize social engineering attack patterns such as Pretexting. See also: CAPEC-407.
- Collect social information via dumpster diving. See also: CAPEC-406.
- Collect social information via traditional sources. See also: CAPEC-118.
- Collect social information via Non-traditional sources. See also: CAPEC-118.
- Step 2Experiment
[Optional: Obtain domain name and certificate to spoof legitimate site] This optional step can be used to help the adversary impersonate the legitimate site more convincingly. The adversary can use homograph attacks to convince users that they are using the legitimate website. Note that this step is not required for phishing attacks, and many phishing attacks simply supply URLs containing an IP address and no SSL certificate.
- Optionally obtain a domain name that visually looks similar to the legitimate site's domain name. An example is www.paypaI.com vs. www.paypal.com (the first one contains a capital i, instead of a lower case L).
- Optionally obtain a legitimate SSL certificate for the new domain name.
- Step 3Experiment
[Optional: Explore legitimate website and create duplicate] An adversary creates a website (optionally at a URL that looks similar to the original URL) that closely resembles the website that they are trying to impersonate. That website will typically have a login form for the victim to put in their authentication credentials. There can be different variations on a theme here.
- Use spidering software to get copy of web pages on legitimate site.
- Manually save copies of required web pages from legitimate site.
- Create new web pages that have the legitimate site's look at feel, but contain completely new content.
- Step 4Experiment
[Optional: Build variants of the website with very specific user information e.g., living area, etc.] Once the adversary has their website which duplicates a legitimate website, they need to build very custom user related information in it. For example, they could create multiple variants of the website which would target different living area users by providing information such as local news, local weather, etc. so that the user believes this is a new feature from the website.
- Integrate localized information in the web pages created to duplicate the original website. Those localized information could be dynamically generated based on unique key or IP address of the future victim.
- Step 5Exploit
[Convince user to enter sensitive information on adversary's site.] An adversary sends a message (typically an e-mail) to the victim that has some sort of a call to action to get the user to click on the link included in the e-mail (which takes the victim to adversary's website) and log in. The key is to get the victim to believe that the message is coming from a legitimate entity trusted by the victim or with which the victim or does business and that the website pointed to by the URL in the e-mail is the legitimate website. A call to action will usually need to sound legitimate and urgent enough to prompt action from the user.
- Send the user a message from a spoofed legitimate-looking e-mail address that asks the user to click on the included link.
- Place phishing link in post to online forum.
- Step 6Exploit
[Use stolen credentials to log into legitimate site] Once the adversary captures some sensitive information through phishing (login credentials, credit card information, etc.) the adversary can leverage this information. For instance, the adversary can use the victim's login credentials to log into their bank account and transfer money to an account of their choice.
- Log in to the legitimate site using another user's supplied credentials.
What the attacker needs
Prerequisites
- None. Any user can be targeted by a Spear Phishing attack.
Skills required
- Medium skill: Spear phishing attacks require specific knowledge of the victims being targeted, such as which bank is being used by the victims, or websites they commonly log into (Google, Facebook, etc).
Resources required
- An adversay must have the ability communicate their phishing scheme to the victims (via email, instance message, etc.), as well as a website or other platform for victims to enter personal information into.
Consequences
What a successful CAPEC-163 attack can achieve.
Read Data
Affects: Confidentiality
Information Leakage
Gain Privileges
Affects: Accountability, Authentication, Authorization, Non-Repudiation
Privilege Escalation
Modify Data
Affects: Integrity
Data Modification
How to mitigate it
Defenses that reduce the risk of CAPEC-163.
- Do not follow any links that you receive within your e-mails and certainly do not input any login credentials on the page that they take you too. Instead, call your Bank, PayPal, eBay, etc., and inquire about the problem. A safe practice would also be to type the URL of your bank in the browser directly and only then log in. Also, never reply to any e-mails that ask you to provide sensitive information of any kind.
Examples
The target gets an official looking e-mail from their bank stating that their account has been temporarily locked due to suspected unauthorized activity that happened in a different area from where they live (details might be provided by the spear phishers) and that they need to click on the link included in the e-mail to log in to their bank account in order to unlock it. The link in the e-mail looks very similar to that of their bank and once the link is clicked, the log in page is the exact replica. The target supplies their login credentials after which they are notified that their account has now been unlocked and that everything is fine. An adversary has just collected the target's online banking information which can now be used by them to log into the target's bank account and transfer money to a bank account of the adversary's choice.
An adversary can leverage a weakness in the SMB protocol by sending the target, an official looking e-mail from their employer's IT Department stating that their system has vulnerable software, which they need to manually patch by accessing an updated version of the software by clicking on a provided link to a network share. Once the link is clicked, the target is directed to an external server controlled by the adversary or to a malicious file on a public access share. The SMB protocol will then attempt to authenticate the target to the adversary controlled server, which allows the adversary to capture the hashed credentials over SMB. These credentials can then be used to execute offline brute force attacks or a "Pass The Hash" attack.
Terminology & mappings
Mapped taxonomies
- ATTACK: Internal Spearfishing (1534)
- ATTACK: Phishing: Spearfishing Attachment (1566.001)
- ATTACK: Phishing: Spearfishing Link (1566.002)
- ATTACK: Phishing: Spearfishing via Service (1566.003)
- ATTACK: Phishing for Information: Spearfishing Service (1598.001)
- ATTACK: Phishing for Information: Spearfishing Attachment (1598.002)
- ATTACK: Phishing for Information: Spearfishing Link (1598.003)
Frequently asked questions
Common questions about CAPEC-163.
- What is CAPEC-163?
- An adversary targets a specific user or group with a Phishing (CAPEC-98) attack tailored to a category of users in order to have maximum relevance and deceptive capability. Spear Phishing is an enhanced version of the Phishing attack targeted to a specific user or group. The quality of the targeted email is usually enhanced by appearing to come from a known or trusted entity. If the email account of some trusted entity has been compromised the message may be digitally signed. The message will contain information specific to the targeted users that will enhance the probability that they will follow the URL to the compromised site. For example, the message may indicate knowledge of the targets employment, residence, interests, or other information that suggests familiarity. As soon as the user follows the instructions in the message, the attack proceeds as a standard Phishing attack.
- How does a Spear Phishing attack work?
- It typically unfolds over 6 phases. It begins with: [Obtain useful contextual detailed information about the targeted user or organization] An adversary collects useful contextual detailed information about the targeted user or organization in order to craft a more deceptive and enticing message to lure the target into responding.
- How do you prevent CAPEC-163?
- Do not follow any links that you receive within your e-mails and certainly do not input any login credentials on the page that they take you too. Instead, call your Bank, PayPal, eBay, etc., and inquire about the problem. A safe practice would also be to type the URL of your bank in the browser directly and only then log in. Also, never reply to any e-mails that ask you to provide sensitive information of any kind.
- What weaknesses does CAPEC-163 target?
- CAPEC-163 exploits 1 CWE weakness, including CWE-451 (User Interface (UI) Misrepresentation of Critical Information).
- How severe is CAPEC-163?
- MITRE rates CAPEC-163 as High severity with high likelihood of attack.
References
Attack-pattern data is sourced from the MITRE CAPEC catalog (v3.9). Weakness associations link to the corresponding CWE entries on RadicalNotion.AI.
Defend against CAPEC-163
Track the CVEs and weaknesses attackers exploit with this technique, with AI-written analysis and remediation guidance.