Spear Phishing: Effective Because it’s Believable

Quote 1:

Spear phishing is targeted. The attackers did their research, usually through social engineering. They might already know your name or your hometown, your bank, or your place of employment—information easily accessed via social media profiles and postings. That bit of personalized information adds a lot of credibility to the email.

Spear-phishing emails work because they’re believable.

Quote 2:

Spear-phishing attacks are not trivial or conducted by random hackers. They are targeted at a specific person, oftentimes by a specific group. Many publicly documented advanced persistent threat (APT) attack groups, including Operation Aurora and the recently publicized FIN4 group, used spear-phishing attacks to achieve their goals.

-Best Defense Against Spear Phishing, FireEye

Quote 1:

Phishing emails are exploratory attacks in which criminals attempt to obtain victims’ sensitive data, such as personally identifiable information (PII) or network access credentials. These attacks open the door for further infiltration into any network the victim can access. Phishing typically involves both social engineering and technical trickery to deceive victims into opening attached files, clicking on embedded links and revealing sensitive information.

Spear phishing is more targeted. Cyber criminals who use spear-phishing tactics segment their victims, personalize the emails and impersonate specific senders. Their goal is to trick targets into clicking a link, opening an attachment or taking an unauthorized action. A phishing campaign may blanket an entire database of email addresses, but spear phishing targets specific individuals within specific organizations with a specific mission. By mining social networks for personal information about targets, an attacker can write emails that are extremely accurate and compelling. Once the target clicks on a link or opens an attachment, the attacker establishes a foothold in the network, enabling them to complete their illicit mission.

Quote 2:

A spear-phishing attack can display one or more of the following characteristics:

  • Blended or multi-vector threat. Spear phishing uses a blend of email spoofing, dynamic URLs and drive-by downloads to bypass traditional defenses.
  • Use of zero-day vulnerabilities. Advanced spear-phishing attacks leverage zero-day vulnerabilities in browsers, plug-ins and desktop applications to compromise systems.
  • Multi-stage attack. The spear-phishing email is the first stage of a blended attack that involves further stages of malware outbound communications, binary downloads and data exfiltration.
  • Well-crafted email forgeries. Spear-phishing email threats usually target individuals, so they don’t bear much resemblance to the high-volume, broadcast spam that floods the Internet.

White Paper: Spear-Phishing Attacks, FireEye

Poverty and The Law of Compounding Exploitation

As a security professional within a corporate environment, I am tasked with identifying and mitigating vulnerabilities or threats. Information Security (InfoSec) effectively comes down to this: 1) know what you have (valuables), where it’s located and who has access to it, 2) identify potential vulnerabilities/weaknesses coming from both inside and outside the company (or DMZ), and 3) eliminate/reduce all vulnerabilities and weaknesses to the fullest extent possible, while carefully monitoring those that you choose to allow to remain unaddressed (there are many reasons for making this decision).

Take this process and apply it to a community of people. For the sake of argument:

  • Make 10% of that population homeless.
  • Create an economic structure wherein people are constantly flowing in and out of homelessness. The population keeps changing.
  • The total % of people who are homeless increases, slowly, over time.
  • 25% of the people who experience homelessness spend the rest of their lives living with a mental or physical illness (disability?) acquired as a direct result of being homeless.
  • 75% of the people experiencing homelessness, at any point in time, are children.
  • The protection afforded to housed people is not provided to homeless, making them perfect targets for criminals, predators and ‘recruiters’ of all kinds.
  • Surviving homelessness requires surviving violence.

If this community has 100,000 people, then a minimum of 10,000 people are being forced to live underground at any given moment in time. 7500 of these individuals are children whose education is being interrupted and/or negatively impacted by the experience. There are also a minimum of 2500 people who are dealing with illnesses and disabilities as a direct result of being forced to live underground while surviving extreme poverty.

Those 7500 children and 2500 permanently injured/disabled adults (we’ll assume they are all adults) are (re)entering society with training, experience, perspective and skills that may or may not positively contribute to the safety, security and positive function of society.

As a security professional, I shake my head in disgust because those 7500 unknowns (at this point, they are not officially threats) were completely avoidable. I did not have to be concerned about them at all. It is a situation that could (should) be eliminated through housing, access to basic resources/necessities, respectful and effective assistance from police forces and safe, quality, reliable and free education.

Now, let’s introduce some known threats.

All of these threats could consist of a grand total of 10,000 people due to overlap (read: the highest number listed above), but it also could consist of a total threat base of 16,200 people – assuming no overlap. So my known threat base ranges from 10,000 to 16,000 people in the total population. Assuming %s remain consistent and all known threats are adults, then it can be assumed 250–400 experienced homelessness at some point.

