Internet / Network Security

Network Security Blog

From Tony Bradley, CISSP-ISSAP, for About.com

'Spear Phishing' Attacks Use Targeted Bait

Sunday April 20, 2008
The standard approach to a phishing attack, or phishing scam, is the equivalent of trawling the ocean with a very large net. You will get some fish, some trash, some dolphins, a sea turtle or two, and a bunch of kelp and seaweed. If you want to catch a specific fish, though, you need a more targeted approach, like a harpoon or spear.

Translating back to computer terms, a spear phishing attack is a much more targeted attack. Rather than creating an email directed at PayPal users and sending it out to 20 million email addresses whose owners may or may not even be aware of what PayPal is, a spear phishing attack targets a much smaller pool of potential victims, but a pool where the victims are much more likely to fall for the scam. For example, rather than sending out an email to 20 million people and hoping that the attack will apply to some percentage of them, an attacker could direct an attack at a list of known bank customers, increasing the likelihood of success.

Recently, attackers took that a step further and targeted a list of 20,000 known CEOs and powerful business people with an attack likely to get their attention. With an estimated success rate of 10%, attackers were able to obtain confidential information and account credentials for 2,000 of them.

Comments

June 18, 2008 at 10:47 am
(1) jamalystic says:

These targeted attacks will definitely pose serious problems for enterprises. I think there is more than a financial incentive in these attacks but also that of corporate espionage. It just brings to mind the claims from Congress that Chinese attack their computers! A very good approach in thwarting these attacks is to be able to identify them in their various forms. You did not provide ways of doing that in your blog post, but what's your take on this: Identifying Targeted Attacks (http://www.internetevolution.com/author.asp?section_id=670&doc_id=156701&F_src=flftwo)


©2009 About.com, a part of The New York Times Company.

All rights reserved.