Spear Phishing

By

This article was published by ComputorEdge, issue #2437, 2006-09-15, as a feature article, in both their print edition (on pages 18-19) and their website.

The next time you hear someone mention what sounds like "spearfishing", but it is in relation to the Internet, then it is quite possible that they are not talking about harpooning aquatic creatures using hand-wielded spears or spear gun shafts. Instead, they are likely referring to a new type of phishing, known as "spear phishing".

By now, most Internet users are familiar — some intimately — with the most common ways of getting ripped off online. Many of these nefarious methods fall under the category known as "phishing", so named because the perpetrators are fishing for confidential information that they hope to use against their victims: full name and birthday, online usernames and passwords, Social Security number, bank account numbers, and credit card data.

Phishing schemes typically appear to their intended victims first in the form of phony e-mail messages, supposedly sent from financial institutions, and often warning that the individual's account needs to be updated in order to avoid the account being frozen or closed. These messages often have alarming subject lines such as "Important alert from your bank".

All phishing e-mail messages contain links to phony websites, designed to look and behave just like legitimate financial sites, and thus convince their victims to enter their access information. Simply logging into one of these fake sites then provides the crooks with enough data for them to then log in to the real site, but posing as the victim. They will then proceed to transfer money out of the account, into their own, and possibly record any additional confidential data they find.

Focused Phishing

While the standard forms of phishing must be proving effective enough for the miscreants to continue utilizing them, they all suffer from one weakness: generalization, or, more to the point, over generalization. Because these e-mail messages are blasted out to as many people as can be found on the spammers' lists, they necessarily lack the specifics that one normally sees in a handcrafted message sent from any person or organization. To maximize their applicability, the only specific details that the phisher will include in such a message is the name of a financial institution. They must do this because the phishing website must appear identical to that of a particular bank or credit card company.

Even though the conventional phishing e-mail messages are made as general as possible, they still do not apply to most recipients, because the average recipient does not have an account at whatever financial institution has been chosen. But this matters little to the fraudsters, because, like spammers in general, it's just a numbers game to them. They only need a small portion of their messages' recipients to respond, in order to turn a profit.

Spear phishing takes a different approach: The initial message is targeted at a single person or set of people, such as the employees of a company. By focusing the attack on a handful of individuals, or just a single one, the phisher can include more specific information, thus making the message appear far more legitimate. In addition, by incorporating the recipient's name and/or organization name in the message, it greatly reduces the chances that the phishing message will be flagged as spam by the victim's e-mail program or service.

Spear Phishing in the Wild

One of the best ways to avoid falling prey to scams of any sort — including those on the Internet — is to be aware of how people have been ripped off in the past, or how they have come close.

A friend of someone I know in the publishing business, was victimized by a spear phisher when she received an e-mail stating that she could take advantage of a "second chance offer" on an eBay item for which she had unsuccessfully bid. She sent a check for the amount, more than $400, but never received the promised item. When informed of what had happened, eBay claimed that there was nothing that they could do, since the spear phishing message never went through the eBay system; it had been sent directly to her from the scammers.

One poster on Slashdot (www.slashdot.org) detailed two separate phishing attempts, both of which show how these attacks are becoming more clever and refined. In the first one, he received a message purportedly from eBay, offering to deposit $20 into his account for completing a short survey. After he took the survey, the phisher requested his credit card number, supposedly to send him the $20. He realized immediately that it was a scam, concluding that eBay would never ask for that, and could instead credit the money to his account with PayPal (owned by eBay).

In the second, more elaborate phishing attack, he received a personalized letter from Canada, with a check from a U.S. bank for over $90,000, which he had supposedly won. He was instructed to send almost $2000 to pay the taxes. This one could be tempting, with the prize check in hand, but he realized that it would bounce. He contacted the authorities to report the fraud, but was flabbergasted to learn that they would only act if he were to follow through on the fraud and actually lose the money!

Don't Get Stuck

All of the solid advice that pertains to phishing in general, also applies to spearfishing and any other variants. Never disclose personal or confidential information, including financial, in response to an e-mail message. This is true regardless of how legitimate or official the message appears, or the name and e-mail address listed in the "From" field (which can be forged), or how much personal information of yours that the message contains. While it may be clear that the message was handcrafted for your eyes, that still does not make it legitimate or safe.

If you have any question as to the authenticity of any notification, regardless of how it was sent to you — via e-mail, telephone, instant messaging, or snail mail — you can contact the organization in question. But do not use the method as instructed by the original notification. Instead, call the company's toll-free customer support number that they sent to you when you opened your account, or type the company's Web address into your browser.

Always keep in mind that e-mail and the Internet have made it much easier for online miscreants to "reach out and touch someone". E-mail messages and websites can be faked. Thus, there is no way for you to be completely sure that they are legitimate messages and sites controlled by the companies that you trust, or instead cleverly disguised scams perpetrated by those who want to harpoon and fillet your wallet.

Copyright © 2006 Michael J. Ross. All rights reserved.

Content topics: