New class of industrial-scale super-phishing emails threatens biz

Security watchers are warning of a surge of highly convincing spear-phishing emails sent in bulk. More than one in 10 recipients of these so-called longlining* messages click on links to compromised websites because the phishing emails look utterly plausible, according to cloud-based security services firm Proofpoint. The …

COMMENTS

This topic is closed for new posts.
  1. Marcel
    Linux

    Spearfishing?

    Doesn't spearfishing imply it's a very targeted attack with personalised emails? Sending so many messages to so many companies sounds more like regular phishing.

    Since we will never solve the problem of users being misled and tricked to click a link, when will there be software that doesn't cause your computer to be p0wned only by clicking on a link?

    1. Ole Juul

      Re: Spearfishing?

      Something is fishy all right. They didn't even mention what kind of software one would have to run in order to make this happen.

      1. Anonymous Coward

        Re: Spearfishing?

        They didn't even mention what kind of software one would have to run in order to make this happen

        Adobe or java - bringing platform equality to a virus near you..

      2. Anonymous Coward 15

        Re: Spearfishing?

        @Ole- I'm sure Eadon will be along shortly to tell us.

    2. Roo
      Meh

      Re: Spearfishing?

      Possible sometime after we've worked out how to make computers self-aware. ie: Not anytime soon. In the meantime I think there is scope for improving the "are you sure" dialogue boxes. :)

      1. jubtastic1
        Terminator

        Re: Self aware

        The humans that click the links are arguably self aware, I think we can assume that by the time the average laptop has the combined IQ of six thousand PE teachers it will be just as easily fooled by the Hawking model the spammers are using to craft the spam.

    3. Anonymous Coward

      Re: Spearfishing?

      "when will there be software that doesn't cause your computer to be p0wned only by clicking on a link?"

      When the major browser vendors grow some fucking balls and disable software by default that is well known to be insecure. Want to use Java or Flash? Pop up an explicit warning that the software is dangerous to enable and that it should only be enabled on trusted sites.

    4. Fatman
      Linux

      Re: ...software that doesn't cause your computer to be p0wned only by clicking on a link?

      Yes, there is, and it is called Linux.

  2. Destroy All Monsters Silver badge
    Headmaster

    A question of style: scare quotes

    Dear El Reg,

    I do think the "longline" adjective should be within quotes as it is a term used by Proofpoint (but it's not), whereas "drive-by downloads" and "rootkits" should not be within quotes (but they are) as these are standard, accepted terms.

    Yours faithfully etc..

    1. Elmer Phud

      Re: A question of style: scare quotes

      It would help people to understand also that 'trolling' doesn't actually refer to sub-bridge dwellers but another fishing reference.

      That of dragging shiny lures through the water, they sparkle and flash and grab the attention of the unwary.

  3. Anonymous Coward

    Spear or longline?

    When you go spear fishing you use a spear, similarly a long line is used for long line fishing.

    Your phish therefore, has to be one or the other.

  4. taxman
    Big Brother

    DMARC

    That's all.

    Why do so many companies use email systems where SPF is not used? That should help prevent these getting through to the PICNICs.

  5. Jess

    HTML email only?

    Presumably the nature of these emails is obvious to anyone using a plain text email client (or one configured that way.)

    1. Elmer Phud

      Re: HTML email only?

      When many have defaults running on most mail clients or just use webmail, they only want to see pretty pictures and not all the giveaway clues you see on 'text only, no preview'.

    2. Tom 13

      Re: HTML email only?

      Given the parameters, while I'd expect fewer clients who use plain text mail readers to be taken in, that's because I expect the people who use plain text mail readers are more technically aware than readers who use the default from the installer, which is typically HTML.

      The key bits here are that the messages are well written, highly variable, and are using initially clean websites for the phishing. So the filter oriented techniques which are the standard technical defenses don't work. If the rest of the message gets past your social defenses and you copy the link to a browser, you are just as likely to get infected. It's not the HTML message itself that provides the compromise, it's the website when you follow the link.

    3. koolholio

      Re: HTML email only?

      MIME type is included in most decent spam filters

  6. Anonymous Coward

    Hmm

    That might explain the plethora of "convincing looking" emails that I received over the weekend.

    As per usual, they were all responded to from a library computer, all links were followed and all user credentials and passwords were made up on the spot.

    If all IT chaps did this then a couple of things could happen.

    1. The library computers could be infected with Malware - not nice, but not my own PC

    2. The perpetrator might waste some time with false positives.

    3. If 2 happened then maybe cyber-plod could at least arrest someone

    1. AndyS

      Re: Hmm

      4. Libraries would stop letting members of the public use their computers.

    2. Chemist

      Re: Hmm

      "they were all responded to from a library computer,"

      If you really wanted to have 'fun' with this why not use a LiveCD distro ?

      1. Anonymous Coward

        Re: Hmm

        Possibly because anyone booting their own OS in a library is liable to be chucked out PDQ by any member of staff at least half on the ball.

        How do the staff know what you're booting? The most common Linux live CD that I boot is for data erasure, I wouldn't want someone screwing with my installed OS. I'd certainly kick someone out for booting something I haven't specifically checked out on my systems, were I in charge and very much doubt that I'd have the time to check out random punter's personal OSes. That said, I would probably download a Linux CD myself from the distributor's web site and allow someone to use that.

        1. Chemist

          Re: Hmm

          "Possibly because anyone booting their own OS in a library"

          I wasn't suggesting anyone should boot another OS on a library computer - I'd assume they'd have disallowed that in any case. The OP seemed to suggest that he used a library computer to specifically deal with this sort of e-mail, not for all their computing.

  7. Tom 35

    super-phishing emails threatens biz

    according to cloud-based security services firm Proofpoint.

    Now you just have to buy our service...

    Thanks for the ad Reg.

    1. Marcel
      Thumb Down

      Re: super-phishing emails threatens biz

      All the scary security news of the last few years comes from marketing departments of security firms. Firms like Symantec and McAfee pump out these things on a daily basis. I think news sites should start to filter this kind of "news".

  8. This post has been deleted by its author

  9. koolholio
    Holmes

    It's all rather old news repeated really

    Since the days of SMTP authentication implementation, I think these sorts of 'tales' have existed, they just seem to be multiplying :-(

    Proofpoint and Sophos should mention something that people shouldn't already know... shouldn't, because don't doesn't quite apply for most users.

    Reverse DNS lookups mixed with SPF and DKIM and a relatively strict spam score would also aid in authentication.
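
Added example, not part of any commenter's post: the SPF, DKIM and DMARC checks raised in the comments above only protect the visible From: address when the authenticated domain is aligned with it, which this sketch evaluates from the Authentication-Results header stamped by the receiving MTA. The authserv-id `mx.example.org`, the two-label organizational-domain shortcut and all sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_AUTHSERV = "mx.example.org"  # assumption: our own receiving MTA's authserv-id

def org_domain(domain):
    # Assumption: last two labels approximate the organizational domain;
    # a real DMARC evaluator consults the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def auth_verdict(raw_message, trusted=TRUSTED_AUTHSERV):
    """Relaxed DMARC-style alignment check from trusted Authentication-Results."""
    msg = message_from_string(raw_message)
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    # Only believe results stamped by our own MTA; upstream copies can be forged.
    stamped = [re.sub(r"\s+", " ", h) for h in msg.get_all("Authentication-Results", [])
               if (h.split(";", 1)[0].split() or [""])[0].lower() == trusted]
    results = " ; ".join(stamped)
    spf = re.search(r"\bspf=(\w+)[^;]*?smtp\.mailfrom=(?:[^\s;@]*@)?([\w.-]+)", results)
    dkim = re.findall(r"\bdkim=(\w+)[^;]*?header\.d=([\w.-]+)", results)
    want = org_domain(from_dom)
    spf_ok = bool(spf) and spf.group(1) == "pass" and org_domain(spf.group(2)) == want
    dkim_ok = any(r == "pass" and org_domain(d) == want for r, d in dkim)
    return {"from": from_dom, "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "accept": spf_ok or dkim_ok}

def sample(authres):  # constructed test message, not real traffic
    return ("From: Bank Alerts <alerts@bank.example>\n"
            f"Authentication-Results: {authres}\n\nbody\n")

ALIGNED = sample("mx.example.org; spf=pass smtp.mailfrom=bounce@mail.bank.example; dkim=pass header.d=bank.example")
UNALIGNED = sample("mx.example.org; spf=pass smtp.mailfrom=bounce@bulk.sender.test; dkim=pass header.d=sender.test")
RESTAMPED = sample("mx.elsewhere.test; spf=pass smtp.mailfrom=bank.example; dkim=pass header.d=bank.example")

if __name__ == "__main__":
    for name, raw in [("aligned", ALIGNED), ("unaligned", UNALIGNED), ("restamped", RESTAMPED)]:
        print(name, auth_verdict(raw))
```

The second sample passes both SPF and DKIM for the sending domain yet is rejected, because neither authenticated domain matches the From: domain the reader sees.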

  10. Lost In Clouds of Data
    Devil

    Guess I'm not important enough

    All the spam emails I get are written in such awful English that it stands out like a sore thumb. "Please respectfully download ours new security softwares to protect yours account" is hardly something I'd expect from the FDIC.

    Or am I giving the FDIC too much credence here? :D

    1. Destroy All Monsters Silver badge
      Big Brother

      Re: Guess I'm not important enough

      Those guys that secretly close banks on Friday 16:00?

      Yes.

  11. Anonymous C0ward

    Makes it worse...

    when legit companies use bit.ly etc to link to their own site.

  12. LaeMing
    FAIL

    I got a phish email on Friday.

    On my work account.

    And on my work account alias.

    And on work's all_staff address.

    Love that targeting.

  13. Anonymous Coward
    Windows

    Industrial-scale super-phishing emails?

    "New class of industrial-scale super-phishing emails threatens biz"

    Is this the same as the old-fashioned stuff, as in your 'computer' can be compromised by opening an email attachment or clicking on a URL?

    Who is going to save us from all this adobe browser apple android java linux open source pdf malware?

  14. Shannon Jacobs
    Holmes

    Live and let spam = DEATH TO EMAIL

    See how well filtering has worked? The spammers have made so much money that they can now refine their targeting in search of bigger phish. So far they had just been playing in the shallow end of the pool, but you've probably seen some of the excellent pitches at Facebook and LinkedIn users. Lord save us from the spam-lovers at Yahoo, and several recent rounds of spam have been bypassing the supposedly wonderful spam filtering from the google of increasing EVIL.

    Why doesn't ANYONE offer an email system that the spammers hate and fear?

    Wasting my breath and keystrokes, but I'll repeat the OBVIOUS suggestion: Some email system should have integrated INDUSTRIAL-STRENGTH anti-spammer tools. EVERY part of the spammers' infrastructure should be targeted and ALL of the spammers' accomplices should be pushed to bankruptcy. ALL of the suckers who feed the spammers should be protected from the idiocy. Heck, let's even protect the corporate victims whose reputations are abused by the spammers.

    Imagine a multi-round spam-fighting tool that would analyze the spam with increasingly refined targeting. Would you be willing to spend a few minutes and donate a bit of your intelligence to help shut down the spammers and prevent them from profiting? Of course you don't have to, but if it was easy enough for more people to do it, we can surely cut the spammers away from their extremely limited supply of suckers.

    However, I think that some of the spam would get your goat and you would want to help stop it. Do you have children? Would you like to hammer on a spammer who targets children? What if you are actually a high-level executive who might be a legitimate target of spear phishing? Would you like tools to help you recognize the scam and shut it down? Maybe you work for a company that gets abused by spammers and you'd like to take a few shots at them?

    A horse? No. I would give my kingdom for a BIG anti-spam hammer. (Okay, so I don't have a kingdom, but it's not like I'm Shakespeare.)

