A Spear Phishing Scam Stole Data of 15,000 Computer Users
Two gangs of criminals have reportedly seized data from an estimated 15,000 computer users over the 15 months from February 2007 to April 2008, using 'spear phishing', or targeted e-mail assaults, according to researchers at Verisign, the e-mail security vendor.
Verisign, which has traced the origin of 66 of these incidents since February 2007, believes that the two masked crime gangs are responsible for 95% of the attacks. Apart from this, in May 2008 alone, more than 2,000 PCs were compromised via spear phishing e-mails purportedly from the US Internal Revenue Service, according to Verisign.
Conventional phishing attacks involve wide distribution of fake e-mails in the hope that some victims will be tempted to visit certain phony Websites. In spear phishing attacks, however, the e-mails are sent to specific groups of people and carry personal information such as the victim's full name or even the name of his employer.
Additionally, in the attacks Verisign tracked, victims are tricked into opening malware-laced attachments or visiting malware-laden Websites so that a backdoor component can be installed on the victim's system, enabling the attackers to steal information. The spear phishing campaign proceeded rather unsteadily during the initial months of 2007 but soon gathered momentum.
Moreover, according to Matthew Richard, Director of Verisign's iDefense Rapid Response Team, the attacks peaked during March-April 2008, as reported by PCWorld on June 5, 2008. Richard added that the con men have used sophisticated techniques both in their delivery methods and in their handling of the stolen data. He said that the entire lot of e-mails essentially targets business organizations in one form or another.
Further, the e-mails employed several social engineering tactics to make victims trust the sender of a message. Each was addressed to a particular individual, and the information in the message, such as designation and direct phone number, which are generally not available to the public, was apparently harvested from personal databases.
Similarly, according to SecureWorks, the Internet security company, a recent large-scale phishing campaign is sending hoax US Tax Court notification e-mails to company executives for monetary gain, and 600 people have already been victimized.
» SPAMfighter News - 17-06-2008