October 02, 2012

How to Spear Phish the White House

Apparently there has been a cyber attack on the White House’s network.  The reported attack vector?  Spear phishing.  At least it appears that no data theft took place, yet. 

This incident reminds us how easy it is for an organization, even one as secure and well funded as the White House, to get infected, since antivirus is so porous. Luckily for the White House, its team of security specialists was able to find the compromised entity, but doing so is not trivial and usually happens very late, if ever.

While "phishing" is a technique by which hackers mimic sites such as the IRS or your bank in order to lure you into submitting your credentials, “spear phishing” is the targeted technique of identifying an individual in an organization that the hacker wishes to compromise and using different techniques to lure that individual into activating malware on his/her computer, effectively creating a compromised insider.

As you can see below, finding an individual to target is fairly easy in today's social networking world. All a hacker has to do is look for “White House” as the current position and select whichever result is pertinent:


There are several known infection methods. The three most common are:

  • Email attachment: either an executable in EXE form (less common now) or a PDF with malicious code in it.
  • Link distribution: a link to an infected site that infects you once you visit it. It can come via email or in any other form.
  • A gift: something as simple as a USB drive given out at a convention that contains malware.

We would encourage you to read our “The Quantum Mechanics of Spear Phishing” blog to become more familiar with how it works.

As we said before, here is what you can do to protect yourself as a company or an individual:

  1. Assume you've been compromised.  For more, read this
  2. Treat social network messages the way you treat your emails. Check who a message is from and understand the context before you choose to reply.
  3. Make sure that in your social network profiles you are not sharing your contact information, unless you explicitly approve them.
  4. As an organization, have the tools to protect your employees from such scams, and a policy in place.
  5. Education:  train employees and raise the levels of awareness.

(NOTE: An old Sunday School teacher taught, "repetition is the art of learning." Let's hope that applies to spear phishing.)
