Up Close and Personal: The Insidious Spear-Phishing Threat

Carl Weinschenk

A nasty trend in security during the past year or so is the targeting of specific companies and executives with phishing e-mails that appear legitimate. These sophisticated attacks -- sometimes called spear phishing -- have led Symantec to introduce a specialized program called Managed Threat Analysis, according to internetnews.com.


The story says the program features an in-depth assessment of the client's infrastructure and security standing. Specific steps aimed at countering the threats are offered. The story doesn't mention the cost of the service, which likely will be steep.


Earlier this week, a nasty spear-phishing incident made news in Idaho. In a court filing, a vice president of legal affairs for grocery chain Supervalu said that in February and March, the company received fraudulent e-mails from people saying they were with American Greetings and Frito-Lay, two company suppliers. This Computerworld story said the e-mails asked the company to send future payments to new bank accounts. Believe it or not, Supervalu made several deposits, totaling more than $10 million, to the bogus accounts.


Those running spear-phishing operations (spear phishermen?) also imitate internal e-mail. Hackers posing as members of the IT department, for instance, will ask for passwords. This is insidious, this Government Executive story says, because these criminals invariably do their homework and provide enough information to targets to lull them into a sense of security. If successful, the criminal may be able to use the password or other information to gain access to the entire network. The writer says spear phishing is one of the biggest problems in both the government and private sector. The danger is compounded by the fact that spam filters, patches and firewalls are ineffective in stopping spear phishing, simply because there usually is nothing amiss about the e-mail.


This Dark Reading piece deals with vulnerabilities on MySpace, Facebook and LinkedIn, a business-oriented networking site. The dangers are different in each of the three, the writer concludes. She says LinkedIn can provide a social engineer -- a hacker who beats targets with cleverness instead of code -- with "a treasure trove of information" for spear phishers and other criminal activities.


Indeed, organizational information that in the past was confidential typically is offered with little security. This data can be particularly damaging, since it facilitates savvier and more clever attacks. However, LinkedIn's smaller feature set makes it safer than MySpace or Facebook, the reporter concludes. MessageLabs saw a big rise in spear-phishing-type spam in May 2007 compared with the same period a year earlier, according to this posting at Jeff Hayes' Security Blog. Although the number of spear-phishing e-mails was a tiny percentage of the total the company scanned, the report says the level of information they contained was "alarming." These messages often carry malicious executable files.


This suggests that there are two kinds of spear phishing: messages that seek to trick the recipient into infecting the corporate network, and messages that try to harvest passwords and other information for subsequent attacks. Educating employees to treat all e-mails with skepticism is the best way to combat this threat, and companies clearly must redouble their efforts.
