If you consider yourself a proficient internet user, you probably know to watch out for phishing attempts — massive
email efforts to get you to hand over personal financial information
like a credit card number or to click on a website link that could allow
malware to steal information from your computer. They usually come in e-mail messages
riddled with spelling errors and terrible formatting.
Now comes a new, more subtle and more dangerous threat: spearphishing. Spearphishing
is often aimed at tricking specific individuals into opening a malicious file. It
could be, for instance, a boobytrapped PDF file or Word document which,
when opened, secretly and silently installs spyware onto your
computer.
Spearphishing is increasingly being used by totalitarian governments seeking to spy on individuals and to infiltrate computers belonging to government agencies in other countries. Sophisticated criminal organizations have also started using the technique to obtain valuable financial information.
Once installed, the malicious spyware code opens a backdoor, giving hackers remote access to all the files on your
computer, as well as the ability to capture every keystroke, to steal
passwords, and to read everything on your screen.
But why would anyone be fooled into opening such an email? The information in the email is crafted to
look and sound just right, so that it dupes
someone into clicking on a link or opening an attachment, and
their computer becomes compromised.
For instance, imagine
you were a reporter covering human rights abuses in China. I simply send
you an email (with a boobytrapped attachment), forge my 'from' address
so you believe that the email has come from a human rights group, and in
the body of the email tell you that attached you'll find shocking
details of human rights abuses in China. If you click on the link or the attachment, I can then read all the information on your computer, including the identities of dissidents who may be supplying you with information.
Similarly, if you were a
military supplier, I might make my email appear as though it came from a
sister company or another supplier and use the access to your computer to gain vital military intelligence.
Some experts say that company employees and individuals who use cloud-based, shared document apps like Google Docs can be sitting ducks for spearphishing attempts. In the first place, Google
Docs is a very convenient way to fool end users into
divulging passwords, because it is such a trusted source. Also, Google Docs connections are
HTTPS-encrypted, so Web-filtering gateways cannot
scan them for malicious content.
While spearphishing may currently be used by governments and sophisticated criminal organizations against specific targets, we can expect large-scale hackers to begin using this technique to harvest financial data and other sensitive information from members of the general public. The best precaution is to examine messages very closely, especially those carrying attachments or containing links: make sure you are viewing the entire file name of an attachment before clicking on it, make certain that messages from people you know are genuine, and be especially careful of messages from people you do not know.
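The two warning signs described above, a forged 'from' address and an attachment whose entire file name differs from what it appears to be, can also be checked automatically when mail is received. The Python code below is an added example, not part of the original article; the extension list, the Reply-To comparison, and every address and file name in it are assumptions constructed for illustration.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed, non-exhaustive list of extensions that run code when double-clicked on Windows
RISKY_EXT = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".com", ".pif", ".lnk", ".hta"}
BIDI_CTRL = "\u202e\u202d\u200e\u200f"  # controls that reorder how a name is displayed

def name_findings(name):
    """Judge an attachment by its entire file name, not the part a mail client shows."""
    out = []
    if any(c in name for c in BIDI_CTRL):
        out.append("bidi-control-in-name")
    stem, ext = os.path.splitext(name.strip().lower())
    if ext in RISKY_EXT:
        # "report.pdf.exe" or "report.pdf     .exe": a document-looking stem before the real type
        decoy = os.path.splitext(stem.strip())[1]
        out.append("decoy-extension" if decoy else "executable-attachment")
    return out

def _domain(value):
    """Lower-cased domain of the address in a From/Reply-To header value."""
    return parseaddr(value)[1].rpartition("@")[2].lower()

def check_message(raw):
    """Return (tag, detail) findings for one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    from_dom, reply_dom = _domain(str(msg.get("From", ""))), _domain(str(msg.get("Reply-To", "")))
    if reply_dom and reply_dom != from_dom:
        # Replies would go to a different domain than the one the sender claims
        findings.append(("reply-to-mismatch", f"{from_dom} -> {reply_dom}"))
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        findings += [(tag, name) for tag in name_findings(name)]
    return findings

def build_sample():
    """Constructed message for the demo; all addresses and names are made up."""
    m = EmailMessage()
    m["From"] = "Rights Watch <alerts@rights-group.example>"
    m["Reply-To"] = "alerts@mail-relay.example"
    m["Subject"] = "Report attached"
    m.set_content("Details are in the attached report.")
    m.add_attachment(b"constructed bytes", maintype="application",
                     subtype="octet-stream", filename="report.pdf.exe")
    m.add_attachment(b"constructed bytes", maintype="application",
                     subtype="pdf", filename="minutes.pdf")
    return m.as_bytes()
```

Calling check_message(build_sample()) reports the Reply-To mismatch and the decoy extension on report.pdf.exe, and reports nothing for minutes.pdf. A clean result does not make a message safe, since a document with an ordinary extension can still be boobytrapped.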