In a spear phishing campaign, an attacker sends a fake email message containing a malicious link or attachment to a targeted victim. The email is typically designed to look as though it came from a trusted source and tries to persuade the recipient to click on the malicious link or open the malicious attachment. In many cases, the phishing emails are personalized, localized, and contain content designed to convince the recipient of the authenticity of the sender.
Often, all it takes for an attacker to gain a foothold in an otherwise secure network is for one phishing email recipient to click on a malicious link or attachment. The real danger with such attacks is that they are highly targeted and persistent in nature, Miller said. "Any time you see such attacks they are of the highest concern," he said. "Shotgun attacks don't care about the victim so long as they hit any target."
Anup Ghosh, founder of the security firm Invincea, said that despite heightened awareness, phishing remains a major problem. And contrary to popular perception, spear phishing attacks are not always targeted at just a handful of highly placed individuals within an organization, he said.
In many cases, attackers target large swathes of individuals within an organization with carefully worded fake email missives. "All they want is one beachhead on the network," he said. "Once inside there are little controls to stop an attacker from moving from one machine to another."