spear phishing attacks

Beware of Spear Phishing

Nov 28, 2016 By Paul Curran

For malicious parties hoping to capitalize on the frantic frenzy of online purchasing, both the prevalence of email marketing and popularity of mobile purchasing pose significant threats.


The promise of incredible deals via email marketing campaigns presents the perfect attack vector for malicious parties to prey on unsuspecting shoppers.


Spear Phishing Attacks

This holiday season, if the deals that pop-up on your social media feed or land in your inbox seem too good to be true, they probably are. Simply clicking on an unassuming malicious phishing link could lead to disastrous consequences depending on the situation.

spear phishing attacks

Source: Verizon 2016 DBIR http://www.verizonenterprise.com/verizon-insights-lab/dbir/

According to Verizon’s 2016 Data Breach Investigations Report (DBIR), phishing attacks are on the rise with 30% of phishing emails opened and 12% of the recipients clicking through to either a risky link or attachment.


ScamWatch, an initiative maintained by the Australian government, indicates that last month, during October 2016, of the 361 online shopping scams reported, 44.2% resulted in financial losses and 40% of these scams were launched from either email or social networking links.

Spear Phishing Threats

During the dawn of internet email scams, early phishing attempts would simply send mass emails without any personalization, however the recent trend has been to use spear phishing, which zeroes in on certain people or groups in order to increase the chance of success for their scam. Spear phishing highly increases the “legitimacy” of this fraudulent communication as our guard tends to be let down when our personal details are included.


Sophisticated email phishing operations can also utilize cross-site scripting (XSS) to pose as legitimate e-commerce vendors become even more hard to identify and stop as the links that are used to lure users actually appear legitimate while taking the user to a malicious URL that would appear as the trusted entity, such as, www.mybank.com/account despite being an entirely different URL.


With the sensitive data of over half a billion Yahoo user accounts leaked earlier this year, and over 400 million sets of user details leaked in the Adult Friend Finder breach, cyber criminals are even more empowered and focused when it comes to any phishing attacks that they could be planning for this holiday season.


Due to the fact that the leaked user data from the massive Yahoo leak, and countless others that have occurred over the course of 2016, attackers are able to upgrade their email scamming to spear phishing attacked which appear even more legitimate as these phishing emails may contain user names, telephone numbers, dates of birth and in extreme cases, security questions and answers.



Are Spear Phishers Armed with your Login Details?

How to check if your login details have been released in a major data dump

What if your data has been leaked? That’s a question tackled by Troy Hunt, a Microsoft Regional Director and Most Valuable Professional awardee for Developer Security, blogger at troyhunt.com, international speaker on web security and the author of many top-rating security courses for web developers on Pluralsight.

spear phishing attacks

A quick search of the author’s email address on HaveIbeenPwned.com

His popular website haveibeenpwned.com was built after the massive breach of Adobe customer accounts in order to help educate and inform the public about both the scale and frequency of large data breaches.

spear phishing attacks

Top breaches and leaks. Source: HaveIBeenPwned.com

All of the data comes from breaches where the data is publicly available, however passwords are not stored within the site itself. By entering your email address, a quick search will show if your account data has been compromised. Users are also able to set up alerts if their user info compromised in future leaks.


If your information has been leaked or compromised, it’s critical that you change your password for that platform and ensure that you are not reusing that password anywhere else on the internet as it could provide hackers, spammers and spear phishers with a quicker attack vector.



jumping 1

Watch Troy Hunt discuss employing automation to streamline secure coding practices in our “Meet the Experts” webinar Software Security & Early Prevention of Vulnerable Code here.

The following two tabs change content below.

Paul Curran

Content Specialist at Checkmarx
With a background in mobile applications, Paul brings a passion for creativity reporting on application security trends, news and security issues facing developers, organizations and end users to Checkmarx's content.

Latest posts by Paul Curran (see all)

Stay Connected

Sign up today & never miss an update from the Checkmarx blog

Get a Checkmarx Free Demo Now

Interested in trying CxSAST on your own code? You can now use Checkmarx's solution to scan uncompiled / unbuilt source code in 18 coding and scripting languages and identify the vulnerable lines of code. CxSAST will even find the best-fix locations for you and suggest the best remediation techniques. Sign up for your FREE trial now.

Checkmarx is now offering you the opportunity to see how CxSAST identifies application-layer vulnerabilities in real-time. Our in-house security experts will run the scan and demonstrate how the solution's queries can be tweaked as per your specific needs and requirements. Fill in your details and we'll schedule a FREE live demo with you.