updated 3/14/2011 2:10:34 PM ET

Cybercriminals are employing a new, complex and effective phishing scam to gain access to the personal information of employees of the world’s largest companies and even government officials, according to a top security analyst.

The attacks, called "Spear Phishing," begin with an e-mail addressed to employees at an e-mail service provider (ESP). Often including the recipient’s name and address in the body of the e-mail, the message, like many scams, attempts to trick the recipient into believing it comes from a trusted source.

"The idea is to make the message seem legitimate and hand-crafted to the recipient," Brian Krebs, editor of, told SecurityNewsDaily.

With the confidence of the recipient won, the hacker then lures the victim into opening a corrupted link in the e-mail – often in the guise of an image – which redirects users to a page that “attempts to silently install software designed to steal passwords and give attackers remote-control over infected systems,” Krebs said in a blog post.

Spear phishing attacks, as opposed to traditional, non-targeted phishing scams, are proving to be dangerously effective.

Krebs told SecurityNewsDaily that the percentage of people who fall for traditional phishing scams is between 1 and 3 percent. "When you move to targeted, spear-phishing attacks, typically the haul is much higher, in the range of 20-30 percent, sometimes more."

He continued: "As with regular phishing attacks, the attackers inject an element of urgency: Act now or there could be dire consequences (your account is closed, you miss a deadline, your boss will fire you, etc.) But aside from their targeted nature, one reason that spear phishing attacks are more successful is that instead of asking the recipient to give up information, spear phishing attacks usually are an attempt to plant malicious software on the user's PC. Hence, they tend to rely on getting the user to click a link or open a file, something most users don't think twice about doing dozens of times a day."

As spear phishers build bigger, more detailed databases of victims, Krebs told SecurityNewsDaily that hackers using these types of attacks "will be limited only by their imagination and the caliber of targets."

These targets, he said, could extend to the highest levels of government. According to a Dec. 4 New York Times article, Chinese hackers used this technique against five U.S. State Department employees in June 2009, during climate change talks between the United States and China.

"Spear phishing is a present and constant threat to high-value targets in the U.S. and other governments, as they are a prime target of this type of attack," Krebs told SecurityNewsDaily. "Spear phishing is likely to remain a very effective threat for intelligence gathering going forward for some time."

© 2012 TechNewsDaily

