/ciol/media/agency_attachments/c0E28gS06GM3VmrXNw5G.png)
Follow UsWASHINGTON: Online criminals trying to pry passwords and other sensitive information out of companies have started using phony e-mails to pose as powerful executives of the targeted organizations, experts said on Wednesday.
Known as "spear phishing," the technique is an ingenious wrinkle on the "phishing" e-mail scams that try to trick consumers into giving up bank-account information and other sensitive details that can be used in identity theft.
Businesses are typically reluctant to publicly disclose when they are the target of online attacks but online security company MessageLabs said in June that it has seen the tactic grow steadily during the year to the point where it now sees one to two spear phishing campaigns a week.
Rather than posing as a bank or other online business, spear phishers send e-mail to employees at a company or government agency, making it appear that the e-mail comes from a powerful person within the organization, several security experts said.
"It works wonderfully if you're a bad guy," said Allan Paller, chief executive of the SANS Institute, a nonprofit cybersecurity research organization.
Unlike basic phishing attacks, which are sent out indiscriminately, spear phishers target only one organization at a time. Once they trick employees into giving up passwords, they can install "Trojan horses" or other malicious software programs that ferret out corporate or government secrets.
Spear phishing has emerged as one of several kinds of "targeted attacks" that experts say have grown more common in 2005.
Though such attacks are difficult to trace, many compromised machines seem to be reporting back to Internet addresses in the Far East, according to a report by the United Kingdom's National Infrastructure Security Co-Ordination Centre.
Spear phishing can be devastatingly effective even among employees who are aware of online threats.
At the U.S. Military Academy in West Point, New York, several internal tests found that cadets were all too willing to give sensitive information to an attacker posing as a high-ranking officer, said Dr. Aaron Ferguson, a visiting faculty member there.
"It's the colonel effect. Anyone with the rank of colonel or higher, you execute the order first and ask questions later," he said.
Cadets in more recent tests have been somewhat more likely to report the messages as suspicious as awareness has grown, he said.
Employee education helps counteract the threat but these attacks will remain rampant until e-mail verification schemes come into widespread use, said Dave Jevans, chairman of the Anti-Phishing Working Group, a group of banks and online retailers formed to fight the problem.