‘Spear Phishing’ Attacks Challenge Common ID Theft Defenses

A few years ago, most phishing scams worked by sending out millions of e-mails to unassuming bank customers in the hope that they could be tricked into revealing their financial information to hackers.

March 1, 2010
Sponsored by ProtectMyID.com

Emails purporting to be from the nation’s biggest financial institutions were sent to millions of random email addresses on the assumption that some percentage of them would be customers of that bank who would be tricked into providing the financial information the hackers were after.

Soon, however, both consumers and spam filters got wiser. Most of us know that our banks and credit card issuers will never send us an e-mail requesting personal or account information. And our e-mail spam filters know it too: most e-mail software filters are able to identify and remove simple phishing attacks like these.

But the hackers’ tactics are evolving: trawling with wide nets is being replaced by trolling with carefully baited lines, sometimes with lures like a fly-fisherman’s, designed to attract one very specific type of fish.

These “spear phishing” attacks exploit known relationships to target a specific group of people with a more devious and convincing request for information or access.

Spear-Phishing Attacks Specific Targets

A spear-phishing attack might go after the employees of a company with an e-mail that looks like an internal communication or a message from a vendor with an established relationship to the company. It might instead focus on the members of a club, the parents of children attending a particular school, or simply people with something notable in common, like senior executives at large corporations.

Whatever the group, the spear-phishing attack leverages information the criminals have already obtained to craft a message precisely designed to get around spam filters and fool the people receiving it, because it looks nothing like the generic phishing e-mails we’ve all learned to recognize and discard.

They may even personalize the e-mails with the intended victim’s name, title and other details — often readily available from public sources like company Web sites, professional associations or social/professional networking profiles. This personalization, like the pretense of a trusted relationship, is designed to trick the recipient into opening the e-mail.

‘Drive By Downloads’ Make the Scams More Dangerous

Simpler phishing scams often depended on their victims to supply the information the fraudsters were after, asking them to click a link in the e-mail that would take them to a Web page on which they could enter the “required” information.

In a spear-phishing attack, the objective is simply to get you to take some action that downloads “malware” onto your PC without your knowledge; the malware then delivers sensitive information like IDs and passwords back to the hacker over time.

In one 2008 spear-phishing attack, about 20,000 senior executives at major corporations were targeted with personalized e-mails purporting to be a federal grand jury subpoena. If they followed the official-looking e-mail’s instructions to install a browser add-on to read the details of the subpoena, identity-stealing code was downloaded onto their PCs. They were never asked to provide any sensitive information.

Spam Filters Aren’t Effective Against Spear Phishing

Unfortunately, you’re likely to be on your own in identifying a spear-phishing attack. The security consulting firm PacketFocus recently released the results of a spear-phishing experiment. Researchers sent phony e-mails to participants in the experiment, with an invitation from “Bill Gates” to join his network on the professional networking site LinkedIn. To the researchers’ surprise, the fake requests made it through the recipients’ spam filters every single time.

How Can You Protect Yourself?

Luckily, the same tactics you use to protect yourself from regular phishing attacks apply to spear phishing too. Don’t trust e-mails that claim to be from an organization you have a relationship with and ask you to provide sensitive information. If you think the request might be legitimate, type the URL you already know into your Web browser, or call the organization at a number you already have, rather than clicking a link or calling a number in the e-mail. And don’t open attachments or download files unless you’re confident of the source.
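The advice above, “type the URL you know rather than clicking the link,” can also be applied mechanically before a message ever reaches a reader. The following Python script is an added example written for this page; it is not code from the article or from ProtectMyID.com. It pulls every link out of an e-mail’s HTML body and flags the tricks described in this article: a visible URL that differs from where the link actually goes, a link to a raw IP address, and a link whose domain is not one of the organizations you already deal with. The message body, the trusted domain `yourbank.example` and the attacker host `evil-host.test` are constructed for illustration, and the “last two labels” domain heuristic is an assumption that stands in for a proper public-suffix lookup.

```python
"""Flag links in an e-mail body that do not go where they appear to go.

Added example, not from the original article. All hostnames and the
sample message are constructed; the registered-domain heuristic is a
deliberate simplification (no public-suffix list).
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a "subpoena" lure with one disguised link, one
# legitimate link and one link to a bare IP address.
SAMPLE_BODY = """
<p>Dear Ms. Example, a federal grand jury subpoena has been issued in your name.</p>
<p>Review it here: <a href="http://yourbank.example.evil-host.test/login">https://www.yourbank.example/login</a></p>
<p>Questions? Visit our <a href="https://www.yourbank.example/help">Help Center</a>.</p>
<p>You may need to <a href="http://203.0.113.7/update">install the viewer add-on</a>.</p>
"""

# Constructed allowlist: domains the recipient actually has a relationship with.
TRUSTED_DOMAINS = {"yourbank.example"}

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def host_of(url):
    """Hostname of a URL; bare 'www.x' text is treated as http://www.x."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def registered_domain(host):
    """Heuristic: keep the last two labels, so 'yourbank.example.evil-host.test'
    becomes 'evil-host.test'. A real deployment should use a public-suffix list."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def looks_like_url(text):
    return text.lower().startswith(("http://", "https://", "www."))


def analyze_links(html, trusted_domains):
    """Return a finding per suspicious http(s) link: href, visible text, reason codes."""
    trusted = {d.lower() for d in trusted_domains}
    findings = []
    for href, text in extract_links(html):
        if urlparse(href).scheme not in ("http", "https"):
            continue  # mailto:, tel:, etc. are out of scope here
        host = host_of(href)
        reasons = []
        if IPV4_RE.match(host):
            reasons.append("raw_ip_host")
        elif registered_domain(host) not in trusted:
            reasons.append("untrusted_domain")
        # The classic disguise: the text shows one site, the href goes to another.
        if looks_like_url(text) and registered_domain(host_of(text)) != registered_domain(host):
            reasons.append("display_href_mismatch")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyze_links(SAMPLE_BODY, TRUSTED_DOMAINS):
        print(f"{finding['href']!r} shown as {finding['text']!r}: {', '.join(finding['reasons'])}")
```

Run against the constructed message, the disguised “subpoena” link is reported both as untrusted and as a display/href mismatch, the bare-IP link is reported as a raw IP host, and the genuine Help Center link passes. The two-label heuristic is the weak spot: for hosts under country-code suffixes such as `co.uk` it would compare the wrong labels, which is why a real gateway should swap in a public-suffix library.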

But with criminals devising ever trickier ways to phish for people’s financial information, an identity theft protection product like ProtectMyID.com may be your next best line of defense. In the unfortunate event you’re unwittingly caught in a spear-phishing scam, the product’s monitoring and alerts will help you identify unauthorized use of your Social Security number, credit cards and debit cards, and help you recover both your good name and any stolen funds.