Criminal spear phishing attacks are on the rise, so much so that the FBI and Internet Crime Complaint Center issued a warning about them.
Spear-phishing more often than not begins with a targeted email that contains a malicious attachment threat tries to get the victim to open it. Often, the FBI said, e-mails contain accurate information about victims obtained via a previous intrusion, or from data posted on social networking sites, blogs, or other websites. This information adds a veneer of legitimacy to the message, increasing the chances the victims will open the e-mail and respond as directed.
"Recent attacks have convinced victims that software or credentials they use to access specific websites needs to be updated. The e-mail contains a link for completing the update. If victims click the link, they are taken to a fraudulent website through which malicious software or malware harvests details such as the victim's usernames and passwords, bank account details, credit card numbers, and other personal information. The criminals can also gain access to private networks and cause disruptions, or steal intellectual property and trade secrets," the FBI stated.
The FBI notes that to avoid becoming a victim, keep in mind that online businesses, including banks and merchants, typically will not ask for personal information, such as usernames and passwords, via e-mail. When in doubt either call the company directly or open your computer's Internet browser and type the known website's address. Don't use the telephone number contained in the e-mail, which is likely to be fraudulent as well.
A recent story by our sister site, the IDG News Service said that 91% of targeted attacks start with spear- phishing email, according to Trend Micro. Trend Micro said five key target organizations including government ministries, technology companies, media outlets, academic research institutions and non-governmental agencies.
Threats are not new and IT departments have already seen various kinds of advanced persistent threats (APTs) or malware-based espionage attacks that have been around for years. Recent years have seen "noisier" campaigns within the security community, and now are learning to combat the emerging new and smaller campaigns.
Check out these other hot stories: