Anatomy of a Spear-Phishing Attack
The Head of IDI's Democracy in the Digital Age Program was the target of an attempted cyber-attack. The highly specific, human, and professional nature of the attack serves as a reminder that technical defenses only go so far. The tools used are becoming more sophisticated and targeted to the human psyche – so, too, must our defenses.

Head of IDI's Democracy in the Digital Age Program Dr. Tehilla Shwartz Altshuler in an interview with Kan 11 about the Spear Phishing attack
A couple months ago, I received an email from a well-known individual, a former director general of a government ministry who is now involved in business and high-tech entrepreneurism, asking for help with a new initiative he’s trying to get off the ground. It was a polite and focused request, worded in English. The email was completely personalized, with no embarrassing linguistic errors or offers to share the inheritance of some Nigerian prince. I wasn’t asked for any personal details, there was no sense of artificial urgency about it, and it came in at a reasonable time of the day. It didn’t contain any content that was too good to be true, no one promised me a big prize or asked for a donation. It wasn’t even a “whaling” scam, in which someone pretends to be a senior manager in your organization and asks you for something.
I replied politely that I’d be happy to help. A few days later, this individual asked that we switch to WhatsApp, and that didn’t seem odd to me either, because he gave me a UK phone number, and I understood that the individual in question lives there part of the time. I read a PDF he sent me with the plan for the initiative, and while it was fairly general, I could see that it was appropriate for someone with a bird’s-eye view of things. I sent him a voice message along those lines, and didn’t give it any more thought.
That was where things started to go wrong. A few days later, I traveled to a conference in New Delhi. There, I received a series of messages from the former director general, this time in Hebrew, in which he asked to schedule a conversation. I wrote that because I would be in Delhi the entire week, I’d be happy to set a time for the beginning of the following week. He said that was fine, but that the meeting would be with his assistant in the United States. And then came the “Holy Grail request”: I was sent a link that I was asked, “for security reasons,” to open from my computer. That was the "ah ha" moment. At that point, I realized that I had seemingly been taken in. Of course, I didn’t click on the link.
But I was unnerved. I was outside Israel, at an international conference, with no other Israelis close by. I realized that I had told some bad actor where I was, and had thus made myself even more vulnerable. I found myself looking around from time to time to check I wasn’t being followed. When an Indian hotel worker asked me in the elevator, “Is everything alright, ma’am?” I said it was, but when she asked what room I was staying in, I didn’t know whether to answer her. When I needed drinking water from room service, I was afraid to ask for it. Every taxi driver became a potential threat.
I swallowed my pride and wrote to a good friend in Israel, who also happens to be an outstanding digital investigator. She asked to see screenshots of the correspondence and recommended that I block the number in question. I have to admit that I hadn’t thought to carry out even this simple action.
In retrospect, I had fallen victim to a type of attack known as spear-phishing—a form of phishing that is focused on a specific target. In a twisted way, it could even be flattering, because to attempt it, someone had to conduct in-depth research on the target, that is, on me. My first question was: Who was after me? Was this a financial scam? Who wanted access to the contents of my computer? I quickly realized that I wouldn’t get an answer. A quick Google search for “spear-phishing attack” in Hebrew revealed that in recent months, the Shin Bet has uncovered cyberattacks by Iran against senior figures in the defense establishment and against politicians, academicians, and journalists, and that in each case a suitable cover story had been fabricated and individually tailored. A Shin Bet official had commented that “the goal of this threat is assassination.” It was also reported that the Shin Bet had launched a large-scale operation to update and brief the relevant individuals. I, however, hadn’t been warned.
The deeply worrying part was that their approach was clearly tailored in a way that I would respond to. Recent research shows that spear-phishing attacks are responsible for 95% of successful hacking operations—in other words, there would seem to be a critical gap in cyber defenses, in that they focus primarily on technical protections and fail to address psychological vulnerabilities. Attackers use techniques that exploit frailties in the human psyche to bypass even the most secure technological defenses.
I carried out a “root cause analysis” of my own case, to identify what had led me to be tricked. There was no misuse of authority here, because I didn’t get the email from my boss; nor was there an artificial sense of urgency that made me respond. Perhaps it was cognitive overload—I work at a fast pace with a high volume of correspondence. And here’s an uncomfortable truth: I don’t properly vet the address of every email I get, especially when there are no obvious red flags.
Eventually, I found the suspicious sign: The original mail address contained a real name, the @ sign, and a real organization name, but then there was another @ followed by “proton.me.” This is a suffix belonging to an email service, just like Gmail. However, there’s a key difference: Gmail doesn’t allow addresses with a double @ sign, so as to prevent fraud like this, but Proton does, which is why it has become a useful and effective tool for attackers.
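A triage check for the indicator described above, as an added example that is not part of the original article: it treats whatever follows the last @ as the real delivery domain and flags senders whose display name or local part advertises a different organization. The function names, flag names, the short free-mail list, and the sample headers are all constructed for illustration.

```python
import re

# Small illustrative set of consumer mail domains (assumption; extend locally).
FREEMAIL = {"proton.me", "protonmail.com", "gmail.com", "outlook.com"}
# Anything that looks like name@something inside a display name or local part.
ADDR_LIKE = re.compile(r"[\w.+-]+@([\w.-]+)")

def split_from(header):
    """Return (display_name, local_part, domain) from a From header value."""
    header = header.strip()
    m = re.match(r"^(.*)<([^<>]*)>\s*$", header)
    display, addr = (m.group(1), m.group(2)) if m else ("", header)
    # Mail is delivered to the domain after the LAST '@', whatever precedes it.
    local, _, domain = addr.strip().rpartition("@")
    return display.strip().strip('"'), local.strip('"'), domain.lower()

def sender_flags(header):
    """List the reasons a sender address deserves a second look."""
    display, local, domain = split_from(header)
    flags = []
    if "@" in local:
        flags.append("at-sign-in-local-part")
    # Organizations the sender *appears* to belong to, minus the real domain.
    claimed = {d.lower().strip(".") for d in ADDR_LIKE.findall(display + " " + local)}
    claimed.discard(domain)
    if claimed:
        flags.append("claimed-domain-mismatch")
    if flags and domain in FREEMAIL:
        flags.append("freemail-behind-org-name")
    return flags

# Constructed sample headers (names and domains are placeholders).
SAMPLES = [
    '"dan.cohen@ministry.example"@proton.me',
    '"dan.cohen@ministry.example" <dc1984@proton.me>',
    "Dan Cohen <dan.cohen@ministry.example>",
    "Alice <alice@gmail.com>",
]

if __name__ == "__main__":
    for h in SAMPLES:
        print(f"{h!r:55} -> {sender_flags(h) or 'no flags'}")
```

A free-mail domain on its own is not flagged; the signal is a free-mail domain sitting behind an address that names another organization.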
But more than anything else, the attack played on my desire to help and to be involved. The email included a request for advice and for my professional opinion. When someone asks for a favor, the initial instinct is to want to say yes. This mutuality bias, along with a polite writing style and the allusion to a problem with which I could help in my field of expertise, was precisely aligned with the kind of communication I would expect from someone like the individual in question.
Luckily for me, nothing happened in the real world: I didn’t hand over sensitive details, no one drained my bank account, and I wasn’t physically harmed. But I did experience hours of anxiety and stress. I couldn’t help thinking about the public implications: First, I didn’t know where to turn. Is there a support line for individuals in such cases? And if I were to contact it, would I be suspected of communicating with a foreign agent? Second, there’s a need for psychological support, to reframe these events and prevent targets from experiencing them with a sense of shame. And third, what should be done regarding the real person who was impersonated? I decided to call him. The conversation was embarrassing, especially when he asked, perhaps rightly, “How can I know that it’s really you, and that what you’re telling me is true?”
We can talk about education, awareness, and digital literacy to prevent these kinds of attacks—as I have spent decades doing—but the tools being used are becoming more and more sophisticated, and the damage to our sense of personal security ever more painful. Ultimately, I have developed a set of assumptions about the world, such as a belief in people’s basic decency. Did this act against me? And how can we lead our lives with immense wariness and suspicion while also maintaining our sense of trust in others?
A version of this article was published in the Times of Israel