By now, many people have at least heard about the practice of scamming consumers, known as “phishing” (see: Common Identity Theft Scams: “Phishing”). This involves sending out fraudulent emails for the purpose of accessing personal information. This information is then used for identity theft. However, as with most criminal activity, processes become more sophisticated as time goes on. The latest innovation in phishing scams is known as “spear phishing”.
Originally, the term “phishing” was used to indicate a scam where fraudulent emails were used as bait. Once the bait was taken, the victim was lured into the scammer’s “net”. With spear fishing, the victim is directly targeted. This can be viewed the same as a fisherman who uses a spear to directly target a single fish as opposed to those using a net. With spear phishing, each fraudulent email is customized for its recipient.
In a spear phishing email, the recipient’s name and some other piece of personal information is contained. Instead of the generic “your account has been compromised” email, unique mails are sent.
An example was a recent incident where corporate executives received fraudulent emails. The emails stated that the executives were being sued. This new type of scam made it easy for the executives to be tricked into clicking on the link enclosed in the email. From there, the identity theft scam would begin.
Here is another example:
Dear Mr. Sam SmithIUP Account Owner,
We are currently revising our email data base and e-mail login center. We are in the process of deleting all inactive IUP email accounts in order to create more space for our new accounts. To prevent your account from being deleted, you will need to update the account below so we will know that it is a currently used account.
CONFIRM YOUR EMAIL IDENTITY HERE
E-mail username: ____________
E-mail password: ____________
This notice is from the IUP email messaging center
Thank you for using IUP!
Warning Code: VX7G77AAJ
IUP Email Team
Spear Phishing emails will contain a link that leads to a fake website. The website is designed to collect personal information to be used for identity theft. This process has become extremely sophisticated. So much so that even experienced security professionals have difficulty determining that it’s a scam. This is due to the authentic look of the fake website.
Another method of attack involves a spear phishing email that contains a downloadable file. These files will appear to come from a legitimate source. However, the file will contain a malware program. Once this program is downloaded, it will seek out personal information on your computer. This information is then collected and transmitted to the criminal once the victim is online.
Spear phishing is more difficult to catch than standard phishing. This is due to the extra effort and time on the part of the criminals. Research is involved in order to gain access to bits of personal information. These bits of personal information are needed to create a convincing email. It also requires extra effort to put together the fake websites. However, the payoff is generally much larger than with a simple phishing scam.
In October of 2008, a popular social networking site, LinkedIn, was targeted for a spear phishing attack. Approximately ten thousand users received emails that attempted to lure them into the scam. This particular scam involved downloading software that was designed to collect personal information. Brian Krebs, of the Washington Post, first reported the story. In his blog post, he mentioned that the email recipients were addressed directly by name. This made the emails look authentic.
Additionally, the message was sent from the domain “firstname.lastname@example.org” with a subject line reading “Re: business contact.”
The email stated: “We have exported the list of business contacts that you have asked for.” The message then asked the recipient to open the attachment that was purportedly the list of business contacts that the user had requested. But instead, it loaded a malicious software program to steal data such as passwords and usernames from the victim’s computer.
Even though this form of attack is very sophisticated, there are some things to keep in mind. Most spear phishing attacks are aimed at upper class individuals and corporate employees. Even so, one should always be on their guard.
Opening an attachment from a stranger is always a bad idea. Even attachments that seem to come from family members or friends can be suspect. A criminal can send you a message that may appear to come from a trusted source. So, only open an attachment that you are actually expecting. In any case, always scan an attachment for viruses, as well.