Thursday, 21 April 2011

Spear Phishing: can it fool me?

[Image: An example of a phishing e-mail, disguised as ... (via Wikipedia)]

Recent articles in the news remind me that anyone can be fooled by a good scam. The problem is always the trust we place in the communication we receive. It is not just a financial problem (remember the Madoff scam?) but one that can hit anyone; even experts can fall for it.
The most recent case was the hack at Oak Ridge National Laboratory, but it is just the latest in an endless series. The RSA SecurID breach was also prepared with spear phishing.
What is spear phishing? Spear phishing is an e-mail spoofing fraud attempt that targets a specific organization, seeking unauthorized access to confidential data. It is, in other words, a targeted phishing campaign built to capture the trust of a specific organization or group of people.
Believe it or not, it is highly effective, but it requires some preparation. The mail has to be correctly formatted, and the language used has to be the right one. In other words, it requires good knowledge of the target to be effective.
Just as financial scams are usually perpetrated by apparently honest and trustworthy gentlemen, spear phishing (but also phishing in general) needs to present itself as an official communication coming from a trustworthy source. If it can also mention private facts or internal knowledge, it is more effective.
The way to collect this information is not so complicated: Facebook, for example, is usually a great source of information, as are LinkedIn and other social networks. Blogs and forums should not be forgotten either.
The first step is gathering information, the more the better. This could partially explain why there have recently been so many thefts of personal data, as in the Epsilon case: the more data I have, the easier and more effective it will be to create my scam.
So even the most secure organization can be fooled. Can we protect ourselves?
Well, education, DLP and a good e-mail security engine would be of use, as well as some web protection, since the link between mail and web is always strong.
But the best defense would be a little more awareness of the risk, and accepting that anyone (yes, me too) can be fooled.
cheers
Antonio
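As an added example, not part of the original post, here is the kind of header check an e-mail security engine applies to catch a message that poses as an "official" internal communication while really coming from elsewhere. The sample message and all domains are constructed; `corp.example` is assumed to be the organization's own domain.

```python
import email
from email.utils import parseaddr

# Constructed sample (not from the original post): a notice imitating the
# organization's IT helpdesk. The display name carries an internal-looking
# address, the real sender is a look-alike domain and replies are diverted.
SAMPLE = """\
From: "IT Helpdesk <helpdesk@corp.example>" <notices@corp-example.net>
Reply-To: support@mail-relay.example.org
Return-Path: <bounce@corp-example.net>
To: alice@corp.example
Subject: Action required: password expiry

Your password expires today. Please confirm it at the link below.
"""

# Assumption: the organization's own sending domain(s).
TRUSTED_DOMAINS = {"corp.example"}

def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' when there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def looks_like(candidate: str, trusted: str) -> bool:
    """Crude look-alike test: the trusted name survives once dots/hyphens are dropped."""
    strip = str.maketrans("", "", ".-")
    return candidate != trusted and trusted.translate(strip) in candidate.translate(strip)

def spoof_indicators(raw: str, trusted: set) -> list:
    """Return reasons a message looks like a spoofed internal communication."""
    msg = email.message_from_string(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)
    findings = []
    # 1. Display name smuggles an address whose domain is not the real sender's.
    name_dom = domain_of(parseaddr(display)[1])
    if name_dom and name_dom != from_dom:
        findings.append(f"display name claims {name_dom}, From is {from_dom}")
    # 2./3. Reply-To or Return-Path domain differs from the From domain.
    for hdr in ("Reply-To", "Return-Path"):
        dom = domain_of(parseaddr(msg.get(hdr, ""))[1])
        if dom and dom != from_dom:
            findings.append(f"{hdr} domain {dom} differs from From domain {from_dom}")
    # 4. Sender domain is not ours but imitates one of our domains.
    if from_dom not in trusted:
        for t in trusted:
            if looks_like(from_dom, t):
                findings.append(f"From domain {from_dom} imitates trusted {t}")
    return findings
```

Such checks complement, rather than replace, SPF/DKIM/DMARC evaluation and user awareness: a message that passes all of them can still be a well-prepared spear phish.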