2016: The Year of the Spearphish

Last updated by UpGuard on July 19, 2019


On November 29th, after a high-profile year of published leaks and hacks targeting the Democratic Party, Wikileaks struck once more, albeit against an unexpected target: HBGary Federal, a now-defunct government contracting affiliate of the eponymous cybersecurity firm. It was not a name unfamiliar to online observers; in 2011, HBGary Federal CEO Aaron Barr had boldly claimed to have identified the leading members of internet hacking collective Anonymous, drawing attention from federal investigators eager to identify and arrest the culprits behind DDoS attacks in support of Wikileaks.

What came next in 2011 seemed to surprise nobody but Barr: a full-court press by hackers against HBGary Federal, with a takeover of the company website and the erasure of as much as a terabyte of company backup data. Most damaging, however, was the revelation that by exploiting an SQL vulnerability, the hackers had been able to access the firm’s internal email system - taking with them tens of thousands of embarrassing messages.

Some sixty thousand of these messages had soon appeared on torrent sites such as The Pirate Bay, drawing attention to the shady world of corporate intelligence-gathering and private data mining. Now, five years later, Wikileaks has published the emails in a searchable database, in honor of the release from federal prison of journalist and internet “hacktivist” Barrett Brown. While the disclosures revealed in the emails provoked a furious backlash from privacy advocates and internet activists at the time, the revelations of the HBGary hack have only grown more relevant with time.

While the emails revealed Barr as ultimately desperate, ill-informed, and self-deluding - to the delight of Anonymous - the true relevance of the HBGary hack is genuinely chilling. In several emails, Barr and his associates discuss deploying possibly illegal hacks against targets, in the context of growing the struggling affiliate’s business. Whether mulling how to build a fake online persona to implant malware in a "targeted and effective" manner against a victim, or considering how best to automate spearphishing attacks against internet browsers - concluding, "We should have a capability to do this to our adversaries" - Barr’s proposals, advanced in all seriousness, are unfortunately the most cartoonish examples of a burgeoning trend.

The emails provide an entrance not just into the lunacy of one high-flying, wannabe spy, but far more importantly, into a tech underworld in which for-hire cybersecurity companies jockey for lucrative private and public contracts - not so much combatting internet criminals as, at times, imitating their favorite tactics.


As far as hacking methods go, spearphishing is having a star turn in 2016. Just ask Hillary Clinton’s erstwhile presidential campaign chairman, high-powered lobbyist and political operative John Podesta. In March 2016, Podesta received an urgent email that looked to be an official security notification from Google, alerting him that someone had attempted to illicitly access his account. Clicking a password reset link inside the email, Podesta entered his Gmail login information, and resumed his work losing the presidential election to Donald Trump.

The email received by Podesta, meant to look like an official Gmail notification (Image: The Smoking Gun)


To the Democratic Party’s dismay, the email Podesta received had not come from Google. The password reset link Podesta had clicked was a URL generated on link management platform Bitly, one of nine thousand deployed over the preceding five months by a hacking ring known as Fancy Bear. The link directed the politico not to a genuine Google site but to a spoof site made to look like one, so Podesta entered his credentials directly into a site controlled by the hackers. The results were deeply embarrassing, as hackers disseminated thousands of Podesta’s emails to Wikileaks, where they were published in a searchable database. Among other revelations, the public learned of Clinton’s predilection for privately stating policy preferences and beliefs at odds with those of her campaign platform, in highly compensated private speeches to financial institutions.

The content of Clinton’s private speeches to Wall Street investment giant Goldman Sachs had been one of the most politically explosive and closely guarded secrets of the 2016 election - a subject of heated controversy and no small conjecture, given Clinton’s rumored compensation of $225,000 per address. Yet, through a simple email scam, excerpts of the speeches were exposed to the voting public weeks before Election Day - illegally accomplishing what months of political calculations had not. How did this happen?

Many online cons rely upon casting a wide net for victims; advance-fee scams, in which an exiled African prince might beg via email for money to be wired overseas, are so ubiquitous that it would be hard to find an email user who has not received such a message. Spearphishing takes a more targeted approach, aiming at a select in-group, or even a specific individual. In the case of Fancy Bear, Podesta was ultimately one of four thousand individuals specifically targeted for spearphishing, which included the “targeting [of] 108 email addresses on the hillaryclinton.com domain.” The effort, which cybersecurity researchers at SecureWorks linked to previous assaults on an array of international journalists and political figures, and which they believe is linked to the Russian government, was highly focused and sophisticated - with its organizers determining where to strike for maximum effect.

Given the growing popularity of spearphishing as a tactic, it may seem surprising that a high-profile figure like Podesta could be victimized by it. But as everyone from Aaron Barr to the droogs of Fancy Bear knows, spearphishing’s effectiveness is as much a matter of social engineering as it is a technical undertaking. For the average email user, lacking much in the way of an education in the latest advances in nefarious internet schemes, which proposition sounds more reasonable: that an email bearing all of the graphics, logos, and apparent trappings of a Google notification is valid, or that it is the painstaking detail work of Russian agent provocateurs?

Ultimately, sussing out valid emails from scams relies upon the human senses - which, for even the keenest observers of spearphishing tactics, are fallible. If the success of spearphishing relies upon convincing the recipient a communication is valid, using any number of means of social engineering, then the best defense would choke off such messages before any such personal appeals to a potential victim could be effected.

The good news is that free-to-inexpensive tools and practices are available to anyone concerned with the risk spearphishing may pose to their cyber profile. Merely educating email users about the existence of such tactics is a necessary start, while at an institutional level, ensuring a company or agency’s email policies are up to date can save users a great deal of time and energy. SPF can be published to declare which servers are permitted to send mail for a domain, so that receivers can verify an incoming email originates from a trusted server, while DKIM can likewise authenticate a message with a cryptographic signature that receivers check against a public key published in the sender’s DNS. Used together with DMARC, which tells receivers to quarantine or reject messages that pass neither check for the domain shown in the From header, these tools make it significantly more difficult for bad guys to impersonate a trusted domain and fool its users. While the costs of spearphishing can be staggeringly high, the costs of prevention are remarkably, incredibly low.
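The SPF and DMARC checks described above, as an added example that is not part of the UpGuard post and not UpGuard’s own tooling: a small offline evaluator that applies a domain’s SPF record to a connecting IP and then applies its DMARC policy. The DNS records, domains, IP addresses and messages are all constructed (RFC 5737 test ranges); a real receiver would fetch the TXT records from DNS. The DKIM result is taken as given, since verifying a DKIM signature needs the message body and the published public key, which this example does not model, and the organizational-domain helper assumes the last two labels rather than consulting the Public Suffix List.

```python
"""Offline SPF/DMARC evaluation against constructed records (added example,
not code from the UpGuard post). Records are hard-coded so it runs without DNS."""
import ipaddress

# Constructed DNS TXT records: example.com publishes SPF and a DMARC reject policy.
SAMPLE_DNS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.10 -all",
    "_dmarc.example.com": ("v=DMARC1; p=reject; pct=100; "
                           "rua=mailto:dmarc-reports@example.com; adkim=r; aspf=r"),
}

# Constructed messages: one from an authorised relay, one forged from an unlisted IP,
# and one from a lookalike domain that publishes no records at all.
LEGITIMATE = {"sender_ip": "192.0.2.25", "mail_from_domain": "example.com",
              "from_domain": "example.com", "dkim_result": "pass", "dkim_domain": "example.com"}
SPOOFED = {"sender_ip": "203.0.113.5", "mail_from_domain": "example.com",
           "from_domain": "example.com", "dkim_result": "none", "dkim_domain": ""}
LOOKALIKE = {"sender_ip": "203.0.113.5", "mail_from_domain": "examp1e.com",
             "from_domain": "examp1e.com", "dkim_result": "none", "dkim_domain": ""}

SPF_RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF record into (qualifier, mechanism, value) triples; modifiers are skipped."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms = []
    for term in terms[1:]:
        if "=" in term and ":" not in term:   # modifier such as redirect= or exp=
            continue
        qualifier = "+"
        if term[0] in SPF_RESULTS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        mechanisms.append((qualifier, name.lower(), value))
    return mechanisms


def check_spf(record, sender_ip):
    """Evaluate ip4/ip6/all for the connecting IP. include/a/mx/exists need live
    DNS, so this offline example skips them and falls through to 'neutral'."""
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, name, value in parse_spf(record):
        if name in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(value, strict=False):
                return SPF_RESULTS[qualifier]
        elif name == "all":
            return SPF_RESULTS[qualifier]
    return "neutral"


def parse_dmarc(record):
    """Parse 'tag=value; tag=value' into a dict and require v=DMARC1."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real receivers use the
    # Public Suffix List so that names like example.co.uk are handled correctly.
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def aligned(auth_domain, header_from, mode):
    """Relaxed ('r') alignment compares organizational domains; strict ('s') exact names."""
    if mode == "s":
        return auth_domain.lower() == header_from.lower()
    return org_domain(auth_domain) == org_domain(header_from)


def dmarc_disposition(dmarc_record, header_from, spf_result, spf_domain, dkim_result, dkim_domain):
    """DMARC passes if SPF or DKIM passes with an aligned domain; otherwise apply p=."""
    tags = parse_dmarc(dmarc_record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, header_from, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, header_from, tags.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else tags.get("p", "none")


def evaluate(message, dns=SAMPLE_DNS):
    """Return (spf_result, dmarc_disposition) for one constructed message."""
    spf_record = dns.get(message["mail_from_domain"])
    spf = check_spf(spf_record, message["sender_ip"]) if spf_record else "none"
    dmarc_record = dns.get("_dmarc." + message["from_domain"])
    if dmarc_record is None:
        return spf, "none (no DMARC policy)"   # nothing published, nothing to enforce
    return spf, dmarc_disposition(dmarc_record, message["from_domain"], spf,
                                  message["mail_from_domain"],
                                  message["dkim_result"], message["dkim_domain"])


if __name__ == "__main__":
    for label, msg in (("legitimate", LEGITIMATE), ("spoofed", SPOOFED), ("lookalike", LOOKALIKE)):
        print(label, evaluate(msg))
```

The spoofed message is rejected because it claims example.com but arrives from an IP that SPF does not list and carries no DKIM signature. The lookalike case is the caveat worth noticing: SPF, DKIM and DMARC only protect the domain that publishes them, so a lure sent from a different, unregistered-looking domain is not covered by example.com’s policy at all, which is why user education remains part of the defense.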


Unfortunately, in a cyber landscape in which all internet users, from online shoppers to journalists to whistleblowers, must already contend with the risk of online fraud and theft, the privatization of such criminality by big business and use of such tactics by government agencies is a deeply worrying development. Fortunately, there is an easy way of evaluating the risk posed by spearphishing; using UpGuard’s CSR scan, you can determine immediately whether any website deploys SPF, DKIM, and DMARC, while the CSR Chrome plug-in automatically displays the cybersecurity strength of every site you visit.
