Click here to receive your FREE subscription to Campus Technology
News
Hoax Subpoena E-Mails Shine Light on 'Spearphishing'
4/25/2008
Last week, hundreds of executives at some of America's most well-known companies received e-mails that they probably didn't want to get--even if those messages weren't a hoax.
It was revealed Wednesday that as many as 2,000 top managers at high-profile corporations nationwide received e-mail messages early in the week that looked like an official subpoena from the Uited States District Court in San Diego, CA.
Though this hoax could have been worse, it still brings attention to the growth of a certain modus operandi among many of the world's most sophisticated hackers: targeted attacks under the guise of a friendly overture.
"As phishing attacks go, this one has been comparatively small. By some estimates, the Monday wave tricked about 2,000 people and the second attack on Wednesday scammed another 100," said Andrew Storms, director of IT security operations at San Francisco, Calif.-based nCircle Network Security. "Though, despite the small numbers here, this attack does highlight the new trend of 'spearphishing.' Spearphishing is the term used to denote a highly targeted and incredibly customized version of the daily-seen phishing attack."
Since the incident, the real federal court for the Central District of California has posted an advisory on its Web site alerting users of the nature of the attacks and admonishing them to report such incidents. Even the IT security think tank SANS Institute got in on the act with notes on its homepage urging users who receive subpoenas via e-mail to take them immediately to the company's in-house counsel, private lawyers or federal law enforcement.
Security patches that guard against such attacks have also been relatively prevalent in recent Patch Tuesday releases, more evidence that phishing is a concern that isn't going away.
It All Started with Spam
Security experts say that at its roots, phishing is merely an appendage of an
age-old confidence scheme where curious, interested or greedy parties are reeled
in (hence the term "phishing") and their privileged information
stolen.
Like many others, Don Leatham of Scottsdale, Ariz.-based Lumension Security traces the method back to the days of AOL, when dialing up to get on the Internet sounded like fingernails scratching a chalkboard and the pages loaded slowly.
"The history can go way, way back," said Leatham, who is Lumension's director of solutions and strategy. "The electronic, network version of this con is typically traced back to the early '90s when access to online services like AOL, Genie and CompuServe were fairly expensive."
However, today's attacks are more targeted and less random. They're less like fishing and more like hunting with a spear through the water--the water being the network, in this case. Thus, spearphishing attacks are tailored e-mails that include some level of personalized data from a trusted Web address that has been hacked and configured to invite specific individuals.
Recommended Reading
- RIAA Outsources Fingering of Students Who Share Music Illegally
The RIAA is outsourcing the hunt for music thieves. Its largest target currently is those who operate from within colleges and universities, a move that has piqued the attention of Educause.
- Microsoft Expands Education Footprint in Asia Pacific Region
Microsoft Chairman Bill Gates announced new partnerships to extend accessibility and computer literacy in the Asia Pacific region during a speech in Jakarta at a government leader gathering earlier this week.
- IT Struggling Over Security, Compliance
IT pros are having a hard time balancing security, software patch management and IT auditing with a host of other duties, according to a survey released Monday by Shavlik Technologies.
- Toronto College Upgrades Network with Gigabit Ethernet Wireless Links
Toronto-based George Brown College has gone public about its deployment of six BridgeWave GE60 wireless links to upgrade its campus-wide network.
- Gates Highlights R&D at CES08, Unveils Microsoft Touch Wall
Microsoft's Chairman Bill Gates spent a lot of time Wednesday talking about "empowering the workers" at the Microsoft's 12th annual CEO Summit 2008 in Redmond, WA, where he gave a keynote speech. However, Gates wasn't talking about political revolutions or even pay raises for office workers before the CEO crowd. Instead, he was referring to new software technologies that can better enable collaboration, social networking and decision-making on the job.
- Vista Vulnerability Study Puts Microsoft on Defensive
Microsoft and some independent security researchers had the blogosphere buzzing Wednesday over a series of denunciations after one company claimed that the Vista operating system was more vulnerable to malware and other exploits than previous operating systems.
