
Spear-Phishing - New Angles On An Old Game


It usually doesn't take long for emerging trends in business IT security to reach the point at which a new name for a given phenomenon is required to set it apart. A relatively recent variation on the familiar e-mail phishing scam, one that targets small cells within a particular enterprise rather than millions of random people, has reached that point. Last week, BusinessWeek reported on the growing phenomenon of "spear-phishing" and, while they charge for that information, we don't think you should have to pay to keep your sensitive information private.

A New Scam? ...Not really.

If you know how phishing works, you already know how spear-phishing works. The difference lies only, as you might have guessed, in the skill and the more focused target of the scammer. "Regular" phishing relies on casting a wide net, knowing that out of the millions of people who receive the e-mails, a few are sure to respond. Spear-phishing relies instead on the scammer's ability to win the trust of a small group of people for at least long enough to grab all the sensitive information she can. Different groups may be targeted, but the scheme seems to be most effective against small groups inside a large enterprise network, which gives this form of phishing some characteristics that set it apart.

Spear-phishing e-mail can be more difficult to catch because the Subject and From headers carry familiar text and because its limited circulation doesn't attract the attention of the large clearinghouses of known scam information. Target e-mail addresses may be gathered from corporate directories, web sites and telephone conversations rather than from spammers dealing in huge lists of working addresses. The e-mails themselves may appear to be actual corporate documents but often carry trojan-horse keystroke-logging programs or links to fake websites set up to look like the real thing.
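As an added example (not code from the original article), the following Python script checks a message for two of the traits just described: a From display name that matches a known colleague while the address sits on another domain, and a link whose visible text names a different host than its real target. The company domain, the staff directory and the sample message are constructed for this example.

```python
# Added example: flag two spear-phishing traits on one message. The company
# domain, staff directory and sample message below are constructed.
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

INTERNAL_DOMAIN = "example.com"                       # assumed company domain
DIRECTORY = {"Dana Reyes": "dana.reyes@example.com"}  # assumed staff directory
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def spear_phish_indicators(raw_message):
    """Return a list of human-readable indicators for one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    hits = []
    # Familiar colleague name in the From header, but the address is not ours.
    if name in DIRECTORY and domain != INTERNAL_DOMAIN:
        hits.append(f"from: '{name}' is a known colleague but address is on '{domain}'")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        for href, text in ANCHOR_RE.findall(body.get_content()):
            text = re.sub(r"<[^>]+>", "", text).strip()  # drop inner tags
            shown = urlparse(text if "://" in text else "https://" + text).hostname
            real = urlparse(href).hostname
            # The link text shows one host while the href goes somewhere else.
            if shown and real and shown != real:
                hits.append(f"link: text shows '{shown}' but target is '{real}'")
    return hits


# Constructed sample: familiar colleague name, lookalike sender domain, and a
# link that displays the intranet host but points at a lookalike host.
SAMPLE = """\
From: Dana Reyes <dana.reyes@examp1e.com>
To: staff@example.com
Subject: Updated expense policy
Content-Type: text/html; charset="utf-8"

<html><body><p>Please review the new policy at
<a href="https://portal.examp1e.com/login">https://portal.example.com/policy</a></p>
</body></html>
"""

if __name__ == "__main__":
    for hit in spear_phish_indicators(SAMPLE):
        print(hit)
```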
The scammers could well be disgruntled former employees, vendors or others who have had access to the physical premises. And while some are using such techniques to target non-corporate groups like participants in eBay auctions, the goal of most spear-phishing scams is to collect sensitive commercial data.

Central to the success of a spear-phishing scheme is the artful use of what has come to be called "social engineering". Kevin Mitnick, notorious hacker turned security consultant (http://www.antiphishing.org) and the Trusted Electronic Communications Forum (http://www.cafeid.com), we maintain a one-stop shop of up-to-date resources and information on every aspect of Internet security and identity protection. If you think you've already been a victim of some form of phishing attack, a great place to start undoing the damage is at the Internet Fraud Complaint Center (
