TELECOM Digest OnLine - Sorted: Online Scammers Pose as Company Executives in 'Spear-Phishing'


Online Scammers Pose as Company Executives in 'Spear-Phishing'


NewsWire (reuters@telecom-digest.org)
Wed, 17 Aug 2005 23:26:19 -0500

Online criminals trying to pry passwords and other sensitive
information out of companies have started using phony e-mails to pose as
powerful executives of the targeted organizations, experts said on
Wednesday.

Known as "spear phishing," the technique is an ingenious wrinkle on
the "phishing" e-mail scams that try to trick consumers into giving up
bank-account information and other sensitive details that can be used in
identity theft.

Businesses are typically reluctant to publicly disclose when they
are the target of online attacks, but online security company MessageLabs
said in June that it has seen the tactic grow steadily during the year
to the point where it now sees one to two spear phishing campaigns a
week.

Rather than posing as a bank or other online business, spear phishers
send e-mail to employees at a company or government agency, making it
appear that the e-mail comes from a powerful person within the
organization, several security experts said.

"It works wonderfully if you're a bad guy," said Alan Paller, chief
executive of the SANS Institute, a nonprofit cybersecurity research
organization.

Unlike basic phishing attacks, which are sent out indiscriminately,
spear phishers target only one organization at a time. Once they trick
employees into giving up passwords, they can install "Trojan horses"
or other malicious software programs that ferret out corporate or
government secrets.

Spear phishing has emerged as one of several kinds of "targeted
attacks" that experts say have grown more common in 2005.

Though such attacks are difficult to trace, many compromised machines
seem to be reporting back to Internet addresses in the Far East,
according to a report by the United Kingdom's National Infrastructure
Security Co-Ordination Center.

Spear phishing can be devastatingly effective even among employees who
are aware of online threats.

At the U.S. Military Academy in West Point, New York, several internal
tests found that cadets were all too willing to give sensitive
information to an attacker posing as a high-ranking officer, said Dr.
Aaron Ferguson, a visiting faculty member there.

"It's the colonel effect. Anyone with the rank of colonel or higher,
you execute the order first and ask questions later," he said.

Cadets in more recent tests have been somewhat more likely to report
the messages as suspicious as awareness has grown, he said.

Employee education helps counteract the threat, but these attacks
will remain rampant until e-mail verification schemes come into
widespread use, said Dave Jevans, chairman of the Anti-Phishing Working
Group, a group of banks and online retailers formed to fight the
problem.

Copyright 2005 Reuters Limited.

