Canadian Security Magazine

Guard against spear-phishing and second stage attacks

By Graham Bushkes   

Features Opinion

Phishing is an electronic communication scam that attempts to secure highly personal information such as credit card info, user names and passwords by tricking a victim into clicking on an obfuscated URL that takes the victim to a malicious website.

An obfuscated URL is a web address that looks like it’s going to one site, but actually redirects to a different website when the link is clicked on. The electronic communication can come from a trustworthy entity, such as a friend or colleague, whose email account has been compromised, or it can come from what looks like large legitimate corporations such as banks or online retailers such as Amazon and eBay.

In general, phishing attacks take a blanket approach, meaning attackers will cast their nets out to as many people as possible with the hopes of snaring a small handful of victims. The term “spear-phishing” takes a more targeted approach. Typically, it’s an attempt to steal information from a single person, and it’s most affective when coupled with a second stage attack.

A second stage attack is a multi-faceted cyber assault where an attacker infiltrates a network and steals data from one organization to leverage a more targeted, victim-specific attack on another account. These types of attacks are more effective, because they’re going after the victim with credible and personalized information. These types of attacks have grown in frequency over the last few years due to the wide adoption of social media networking.

How it works
An employee (we’ll call him “Jeff”) at Company A has a LinkedIn account that spells out what his current job title is and where he works. His account may also include other bits of current job information. Perhaps his manager has written a personal recommendation for him on the site. We now know Jeff’s name, where he works and who his manager is. Using this information, a hacker could create a dummy email account using one of the free email services out there. To make the communication seem even more credible, the address could incorporate the manager’s first initial and last name. From that email account, the hacker would then create a personalized email to Jeff. Maybe it says, “Hi Jeff, I’m offsite today, and I’m having problems viewing my LinkedIn page. Would you mind checking to see if it looks okay at your end.” After the note, the hacker would paste an obfuscated URL. When Jeff clicks on the link in the email, it takes him to a malicious Website that infects his system with a botnet.


How to protect yourself
Always “Think before you link.” An obfuscated URL can be discovered simply by hovering your cursor over the URL in question and carefully reading where the address is actually going. If you notice the forwarding URL is going to a Website you’re not familiar with, you can simply delete the message. Be sure you read that forwarding URL carefully, because sometimes the hacker may employ a forwarding link that looks suspiciously close to the original URL. For example: vs.

If the source of a questionable message is coming from someone you know, send a message back asking a specific question. It could be something as simple as, “Did you mean to send this to me?” If you’d prefer, you can also use a free URL lookup service, which will tell you whether or not a particular link is malicious. Fortinet has one at

For any confidential material that is e-mail bound, PGP encryption and digital signing is recommended to confirm the identity of both parties.

Never give out a credit card or social security number in response to an unsolicited request. Always ensure SSL (HTTPS) secure transactions are enabled when making any transaction online (look for the lock icon in your browser), and lastly, familiarize yourself with the privacy settings for all of your social networks.

Only make public those things that can’t conceivably be used against you in any way shape or form.

Graham Bushkes is the vice president of sales, Canada for Fortinet.

Print this page


Stories continue below


Leave a Reply

Your email address will not be published. Required fields are marked *