Saturday, July 09, 2005

Spear Phishing

Rich Tehrani - Rich Tehrani


Phishing is just spam being used to trick people into revealing some information to the phisher, and relies very heavily on social engineering to succeed. By blocking spam effectively, the bait never reaches its target, and the opportunity for deception is crushed.
Phishers are now sending more targeted emails to businesses and these e-mails are designed to appear as though they were sent by another member of staff at the same organization, typically from the IT or HR departments. It seems that people will share their passwords fairly willingly via e-mail if the trust the source. It doesn’t hurt that this new breed of phisher promises treats to those who cooperate or threatens the employment of those who don’t.
In a recent US example, a phisher bluffed his way into the network of a port authority by spoofing an internal email address. Once on the inside, with an apparently genuine email identity, he was able to fool employees into revealing passwords for applications.
This sort of attack has been termed ‘spear’ phishing, designed to bamboozle unsuspecting ‘colleagues’ into revealing information that will give the perpetrator access into secure areas of corporate networks.
By spear phishing one company at a time, a phisher need only send emails to a single domain, spoofing the sender address and requesting usernames and passwords to validate some information, or providing a link to a spoofed version of the company’s website or intranet - or perhaps that of a business partner or supplier.
Many people often use the same username and password for different applications or websites, and the phisher may try and use that to their advantage in their social engineering.
It is surprisingly easy to use existing spam-sending software to dynamically generate the target email addresses, for example by combining databases of first names and last names with letters and numbers. Furthermore, it would only take a few hundred such permutations to provide a valid email address in a large organization.
Additionally, a sustained attack of this nature can quickly become a huge drain on the company’s email server, sapping its resources as it attempts to handle several hundred or thousand connections for emails that can never be delivered to recipients that don’t exist.
Nevertheless, a successful spear phishing expedition can reduce the effort required to break into a company’s network without too much difficulty.
Not only are the individual’s details potentially compromised; it can also lead to theft of intellectual property and other sensitive corporate information. Spear phishing is growing fairly quickly as a threat to corporations.

6 Comments:

Blogger JT said...

Great Blog! A real pleasure to read! Do you know that Traffic Portals will really boost your conversion rates and generate exclusively yours leads? We offer VOIP webinars - Marketing Courses Using Web Conferences about Traffic Portals I also have a website that talks about various high profile topics such as Retirement and includes an eBusiness Directory. I also would like to tell all of you reading this terrific blog about Retirement that should you be in need of a terrific host for a serious eCommerce Website that www.Kiosk.ws is Awesome Hosting value! They have the best online support team for all of your technical questions and a 3 minute emergency pager too. Looking to start your own affiliate program? They have an excellent script for you! They give you $70,000 dollars worth of software to build just about any type of e-commerce website you need! Go check it out if you get a chance. You can make more money than you spend and Create Free Will for Yourself! Again, Great Blog! Thanks. The info on Retirement Sooner was very informative!

8:36 AM  
Blogger My VoIp Solutions said...

I just came across your blog and wanted to drop you a note telling you how impressed I was with the information you have posted here.
I also have a web site & blog about network voip so I know what I'm talking about when I say your site is top-notch! Keep up the great work!

8:07 AM  
Blogger telekom said...

Hi,

We may share some interest part of telecommunications story or update, so visit my website **Telecom** site/blog. It pretty much covers Telecommunications Updates related stuff.

Have a nice day.
Otai

3:28 AM  
Blogger Chuck Reynolds said...

free sample credit repair letter MyOpp is the first portal to activate a complete portfolio of income streams with one click!free sample credit repair letter

5:25 PM  
Blogger anjali4india said...

Enjoy Vyke's cheap international phone calls using PC-to-Phone, WIFI enabled mobile phones, SIP devices or Callback. Get a free dollar when you sign up for free, and there is no hidden charges or extra cost, just pay-as-you-go calling and sms. Check it out on https://www.vyke.com/

4 US cent per call connection charge to free landline destinations with Vyke PC-to-Phone, Mobile VoIP and VoIP Phone. Check out the cheap rates to all other destinations on https://www.vyke.com/rates.jsf
Share your views with us.

Happy Calling!!

4:28 AM  
Blogger Henry Fernandes said...

It is a good move and will help all expats make calls to their home countries. Hope the internet cafes can get this service so that they will not opt for any illegal VOIPs in future.I just want to inform everyone to a new web site called VoIP Spear (www.voipspear.com) to measure your QoS. It's the Internet's best and most accessible QoS testing service.

5:43 AM  

Post a Comment

<< Home