2011 – The year of spear phishing And spear phishing
An odd title for a blog post but something that has been on my mind for a while now. We get a fair amount media requests for comments or perspective on phishing stories. This is a good thing. It’s nice to have recognition in your field. Of course 2011 was no shortage of phishing related news. (What’s up RSA, I’m looking at you. I’ve noticed you frequent our website a lot. How about a demo. Couldn’t hurt?)
In 2011, the term “spear-phishing” shifted gears a bit. Once reserved to define highly targeted and personalized email attacks against organizations, the taxonomy of phishing is changing again. The term spear-phishing being applied to consumer/fraud/ based phishing.
First, some of the defacto high profile spear-phishing events in 2011:
But something new has been brewing. Massive data breaches of big consumer organizations with millions of users became more common place. It first started with the Epsilon compromise, then we had Sony, and now the Steam breach putting 35 million gamers at risk.
As the trade journalists made the rounds, the security experts commenting talked about how these data breaches will lead to more spear-phishing incidents of consumers. What they mean by that is instead of the consumer Bob receiving a generic phish:
“Dear Citibank Member, There is something wrong with your account. Please read the attached statement to verify charges.”
Attackers can now cobble a bit of personal information into the phishing email to make the bait look more believable: (See Pretexting: Wikipedia )
“Dear Bob Dobolina, I ran into a mutual friend of ours in Charleston SC,. He said you were into video games. Check this out …..”
Ok, I’ll tip my hat to the use of some personalized information somewhat resembling what we’ve been calling a spear phish. But this is in no way resembles the effort and sophistication used by advanced threats against our most trusted institutions. They are facing attackers armed with department names, locations, org charts, contract names, names of sub-contractors, and whatever else they can scrape together to increase the chances of a successful mission.
I chose the word mission for a reason. The first of its kind DARPA meeting last week a stone’s throw away from the PhishMe offices started to cast light in not-so-vague terms about what organizations have been dealing with for quite some time.
Spear Phishing v.s Spear Phishing. There is a difference.
p.s. Don’t even get me started on whaling.