OWASP Top 10 Vulnerabilities
1. Injection
2. Broken Authentication
3. Sensitive Data Exposure
4. XML External Entities
5. Broken Access Control
6. Security Misconfiguration
7. Cross-Site Scripting
8. Insecure Deserialization
9. Using Components with Known Vulnerabilities
10. Insufficient Logging and Monitoring
Additional advice to help companies thwart spear phishing attacks includes:
▪️Remind workers to be wary of emails with unsolicited files and links, and send reminders about spear phishing threats.
▪️Deploy threat intelligence solutions to trace and block phishing and spear phishing links.
▪️Run phishing awareness training programs to maintain adequate security procedures against spear phishing.
▪️Encourage all employees to report suspected phishing emails so that the security team can stop spear phishing campaigns currently underway against the company.
How is Spear Phishing used in targeted attacks?
Various methods can be used. Common techniques include:
▪️An attacker sends an email to their victim. That email may contain malicious URLs or files that the victim will be asked to click or open, downloading viruses or ransomware to their machine.
▪️An attacker sends an email that directs the victim to a spoofed website, where the victim is asked to provide private data such as bank account details or access codes.
▪️An attacker poses as a friend, colleague, manager, or other trusted entity and requests usernames and passwords, gaining access to data that they then exfiltrate elsewhere.
What is Spear Phishing attachment?
A spear phishing attachment is a specific variant of this attack: it relies on malware attached to an email. All forms of spear phishing are electronically delivered social engineering targeted at a particular user, firm, or enterprise. In this technique, attackers attach a file to the email and depend on User Execution to achieve execution. It may also involve social engineering methods, such as posing as a trusted authority.
There are many options for the attachment, such as Microsoft Office files, software files, and PDFs. Upon clicking the link or opening the file, the attacker’s payload exploits a vulnerability or runs directly on the user’s machine. The email message generally tries to give a convincing reason why the file should be opened or downloaded, and may explain how to bypass system protections in order to do so. It may also include instructions for decrypting the file, such as a zip file password, to bypass email perimeter protection.
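A mail-gateway triage check for the pattern described above, written as an added example that is not part of the original post. It flags risky attachment types and the "encrypted archive plus password in the body" combination; the extension list, the keyword pattern and the function names are assumptions made for illustration.

```python
import io, re, zipfile
from email.message import EmailMessage

# Assumed watch list based on the file types named in the text.
RISKY_EXT = (".doc", ".docm", ".xls", ".xlsm", ".pdf", ".exe", ".zip")
PASSWORD_HINT = re.compile(r"\b(password|passcode|pwd)\b", re.I)

def zip_is_encrypted(data):
    """True if any member has the encryption bit (bit 0) set in its flags."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False

def triage(msg):
    """Return a list of findings for one parsed email message."""
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if name.endswith(RISKY_EXT):
            findings.append(f"attachment:{name}")
        # Sniff the content instead of trusting the extension.
        if data[:2] == b"PK" and zip_is_encrypted(data):
            findings.append(f"encrypted-archive:{name}")
            # The scanner cannot open the archive, yet the recipient is told how.
            if PASSWORD_HINT.search(text):
                findings.append("password-in-body")
    return findings

def build_sample():
    """Constructed sample: a zip whose central-directory flag marks it encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.docm", b"placeholder")
    raw = bytearray(buf.getvalue())
    raw[raw.index(b"PK\x01\x02") + 8] |= 0x01  # set the encryption bit
    msg = EmailMessage()
    msg["Subject"] = "Invoice"
    msg.set_content("Please open the attached invoice. Password: 1234")
    msg.add_attachment(bytes(raw), maintype="application",
                       subtype="zip", filename="Invoice.zip")
    return msg

if __name__ == "__main__":
    print(triage(build_sample()))
```

A message that produces all three findings is a candidate for quarantine and manual review, since the archive contents could not be scanned in transit.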
What is a Spear Phishing Attack?
▪️Spear phishing is a kind of deception in which attackers send tailored emails to particular users within a firm. Spear phishers present themselves as familiar or trusted individuals or managers, tricking victims into giving up private data, transferring money, or downloading harmful malware.
▪️It is important to note that phishing and spear phishing are both cyber-attack techniques that try to obtain sensitive or personal information online. The difference is that the first is widespread while the second is targeted. In phishing, a trickster can send one phishing email to numerous recipients at once, casting a wide net in an attempt to hook targets. Spear phishing instead targets weak users, using specific requests and personal information to build trust.
4) Keylogging
▪️Keylogging. It’s not something you want to mess with. Keylogging is used in targeted attacks where the hacker knows or is particularly interested in the victim. It’s used to target spouses, colleagues and relatives. It’s also used to target corporations and nation-states.
▪️This is a highly complicated technique that requires access to, or compromise of, the victim’s machine via malware. You can find your favorite off-the-shelf keyloggers and commercial spyware on the internet and dark web.
▪️With keyloggers, it really doesn’t matter how strong your password is. The hacker can see exactly what you type in for your username and password. It’s great for gaining access to bank accounts, websites and especially cryptocurrency exchanges and wallets where fund transfers cannot be reversed.
3) Password Spraying
▪️A hacker may only have a list of usernames. This is pretty common. Password spraying is a technique that tests commonly used passwords against a username or account. Examples include passwords such as 123456, password, password123, admin, and others.
▪️You may be thinking that this is similar to credential stuffing. You’re right… Password spraying is very similar to credential stuffing. It’s estimated that this technique is used 16% of the time in hacking passwords and accounts.
▪️Most websites and logins now detect repeated password attempts from the same IP. Hackers use numerous IPs to extend the number of passwords they can try before being detected. It could be the top 5, 10, or 100 commonly used passwords.
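Because a spray spread over many IPs stays under any per-IP counter, detection has to group failures by account and time instead. The sketch below is an added example, not part of the original post; the log tuple format, thresholds and function names are assumptions, and the events are constructed using documentation IP ranges.

```python
from collections import defaultdict
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)

# Constructed events: (timestamp, source IP, username, outcome).
SAMPLE_EVENTS = [
    (f"2024-01-01T09:0{i}:00", f"198.51.100.{10 + i}", user, "FAIL")
    for i, user in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])
] + [
    # One real user mistyping a password three times, then succeeding.
    ("2024-01-01T09:03:30", "203.0.113.5", "grace", "FAIL"),
    ("2024-01-01T09:03:40", "203.0.113.5", "grace", "FAIL"),
    ("2024-01-01T09:03:50", "203.0.113.5", "grace", "FAIL"),
    ("2024-01-01T09:04:10", "203.0.113.5", "grace", "OK"),
]

def per_ip_lockout(events, threshold=3):
    """The per-IP control the text describes: count failures per source IP."""
    counts = defaultdict(int)
    for _, ip, _, outcome in events:
        if outcome == "FAIL":
            counts[ip] += 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)

def detect_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Flag windows where many distinct accounts each fail only a few times,
    regardless of which source IP each failure came from."""
    buckets = defaultdict(lambda: defaultdict(list))  # window -> user -> [ips]
    for ts, ip, user, outcome in events:
        if outcome == "FAIL":
            t = datetime.fromisoformat(ts)
            buckets[(t - EPOCH) // window][user].append(ip)
    alerts = []
    for bucket, per_user in sorted(buckets.items()):
        sprayed = {u: ips for u, ips in per_user.items() if len(ips) <= max_per_user}
        if len(sprayed) >= min_users:
            alerts.append({
                "window_start": EPOCH + bucket * window,
                "users": sorted(sprayed),
                "source_ips": len({ip for ips in sprayed.values() for ip in ips}),
            })
    return alerts

if __name__ == "__main__":
    print("per-IP lockout hits:", per_ip_lockout(SAMPLE_EVENTS))
    print("spray alerts:", detect_spray(SAMPLE_EVENTS))
```

On the sample data the per-IP counter only catches the legitimate user who mistyped a password, while the account-level view surfaces the six sprayed accounts.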
2) Phishing Attacks
▪️If you thought that credential stuffing was bad, phishing is even worse because you are unknowingly giving bad actors your username and passwords.
▪️It’s estimated that nearly 70% of all cybercrimes begin with phishing attacks. Hackers love this technique. It works all too well to steal your information for their own use or to sell it to others on the dark web.
▪️How do phishing attacks work? We’re glad you asked… It’s pretty straightforward. Hackers use a ‘social engineering’ technique to trick users into supplying their credentials to what they believe is a genuine request from a legitimate website, vendor, or employer.
▪️Phishing attacks almost always come through emails that contain a fraudulent link or a malicious attachment. When the user clicks on either, the hacker presents a fake account login page where the user enters their credentials. Hackers may also use other forms of interception, such as a man-in-the-middle attack, to steal user credentials.
1) Credential Stuffing
▪Imagine you’re a hacker buying 100,000 usernames, emails, and passwords on the dark web. By the way, those credentials were probably hacked from a weak website, blog, or e-commerce site and then sold on the dark web.
▪Next, you start testing those credentials against other databases to see if there’s a match. For example, you could get your list and start testing it against banks, merchants, and other websites. Once you find a match, you’re in.
▪Furthermore, all of this can be automated. There are tools that test stolen credentials across multiple sites allowing hackers to quickly breach new accounts even on sites with good security.
▪It’s estimated that tens of millions of accounts are tested each day with the credential stuffing technique.