Spear Phishing

Phishing is just spam being used to trick people into revealing some information to the phisher, and relies very heavily on social engineering to succeed. By blocking spam effectively, the bait never reaches its target, and the opportunity for deception is crushed.

Phishers are now sending more targeted emails to businesses and these e-mails are designed to appear as though they were sent by another member of staff at the same organization, typically from the IT or HR departments. It seems that people will share their passwords fairly willingly via e-mail if the trust the source. It doesn’t hurt that this new breed of phisher promises treats to those who cooperate or threatens the employment of those who don’t.

In a recent US example, a phisher bluffed his way into the network of a port authority by spoofing an internal email address. Once on the inside, with an apparently genuine email identity, he was able to fool employees into revealing passwords for applications.

This sort of attack has been termed ‘spear’ phishing, designed to bamboozle unsuspecting ‘colleagues’ into revealing information that will give the perpetrator access into secure areas of corporate networks.

By spear phishing one company at a time, a phisher need only send emails to a single domain, spoofing the sender address and requesting usernames and passwords to validate some information, or providing a link to a spoofed version of the company’s website or intranet – or perhaps that of a business partner or supplier.

Many people often use the same username and password for different applications or websites, and the phisher may try and use that to their advantage in their social engineering.

It is surprisingly easy to use existing spam-sending software to dynamically generate the target email addresses, for example by combining databases of first names and last names with letters and numbers. Furthermore, it would only take a few hundred such permutations to provide a valid email address in a large organization.

Additionally, a sustained attack of this nature can quickly become a huge drain on the company’s email server, sapping its resources as it attempts to handle several hundred or thousand connections for emails that can never be delivered to recipients that don’t exist.

Nevertheless, a successful spear phishing expedition can reduce the effort required to break into a company’s network without too much difficulty.

Not only are the individual’s details potentially compromised; it can also lead to theft of intellectual property and other sensitive corporate information. Spear phishing is growing fairly quickly as a threat to corporations.


  • Robin
    September 1, 2005 at 2:53 pm

    Now you can fight back against these Phishers. Just enter the Phishers URL in http://www.PhishFighting.com and watch as 100’s or 1000’s of fake entries are continuously sent to the Phishers website. They won’t be able to distinguash between real entries and the fake ones. Join the fight against Phishers.

  • VoIP Blog - Tehrani.com
    January 13, 2007 at 7:38 pm

    Network Security and Home Based Agents

    I am at a good friend’s house today and they have a problem with their laptop. My friend is a lawyer and while we debate the merits of the Cisco vs. Apple iPhone case I am also helping fix their…

  • Frank Paolino
    December 22, 2008 at 2:00 pm

    Interesting article. Three years later, I am starting to see these attacks. They will only continue to grow, as the Phishers find more creative ways to lure users in.
    Here is a hypothetical example, about Trust and Social
    Networks: The New Frontier of Phishing:

Leave Your Comment


Share via
Copy link
Powered by Social Snap