The past few months have been characterized by hackers, phishers and other miscreants narrowing their attacks. For instance, the criminals who hacked TJX's systems spent 17 months methodically executing the heist. This is the antithesis of the generalized and comparatively primitive attacks that security folks spend most of their time worrying about.
The exploit described in this CIO Update piece works at a very different level, but it likewise shows a refinement in the overall thought process. The story outlines what one of the sources quoted refers to as "Starbucks Stalking." A public hotspot is staked out near a big company's office and a regular customer -- an employee of the company -- is targeted. When the time is right, the crook grabs his or her laptop and scrams. The data on the stolen laptop can then be used in spear phishing and other attacks that are more likely to succeed than generalized mass delivery phishing e-mails.
This gradual change in strategy is playing out at a time when the phishing landscape itself may be changing. Phony e-mails have always been assumed to be a big problem, but not as big as a recently released University of Indiana study suggests. The university's School of Informatics estimates that 14 percent of phishing targets may respond to phishing e-mails. That's an astronomical number. The study, which was reported on in PC World, points to research from Gartner that pegs the number at a more familiar 3 percent. The finding hopefully is an outlier.
Still, the prospect that the rate of phishing success has been under-reported -- coupled with more effective approaches -- is disturbing. What's also disturbing is that phishers, hackers and others are perfecting their crafts and narrowing their targets.