Most of us know about phishing by now: those annoying emails from a bank you don’t even do business with, telling you in poor grammar and spelling to update your account settings by visiting a website with a strange-looking URL. The more clever ones, such as the genuine-looking messages posing as eBay or PayPal customer support, have lured many people into exposing their account credentials and still pose a significant threat to the uninformed.

New web browser anti-phishing tools expose fake URLs, but the best defense still is simply not clicking email-embedded URLs, and always going directly to a vendor’s website by typing the URL in the browser, especially for login pages and account authentication.

Spear-phishing is a narrowly focused variant of phishing. Rather than bottom-trawling the Internet by sending massive numbers of generic messages, spear-phishers gather detailed personal information readily available via Google and social networking sites to craft convincing emails that can trick even seasoned professionals into opening tainted email attachments or visiting fake websites.

Roger Matus wrote an interesting blog post about a particular spear-phishing attack on a Booz Allen Hamilton executive.

“Its authors knew enough about the ‘sender’ and ‘recipient’ to craft a message unlikely to arouse suspicion. Had the Booz Allen executive clicked on the attachment, his every keystroke would have been reported back to a mysterious master at the Internet address cybersyndrome.3322.org, which is registered through an obscure company headquartered on the banks of China’s Yangtze River.”

Targeted phishing attacks on senior executives are now also referred to as Whaling (you’ve got to love the lingo). The case highlights how common exploitive internet techniques are being perfected and used for sophisticated corporate and military espionage attacks. The stakes are high and it is important to train and inform senior executives proactively about these risks. Executives in non-technical fields may be especially vulnerable. Worse, the fear of potential embarrassment may delay the discovery of a problem.
