The Rise of Spear Phishing – Who Got Breached?
Lately, more and more spear-phishing attacks have been detected across multiple industry sectors, with an alarming increase in sophistication and frequency, posing a real threat mostly to the financial officers of these organizations.
According to a warning issued recently by the FBI, these attacks compromise companies and organizations of all sizes. They can come in the form of an email message that seems so credible that it lures the recipient into responding as directed, and sometimes even into performing actions that lead to theft of sensitive information or virus infection.
These emails often contain data about the victims extracted from social networks, blogs, or information obtained in previous attacks, which makes them look so real that the recipient will not even think of questioning their source. Sometimes the phishing email appears to come from the company's top management or from its IT unit, requesting credentials or even money transfers. In some attacks, the attackers registered a domain name closely resembling their target's, complete with email services, and the messages were so credible that no one considered that they might be a spear-phishing attempt.
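A defender-side check for the two impersonation patterns described above (a lookalike sender domain, and an executive's name used from an outside address), given here as an added example that is not part of the original article. The domain, the executive names and the confusables list are constructed assumptions.

```python
from email.utils import parseaddr

# Constructed sample values: the organisation's real domain and executive names.
TRUSTED_DOMAINS = {"example-corp.com"}
EXECUTIVES = {"jane doe", "john smith"}

# Common visual substitutions, folded to one canonical form before comparing.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s"))

def skeleton(domain):
    """Normalise a domain so visually similar spellings compare equal."""
    d = domain.lower()
    for src, dst in CONFUSABLES:
        d = d.replace(src, dst)
    return d

def edit_distance(a, b):
    """Levenshtein distance using a two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(from_header, trusted=TRUSTED_DOMAINS, execs=EXECUTIVES):
    """Label a From: header as trusted, lookalike, name-spoofed or external."""
    name, addr = parseaddr(from_header)
    _, at, domain = addr.lower().rpartition("@")
    if not at or not domain:
        return "unparseable"
    if domain in trusted:
        return "trusted"
    for good in trusted:
        # Same skeleton, or at most two edits away (tune for short domains).
        if skeleton(domain) == skeleton(good) or edit_distance(domain, good) <= 2:
            return "lookalike-domain"
    if name.strip().lower() in execs:
        return "executive-name-external-domain"
    return "external"

if __name__ == "__main__":
    for hdr in ("Jane Doe <jane.doe@example-corp.com>",
                "Jane Doe <jane.doe@examp1e-corp.com>",
                "John Smith <jsmith1987@freemail.test>"):
        print(f"{classify_sender(hdr):32} {hdr}")
```

A mail gateway or triage script can use the two non-trusted labels to quarantine the message or add a warning banner before it reaches a finance user.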
According to Symantec's latest Internet Security Threat Report, at least one in five small businesses and one out of two large companies (with more than 2500 employees) is targeted with at least one spear-phishing email. Even the government sector is no exception, with 16 percent of spear-phishing blocked during the last year. The most famous targets that got breached by spear phishing are RSA, HBGary Federal and Operation Aurora.
In the past, financial services were the sector most prone to security breaches. These days, with the rise of spear phishing, mining and manufacturing companies also have a lot to worry about, as does, in general, every company or organization that holds large amounts of proprietary data and personal information.