PhishMe Blog

Archive for November, 2011

2011 – The year of spear phishing and spear phishing

Thursday, November 17th, 2011
spear phish vs. spear phish

An odd title for a blog post, but something that has been on my mind for a while now. We get a fair amount of media requests for comments or perspective on phishing stories. This is a good thing. It’s nice to have recognition in your field. Of course, 2011 had no shortage of phishing-related news. (What’s up RSA, I’m looking at you. I’ve noticed you frequent our website a lot. How about a demo? Couldn’t hurt.)

In 2011, the term “spear-phishing” shifted gears a bit. Once reserved for highly targeted and personalized email attacks against organizations, the term is now being applied to consumer fraud-based phishing as well; the taxonomy of phishing is changing again.

First, some of the de facto high-profile spear-phishing events in 2011:

But something new has been brewing. Massive data breaches of big consumer organizations with millions of users became more commonplace. It started with the Epsilon compromise, then we had Sony, and now the Steam breach putting 35 million gamers at risk.

As the trade journalists made the rounds, the security experts commenting talked about how these data breaches will lead to more spear-phishing incidents against consumers. What they mean by that is that instead of the consumer Bob receiving a generic phish:

“Dear Citibank Member,
There is something wrong with your account. Please read the attached statement to verify charges.”

attackers can now cobble a bit of personal information into the phishing email to make the bait look more believable (see Pretexting on Wikipedia):

“Dear Bob Dobolina,
I ran into a mutual friend of ours in Charleston, SC. He said you were into video games. Check this out …..”

Ok, I’ll tip my hat to the use of some personalized information somewhat resembling what we’ve been calling a spear phish. But this in no way resembles the effort and sophistication used by advanced threats against our most trusted institutions. Those institutions are facing attackers armed with department names, locations, org charts, contract names, names of sub-contractors, and whatever else they can scrape together to increase the chances of a successful mission.

I chose the word mission for a reason. The first-of-its-kind DARPA meeting last week, a stone’s throw from the PhishMe offices, started to cast light in not-so-vague terms on what organizations have been dealing with for quite some time.

Spear Phishing vs. Spear Phishing. There is a difference.

Aaron Higbee

p.s. Don’t even get me started on whaling.

Spear Phishing with Password Protected Zip Files

Tuesday, November 1st, 2011
The Slashdot headline this morning reads: Spear Phishing Campaign Hits Dozens of Chemical, Defense Firms

What is it about? Simple: the Poison Ivy trojan wrapped in a password-protected ZIP file so it can get past filtering. Symantec has an excellent analysis of these attacks in a paper titled The Nitro Attacks: Stealing Secrets from the Chemical Industry, by Eric Chien and Gavin O’Gorman. You can read the entire paper here.

“The most recent attacks focusing on the chemical industry are using password-protected 7zip files which, when extracted, contain a self-extracting executable. The password to extract the 7zip file is included in the email. This extra stage is used to prevent automated systems from extracting the self-extracting archive.”

Packing malicious code into a ZIP file and including the password in the body of the email is a fairly common spear-phishing technique that has been going on for quite some time. In fact, we have specific training about this tactic available at PhishMe. Here is a small snip from our training about password-protected ZIP files:

Malware in password protected zip file
By now you may be aware of spear-phishing emails that contain malicious attachments. We have technology in place that scans email looking for malicious attachments, but it’s not foolproof. In this cat-and-mouse game, the bad guys are always looking for new ways to get past our safeguards.

One technique they use is placing the malicious attachment inside of a password-protected ZIP file. It works like this: the attacker zips the malicious file, then puts the password for the ZIP file in the body of the email. They do this because they know our email security tools can’t see what is inside the protected ZIP file.
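A defender-side illustration of the point above, added here and not part of PhishMe’s training or product: a small Python checker that, without knowing the password, reads the encryption flag and member names from a ZIP attachment (ZipCrypto encrypts file contents but leaves the central directory readable) and correlates them with a password handed over in the message body. The rule names, the scoring threshold and the sample email are assumptions.

```python
import io
import re
import zipfile

# Constructed sample lure: the archive password is handed over in the email body.
SAMPLE_BODY = "Please review the attached invoice. The archive password is: Nitro2011"

# Hypothetical rules: password supplied in the body, and executables in the archive.
PASSWORD_HINT = re.compile(r"\bpassword\b\s*(?:is|:)\s*\S+", re.IGNORECASE)
EXECUTABLE_EXT = (".exe", ".scr", ".com", ".pif")


def zip_members(data: bytes) -> list:
    """(name, encrypted) per member. ZipCrypto encrypts content only: member
    names and general-purpose flag bit 0 stay readable without the password."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [(i.filename, bool(i.flag_bits & 0x1)) for i in zf.infolist()]


def assess_attachment(body: str, data: bytes) -> dict:
    """Score an email carrying a ZIP attachment; two or more signals quarantine."""
    members = zip_members(data)
    reasons = []
    if any(enc for _, enc in members):
        reasons.append("encrypted ZIP member (content cannot be scanned)")
    if any(name.lower().endswith(EXECUTABLE_EXT) for name, _ in members):
        reasons.append("executable inside archive")
    if PASSWORD_HINT.search(body):
        reasons.append("archive password supplied in message body")
    return {"score": len(reasons), "reasons": reasons,
            "verdict": "quarantine" if len(reasons) >= 2 else "allow"}


def build_sample_zip(name: str, payload: bytes, encrypted: bool) -> bytes:
    """Constructed test input: the stdlib cannot write password-protected ZIPs,
    so set flag bit 0 in each local (offset 6) and central (offset 8) header of
    a plain archive to reproduce what a password-protected one looks like."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, payload)
    data = bytearray(buf.getvalue())
    if encrypted:
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(sig)
            while pos != -1:
                data[pos + off] |= 0x01
                pos = data.find(sig, pos + 4)
    return bytes(data)
```

Note that 7zip archives with encrypted headers hide member names as well, so for those a gateway can only act on the container type and the password in the body.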

Existing PhishMe customers: If you haven’t gotten the message out to your people about spear phishing using password-protected ZIP files, log in to your account and check it out.

Future customers: You could be using our award-winning solution right now to train people about this exact tactic.

Stay safe,

Aaron Higbee