Hackers, Phishers Going for Quality over Quantity

Carl Weinschenk

The past few months have been characterized by hackers, phishers and other miscreants narrowing their attacks. For instance, the criminals who hacked TJX's systems spent 17 months methodically executing the heist. This is the antithesis of the generalized and comparatively primitive attacks that security folks spend most of their time worrying about.


The exploit described in this CIO Update piece works at a very different level, but it likewise shows a refinement in the overall thought process. The story outlines what one of the sources quoted refers to as "Starbucks Stalking." A public hotspot is staked out near a big company's office and a regular customer -- an employee of the company -- is targeted. When the time is right, the crook grabs his or her laptop and scrams. The data on the stolen laptop can then be used in spear phishing and other attacks that are more likely to succeed than generalized mass delivery phishing e-mails.


This gradual change in strategy is playing out as the phishing landscape itself may be changing. Phony e-mails have always been assumed to be a big problem, but not as big as a recently released University of Indiana study suggests. The university's School of Informatics estimates that 14 percent of phishing targets may respond to phishing e-mails. That's an astronomical number. The study, which was reported on in PC World, points to research from Gartner that pegs the number at a more familiar 3 percent. Hopefully the finding is an outlier.


Still, the prospect that the rate of phishing success has been under-reported -- coupled with more effective approaches -- is disturbing. What's also disturbing is that phishers, hackers and others are perfecting their crafts and narrowing their targets.

Apr 29, 2007 6:13 AM John Herron says:
I never believed the rate of response to phishing messages was even 1%, at least not in the past 2-3 years. But in the past 2 months I've had 3 people approach me saying either they or their spouse tried to log in to what they thought was their bank's site based on a phishing message. These three all caught on quickly and notified me, so we were able to mitigate the damage pretty quickly. But now I wonder about how many people don't catch on and are too embarrassed to discuss the matter after the damage is done. Perhaps I've been giving people too much credit and the number really is in the 3-7% range, but I still can't believe it's near 14%.

John Herron at: http://NIST.org
