By Bob Rankin
What is Spear Phishing?
Spear phishing is a more dangerous cyber attack than typical “blind” phishing or spam attempts because it lulls people into a false sense of security. Consumers are on their guard against spam from sources they don’t know. But when an email seems to be from a trusted entity, or includes personal details such as their name, people are more likely to do what it says.
A crude spear phish purportedly from your bank may tell you that your login information needs to be “verified” and instruct you to reply to the email with your username and password. That’s a pretty easy phish to avoid; no bank ever makes such a request. But what if the email tells you to “log on securely to our server via this link…”? Many people will do it without a second thought, and get caught without even knowing it.
Links in spear phishing emails don’t take you to the Web pages they say they will. While the highlighted text indicating a hyperlink may read “Chase Bank” or “Your eBay account,” the code underlying the link actually points to a Web page controlled by the phisher. When you go to that page, which is a copy of the legitimate one, you are asked to “log in,” and that’s how the phisher gets your username and password. Then you may get a message saying, “server overloaded, try again later” or some other brush-off. That’s a fairly low-level technique; others are even more insidious and dangerous.
Customers of VioVet, a UK pet supplies dealer, received spear phish emails purportedly from the company, offering discount coupons if they clicked on a link in the email. The link took victims to a page which surreptitiously downloaded a malware program to their computers. The Trojan sniffed out sensitive information on the victims’ hard drives and transmitted it to the bad guys. Victims never knew what was going on.