spear phishing
SearchSecurity.com Definitions (Powered by WhatIs.com)


DEFINITION - Spear phishing is an e-mail spoofing fraud attempt that targets a specific organization, seeking unauthorized access to confidential data. As with the e-mail messages used in regular phishing expeditions, spear phishing messages appear to come from a trusted source. Phishing messages usually appear to come from a large and well-known company or Web site with a broad membership base, such as eBay or PayPal. In the case of spear phishing, however, the apparent source of the e-mail is likely to be an individual within the recipient's own company and generally someone in a position of authority.

According to an article in the New York Times, spear phishing attempts are not typically initiated by "random hackers" but are more likely to be conducted by "sophisticated groups out for financial gain, trade secrets or military information."

Here's one version of a spear phishing attack: The perpetrator finds a Web site for a targeted organization that supplies contact information for employees and other relevant data about the company. Using available details to make the message seem authentic, the perpetrator drafts an e-mail appearing to come from an individual who might reasonably request confidential information, such as a network administrator. Typically, a spear phisher requests user names and passwords or asks recipients to click on a link that will result in the user downloading spyware or other malicious programming. The message employs social engineering (fraudulent, non-technical) tactics to convince the recipient. If a single employee falls for the spear phisher's ploy, the attacker can masquerade as that individual and gain access to sensitive data.

Most people have learned to be suspicious of unexpected requests for confidential information and will not divulge personal data in response to e-mail messages or click on links in messages unless they are positive about the source. The relative success of spear phishing relies upon the details used: The apparent source is a known and trusted individual, information within the message supports its validity, and the request seems to have a logical basis.
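Because the apparent source is an individual inside the recipient's own company, a mail gateway or analyst can compare the claimed sender against the other addressing headers. The following is an added example, not part of the original definition; the domain `example.com`, the staff names and the sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example (not from the original page):
ORG_DOMAIN = "example.com"                 # the recipient organization's domain
STAFF_NAMES = {"pat admin", "robin lee"}   # constructed staff directory names

def _domain(addr):
    return addr.rpartition("@")[2].lower()

def impersonation_flags(raw_message):
    """Return reasons the apparent internal sender of a message looks spoofed."""
    msg = message_from_string(raw_message)
    name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    _, return_addr = parseaddr(msg.get("Return-Path", ""))
    flags = []
    if _domain(from_addr) == ORG_DOMAIN:
        # Claimed internal sender, but replies or bounces leave the organization.
        if reply_addr and _domain(reply_addr) != ORG_DOMAIN:
            flags.append("internal From, external Reply-To")
        if return_addr and _domain(return_addr) != ORG_DOMAIN:
            flags.append("internal From, external Return-Path")
    elif " ".join(name.lower().split()) in STAFF_NAMES:
        # A colleague's display name attached to an outside address.
        flags.append("staff display name on external address")
    return flags

# Constructed sample messages (not real traffic).
SPOOFED = (
    "Return-Path: <bounce@mailer.invalid>\n"
    "From: Pat Admin <pat.admin@example.com>\n"
    "Reply-To: pat.admin@example-support.invalid\n"
    "Subject: Password verification required\n\n"
    "Please reply with your user name and password.\n"
)
LOOKALIKE = (
    'From: "Pat Admin" <pat.admin@examp1e.invalid>\n'
    "Subject: Account check\n\nClick the link.\n"
)
LEGIT = (
    "Return-Path: <robin.lee@example.com>\n"
    "From: Robin Lee <robin.lee@example.com>\n"
    "Subject: Lunch\n\nNoon?\n"
)

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("lookalike", LOOKALIKE), ("legit", LEGIT)):
        print(label, impersonation_flags(raw))
```

A message that passes these header checks can still be fraudulent, for example when it is sent from an internal account that has already been compromised.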

At West Point in 2004, teacher and National Security Agency expert Aaron Ferguson sent out a message to 500 cadets asking them to click a link to verify grades. Ferguson's message appeared to come from a Colonel Robert Melville of West Point. Over 80% of recipients clicked the link in the message. In response, they received a notification that they'd been duped and a warning that their behavior could have resulted in downloads of spyware, Trojan horses, and/or other malware.

IBM's Global Security Index research found that, in 2005, intercepted spear-phishing attempts rose from 56 in January to over 600,000 in June.


LAST UPDATED: 04 Jun 2007
