Security Watch : Don't get burned by viruses and hackers
Security Watch: Spear-phishing snags corporate assets
By Robert Vamosi 
Senior editor, CNET Reviews
November 4, 2005

I'll admit that I was first drawn to this by its clever name, but spear-phishing attacks, phishing attacks aimed at specific corporations and organizations, are increasing, according to studies by IBM and Greenview Data. If traditional phishing attacks cast a wide net by spamming thousands of random e-mail addresses, spear-phishing attacks target a select few. It's harder to pull off, but spear-phishing, if done right, brings in even more money than traditional phishing, and it often goes unreported. Why? For one thing, targeted companies and organizations would lose a far more valuable asset if they went public: trust.

Phishing attacks
We've all been solicited by fake eBay and Citibank requests for additional personal information. I occasionally get an e-mail from eBay advising me to update my account; I don't have an eBay account. If I right-click and View Source to read the address the enclosed link actually points to, I'll see not an eBay destination but a numeric Internet address in Estonia or somewhere else. The phisher hopes to lure me in with the threat that my account will be closed, or worse, so that I'll enter personal information on the bogus Web site, which gives the phisher what he or she needs for identity theft. In other words, I'd be handing the attacker everything required to make me a victim.


Since they were first widely reported in late 2003, phishing attacks have been rising, although the numbers flattened out and even started to fall in the late summer of 2005. I think that's because we've all become suspicious. Fact: most banks never ask their customers for account details or passwords by e-mail.

Where spear-phishing differs
Spear-phishing relies upon an older, time-honored cracker skill: patience. Spear-phishing is not for the quick-money artistes; successful spear-phishers first develop a deep understanding of their quarry before they move in. Targets tend to be government agencies, industrial corporations, and financial institutions, with a handful of universities thrown in. The attackers start with a low-level someone within the target organization, learn the appropriate jargon, study the way e-mail recipients are grouped, then craft e-mail carrying a Trojan horse (as an attachment or behind a link) and send it to a select few. All it takes is one person opening the attachment or clicking the link to infect an otherwise secure network; the victim's passwords are stolen. Often this cycle is repeated, with the attacker moving higher and higher within the organization's structure, looking for the most sensitive data. Once a spear-phisher has compromised a network, he or she installs a rootkit, which hides the intrusion and lets the attacker reach protected systems unnoticed.

Damage can be measured in a number of profitable ways. One Israeli company is alleged to have spear-phished a competitor in order to learn trade secrets. Another spear-phishing attack hit a university credit union, potentially exposing its customers' personal information. Finally, a spear-phisher might obtain a sensitive document (say, upcoming quarterly financials), then hold it for ransom.


You might think that the new antiphishing applications hitting the market will protect you, but they won't against most spear-phishing attacks. Most antiphishing sites and tools rely on blacklists of known phishing sites, and a site lands on a blacklist only after someone reports it. Because spear-phishing targets a small group of victims, its sites are rarely reported; unless a spear-phishing site gets reported or displays telltale signs of a forgery that a tool checks for (a raw IP address in place of a host name, for instance), it won't be blocked.
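The "View Source" check described earlier and the limits of blacklisting described just above come down to the same inspection, which the following Python does for you. It is an added example, not code from the column or from any antiphishing product: it pulls every link out of an HTML e-mail, checks the host against a blacklist, and then applies the telltale signs a blacklist never needs, a raw IP address as the destination, visible text naming one domain while the link goes to another, and a real brand used as a subdomain of an unrelated domain. The message, the hosts, the blacklist entry and the brand list are constructed for the example, and the two-label "registrable domain" check is an offline approximation standing in for a proper public-suffix lookup.

```python
"""Pull the links out of a suspicious HTML e-mail and explain why each looks forged."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample of the "update your account" mail the column describes.
SAMPLE_HTML = """
<p>Dear valued member,</p>
<p>Your account will be suspended unless you confirm your details at
<a href="http://192.0.2.44/ebay/signin">https://www.ebay.com/signin</a>
within 24 hours.</p>
<p>Questions? <a href="http://www.ebay.com.account-verify.example/help">eBay Help</a></p>
<p>To unsubscribe, click <a href="https://www.ebay.com/unsubscribe">here</a>.</p>
"""

# Blacklist of the kind antiphishing tools consult (constructed). The fresh hosts
# above are not on it, which is exactly why a blacklist alone misses a targeted run.
BLACKLIST = {"phish-known.example"}

# Brands whose names a phisher is likely to borrow (assumed list).
BRANDS = ("ebay.com", "citibank.com")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    return (urlsplit(url).hostname or "").lower()


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _registrable(host):
    """Last two labels of the host: a crude offline stand-in for a public-suffix lookup."""
    return ".".join(host.rsplit(".", 2)[-2:])


def check_link(href, text, brands=BRANDS):
    """Return the reasons a link looks forged; an empty list means nothing stood out."""
    reasons = []
    host = _host(href)
    if host in BLACKLIST:
        reasons.append("blacklisted host")
    if _is_ip(host):
        reasons.append("link goes to a raw IP address")
    # Visible text that names a domain the link does not actually go to.
    m = re.search(r"(?:https?://)?([\w-]+(?:\.[\w-]+)*\.[a-z]{2,})", text, re.I)
    if m and _registrable(m.group(1).lower()) != _registrable(host):
        reasons.append(f"text says {m.group(1)} but link goes to {host or href}")
    # A real brand's domain buried as a subdomain of an unrelated domain.
    for brand in brands:
        if brand in host and _registrable(host) != brand:
            reasons.append(f"'{brand}' used as a subdomain of {_registrable(host)}")
    return reasons


def inspect(html):
    """List every link in the message with the reasons it looks forged."""
    p = LinkCollector()
    p.feed(html)
    return [(href, text, check_link(href, text)) for href, text in p.links]


if __name__ == "__main__":
    for href, text, reasons in inspect(SAMPLE_HTML):
        print(f"{text!r:32} -> {href}")
        for r in reasons:
            print("    !", r)
```

Run against the sample, the blacklist flags nothing, while the heuristics flag the first two links and leave the genuine unsubscribe link alone; that gap between the two results is the column's point about targeted campaigns.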

Solutions?
Inherently, spear-phishing attacks are social engineering attacks, and the best solution is education. Teaching your staff to be suspicious of corporate e-mail, even when it appears to come from a "trusted" authority, is a good thing. A few companies have hired security experts to spear-phish their own organizations, looking for weak links, then educating the employees who fell for such tactics. Remember, when in doubt about an e-mail's veracity, always pick up the phone and call the party requesting personal information, using a number you already have rather than one printed in the e-mail.
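The in-house exercise mentioned above needs two things the column does not spell out: a lure link that identifies which recipient clicked it, and a way to turn the Web server's access log into the list of people who need training. The Python below is an added example, not the column's or any vendor's code. The roster, the secret key, the host name and the access-log lines are all constructed; the per-recipient token is an HMAC of the address so that a recipient cannot edit the URL into a colleague's token, and a GET is counted as a click while a POST counts as the employee going on to submit the form.

```python
"""Per-recipient lure tokens and click analysis for an in-house phishing exercise."""
import hashlib
import hmac
import re

# Assumed: a secret held only by the assessment team (load it from a vault in practice).
EXERCISE_KEY = b"rotate-me-per-exercise"

# Constructed roster of the handful of employees the exercise targets.
ROSTER = ["alice@corp.example", "bob@corp.example", "carol@corp.example"]


def make_token(recipient, key=EXERCISE_KEY):
    """A short HMAC of the address: the URL identifies the recipient, but nobody
    can forge a token for a colleague or tamper with their own."""
    return hmac.new(key, recipient.encode(), hashlib.sha256).hexdigest()[:16]


def lure_url(recipient, base="https://training.corp.example/update-password"):
    """The link that goes into the exercise e-mail (host name is assumed)."""
    return f"{base}?t={make_token(recipient)}"


# Common-log-format request lines; only the fields the analysis needs are captured.
LOG_RE = re.compile(r'^(\S+) - - \[[^\]]+\] "(GET|POST) (\S+) HTTP/1\.[01]" (\d{3})')
TOKEN_RE = re.compile(r"[?&]t=([0-9a-f]{16})")


def analyse_clicks(log_lines, roster, key=EXERCISE_KEY):
    """Map tokens found in access-log lines back to the roster.

    GET = the employee clicked the link; POST = they went on to submit the form.
    Tokens that match nobody are reported separately (typos, tampering, scanners).
    """
    by_token = {make_token(r, key): r for r in roster}
    report = {"clicked": set(), "submitted": set(), "unknown_tokens": set()}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        method, path = m.group(2), m.group(3)
        t = TOKEN_RE.search(path)
        if not t:
            continue  # favicon, static files, unrelated requests
        who = by_token.get(t.group(1))
        if who is None:
            report["unknown_tokens"].add(t.group(1))
            continue
        report["clicked"].add(who)
        if method == "POST":
            report["submitted"].add(who)
    return report


# Constructed access-log lines: Alice clicked and submitted, Bob only clicked,
# Carol did nothing, and one request carries a token that matches no one.
SAMPLE_LOG = [
    f'198.51.100.7 - - [04/Nov/2005:09:12:01 -0800] "GET /update-password?t={make_token("alice@corp.example")} HTTP/1.1" 200 1532',
    f'198.51.100.7 - - [04/Nov/2005:09:12:40 -0800] "POST /update-password?t={make_token("alice@corp.example")} HTTP/1.1" 302 0',
    f'198.51.100.9 - - [04/Nov/2005:09:15:22 -0800] "GET /update-password?t={make_token("bob@corp.example")} HTTP/1.1" 200 1532',
    '198.51.100.9 - - [04/Nov/2005:09:15:23 -0800] "GET /favicon.ico HTTP/1.1" 404 0',
    '203.0.113.5 - - [04/Nov/2005:10:02:11 -0800] "GET /update-password?t=0123456789abcdef HTTP/1.1" 200 1532',
]

if __name__ == "__main__":
    for person in ROSTER:
        print(person, lure_url(person))
    print(analyse_clicks(SAMPLE_LOG, ROSTER))
```

The report separates "clicked" from "submitted" because the two call for different follow-up: a click is a teaching moment, a submitted password is a credential that must be reset. Keep the key per exercise; reusing it lets someone who saw an old lure recognise the next one.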

Companies, too, can stop putting links in IT, HR, and accounting-related e-mail; instead, tell employees to go to a password-protected intranet home page themselves. Companies should also use Web forms served over SSL rather than e-mail to collect personal information such as Social Security numbers.

But does this mean we'll start to mistrust e-mail in general? I've seen some discussion of that online, but I don't think so. Remember the dire predictions about spam one year ago? Spear-phishing is yet another growing pain for the Internet. But with education, we'll get through it.

Have you seen evidence of spear-phishing in your workplace? If so, how did your company handle it?
