Credit: outdoorcanada via pixabay
Phishing emails have been the scourge of the computer world for decades, defeating even our best efforts to combat them. Most of us can easily spot them by their subject lines and delete without even opening. If we’re not entirely sure and end up opening them, we can immediately identify a phishing attempt by its overly formal greetings, foreign origins, misspellings, and overly solicitous efforts to send us millions of unearned dollars or to sell us dubious products. Most of the time, phishing attempts are a minor menace we solve with a Delete key.
Enter spearphishing: a targeted approach to phishing that is proving nefariously effective, even against the most seasoned security pros. Why? Because they are crafted by thoughtful professionals who seem to know your business, your current projects, your interests. They don’t tip their hand by trying to sell you anything or claiming to have money to give away. In fact, today’s spearphishing attempts have far more sinister goals than simple financial theft.
Here’s a look at what sets today’s most sophisticated spearphishing attempts apart -- and how to keep from falling prey to their advances.
The attack is handcrafted by professional criminals
Traditionally, phishing emails have been created by low-end scammers who have opted for the buckshot approach: slap together a sloppy message and spam en masse. You’re bound to get someone. In fact, the more obvious the phishing attempt, the better, as this would ensure ensnaring the most gullible of dupes.
Somewhere along the way this changed. Professional criminals and organized crime realized that a lot of money could be made by sending out better spam. Brian Krebs’ 2015 bestseller "Spam Nation" traces the rise of professional criminal gangs in Russia that made tens of millions of dollars each year and supported multiple large companies, some of which pretended to be legitimate and were traded on stock exchanges.
Then nation-states got in the game, realizing that a handful of thoughtfully crafted emails could help them bypass the toughest defenses, simply by targeting the right employees. Today, the vast majority of advanced persistent threats (APTs) gain their first foothold inside victim companies by sending a few emails.
Today’s professional Internet criminals work 9-to-5 days, pay taxes, and get weekends and holidays off. The companies they work for often have dozens to hundreds of employees, pay bribes to local law enforcement and politicians, and are often seen as the employer of choice in their region. Working for companies that break into companies in other countries is often proudly worn as a patriotic badge.
Sign up for Computerworld eNewsletters.