What is spearfishing? ‘Spearfishing is an ancient method of fishing that has been used throughout the world for a long time. Early civilizations were familiar with the custom of spearing fish from rivers and streams using sharpened sticks’ (citation from Wikipedia: http://en.wikipedia.org/wiki/Spearfishing). Actually, that does not tell us a lot, but the principle is clear: you take a spear and try to catch one fish out of the swarm passing by. It is one single hit, aimed at an individual target, although it could just as well hit one of the others roaming around. You have to know how these fish swim and how they react to someone standing in the water next to them, and it does not matter which one of them you hit as long as it is the species of fish you want to catch and not a crab or your foot. How do we translate that into cyberspace, as the act of hacking/ cracking that it is?
The fisher is someone who has an interest in gaining access to certain computer systems. It does not matter whether he wants to make money out of it or belongs to groups like LulzSec, Anonymous or the recently merged organization AntiSec. The issue remains the same.
The virtual spear in that case is most probably an email with a forged sender address and content which tricks the recipient into opening an attached document or visiting a certain website. Both routes lead to the infection of the computer used, which opens a (back) door for the fisher.
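The forged sender address is the part of the spear a mail gateway can actually inspect. The following is an added example (not code from the original post) of the defensive checks a receiving side can run on a message: it parses a constructed sample message and flags a display name that claims the organisation while the address domain is foreign, a mismatch between the envelope sender and the From domain, a lookalike domain, and a weak authentication result. The organisation domain `example.com` and the header values are assumptions made up for the example.

```python
import email
from email.utils import parseaddr

# Constructed sample (not from the original post): the From header poses as an
# internal HR mailbox, but the envelope sender and the gateway's
# Authentication-Results header tell a different story.
SAMPLE_SPEAR = """\
Return-Path: <bounce@mail-examp1e.com>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-examp1e.com; dkim=none
From: "HR Department (example.com)" <hr.department@examp1e-corp.com>
To: alice@example.com
Subject: Updated salary sheet - please review attached

Please open the attached document and confirm.
"""

ORG_DOMAIN = "example.com"  # assumption: the organisation's own mail domain
_HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})


def lookalike(candidate: str, org_domain: str) -> bool:
    """True if candidate resembles org_domain after common digit-for-letter
    swaps and hyphenated decorations (examp1e-corp.com, mail-examp1e.com)."""
    label = candidate.split(".")[0].translate(_HOMOGLYPHS)
    return org_domain.split(".")[0] in label.split("-")


def analyze_sender(raw_message: str, org_domain: str = ORG_DOMAIN) -> list:
    """Return the reasons a message looks like a spoofed internal sender.
    Defensive heuristics only, not a full anti-phishing engine."""
    msg = email.message_from_string(raw_message)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    from_dom = addr.rpartition("@")[2].lower()
    env_dom = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    if org_domain in display.lower() and from_dom != org_domain:
        findings.append("display name claims org but address domain is " + from_dom)
    if env_dom and env_dom != from_dom:
        findings.append("envelope domain %s differs from From domain %s" % (env_dom, from_dom))
    if from_dom != org_domain and lookalike(from_dom, org_domain):
        findings.append("lookalike domain: " + from_dom)
    auth = msg.get("Authentication-Results", "").lower()
    if "spf=fail" in auth or "dkim=none" in auth:
        findings.append("gateway authentication weak: " + auth)
    return findings


if __name__ == "__main__":
    for reason in analyze_sender(SAMPLE_SPEAR):
        print("FLAG:", reason)
```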
The swarm of fish is the target group. That can be a certain group of employees in a company or government agency (e.g. Human Resources) or all employees per se. At that point I would like to mention that spearfishing – as an act of hacking/ cracking – is not very different from social engineering. Social engineering is a bit broader because it might also involve non-virtual, physical actions, while the articles about spearfishing in that context are limited to virtual means.
The swarm can be studied in several ways. The easiest, of course, is an inside study. Meaning: there has been a security breach before and the attackers got hold of certain patterns of communication, e.g. the design of corporate documents, signatures, the way communication works in general. Of course, that is a lucky case. Normally, the ‘swarm’ has to be studied from outside. The outside approach can involve, but is not limited to: search engine lookups, forged inquiries and particularly stalking on social networks. All these things are open intelligence sources and no criminal act or harm is done so far. Sun Tzu already said: ‘Know your enemy and know yourself and in a hundred battles you will never be in peril’ (Sun Tzu, The Art of War). Compiling information about a potential target is okay as long as you do not say what you are going to do with this information. Just curiosity, no malicious intent.
The interesting point here is the information that can be obtained via social networks such as Facebook. Not a lot of people adjust their privacy settings well, and even so, just try creating a forged profile which states that you work in the same company as your targets and hope the company is big enough that no one would notice that the profile is not related to a real person. If you know the name and position of someone who is working there, even better. Just create a profile with that information, varying some parts of the name. Most people are so eager to have one thousand ‘friends’ that they would not even notice that they have the same person in their list twice. I am not suggesting any criminal activity here, I am just thinking out loud. Anyway, in the end, it is pretty safe to say that you will obtain some vital information, one way or the other. If the trick does not work with a particular guy, just try it with another fish from the swarm.
What can you do about it? The first move should be capacity building and awareness raising. The employees have to know what they can do and what not, what information to share and what not. Especially social networks, as a merger between private life and professional life, should be part of the curriculum. I can imagine companies forgetting about it because they regard social networks as something ‘private’. Time to re-think that strategy?