Phishers Are Improving Their Chances of Success with Targeted Attacks
by Paul A. Henry - Vice President of Secure Computing - Monday, 10 April 2006.
Phishers are using a lesson learned from virus and worm writers to improve their chances of success. Over time virus and worm authors discovered that is was not necessarily the malicious payload of their craft that was alerting the internet community that trouble was on the way. It was the “Internet noise” they created while looking for vulnerable hosts. This noise resulted from increased traffic to specific ports or in bandwidth-crippling floods of attempted connections to every single host within a large subnet or domain.

Hackers soon learned for example that if a worm took advantage of a Windows IIS IV web server vulnerability the hacker should simply attack only known Windows IIS IV machines. This dramatically reduced the noise and there by reduced the ability of the internal security community to understand quickly what was going on and develop the necessary countermeasures in a timely manner.

Those involved in Phishing attacks have realized that reducing the tell-tale “noise” from mounting a targeted attack is not rocket science, it is simply a logical evolution. Why risk spamming a mass audience and creating “noise” on the Internet when you can reduce your exposure by simply focusing on a select target group of addresses that have a high probability of success.

Who would be a better candidate for having an account at a bank than perhaps a bank employee?

I had an opportunity to meet with security experts from a number of financial organisations at a conference I was speaking at recently. They noted that in the past year that Phishers were actually getting better at writing the emails they used in their attacks. Previously, in many cases the poorly written spam emails from Phishers would quickly blanket an entire country, with a relatively small percentage of recipients having a probability of actually even having an account at the specific Bank. The language/grammar was often poor and clearly not written by a native speaker. The large address pool used and the speed at which the emails were being broadcast were easy triggers for filters that would bring immediate attention and alert the internal security community.

The quality of the emails in terms of spelling and grammar which was previously a dead giveaway has markedly improved, limiting a previous tell-tale sign of a Phishing email.

More importantly, it was noted that for the past 6 months Banks have seen more and more Phishing emails directed at their own employees. The Phishers appear to have recognized that by limiting the spam emails to employees of the Bank by reducing the size of the pool of address and by also slowing the rate at which the emails were sent, they could potentially reduce the chances that the Phishing emails would trigger alerts and therefore increase their chances of success. Thankfully the Banks I have spoken to have already taken a sound, layered approach to security and made the adjustments necessary to fend off this new targeted methodology from malicious Phishers.

Targeted Phishing is an evolution of the art and is easily pulled off:

Creating a list of prospective victims within an organization is easy. Freely downloadable tools like “Atomic Harvester” are available on the internet that allow anyone to scour the Internet in search of email addresses on web pages and in news group postings for any given domain (i.e. * in order to develop selection of high probability targets. Further, inadequately protected mail servers allow a phisher to easily harvest an organization’s entire email address directory by simply using a common command “Expand” that returns all of the individual email addresses used in common email group alias such as or


Harnessing artificial intelligence to build an army of virtual analysts

PatternEx, a startup that gathered a team of AI researcher from MIT CSAIL as well as security and distributed systems experts, is poised to shake up things in the user and entity behavior analytics market.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Thu, Feb 4th