Spear-phishing is creating a new era of cybercrime, according to Chris Dixon, a partner at venture capital firm Andreessen Horowitz – and in terms of its threat to enterprise, it’s comparable to a “super strain of bacteria.”
In a video interview with Business Insider, Mr Dixon said that the new wave of “targeted” attacks was the result of criminal organizations with large budgets, and that their attacks were very difficult to defend against.
“How easy is it to figure out your boss’s email?” Dixon said, “Very. Our defenses relied on looking for signatures and patterns – that doesn’t work. We have a super-strain of bacteria.”
“The intensity has increased dramatically. Because these [criminal] organizations are well-funded, they are creating custom attacks,” Dixon said. “In the Eighties, when you read about ‘hacking’, it was kids, vandals having fun. It’s becoming a really, really serious problem. My sense I get from talking to a lot of people in business, and might be happening more dramatically than the public realizes.”
ESET Senior Researcher Stephen Cobb argues in a We Live Security post that more training is key, saying, “More cybersecurity training is needed, and needed now!”
High-profile recent attacks such as the incident in which the New York Times home page was defaced with a message saying “Syrian Electronic Army was here” relied on phishing emails.
The “spear phishing” emails – targeted at specific people – were sent to an IT contractor in India that worked for Melbourne IT, an Australian company which in turn registered the domain names for the New York Times, the Huffington Post UK and Twitter.
“It’s what happened with RSA,” says Dixon. “It’s a personalised attack – and it’s very, very common. I have talked to a lot of entrepreneurs. We are technology investors, we are buying into start-ups that have potential solutions. Maybe we need to have coordination between governments and companies.”
In a blog post on its “New E-scams and warnings” page, the FBI’s Internet Crime Complaint Center warned this year that “The FBI has seen an increase in criminals who use spear-phishing attacks to target multiple industry sectors. Cyber criminals target victims because of their involvement in an industry or organization they wish to compromise.”
“Recent attacks have convinced victims that software or credentials they use to access specific websites need to be updated. The e-mail contains a link for completing the update. If victims click the link, they are taken to a fraudulent website through which malicious software (malware) harvests details such as the victim’s usernames and passwords,” the FBI warns.
The scams are used to harvest data such as passwords, usernames and bank details, but cybercriminals also use them to “cause disruptions or steal intellectual property and trade secrets,” the FBI says.
Author Rob Waugh, We Live Security