'Spear phishing' hooks e-mail bait

The marriage between electronic mail spoofing and social engineering has resulted in a new, malicious tactic dubbed 'spear phishing', which security experts say can diminish users' trust in e-mail.

The art of phishing is traditionally a two-pronged approach -- a Web site, usually one from the financial sector, is spoofed. Then, hundreds to millions of e-mail messages are distributed, inviting users to visit a particular Web page and provide information such as user names and passwords.

However, spear phishing is directed at a specific individual with the purpose of corporate espionage.

Alyn Hockey, director of global research and design at e-mail security firm Clearswift, said the spear phishing approach is relatively new but its impact could be significant because the attacks are well targeted.

Hockey explained that because spoofing the 'from' address in an e-mail is so easy, fraudsters are using the technique to try to fool corporate executives into replying to seemingly innocent requests for information that appear to come from people they trust.

"If you work in a bank and I knew you were in a particular role, I could send you an e-mail message pretending to be someone you know in your company. You would innocuously think it was a genuine message and reply to it -- but it would actually come to me instead, not this person you think it is going to," he explained.
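The redirection Hockey describes leaves a trace in the headers: the visible From address is a colleague, but the reply is steered elsewhere. The check below is an added example (not from the article or from Clearswift) that parses two constructed messages and flags the one whose From domain is internal while its Reply-To or Return-Path points outside; the domains and addresses are assumptions.

```python
import email
from email.utils import parseaddr

# Constructed sample: From shows an internal colleague, but Reply-To and
# Return-Path steer the answer to look-alike domains outside the organisation.
SPOOFED = """Return-Path: <bounce@example-bank-mail.test>
From: "Jane Doe" <jane.doe@example-bank.test>
Reply-To: jane.doe@mail-example-bank.test
To: exec@example-bank.test
Subject: Quick question about the payments system

Could you send me the login details for the payments system?
"""

# Constructed sample: a genuine internal message with no reply redirection.
LEGIT = """Return-Path: <jane.doe@example-bank.test>
From: "Jane Doe" <jane.doe@example-bank.test>
To: exec@example-bank.test
Subject: Lunch?

Free at noon?
"""

INTERNAL_DOMAINS = {"example-bank.test"}  # assumption: the organisation's own domains


def domain_of(header_value):
    """Return the lower-cased domain of the first address in a header, or None."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else None


def reply_redirect_findings(raw_message):
    """List header mismatches that would send a reply away from the apparent sender."""
    msg = email.message_from_string(raw_message)
    from_dom = domain_of(msg["From"])
    findings = []
    if from_dom not in INTERNAL_DOMAINS:
        return findings  # only messages claiming an internal sender are of interest here
    for header in ("Reply-To", "Return-Path"):
        dom = domain_of(msg[header])
        if dom and dom not in INTERNAL_DOMAINS:
            findings.append(f"{header} domain {dom} is external while From is {from_dom}")
    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, reply_redirect_findings(raw))
```

A mail gateway or SIEM rule built on the same comparison would catch the pattern without relying on the recipient noticing the redirected reply.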

Earlier this year, IBM published a report that highlighted spear phishing as a growing threat. According to the report, IBM detected 35.7 million traditional phishing attacks in the first six months of the year. Spear phishing incidents were virtually unheard of last year but in June 2005, Big Blue detected around 600,000 attacks.

"Spawns of phishing threats such as 'spear phishing' increased more than ten-fold since January ... these types of 'customised' attacks have shown their potential to defraud businesses, steal identities and intellectual property and extort money, while damaging the brand and eroding customer trust," the report said.

Clearswift's Hockey agreed that spear phishing is not yet a widespread mode of attack.

"It is not happening a lot but it certainly has happened in some interesting circumstances. There has been some detection of this going on in UK government departments," said Hockey.

IBM found that almost half of all phishing-related attacks were sent to government departments. Manufacturing and the financial services industries came a close second, with around 30 percent of attacks directed at each of them.

James Turner, security analyst at Frost & Sullivan Australia, said that spear phishing isn't enough of a threat to drive people away from using e-mail altogether, but it should make people think twice before responding to unexpected e-mails requesting important information.

"To do good security as an individual you have to be aware ... does this e-mail make sense? Why is this person sending it to me? If your alarm bells start going off, you should say 'this person has just sent me an e-mail asking me for the password to this system; I will just give them a quick call'. It is the best way of authentication," said Turner.