6 Reasons Why Spear Phishing Will Increase
Written by Paul Mah on April 21, 2011
It is clear from recent reports that spear phishing is on the increase. It is in this context that I spell out six reasons why this is no short-term trend, and highlight why incidences of spear phishing will only continue to accelerate.
1. Effectiveness of spam filters against traditional spam
Spammers have tried practically every trick in the book over the years, including the use of image spam, creative misspelling of words, and even resorted to the use of email attachments. Modern spam filters have the benefit of borrowing from all the lessons learnt since the invention of electronic mail, and employs a plethora of advanced technologies such as cloud-computing to eliminate them. Indeed, one may almost be tempted to consider the problem of spam as one that has already been overcome on some days. As you can imagine, spammers are forced to adopt sophisticated spear phishing techniques in order to reach their victims.
2. Trend of data compromises
There has been an ongoing trend of data compromises in which email and personally identifiable data have been stolen. To name just a few here, the Epsilon data breach saw hackers gaining illicit access into the company’s system and presumably making away with email addresses and contact details of these clients. Beyond five financial organizations that were affected, drug giant GlaxoSmithKline PLC have also issued a warning to customers that their email addresses, names, and the “product website” on which they have registered with the company – may have been stolen.
It is important to remember that not all businesses opt to come clean on data breaches. Moreover, the average hackers endeavor to erase their tracks after gaining what they came for. The bottom line: A wealth of stolen information is floating around out there available for exploitation.
3. Availability of personal data on social networks
The explosion of social networks has made it easier than ever to acquire specific information on a targeted victim. The deterrence factor of having to manually obtain the pertinent data could also be alleviated by the use of software that taps into the APIs (Application Programming Interface) offered by most social networks.
4. Recent spear phishing successes
I wrote about some cyber crimes involving spear phishing and emails recently. This includes Operation Aurora, which is a series of concerted cyber-attacks conducted against high profile organizations, as well as the HBGary email breach. Operation Aurora saw specially crafted phishing emails sent to selected victims and laced with either a new malware, or embedded with a URL link to drive users to malware-laden sites. The HBGary case, on the other hand, saw a teenage girl posing as a senior executive from the company. Via email, she successfully persuaded a system administrator to rescind certain firewall restrictions which served to critically impair the security vendor’s defenses. It is clear that spearing phishing have played pivotal roles in the past – and barring a paradigm shift in how the majority of users validate the authenticity of incoming emails – will almost definitely continue to work in future.
5. Rewards for spear phishing can be far greater
While spear phishing takes more effort to put together, they are offset by their comparatively larger reward. For example, fellow blogger Jamie Campbell last week wrote about how a spear phishing attempt netted a cool $8 million from media giant Condé Nast. The alleged perpetrator apparently established a bank account for a company called “Quad Graph” to spoof the real company which was named “Quad/Graphics.” The scammer then fabricated a spear phishing email instructing Condé Nast to redirect payments for Quad/Graphics to the fake bank account; an attached (and prefilled) Electronic Payment Authorization form no doubt added authenticity to the entire scam. The misappropriated funds were recovered, though a staggering $8 million was actually transferred to the Quad Graph account over a period of about six weeks prior to federal authorities getting wind of the operation.
6. It is often harder to defending against spear phishing
So how can businesses and users defend themselves against spear phishing? The surprising answer according to a new study titled “Why do people get phished?” is that merely enforcing more computer literacy training is not enough. Interestingly, the solution appears related to ensuring that employees are given regular updates and news of the latest phishing scams. You can read more about this study in my article last week titled Heavy Email Users More Susceptible to Phishing Scams.
Do you agree that spear phishing will only increase in the months and years to come? Feel free to chip in with your comments below.
Loading ...
It’s a more frightening prospect to be sure. Spamming is typically akin to unsolicited phone calls whereas spear phishers are like run-ins with real live con men. These people are dedicated themselves to making a scam pay off for them, not just writing some code and letting it run on its own. I think spear phishing will definitely increase, but the cunning and subterfuge it takes to make it work successfully will keep it from being a mainstream threat.
The availability of personal data on social networks is the number culprit why phishing is on the rise.
Facebook and Twitter users, especially the Generation Y and Z groups, are typically the ones who gets victimized. For one, they openly share their email addresses, home addresses, and telephone / cellphone numbers. Anyone who visits their page can get that without restrictions.
Moreover, Facebook walls and posts are easily traceable and can be searched easily.
Hi Shawn, I agree that the availability of personal data on social networks can make spear phshing much easier; I’m in fact writing a follow-up on spearing phishing now