‘Spear-Phishing’ Attacks Keep on Giving by Kim Zetter, wired.com
Oct 26, 2010
Report: ‘Spear-Phishing’ Attacks Keep on Giving
By Kim Zetter, October 26, 2010, 3:49 pm
The number of targeted phishing attacks against individuals has risen dramatically in the last five years from one or two a week in 2005 to more than 70 a day this month, according to a new report from computer security firm Symantec.
The industry most recently hardest hit by so-called spear-phishing attacks is the retail industry, according to Symantec’s MessageLabs Intelligence report. The number of attacks against retail exploded in September in particular, jumping to 516 attacks from just seven attacks a month for the rest of 2010.
The statistics are somewhat skewed, though, since most of the September attacks against retail were directed at a single company. Symantec counts each copy of a malicious e-mail received by an organization as a unique attack, even if it’s the same e-mail sent to multiple people at the same time. But the report illustrates that, five years after its invention, spear-phishing remains a trusted tool in the modern cyber criminal’s arsenal.
Unlike regular phishing attacks, which involve spamming a message to random users, spear-phishing targets specific individuals or small groups of employees at specific companies. The former are generally designed to steal banking credentials and e-mail passwords from users, while the latter generally focus on gaining access to a system to steal intellectual property and other sensitive data.
Spear-phishing attacks generally come disguised as e-mails that appear to come from trusted sources, such as a company manager or the company’s information technology department. They might contain a malicious attachment or a link to a malicious web site that the recipient is encouraged to click on to obtain important information about a company matter.
Once a recipient clicks on the link, his browser is directed to a malicious site, where malware is downloaded surreptitiously to his computer. The malware allows an attacker to control the victim’s computer remotely and steal log-in information for banking accounts or for protected internal company systems.
Spear-phishing is the tactic that hackers used to gain access to the internal networks of Google and about 30 other companies late last year. In those attacks, the hackers were able to root deep into the corporate networks to steal source code and other intellectual property.
Five years ago, spear-phishing targets included government entities, defense contractors, pharmaceutical and multi-national companies. Over the last year, smaller businesses have been targeted, with the likely intent of finding weak links in a supply chain, Symantec writes in its report. Usually between 200 and 300 organizations are targeted each month, with the specific industries varying.
The 516 retail attacks that Symantec recorded in September went to six organizations, but Symantec writes in its report that only two of these organizations appeared to be the main target of the attacks. One organization, which Symantec won’t name, received 325 of those attacks, targeted at 88 employees. The attack came in three waves on September 15, 22 and 29 in the form of spoofed e-mails that appeared to come from executives in the company’s human resources and information technology departments. One e-mail contained an attachment purporting to be a confidential salary list; another e-mail that appeared to come from the company’s assistant vice president of human resources came with an attachment purporting to contain a list of new job openings at the company as well as information about the company’s “new bonus plan.”
“We want you to remember that a person referred by an employee will always have more chance of being hired,” the e-mail read.
The third e-mail came from the company’s IT security department with the subject line “Fwd: Critical security update” and a note that read in part, “we need your help to maintain the security of our network infrastructure.”
All of the spear-phishing e-mails came from two IP addresses — one in Argentina, the other in the U.S. — and contained grammatical and spelling mistakes.
Read more: http://www.wired.com/threatlevel/2010/10/spear-phishing/