I’m guessing that you are looking at that relatively low number of homeless predators and wondering: how does this illustrate compounding vulnerability exploitation? Allow me to illustrate…

Compounding force #1: One vulnerability leads to a strengthening of a threat which, in turn, creates another vulnerability.

10,000 perpetrators/threats (10% of the total population) are committing crimes against 10,000 vulnerable (homeless) people (10% of the total population) either by preference or as a form of practice. The homeless are not provided police protection and they cannot defend themselves due to extreme poverty and social stigma. Therefore, a potential criminal who has not crossed the line into full-blown criminal activity, is provided a ‘sandbox’ where these behaviors can be acted out and perfected before perpetrating them against people who ‘matter.’

Compounding force #2: The purposeful allowance of an exploitation, and the refusal to take proper action in response, increases both the threat and the vulnerability.

The widespread acceptance surrounding the degradation, marginalization and violent treatment of poverty survivors (homeless people in particular) creates a pervading social construct (culture) that is less able (unable?) to identify and address these same behaviors perpetrated against the general population. The community has become ‘numb’ to criminal activity and lost a significant (important) portion of its willingness and/or ability to properly address these actions.

The culture of a community/environment must be such that threats can be identified and addressed, promptly, properly and effectively. If the culture is negatively affected in one circumstance, allowing a known threat/criminal act to go unaddressed (unpunished), then that same threat will not only continue, but will grow stronger and begin to expand (aggressively).

Compounding force #3: Threats that are mitigated ad-hoc and separate from the whole often generate more vulnerabilities and create new categories of threats.

The widespread refusal to treat poverty survivors (homeless in particular) with the basic respect due to any human being, combined with an aggressively enforced caste system that forces people into permanent association with a ‘lesser-than’ category, directly and negatively affects all poverty survivors’ ability to improve their lives both financially and socially. They are placed between the proverbial ‘rock and a hard place.’

Desperation and lack of options can force people to find creative solutions (this is good), but it can also push them into making alliances and decisions that place them into the community threat category (this is bad).

The homeless are the absolute bottom; they are not the entire community of poverty survivors. Those who are surviving poverty while remaining housed (however tenuous that situation may be) will see what is happening to those trying to survive homelessness. The actions taken against the homeless will directly and profoundly affect the decisions made by those who are ‘merely poor.’

The two communities combined are placed in a state of desperation, trying to improve their situation. This makes them all particularly vulnerable to everything from relatively light criminal activity (e.g.: shoplifting) to criminal association (e.g.: joining a gang or a criminal network) and radicalization (e.g.: joining terrorist organizations like the KKK or ISIL and participating in hate crimes or terrorist attacks).

By isolating and ignoring the safety and welfare of one segment of the community, the threat level is increased for another segment of the community. Due to the ostracism and marginalization of poverty survivors, the actions taken by poverty survivors, in reaction to their situation, are separate from the actions taken by the police and similar organizations in protection of the community as a whole. This disconnect creates an increased number of threats seeking to exploit vulnerabilities found throughout the community.

Compounding force #4: The creation of exploitable vulnerabilities increases with the acceptance of those exploitations.

When the only thing separating those vulnerable to degradation, vicious social behavior and open violence is financial standing, moving a targeted individual into a state of absolute vulnerability hinges on destroying their financial standing.

In other words, everyone is vulnerable, because anyone can have a financial crisis at any moment.

It’s easy to assume that you are immune to such experiences. But it is even easier to examine the life and habits of any individual or family and identify the ways in which they could go from housed and financially secure to living out of shelter – in a stunningly short period of time.

For criminals and predators, this is an important loophole. It permanently establishes a vulnerability within every single household that can be exploited to reduce or eliminate a threat to criminal operations. Because the vulnerability is entirely financial, exploiting it presents minimal risk to criminals and predators. After all, arranging for a family member to come down with a mysterious illness that requires a lengthy hospital stay, or simply ensuring the primary breadwinner loses his or her job, is relatively easy.


There is no such thing as an isolated threat. Every ecology or environment (e.g.: computer systems, the environment, human social networks, towns and cities, etc.) operates within the push-and-pull of threats-vs-vulnerabilities. Every threat has the potential to grow strong and every vulnerability has the potential to grow larger. Both have the ability to spread to other systems, ecological environments, communities, etc.

Dividing the world into absolute, unchanging, categories of US and THEM is a dangerous habit. A truly effective system of threat identification and mitigation recognizes that there is no them – there is only us.