Risk: High
First, there was Phishing and Pharming. Now there's Spear Phishing. What will they think of next?
Spear Phishing is a technique where the attackers target a single company or group, rather than the mass mailing of a normal Phishing attack. An example could be an email to all.employees@xyz.com purporting to come from helpdesk@xyz.com saying, "There is a new security requirement to have passwords of at least 10 characters. Please go to the link below to update your password immediately." This is followed by a link to a dummy website where user IDs and 'old' passwords are captured. Thus entry to the company's network is obtained.
Rather than using the 'traditional' approach of casting their large nets far and wide, and then waiting to see who bites, Phishers are now sending more targeted emails to businesses.
Such emails are designed to appear as though they were sent by another member of staff at the same organisation, typically from the IT or HR departments. A number of recent surveys suggest that people are content to share their passwords in return for small rewards, such as bars of chocolate or pens. In the same way, a Phisher can try to persuade employees to reveal private information, when perhaps they should know better. Moreover, many businesses still publish a rich harvest of personal email addresses on their website, and these addresses are easily spoofed. In a recent US example, a Phisher bluffed his way into the network of a port authority by spoofing an internal email address. Once on the inside, with an apparently genuine email identity, he was able to fool employees into revealing passwords for applications.
This sort of attack has been termed 'Spear' Phishing, designed to bamboozle unsuspecting 'colleagues' into revealing information that will give the perpetrator access into secure areas of corporate networks. By Spear Phishing one company at a time, a Phisher need only send emails to a single domain, spoofing the sender address and requesting usernames and passwords to validate some information, or providing a link to a spoofed version of the company's website or intranet, or perhaps that of a business partner or supplier.
Many people use the same username and password for different applications or websites, and the Phisher may try to use that to their advantage in their social engineering. It is surprisingly easy to use existing spam-sending software to dynamically generate the target email addresses, for example by combining databases of first names and last names with letters and numbers. It would then take only a few hundred such permutations to hit a valid email address in a large organisation.
Additionally, a sustained attack of this nature can quickly become a huge drain on the company's email server, sapping its resources as it attempts to handle several hundred or thousand connections for emails that can never be delivered to recipients that don't exist.
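The two observable side-effects just described, a sender address claiming the company's own domain but arriving from outside its mail infrastructure, and a single source producing a burst of deliveries to recipients that do not exist, are both visible in mail-server logs. The following detector is an added example written for this page; it is not code from the article or from any product. The log format, the trusted network range and the IP addresses are all assumptions constructed for the demonstration, and the sample lines reuse the xyz.com and helpdesk@xyz.com names from the article.

```python
"""Flag two Spear Phishing indicators in a mail-server log (constructed example).

Indicator 1: an envelope sender in the organisation's own domain that arrives
             from an IP address outside the organisation's trusted mail networks
             (a spoofed 'colleague' address).
Indicator 2: one source address generating many deliveries to recipients that
             do not exist (the guessed-address pattern that loads the server).
"""
from collections import Counter
import ipaddress
import re

# Assumed, simplified log format for this example (not any real MTA's format):
#   <timestamp> src=<ip> from=<addr> to=<addr> status=<accepted|unknown_recipient>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) from=(?P<from>\S+) to=(?P<to>\S+) "
    r"status=(?P<status>\w+)$"
)

# Constructed sample log. 10.0.0.0/8 plays the organisation's own mail relays;
# 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges standing in for the Internet.
SAMPLE_LOG = [
    "2024-01-01T09:00:01 src=10.1.2.3 from=helpdesk@xyz.com to=alice@xyz.com status=accepted",
    "2024-01-01T09:02:30 src=192.0.2.9 from=news@example.net to=alice@xyz.com status=accepted",
    "2024-01-01T09:05:10 src=198.51.100.7 from=helpdesk@xyz.com to=bob@xyz.com status=accepted",
    "2024-01-01T09:05:11 src=198.51.100.7 from=helpdesk@xyz.com to=asmith@xyz.com status=unknown_recipient",
    "2024-01-01T09:05:11 src=198.51.100.7 from=helpdesk@xyz.com to=asmith1@xyz.com status=unknown_recipient",
    "2024-01-01T09:05:12 src=198.51.100.7 from=helpdesk@xyz.com to=jdoe@xyz.com status=unknown_recipient",
    "2024-01-01T09:05:12 src=198.51.100.7 from=helpdesk@xyz.com to=jdoe2@xyz.com status=unknown_recipient",
    "2024-01-01T09:05:13 src=198.51.100.7 from=helpdesk@xyz.com to=mjones@xyz.com status=unknown_recipient",
    "garbled line that the parser must skip",
]

TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal relays


def parse_line(line):
    """Return the log fields as a dict, or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_trusted_source(ip, trusted_networks):
    """True if ip lies inside one of the organisation's trusted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed address: treat as untrusted
    return any(addr in net for net in trusted_networks)


def analyze(lines, internal_domain, trusted_networks, unknown_threshold=5):
    """Scan log lines and return both indicators.

    'spoofed_internal': (ts, src, from, to) tuples where the sender claims the
                        internal domain but the connection is from outside.
    'harvest_bursts':   {src: count} for sources whose unknown-recipient count
                        reached unknown_threshold.
    """
    spoofed = []
    unknown_by_src = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        sender_domain = rec["from"].rpartition("@")[2].lower()
        if sender_domain == internal_domain.lower() and not is_trusted_source(
            rec["src"], trusted_networks
        ):
            spoofed.append((rec["ts"], rec["src"], rec["from"], rec["to"]))
        if rec["status"] == "unknown_recipient":
            unknown_by_src[rec["src"]] += 1
    bursts = {src: n for src, n in unknown_by_src.items() if n >= unknown_threshold}
    return {"spoofed_internal": spoofed, "harvest_bursts": bursts}


def run_demo():
    """Run the detector over the constructed sample log."""
    return analyze(SAMPLE_LOG, "xyz.com", TRUSTED_NETWORKS, unknown_threshold=5)


if __name__ == "__main__":
    findings = run_demo()
    for ts, src, sender, rcpt in findings["spoofed_internal"]:
        print(f"spoofed internal sender: {ts} {src} {sender} -> {rcpt}")
    for src, n in findings["harvest_bursts"].items():
        print(f"address-guessing burst: {src} hit {n} non-existent recipients")
```

On the sample log the detector reports six messages from 198.51.100.7 claiming helpdesk@xyz.com, and flags that same source for five deliveries to non-existent users; the genuine helpdesk message relayed from 10.1.2.3 is left alone. In a production mail system the first check is normally supplied by SPF, DKIM and DMARC alignment results rather than a hand-maintained IP list, but the principle is the same: mail that claims to be from a colleague and yet enters from the Internet deserves a closer look.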
Nevertheless, a successful Spear Phishing expedition greatly reduces the effort required to break into a company's network. Not only are the individual's details potentially compromised; the attack can also lead to theft of intellectual property and other sensitive corporate information. Spear Phishing is certainly set to be a growth area in Internet fraud techniques.