鱼叉式网络钓鱼是 common type of cyber attack in which attackers take a narrow focus 和 craft detailed, targeted email messages to a specific recipient or group. 这就要求攻击者研究他们的目标,找到重要的细节,让他们的信息看起来可信——所有这些都是为了欺骗和诱骗有价值的目标点击或下载恶意的有效载荷, or into initiating an undesired action such as a wire transfer.
Spear phishing attacks may target just one organization at a time, or even specific teams within one organization. When spear phishing attacks get even more granular, they often go after the biggest possible targets with a laser focus, such as C-level executives or senior managers; this kind of hyper-specific phishing attack is colloquially called a whaling phishing attack.
While, on the other h和, st和ard phishing attacks 以影响尽可能多的目标为目标,假设一些用户可能会成为诡计的受害者. 这些类型的攻击更为普遍,潜在的攻击者只需较少的努力和输出就可以破坏目标, 而不是试图对高级管理人员或特定组织进行网络钓鱼.
When a criminal sends a phishing email, they cast as wide a net as possible in the hopes of making a catch. 要做到这一点, 他们发送垃圾邮件,试图说服不知情的用户点击恶意链接或附件, often while pretending to be from a legitimate source, all in hopes of obtaining sensitive information or valuable credentials.
长期以来,网络钓鱼攻击一直很普遍,因为它们的部署成本很低, yet still effective enough to be lucrative. But as email security becomes more sophisticated, common phishing tactics are becoming easier to flag, 即使是那些到达预定目的地的网络钓鱼邮件也不足以有效地欺骗警惕的用户.
因此,攻击者正在采用新的策略,使他们的网络钓鱼邮件更可信. 最初的网络钓鱼方法——广泛撒网——正在让位于专注于使用真实细节来使潜在受害者相信其合法性的方法. Spear phishing is just one term for this attack style.
Enterprises are especially susceptible to spear phishing attacks, 因为他们公司的很多数据通常都可以在网上免费获得,攻击者可以在没有任何危险信号的情况下进行挖掘. 公司的官方网站可能是公司特定技术细节和术语的金矿, 公司主要人员, 客户, 事件, or even the names of internal software tools. Social networks like Facebook, 推特, 和领英通常不仅提供工作地点的个人信息, or where they've worked in the past, 但是,攻击者只需粗略地搜索一下,就能轻易地发现公司的等级制度.
In a spear phishing email, 这些在网上免费提供的小细节可以帮助攻击者在他们的电子邮件中散布姓名, 的地方, 或者使用足够有效的术语来说服原本精明的电子邮件收件人点击恶意链接. 该链接可能会将他们发送到一个准备捕获敏感内部凭据的网站, 因此,攻击者可以在公司网络上自由漫游,窃取知识产权或客户数据.
例如, by knowing how an organization's internal email addresses are structured, the names of account managers (h和ily self-identified through LinkedIn), a key customer name (on the company blog), 和 who the head of sales is (on the corporate website), 攻击者可以制作一封令人信服的电子邮件给整个账户管理团队, purportedly from the head of sales, about an urgent issue relating to one of their biggest 客户.
这封电子邮件可能会说,收件人需要在他们公司内部网的一个特定链接上查看备忘录——这个链接看起来很像他们的内部网门户,但实际上是一个恶意的诱饵版本,目的是捕获用户名和密码. 在报税季,金融团队经常成为鱼叉式网络钓鱼攻击的目标, 假装是公司首席执行官或首席财务官发来的,需要紧急审核W2文件.
所有打击网络钓鱼的常见智慧也适用于鱼叉式网络钓鱼,并且是防御这类攻击的良好基线. 永远不要点击电子邮件中的链接是防止网络钓鱼类攻击可能造成的损害的铁律. 也就是说, 因为鱼叉式网络钓鱼是一种更复杂的老式网络钓鱼攻击, 组织将需要确保他们的政策参考这些更先进的策略,并实施更强大的解决方案,以帮助员工进行相应的防御.
帮助组织防止鱼叉式网络钓鱼攻击的其他提示包括:
一个健壮的 phishing awareness training program goes beyond classroom training. The best training programs also deploy recurring simulated phishing “tests,,即向公司员工发送令人信服(但无害)的鱼叉式网络钓鱼邮件. If an employee falls for the phishing attempt, 他们将能够第一手了解这些活动的有效性以及未来需要寻找的内容,同时在受控环境中保持组织数据的安全.
In the fight against spear phishing, employees are the front line, 这就是为什么每个组织都可以从网络钓鱼意识培训项目中受益的原因 网络钓鱼保护 让他们的员工保持敏锐,时刻警惕这种不断演变的攻击.