Spearphishing was a pretty good choice. In practice, phishing was very effective: it could send a large quantity of emails to many people and needed only one individual to fall for the trap. The Law of Large Numbers would be in his favor.
Unfortunately, Mr. Spider was a bit picky about his targets, and he was only interested in this one individual. About a quarter of individuals would click on a phishing email and a tenth would click on the attachment, but most phishing emails followed common patterns that made it easy to tell that they were fraudulent. For instance, some emails would impersonate an organization with inconsistent branding; the choice of color and logos would be all wrong. The formatting of the email would be inconsistent with previous emails that someone might regularly receive. Some would have blatantly suspicious email addresses. Spelling and grammar mistakes would ruin one’s credibility if it came from a well-known organization. In other words, most phishing scams were just low quality, and if he could craft an email carefully and meticulously enough, the chances of his victim falling for it ought to increase.
Spearphishing targeted a very specific user by tailoring the email to build authenticity.
From Rebecca’s social media, he found that she had liked certain university pages.
Through screenshots online of what an email from one such university looked like, he created an authentic email template with the exact logo, structuring, and formatting as the reference.
Email spoofing meant disguising the email as coming from someone else. Emailing protocols lacked any mechanism for authentication, so phishing emails could forge the sender address.
His email impersonated someone who worked at the Financial Aid Services of the university. The content welcomed applicants to apply for a scholarship program and to fill out a form attached below.
Of course, such a scholarship program did not actually exist. And the form served two purposes. First, to apply, Rebecca would have to fill out the form and send it back in the same email chain. Such a form would require her to fill out some personal information. Second, even if she never bothered with the application process, he attached a Remote Access Trojan along with the form. The instant she downloaded the attachment, malware would be installed onto her computer unannounced.
A day after he sent the phishing email, he successfully found a connection to the malware on the girl's computer, suggesting that Rebecca must have downloaded the attachment.
On his end, he can discreetly turn on the camera and microphone on her laptop. On his screen was a window with a clear view of the brunette sitting in her room right now.
A week passed by, and he received Rebecca’s filled-out application form, which included her personal cell phone number, personal email address, home address, and date of birth. Upon scanning her files, programs, browsing history, and even the recycling bin on her desktop, there was nothing particularly noteworthy. She was not hiding anything, true to her innocent and pure nature. Had he hacked a high school boy, he likely would have found out something more embarrassing.
More importantly, something unexpected had occurred. He learned a bit more about her schedule and tendencies. For instance, whenever she leaves her room, her laptop remained open and unguarded. She would shower right before school and right before bed, but as she changes in her room, everything she does was recorded in a livestream. In other words, he had obtained footage of her changing in front of her laptop that captured her nude body.
What should he do with these footages?