The difference between phishing and spear phishing is precisely that the latter targets a specific individual, which makes the subject of this post – massively distributed spear phishing – sound like a contradiction in terms. The thing is, we’ve crossed that line. We are now at a time and place where spear phishing targets millions of people simultaneously.

From: Random Name [email protected]
Subject: your-hopefully-old-password – your username
To: [email protected]

I know, dragon is one of your Password and now I will cut to the chase. You don’t know anything about me but I know you very well and you must be thinking why you are receiving this email, correct? (…) scare tactics – you did something nasty and I’ve got you (…) BTC ADDRESS: 1K5xuXn573Uyh49qhgwuvfEMPvVtuMVkGJ Notice: You have one day in order to make the payment

spear phishing illustrative image
Photo by Jeremy Bishop

This week alone I got more than half a dozen reports from friends and colleagues who were targeted by this very scam. Even for me, the volume was a novelty. I know Krebs has focused on this specific sort of attack for over 7 years, but only now do I believe it has gone mainstream.

Why now?
Scammers are clever. You’re probably bombarded by three or four scams weekly: the inheritance scam, the no-effort high-paying job, the computer-has-been-hacked scam. And there is something common to all of them: they’re awfully constructed. Poorly written. Imperfectly crafted. You would guess that the oil magnate from Nigeria would have a better-looking email address than [email protected]. All those tell-tales? They are there for a reason. It’s on purpose: a filter to weed out the less gullible. They are looking for the easy targets, the highest return on investment, which is quite the opposite of spear phishing.

Oh, no! Pwned on 11 breached sites.

A New Breach?
Doesn’t look like it. MySpace was breached 10 years ago, leaking 360 million records; LinkedIn 5 years ago. I think it’s simply a matter of cost and opportunity. Three years ago Google claimed to catch more than 99.9% of spam, and I’m pretty sure the competition is steering towards the same numbers. Throwing stuff at the wall hoping some will stick is just not cutting it anymore, so scammers are simply stepping up.

SCAM 2.0?
We’re bound to see this sort of abuse increase spectacularly. As the cost of both AI and infrastructure plummets, it will become commonplace to trace your email to your Facebook, LinkedIn, Instagram, etc., cross-match it with your leaked passwords, and craft this sort of abuse in an entirely new fashion. The attach-your-old-password-to-your-email scam is just the beginning. Soon you’ll see decade-old pictures you forgot you had posted online, names of previous companies you worked for, etc., waved in front of your eyes, presenting a million new opportunities for you to take the bait.

What can you do?
All companies I’ve worked for have had a top-notch defense team who continuously educate the workforce by running this very sort of targeted attack against employees to keep them alert and vigilant. If you have any say in your company, start there. As an individual you have the responsibility of protecting yourself by:

If this very same scam started like this:

I know, PhrBjyS0QNk2h%Z4y^HwxGoqrv#UVS is one of your Password and now I will cut to the chase…

You would not get the intended jolt of adrenaline (in fact you’d have no recollection of such a password ever being yours). But you’d do your due diligence, search for it in LastPass’s Vault, replace it if need be and simply forget it.
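The triage described above, as an added example that is not part of the original post: pull the password the scammer quotes out of the message, check it against a local vault export, and look it up against breach data using the Have I Been Pwned Pwned Passwords k-anonymity scheme (only the first 5 hex characters of the uppercase SHA-1 leave your machine; the service answers with "SUFFIX:COUNT" lines). The scam body, the vault contents and the range response below are all constructed for the example.

```python
from __future__ import annotations
import hashlib
import re

# Constructed sample of the scam template this post describes (not a real email).
SCAM_BODY = "I know, dragon is one of your Password and now I will cut to the chase."

# Constructed vault export (site -> password); a real one comes from your manager.
VAULT = {
    "oldforum.example": "dragon",
    "bank.example": "PhrBjyS0QNk2h%Z4y^HwxGoqrv#UVS",
}

CLAIM_RE = re.compile(r"I know,\s+(\S+)\s+is one of your Password", re.IGNORECASE)


def extract_claimed_password(body: str) -> str | None:
    """Return the password quoted in the scam template, or None if absent."""
    match = CLAIM_RE.search(body)
    return match.group(1) if match else None


def vault_matches(password: str, vault: dict[str, str]) -> list[str]:
    """Every site in the vault that still uses the quoted password."""
    return sorted(site for site, pw in vault.items() if pw == password)


def k_anon_split(password: str) -> tuple[str, str]:
    """Split SHA-1 hex into the 5-char prefix you send and the suffix you keep."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password: str, range_response: str) -> int:
    """Find our suffix in the 'SUFFIX:COUNT' lines returned for the prefix."""
    _, suffix = k_anon_split(password)
    for line in range_response.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0  # not present in the range: no known breach for this password


def triage(body: str, vault: dict[str, str], range_response: str) -> dict:
    """Combine the three checks into one report for the quoted password."""
    password = extract_claimed_password(body)
    if password is None:
        return {"claimed": None, "in_vault": [], "breach_count": 0}
    return {"claimed": password,
            "in_vault": vault_matches(password, vault),
            "breach_count": breach_count(password, range_response)}


if __name__ == "__main__":
    # Constructed stand-in for the API's range response; a live query would fetch it.
    _, dragon_suffix = k_anon_split("dragon")
    sample_range = f"00000000000000000000000000000000000:1\n{dragon_suffix}:1234\n"
    print(triage(SCAM_BODY, VAULT, sample_range))
```

An empty `in_vault` list with a non-zero `breach_count` is the harmless case the post describes: an old leaked password you no longer use anywhere.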

Email and the password manager are the last line of defense. The castle within the castle. Treat them as different beasts. 2FA for both is mandatory.

In the digital age, stay long and unique. Stay safe.
Obligatory xkcd.

Addendum:
Only now did I stumble on Krebs’ take on this phenomenon and, Krebs being Krebs, it’s a definite must-read.