Phishing is an ever-present danger on the Internet threat landscape. In my blog post Dealing With Phishy Emails I wrote about what you can do to combat conventional phishing attempts. By “conventional” I mean those emails that use social engineering techniques to get you to click on links in the messages that lead you to malicious websites, where you are prompted to enter valuable personal data – credit card numbers, login credentials, etc.
As I pointed out before, these attacks are fairly easy to detect. Most browsers and email clients provide some measure of protection from them. And, of course, security solutions like Trend Micro Titanium do a pretty good job of combating phishing by keeping you away from known malicious websites.
But over the past year, Trend Micro threat researchers have observed that spear-phishing is on the rise. According to the Trend Micro security paper Spear-Phishing Email: Most Favored APT Attack Bait, “91% of the targeted attacks it collected data on between February and September 2012 involved spear-phishing tactics that dupe a victim to open a malicious file or Website.”
What Spear-Phishing Looks Like
Unlike conventional phishing that tries to snare victims in a wide net of mass emailings, spear-phishing targets individuals or groups within companies. The emails are designed to contain information relevant to the targeted people and to look as authentic as possible. In most cases, these emails don’t contain malware or any of the “phishy” qualities I talked about before. As a result, they usually pass through most spam and phishing filter software.
If you read about spear-phishing on security and business blogs, you may be led to think that such attacks are confined to people inside companies. But Trend Micro Spam Threat Researcher Jon Oliver has shared with me some interesting examples of spear-phishing emails he has collected that will have you thinking otherwise. The first appears to be a notice from Verizon, and the second seems to be a rather ominous note from the US Internal Revenue Service.
These emails look authentic, don’t they? The email from the IRS is downright creepy. Many people would be tempted to click on the links in these fake emails, but doing so is far more dangerous than it used to be. With the increasing circulation and use of malware toolkits in the cybercriminal underground, like the Blackhole Exploit Kit, all it takes is a single click on a link in a spear-phishing message and your browser loads malware that compromises your system.
How to Handle Spears Thrown Your Way
There is a very simple, low-tech solution to all of this. Never click on any links in emails that are sent to you. If you don’t click on the links, you won’t get redirected to malicious websites. It’s just that simple.
Instead, contact the parties who purportedly sent you the emails directly to verify your account status. Either call the organization in question by phone or type the web address (also known as a URL) into your browser. Use a URL that you know to be valid. Do not copy the one sent in any given email. Remember, those may be the bad URLs, and pasting one of them into your browser has the same effect as clicking on the link.
If you feel you have to click on links in emails, make sure you only do so in emails that you are expecting. For example, when you sign up for a service in the cloud, like file sharing or social networking, the company typically sends you an email with a link back to the service website that you click on to confirm your identity. These confirmations normally arrive within a few minutes after you sign up, so you know that the sender is authentic.
When all is said and done, it pays to be cautious if you want to stay safe on the Internet. When in doubt, don’t click on links in emails that you receive. And follow along with us on Fearless Web and Trend Micro’s Security Intelligence Blog to stay up to date on the latest Internet threats.
I work for Trend Micro and the opinions expressed here are my own.