Tuesday, October 15, 2013

Phishing and Spear Phishing

No doubt you have heard the term "phishing", but perhaps you are not quite clear on what it is. More recently it seems we hear more about "spear phishing". What is the difference? How can you protect yourself?

Wikipedia has a great article on phishing that explains both terms, some of the history of the practice, including how it got its name, and many of the specific techniques used. Like many security-related resources, however, some of it can get fairly technical, making it difficult for some readers to understand what it means for them. The story of how the name "phishing" came about is fairly geeky and technical and relates to when the practice first became prevalent on America Online. Regardless of how the name actually came about, I think it is a good metaphor for describing the practice. When I think of literal fishing, two methods come to mind: the kind of fishing I used to do with my dad, where we would drop a line in the water and hope something came along and took a bite, and the TV documentaries showing commercial fishermen casting huge nets to pull in a large haul. Both of these images help explain the practice of phishing. The goal is to catch someone off guard and steal information from them, such as usernames, passwords, financial account information, or real money.

The image of dropping a line and waiting for a bite aptly describes phishing because e-mail (or in some cases a phone call) is used to deliver the bait, and the bad guys are simply hoping that someone takes it. A message might indicate that your account is about to expire. Or maybe you need to renew some information to keep receiving some benefits or services. Or perhaps there is something "you just have to see!" When you click the suggested link, instead of taking you to a legitimate web site, it takes you to a site where you enter the sought-after information, and the bad guys now have it. In many cases, both the e-mail and the web site look very convincing. In other cases, the desired action is opening a malicious attachment, which infects your computer with malware that can then be used to gather more information from you or to enable your computer to be used to attack others.

The image of casting a wide net also aptly describes phishing because that is generally how the bad guys operate, sending their e-mails to a wide audience, perhaps thousands or even millions of targets. The wider they cast the net, the more likely they are to get numerous victims to take the bait. The problem for the bad guys is that the larger the net cast, the harder it is to make the message appealing to everyone who receives it. For example, if I receive an e-mail saying that my account at a bank needs to be renewed, but I don't bank there, I am not likely to take the bait. Many people who get the message will be customers of that bank, but not everyone, and the more bogus e-mails someone receives, the more aware they become that they might be a target of a phishing attack. Over time, as awareness increases, phishing becomes less effective against some targets. It is still effective, so it keeps happening and there is still a need to warn people, but the bad guys have, as they always do, changed their tactics to become more effective.

Spear phishing has become more prevalent in recent years. The difference between spear phishing and regular phishing is that spear phishing attacks are much more targeted. In literal spear fishing, you have to get up close and personal with your target, taking careful aim and striking at just the right time. Spear phishing is like that. The bad guys take the time to get to know their targets: the specific products or services they use, the timing of important events in their lives, really as much as they can about them. The target group is also much smaller, a small specific group of persons, or in some cases even a specific individual, so the messages can be very personal and very relevant to what is important to the recipient at the time. The more targeted the bait, the more difficult it is to spot and the more likely someone will bite. A recent spear phishing attack targeted at executive-level state employees has been in the news. A sample subject is "Annual Form - Authorization to Use Privately Owned Vehicle on State Business". Perhaps you can see how someone might be inclined to open the attached form: if their authorization isn't up to date, they may not get reimbursed for their expenses. In this particular attack, the malware embedded in the attached form is the CryptoLocker ransomware mentioned in a previous blog post.

So how can you protect yourself from phishing and spear phishing attacks? Learn how to spot the bait. If an e-mail looks suspicious in any way, it is safest to err on the side of caution. Be especially suspicious of e-mails that create a sense of urgency or demand immediate action. E-mails with a generic salutation, such as "Dear Customer", are also a red flag. Also watch out for e-mails with a lot of grammar or spelling mistakes; legitimate businesses will usually proofread their communications carefully before sending them. Don't trust links or attachments. From your PC, you can hover your mouse over a link to see the actual target address. If it doesn't match what is displayed, this should raise an alarm. On a mobile device, previewing the link can usually be accomplished by pressing and holding the link, which displays a popup. Be careful though, as it can be easy to accidentally click the link. As for attachments, a good, safe practice is to open only ones you were expecting. Also, don't be quick to trust the sender. Just because an e-mail indicates it is from a trusted friend doesn't mean they actually sent it. The sender address can be forged, their computer may be infected with malware, or their e-mail account could have been compromised (probably because they fell victim to a phishing attack). If you receive an e-mail from a friend that contains links or attachments, contact them by another means to verify that they actually sent it.
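As an added example (not code from the original post), here is a small Python checker that applies the red flags described above to an HTML e-mail body: a generic salutation, urgency wording, and link text that shows one address while the link really points somewhere else. The function names and the sample message are mine, constructed for illustration.

```python
# Added example, not from the original post: applies the post's red flags
# to an HTML e-mail body. Function and constant names are mine.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

GENERIC_SALUTATIONS = ("dear customer", "dear user", "dear account holder")
URGENCY_WORDS = ("immediately", "urgent", "within 24 hours", "suspended", "expire")

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(url):
    # Bare "www.x.example" link text gets a scheme so urlparse finds the host.
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()

def phishing_indicators(html_body):
    """Return the list of red flags found in an HTML e-mail body."""
    flags = []
    text = re.sub(r"<[^>]+>", " ", html_body).lower()
    if any(s in text for s in GENERIC_SALUTATIONS):
        flags.append("generic salutation")
    if any(w in text for w in URGENCY_WORDS):
        flags.append("urgency language")
    collector = _LinkCollector()
    collector.feed(html_body)
    for href, shown in collector.links:
        # The "hover over the link" check: URL shown vs. real target host.
        if shown.startswith(("http", "www.")) and _host(shown) != _host(href):
            flags.append(f"link text {shown!r} points to {_host(href)!r}")
    return flags

# Constructed sample message; .example hostnames are reserved for documentation.
SAMPLE = ("<p>Dear Customer,</p><p>Your account will be suspended unless you "
          "verify it immediately: <a href='http://login.attacker.example/'>"
          "https://www.bank.example/login</a></p>")
```

Running `phishing_indicators(SAMPLE)` reports all three flags for the sample; a message with a personal greeting and a link whose visible URL matches its target returns an empty list.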

By using common sense and being generally cautious when using e-mail, you can help protect yourself and others from becoming a victim of a phishing attack.

1 comment:

  1. I should have mentioned that the SANS OUCH! newsletter has also had some excellent articles on the subject of phishing and spear phishing. In particular, see the July 2013 and December 2011 issues.
    http://www.securingthehuman.org/resources/newsletters/ouch/2013#july2013
    http://www.securingthehuman.org/resources/newsletters/ouch/2011#december2011
