Spear phishing is increasing, according to researchers with Verisign's iDefense Rapid Response Team.
Though they share most of the name, spear phishing and a third variant, whaling, differ significantly from traditional phishing. The older (can it be called "old school"?) phishing involves sending out thousands or even millions of generic e-mails in the hope of fooling a small percentage of recipients. Spear phishing and whaling take the opposite approach: the criminals research their victims and include enough personal or organizational detail to make the e-mails appear legitimate.
The definitions are a bit unsettled, but spear phishing is distinct from whaling. Spear phishing blankets a group of people with something in common, such as employees of a particular company or people who work in a specific industry. Whaling aims at top executives, often by name and with specific information that lends the messages an air of authenticity. All of these definitions are amorphous and flexible, however.
iDefense, according to this PCWorld.com story, has tracked 66 spear phishing attacks since February 2007 and believes that 95 percent were the product of two groups. The attacks stole data from an estimated 15,000 people during that time. An iDefense spokesman said the groups were perfecting their methods, with the most successful of the attacks launched in April.
The National Post from Canada provides a couple of examples of such exploits. One was launched against thousands of corporate executives, who received e-mails purporting to be subpoenas from the U.S. District Court in San Diego. Each named the recipient and demanded that he or she appear before a grand jury in a civil case. At some point in the message, the target was prompted to click on a link, which downloaded a Trojan horse onto his or her machine. The writer also said that the spear phishers recently have targeted about 90 university systems.
Indeed, academia seems to be a magnet for cyber criminals. This Daily Bruin piece provides background on a series of spear phishing attacks against UCLA. The school's director of IT security said the initial attacks occurred around the winter break and have been increasing every month. An initial warning posted at Bruin OnLine, which contained an option to change passwords, itself looked like a phishing attempt and was abandoned.
There is a lot an organization can do to fight the various forms of phishing. Information Security Short Takes offers several preventive steps: use e-mail digital signatures; educate assistants, advisors and executives; train personnel on what to look for; run social engineering penetration tests; and provide fallback security measures.
There is no shortage of bad actors online trying to obtain information that will let them do things they shouldn't be able to, and that will undoubtedly hurt people and the companies they work for. The first step in combating phishing, spear phishing, whaling or any other aquatic-sounding exploit is to train employees to exercise caution.