What is Spear Phishing? Is My Company Vulnerable?
Beware of emails that look legitimate but redirect to strange links
News that the White House computers were breached by a spear-phishing attack has brought a lot more attention to legitimate-looking emails with a dangerous payload. Officials downplayed the danger of the attack because the computers affected are not part of the secure network associated with state secrets. Even so, any attack can be construed as dangerous, because some of the most innocuous pieces of data can be used at a later time to gather intelligence, to serve as cover for an attack on other computers, or to introduce malware that might be able to spread from one system to another via thumb drives or dirty email attachments. In the same way that citizens during wartime were warned not to speak about troop movements and weapons development, even the most boring information in White House computers could be assembled to indicate where key people were at a certain time, what certain individuals are working on, and the morale of employees. Seemingly harmless items like gossip can often be used to build profiles on important diplomatic and military personnel. Likewise, a corporation subjected to a spear-phishing attack might first see low-level information taken in preparation for official-looking attempts to crack "inner" areas which have valuable data, personal information, or technological secrets behind a better firewall.
Spear-phishing is a targeted email attack aimed at people who are known to frequent specific online businesses. It is called "spear-phishing" because the targeting is much more precise and narrow, like the tip of a spear. In the most recent case, spear-phishing is a suspected goal of the data breach at Epsilon, an online marketer with account information for several major banks, pharmacies, and retail electronics outlets. Although credit card data was not stolen, email addresses were compromised, and these addresses can be sold on the black market for more money because the purchaser knows that people have bought from specific stores in the past. Furthermore, the information gathered from spear-phishing can also beget more sophisticated phishing attacks on customers, who are more likely to trust a legitimate-looking message from a retailer or bank with whom they are already doing business, since the fraudulent email may contain personalized information and customized salutations.
Some of the most common targets for spear-phishing (and standard phishing) attacks are credit card numbers and account logins. For example, an attack may take the reader to a legitimate-looking bank site and ask for login information, at which point the bank account username and password will belong to a hacker who can use that access to transfer funds, change account addresses, and drain all kinds of money from the owner.
Notes and Special Information
Special note: Spear-phishing attacks are often complex, so it is important to let your IT and security people know if you suspect one is underway. This will enable them to warn other employees.