The practice of ‘spear phishing’ has been known for quite some time. However, it doesn’t seem to get its fair share of attention. We have all heard of (or received) phishing scams using random services as bait (e.g. PayPal). Most daily internet users can identify those pretty easily as phishing scams. These new targeted phishing scams are far more sophisticated (e.g. relevant subject matter or offer). Keep a lookout.
At West Point in 2004, teacher and National Security Agency expert Aaron Ferguson sent out a message to 500 cadets asking them to click a link to verify grades. Ferguson’s message appeared to come from a Colonel Robert Melville of West Point. Over 80% of recipients clicked the link in the message. In response, they received a notification that they’d been duped and a warning that their behavior could have resulted in downloads of spyware, Trojan horses, and/or other malware.
Spear phishing is a targeted form of cyber crime whereby e-mail messages appear to come from a highly trusted source, such as someone in a position of authority in the recipient’s own organization. Spear phishers use these messages to gain unauthorized access to corporate systems and confidential data.
According to an article in the New York Times, spear phishing attempts are not typically initiated by “random hackers” but are more likely to be conducted by “sophisticated groups out for financial gain, trade secrets or military information.”
Here’s a spear phishing attack scenario: The perpetrator finds a Web site for a targeted organization that supplies contact information for employees and other relevant data about the company. Using available details to make the message seem authentic, the perpetrator drafts an e-mail appearing to come from an individual who might reasonably request confidential information, such as a network administrator. Typically, a spear phisher requests user names and passwords or asks recipients to click on a link that will result in the user downloading spyware or other malicious programming. The message employs social engineering (fraudulent, non-technical) tactics to convince the recipient. If a single employee falls for the spear phisher’s ploy, the attacker can masquerade as that individual and gain access to sensitive data.
Most people have learned to be suspicious of unexpected requests for confidential information and will not divulge personal data in response to e-mail messages or click on links in messages unless they are positive about the source. The relative success of spear phishing relies upon the details used: the apparent source is a known and trusted individual, information within the message supports its validity, and the request seems to have a logical basis.
Education is perhaps the chief weapon against spear phishing. As an experiment, New York’s chief information security officer sent mock phishing e-mail messages to about 10,000 New York state employees. The messages looked like official notices, asking the recipients to click on Web links and provide passwords and other personal information. With the first run of the e-mail, 75 percent of the employees opened the e-mail, 17 percent followed the link and 15 percent entered data.