Phishphloods: Not all Phishing is Spear-Phishing


You don't need more advice from me on avoiding phishing following the Epsilon fiasco: Randy, among others, has posted plenty of sound advice, and I put some links to relevant articles here. I don't know of anyone who's published a list of the whole 2,500 or so companies that are apparently Epsilon's customers, though comment threads here and here seem to be going in that direction. (Hat tip to Randy Knobloch.)

One thing that we do know is that Dell Australia has added itself to the list (another hat tip to Parvinder Walia), and that Paul Ducklin has not unreasonably cast doubt on whether Epsilon can be sure that only names (first names only, according to some sources) and email addresses were accessed. Still, the security community has done its best to prepare you for any additional phloods of phish (as if there aren't plenty of phish in the sea already).

One of the odd side-effects of this affair, though, is the widespread assumption that there will be more spear-phishing. Well, that depends on your definition of spear-phishing, I suppose. Any phishing that results directly from this attack is going to be a little more targeted in that people will receive phishing mail that seems to come from organizations with which they actually have some sort of relationship.

But is it worthwhile for the scammer to target more precisely in that way? Spam is cheap: the punt gun approach (fire a pound or two of shot in the general direction of the flock and pick up anything that drops) is probably good (or bad) enough. Even if there's more information available than name and email address, allowing more accurate social engineering, that still takes more research on the scammer's part to make real use of it.

If the scammer is aiming for a very specific target, as may have happened in the case of RSA, that's different: you don't want to over-expose a cute 0-day exploit, because the more people receive it, the faster it's likely to be detected by AV. But that's nearer to the phishing technique sometimes referred to as whaling, though in the case of the RSA breach, the targeted individuals seem to have been fairly low in the hierarchy.

Author David Harley, ESET


Copyright © 2015 ESET, All Rights Reserved.