Spear-Phishing - New Angles on an Old Game
by Trevor Zion Bauknight
Published on this site: July 20th, 2005


It usually doesn't take long for emerging trends in business
IT security to reach the point at which a new name for a given
phenomenon is required to set it apart. A relatively recent
variation on the familiar e-mail phishing scams that targets
small cells within a particular enterprise rather than millions
of random people has reached that point. Last week, BusinessWeek
reported on the growing phenomenon of "spear-phishing"
and, while they charge for that information, we don't think
you should have to pay to keep your sensitive information
private.
A New Scam?
Not really. If you know how phishing works, you already know
how spear-phishing works. The difference lies only, as you
might have guessed, in the skill and more focused target of
the scammer. "Regular" phishing relies on casting
a wide net knowing that, out of the millions of people who
receive the e-mails, only a few will invariably respond. But
spear-phishing relies more on the ability of the scammer to
win the trust of a small group of people for at least long
enough to grab all the sensitive information she can.
Different groups may be targeted, but the scheme seems to
be most effective at targeting small groups within some large
business enterprise network, and so this form of phishing
has some characteristics that set it apart. Spear-phishing
e-mail can be more difficult to catch because Subject and
From headers are going to carry familiar text and because
its circulation doesn't attract the attention of large clearinghouses
of known scam information. Target e-mail addresses may be
gathered from corporate directories, web sites and telephone
conversations rather than from spammers dealing in huge lists
of working addresses. The e-mails themselves may appear to
be actual corporate documents but often carry trojan-horse
keystroke-logging programs or links to fake websites set up
to look like the real thing. The scammers could well be disgruntled
former employees, vendors or others who have had access to
the physical premises. And while some are using such techniques
to target non-corporate groups like participants in eBay auctions,
the goal of most spear-phishing scams is to collect sensitive
commercial data.
Central to the success of a spear-phishing scheme is the
artful use of what has come to be called "social engineering".
Kevin Mitnick, notorious hacker turned security consultant
(http://www.mitnicksecurity.com),
made the term famous with his seminal book on the subject,
The Art of Deception: Controlling the
Human Element of Security. Briefly, social engineering is
the art of winning the trust of a mark through familiarity,
charm, feigned exasperation, the use of proper jargon and
so on. Once convinced that the scammer is who he is pretending
to be, the mark will reveal some useful bit of information
that can then be exploited.
The textbook example of spear-phishing goes like this: A
group or an individual obtains, through social engineering
or physical or electronic access, some corporate document
that can be used to convince even knowledgeable insiders to
enter usernames and passwords at a faked extranet site or
to open an attachment that contains a keylogging trojan-horse
program. The e-mail goes to a small group within the corporate
network and a much higher percentage of recipients respond
because the source appears to be legitimate internal corporate
communication. Armed with a few working logins, the spear-phisher
accesses corporate intellectual property, personnel files
or other sensitive data, which can fetch a high price on the
black market.
Avoiding the Spear
It's probably true that no institution or enterprise is secured
against all the possible variations on the phishing scheme,
but there are several steps you and your business can take
to guard against becoming a victim.
Business data security starts at the top and should permeate
all levels of your IT structure. Establish policies of information
exchange that preclude the ability of a spear-phisher to obtain
key bits of data, such as internal documents, to which she
is not entitled and don't veer from those policies under any
circumstances. Eliminate unnecessary traces of former employees
and turn off their electronic and physical access to your
business properties. Above all, don't attempt to communicate
with employees the same way the spear-phishers will try, such
as through e-mail bearing links to internal websites or attached
documents.
The most effective thing you can do to prevent your business
from turning into a shallow pond is to keep informed and pay
attention to things like abnormally slow computers, strange
entries in e-mail logs (especially source-IP addresses that
don't match those on your internal networks) and unusual patterns
of website traffic.
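The log check suggested above (mail whose From address claims your own domain but which arrived from a source IP outside your internal networks) is simple to automate. The following is an added example, not code from the original article: it assumes a simplified, constructed MTA-style log format, the internal ranges 10.0.0.0/8 and 192.168.0.0/16, and example.com as the corporate mail domain. Adjust those three assumptions to your own environment.

```python
import ipaddress
import re

# Assumed internal address space for the hypothetical company; replace with your own.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]
# Assumed corporate mail domain.
INTERNAL_DOMAIN = "example.com"

# Constructed sample log lines in a simplified MTA-style format (not real logs):
# <timestamp> from=<envelope sender> client_ip=<connecting IP> subject="<subject>"
SAMPLE_LOG = """\
2005-07-18T09:12:01 from=hr@example.com client_ip=10.4.2.17 subject="Q3 benefits enrollment"
2005-07-18T09:15:44 from=it-helpdesk@example.com client_ip=203.0.113.45 subject="Action required: extranet password reset"
2005-07-18T09:20:09 from=newsletter@vendor.example.net client_ip=198.51.100.8 subject="July newsletter"
2005-07-18T09:31:27 from=ceo@example.com client_ip=192.168.7.3 subject="Board minutes attached"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) from=(?P<sender>\S+) client_ip=(?P<ip>\S+) subject="(?P<subject>[^"]*)"$'
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_internal_ip(ip_str):
    """True if ip_str parses as an address inside one of INTERNAL_NETS."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        # Malformed field: treat as not internal so it is never silently trusted.
        return False
    return any(ip in net for net in INTERNAL_NETS)


def find_spoofed_internal(log_text, internal_domain=INTERNAL_DOMAIN):
    """Return records whose sender claims the internal domain but whose
    connecting IP lies outside the internal address space."""
    flagged = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        sender_domain = rec["sender"].rsplit("@", 1)[-1].lower()
        if sender_domain == internal_domain and not is_internal_ip(rec["ip"]):
            flagged.append(rec)
    return flagged


if __name__ == "__main__":
    for rec in find_spoofed_internal(SAMPLE_LOG):
        print(f"{rec['ts']} suspicious: {rec['sender']} arrived from external "
              f"{rec['ip']} subject={rec['subject']!r}")
```

Run against the constructed sample, only the "it-helpdesk@example.com" message is flagged: it claims the internal domain but arrived from 203.0.113.45. Expect legitimate hits too (staff sending from home or a hotel through an external relay), so treat the output as a review queue rather than a block list, and tune the internal ranges to include any relay hosts you operate.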
Several groups have set up shop on the Web to provide you
with as much up-to-date information as possible. We recommend,
especially, the website of the Anti-Phishing Working Group
(http://www.antiphishing.org)
and the Trusted Electronic Communications Forum (http://www.tecf.org/).
Here at Cafe ID (http://www.cafeid.com),
we maintain a one-stop shop of up-to-date resources and information
on every aspect of Internet security and identity protection.
If you think you've already been a victim of some form of
phishing attack, a great place to start undoing the damage
is at the Internet Fraud Complaint Center (http://www.ifccfbi.gov/index.asp).
Local law enforcement is another excellent place to turn.
If your customers' or employees' personal information is compromised,
by all means notify them immediately of the potential trouble
so that they can take the steps necessary to keep themselves
safe from exploitation.
As businesses become more and more dependent upon the Internet
and its protocols for both public and internal communications,
it becomes more and more important to keep an eye on emerging
trends like spear-phishing. But the best thing to keep in
mind is that these sorts of problems aren't new and they rely
on some of the oldest forms of deception known to man. Social
engineering is as old as bureaucracy, and there's little reason
to suggest that we're getting any better at dealing with it.

Trevor Bauknight is a web designer and writer with
over 15 years of experience on the Internet. He specializes
in the creation and maintenance of business and personal identity
online and can be reached at [email protected].
Stop by http://www.cafeid.com
for a free tryout of the revolutionary SiteBuildingSystem
and check out our Flash-based website and IMAP e-mail hosting
solutions, complete with live support.
