‘Spear-Phishing’ Attacks Keep on Giving by Kim Zetter, wired.com
Oct 26, 2010
Report: ‘Spear-Phishing’ Attacks Keep on Giving
* By Kim Zetter
* October 26, 2010
* 3:49 pm
The number of targeted phishing attacks against individuals has risen
dramatically in the last five years from one or two a week in 2005 to more
than 70 a day this month, according to a new report from computer security
firm Symantec.
The industry most recently hardest hit by so-called spear-phishing attacks
is the retail industry, according to Symantec’s MessageLabs Intelligence
report. The number of attacks against retail exploded in September in
particular, jumping to 516 attacks from just seven attacks a month for the
rest of 2010.
The statistics are somewhat skewed, though, since most of the September
attacks against retail were directed at a single company. Symantec counts
each copy of a malicious e-mail received by an organization as a unique
attack, even if it’s the same e-mail sent to multiple people at the same
time. But the report illustrates that, five years after its invention,
spear-phishing remains a trusted tool in the modern cyber criminal’s
arsenal.
Unlike regular phishing attacks, which involve spamming a message to
random users, spear-phishing targets specific individuals or small groups
of employees at specific companies. The former are generally designed to
steal banking credentials and e-mail passwords from users, while the
latter generally focus on gaining access to a system to steal intellectual
property and other sensitive data.
Spear-phishing attacks generally come disguised as e-mails that appear to
come from trusted sources, such as a company manager or the company’s
information technology department. They might contain a malicious
attachment or a link to a malicious web site that the recipient is
encouraged to click on to obtain important information about a company
matter.
Once a recipient clicks on the link, his browser is directed to a
malicious site, where malware is downloaded surreptitiously to his
computer. The malware allows an attacker to control the victim’s computer
remotely and steal log-in information for banking accounts or for
protected internal company systems.
Spear-phishing is the tactic that hackers used to gain access to the
internal networks of Google and about 30 other companies late last year.
In those attacks, the hackers were able to root deep into the corporate
networks to steal source code and other intellectual property.
Five years ago, spear-phishing targets included government entities,
defense contractors, pharmaceutical and multi-national companies. Over the
last year, smaller businesses have been targeted, with the likely intent
of finding weak links in a supply chain, Symantec writes in its report.
Usually between 200 and 300 organizations are targeted each month, with
the specific industries varying.
The 516 retail attacks that Symantec recorded in September went to six
organizations, but Symantec writes in its report that only two of these
organizations appeared to be the main target of the attacks. One
organization, which Symantec won’t name, received 325 of those attacks,
targeted at 88 employees. The attack came in three waves on September 15,
22 and 29 in the form of spoofed e-mails that appeared to come from
executives in the company’s human resources and information technology
departments. One e-mail contained an attachment purporting to be a
confidential salary list; another e-mail that appeared to come from the
company’s assistant vice president of human resources came with an
attachment purporting to contain a list of new job openings at the company
as well as information about the company’s “new bonus plan.”
“We want you to remember that a person referred by an employee will always
have more chance of being hired,” the e-mail read.
The third e-mail came from the company’s IT security department with the
subject line “Fwd: Critical security update” and a note that read in part,
“we need your help to maintain the security of our network
infrastructure.”
All of the spear-phishing e-mails came from two IP addresses — one in
Argentina, the other in the U.S. — and contained grammatical and spelling
mistakes.
Source: wired.com
http://www.wired.com/threatlevel/2010/10/spear-phishing/#ixzz13VgLCO7D