News

'Spear phishing' latest ploy to steal data

Consumers wary about protecting data stored on their computers should get used to hearing the term "spear phishing."

Consumers wary about protecting data stored on their computers should get used to hearing the term "spear phishing."

It's the latest and most ingenious method yet to deliver malicious software that gives criminals control of a person's computer, with a tactic that involves developing emails which are personalized, contain nuggets of information familiar to the target, and appear to come from a trusted source.

Spear phishing is a new and highly effective variation of phishing schemes that have been around for years. In spear phishing, highly personalized emails appear to come from a trusted source. ((iStock))

Spear phishing went mainstream over the holiday season when dozens of government employees in the U.S. and other nations were lured into downloading a malicious program.

"[It was] essentially a malware-laced email that made it look like a season's greetings from the White House," security blogger Brian Krebs told CBC News. "[The email] invites the folks to download an e-card, essentially a zipped-up executable file that if you run lets the bad guys take control of your system remotely."

'It is something that folks are just waking up to.' —Brian Krebs, security blogger

Krebs, who wrote about the story on his website KrebsonSecurity, said about two gigabytes of documents were downloaded to a server in Belarus. A number of government employees and contractors who work in cybersecurity matters fell for the ruse.

"It is something that folks are just waking up to," he said.

FBI warns consumers

The FBI describes spear phishing as a "rising cyber threat you need to know about."

The agency says criminals need some inside information on their targets to make the emails look legitimate. That's often done by hacking into an organization's computer network, but can also be achieved by combing through social networking sites, blogs, and other websites.

The recent theft of customer email lists from companies such as McDonald's and Honda leave their customers vulnerable to spear phishing attacks. ((Seth Perlman/Associated Press))

The recent theft of customer email lists from Honda and McDonald's are examples of how cybercriminals can gain access to that kind of personalized information, Krebs told CBC News in an interview.

"If you have a brand and you have a list of customers, by the way who have asked to get communications from this brand, and they're OK with it and they're expecting it — that's really dangerous in the hands of somebody who wants to do targeted attacks," he said.

"I think we're only going to see more of this."

The computer security firm Symantec reports that spear phishing emails accounted for 6.3 per cent of the estimated 95.1 billion phishing emails in 2010. The tactic was unheard of prior to 2005.

The difference between regular phishing and spear phishing is the sophistication of the ploy, Krebs notes. On a regular phishing expedition cybercriminals flood the internet with spam emails. The targeted spear phishing approach gets much better results with far fewer emails.

Krebs says there's only one way to ensure you don't become a victim.

"The easiest way to stay out of trouble with respect to this type of thing is just to have a healthy sense of wariness."