SearchSecurity

spear phishing

Posted by Margaret Rouse WhatIs.com


Spear phishing is an e-mail spoofing fraud attempt that targets a specific organization, seeking unauthorized access to confidential data. Spear phishing attempts are not typically initiated by "random hackers" but are more likely to be conducted by perpetrators out for financial gain, trade secrets or military information.

As with the e-mail messages used in regular phishing expeditions, spear phishing messages appear to come from a trusted source. Phishing messages usually appear to come from a large and well-known company or Web site with a broad membership base, such as eBay or PayPal. In the case of spear phishing, however, the apparent source of the e-mail is likely to be an individual within the recipient's own company and generally someone in a position of authority.

Visiting West Point teacher and National Security Agency expert Aaron Ferguson calls it the "colonel effect." To illustrate his point, Ferguson sent out a message to 500 cadets asking them to click a link to verify grades. Ferguson's message appeared to come from a Colonel Robert Melville of West Point. Over 80% of recipients clicked the link in the message. In response, they received a notification that they'd been duped and a warning that their behavior could have resulted in downloads of spyware and/or other malware.

Most people have learned to be suspicious of unexpected requests for confidential information and will not divulge personal data in response to e-mail messages or click on links in messages unless they are positive about the source. The success of spear phishing depends upon three things: the apparent source must appear to be a known and trusted individual, the message must contain information that supports its validity, and the request the individual makes must seem to have a logical basis.


Here's one version of a spear phishing attack: The perpetrator finds a web page for their target organization that supplies contact information for the company. Using available details to make the message seem authentic, the perpetrator drafts an e-mail to an employee on the contact page that appears to come from an individual who might reasonably request confidential information, such as a network administrator. The email asks the employee to log into a bogus page that requests the employee's user name and password or click on a link that will download spyware or other malicious programming. If a single employee falls for the spear phisher's ploy, the attacker can masquerade as that individual and use social engineering techniques to gain further access to sensitive data.
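A defender-side check for the traits described above (an apparent sender inside the recipient's own company, and a link to a bogus login page), as an added example that is not part of the original article. It assumes the organization's mail domain is `example.com` and that the receiving mail server records sender-authentication results in an `Authentication-Results` header; the sample message is constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

ORG_DOMAIN = "example.com"  # assumption: the recipient organization's domain

# Constructed sample: claims to be the internal network administrator, fails
# sender authentication, and links to a look-alike login page.
SAMPLE = """\
From: "Network Administrator" <netadmin@example.com>
To: employee@example.com
Reply-To: netadmin@example-support.test
Subject: Action required: verify your account
Authentication-Results: mx.example.com; spf=fail; dkim=none; dmarc=fail header.from=example.com
Content-Type: text/plain

Please log in at https://login.example-support.test/verify to keep your account active.
"""

def domain_of(addr):
    """Domain part of an address header value, lowercased ('' if absent)."""
    return parseaddr(addr or "")[1].rpartition("@")[2].lower()

def is_org(host):
    """True for the organization's domain or one of its subdomains."""
    return host == ORG_DOMAIN or host.endswith("." + ORG_DOMAIN)

def spear_phish_indicators(raw):
    """Flag mail that claims an internal sender but does not behave like one."""
    msg = message_from_string(raw)
    if not is_org(domain_of(msg["From"])):
        return []  # this check only covers mail that claims to be internal
    findings = []
    # Only trust Authentication-Results added by your own receiving server.
    auth = " ".join(msg.get_all("Authentication-Results", [])).lower()
    if "dmarc=pass" not in auth:
        findings.append("internal From without DMARC pass")
    reply_dom = domain_of(msg["Reply-To"])
    if reply_dom and not is_org(reply_dom):
        findings.append("Reply-To leaves the organization: " + reply_dom)
    body = " ".join(p.get_payload(decode=True).decode("utf-8", "replace")
                    for p in msg.walk() if p.get_content_maintype() == "text")
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        host = (urlparse(url).hostname or "").lower()
        if host and not is_org(host):
            findings.append("external link: " + host)
    return findings
```
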

This was first published in March 2011

Continue Reading About spear phishing

∙ A Wall Street Journal article explains more about spear phishing.
∙ SearchOpenSource.com offers advice on how to combat spear phishing.
∙ Microsoft.com compares spear phishing with ordinary phishing expeditions.
∙ The New York Times describes a case of spear phishing.
∙ RSA SecurID breach began with spear phishing attack

Glossary

'spear phishing' is part of the:

∙ Email and messaging Glossary
∙ Internet applications Glossary
∙ Malware Glossary
∙ Network security Glossary
∙ Security management Glossary


Related Terms

Operation Phish Phry

Operation Phish Phry is an investigation carried out by the United States Federal Bureau of Investigation (FBI), the ...

Rock Phish

Rock Phish is both a phishing toolkit and the entity that publishes the kit, either a hacker, or, more likely, a sophisticated ...

whaling

Whaling is a type of fraud that targets high-profile end users such as C-level corporate executives, politicians and celebrities.


All Rights Reserved, copyright 2000 - 2015, TechTarget