Spear Phishing


Latest news:

November 14, 2013:
Several new targeted email fraud scams have come down the pike in recent weeks, resulting in millions of dollars being shipped offshore before it is discovered that the sender was not legitimate. The White House has been hit on some of its non-secure computer systems by a sophisticated spearphishing attack alleged to come from China. LinkedIn is a new tool of spearphishers.


Email Spoofing:

In the latest attack, coming primarily from China, executive emails are being spoofed, and the messages say to wire large sums to accounts immediately. Normally these emails go to a CFO or someone else with financial responsibility who can send money.

What is Spear Phishing? Is My Company Vulnerable?

Beware of emails that look legitimate but redirect to strange links

News that White House computers were breached by a spearphishing attack has brought a lot more attention to legitimate-looking emails with a dangerous payload. Officials downplayed the danger of the attack because the computers affected are not part of the secure network associated with state secrets. Still, any attack can be construed as dangerous, because some of the most innocuous pieces of data can be used at a later time to gather intelligence, to serve as cover for an attack on other computers, or to introduce malware that might be able to spread from one system to another via thumb drives or dirty email attachments. In the same way that citizens during wartime were warned not to speak about troop movements and weapons development, even the most boring information in White House computers could be assembled to indicate where key people were at a certain time, what certain individuals are working on, and the morale of employees. Seemingly harmless items like gossip can often be used to build profiles on important diplomatic and military personnel. Likewise, a corporation subjected to a spearphishing attack might first see low-level information taken in preparation for official-looking attempts to crack "inner" areas which have valuable data, personal information, or technological secrets behind a better firewall.

Spearphishing is a targeted email attack aimed at people who are known to frequent specific online businesses. It is called "spear-phishing" because the targeting is much more precise and narrow, like the tip of a spear. In the most recent case, spear-phishing is a suspected goal of the data breach at Epsilon, an online marketer with account information for several major banks, pharmacies, and retail electronics outlets. Although credit card data was not stolen, email addresses were compromised, and these addresses can be sold on the black market for more money because the purchaser knows that people have bought from specific stores in the past. Furthermore, the information gathered from spear-phishing can also beget more sophisticated phishing attacks on customers, who are more likely to trust a legitimate-looking message from a retailer or bank with whom they are already doing business, since the fraudulent email may contain personalized information and customized salutations.

Some of the most common targets for spear-phishing (and standard phishing) attacks are credit card numbers and account logins. For example, an attack may take the reader to a legitimate-looking bank site and ask for login information, at which point the bank account username and password will belong to a hacker who can use that access to transfer funds, change account addresses, or drain all kinds of money from the owner.

How do you prevent spearphishing? Outside of expensive (and questionable) authentication protocols for email, having controls in place and requiring extra steps before sending large sums of money are ways to stop fraud in its tracks. For example, in the most recent spearphishing example, an email purportedly from a CEO says to immediately wire large sums to an unknown source. A simple phone call to the CEO for amounts over a few thousand dollars, or for changed account numbers, may be all it takes. Employee education is also critical, since workers should be trained to look for misspellings, odd vocabulary, or other indicators that a message may not be real. A lot of the pretexting and social engineering that goes along with spearphishing is designed to take advantage of trust or authority, so a verification process for any unusual activity may break down a sophisticated attack.
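The spoofed-executive wire request described under Email Spoofing, and the phone-call control described above, can both be expressed as simple checks. The following Python sketch is an added example, not part of the original article; the company domain, executive name, dollar threshold, accounts on file and sample message are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed values for illustration only; none of them come from the article.
COMPANY_DOMAIN = "example.com"
EXECUTIVE_NAMES = {"jane doe"}
CALLBACK_THRESHOLD = 5000  # dollars; stands in for "a few thousand dollars"
ACCOUNTS_ON_FILE = {"Acme Supplies": "000123456"}  # beneficiary -> known account

URGENT_WIRE = re.compile(r"\bwire\b.*\b(immediately|urgent|today|asap)\b", re.I | re.S)

def spoof_indicators(raw_email):
    """Return the reasons a message looks like a spoofed executive wire request."""
    msg = message_from_string(raw_email)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    domain = addr.rpartition("@")[2].lower()
    reasons = []
    if name.lower() in EXECUTIVE_NAMES and domain != COMPANY_DOMAIN:
        reasons.append("executive display name on external domain")
    if reply_to and reply_to.lower() != addr.lower():
        reasons.append("Reply-To differs from From")
    body = msg.get_payload()
    if isinstance(body, str) and URGENT_WIRE.search(body):
        reasons.append("urgent wire-transfer language")
    return reasons

def needs_callback(amount, beneficiary, account):
    """Require a phone call for large amounts or new/changed account numbers."""
    # This check ignores the email headers on purpose: a From address can be
    # forged to match the company domain exactly, so the process control must
    # not depend on the message looking suspicious.
    return amount > CALLBACK_THRESHOLD or ACCOUNTS_ON_FILE.get(beneficiary) != account

# Constructed sample message (not a real email).
SAMPLE = """From: "Jane Doe" <jane.doe@examp1e-mail.test>
Reply-To: payments@other.test
To: cfo@example.com
Subject: Wire needed

Please wire $48,000 to the account below immediately.
"""

if __name__ == "__main__":
    print(spoof_indicators(SAMPLE))
    print(needs_callback(48000, "Acme Supplies", "999888777"))
```

The header checks only raise suspicion; the callback rule is what stops the payment, and it applies even when a message shows no indicators at all.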

Notes and Special Information

Special note: Spear phishing attacks are often complex, so it is important to let your IT and security people know if you suspect one is underway. This will enable them to warn other employees.