Spear phishing attacks will soon be "devastating"

Targeted phishing attacks are becoming increasingly common as security controls tighten, according to a new report.

Security researcher Dana Lane Taylor of stopabuseonline.org has warned about the potential for future phishing attacks to be launched even from within an organisation's own IT infrastructure. Despite being a "spaghetti coder at best", Taylor believes it would be easy for her to use cross-site scripting (XSS) and SQL injection attacks to reroute a company's standard login page so that it sends credentials directly to the malicious party.

"I would then specifically target people inside the organization who are likely to have access to databases that contain sensitive data," Taylor said.

Phishing is the practice of trying to obtain sensitive information such as usernames, passwords or bank details from individuals by pretending to be a trusted sender. Phishers would traditionally send out huge volumes of spam email, pretending to be a Nigerian banker, for instance, or a friend with an interesting photo, and then wait to see whether one or two people out of all the thousands would take the bait; hence the name, a play on "fishing".

However, this unsophisticated type of scam has increasingly given way to a more advanced technique. Now fraudulent emails are being directed at a specific organisation, or even a specific individual within that organisation, using information available on social media and other public spaces. This approach is known as "spear phishing" due to its targeted and specific nature.

Taylor warned that once more sophisticated techniques become widespread among phishing scammers, "phishing attacks will become devastating attacks."

One test at the West Point military academy in the United States showed that 80 per cent of 500 cadets would follow the link in an email if it appeared to come from a colonel at the academy. The link told them that they had been duped, and warned them against such risky behaviour.

The report comes just as LinkedIn users have been struck by a sophisticated and widespread phishing attack, and soon after the Social Engineering Capture The Flag (SETF) contest at DEF CON exposed just how frequently companies are still falling for social engineering attacks.

Taylor has urged companies and organisations to take these vulnerabilities "very seriously."
