I am sure everyone has seen all of the year-end summaries declaring 2004 the year of the worm and whatnot. It was quite a ride at the beginning of the year, with the Bagle / Netsky / Mydoom wars releasing multiple variants per day (and users dumb enough, over and over again, to open attachments called "details.txt" even on the 30th variant of the same damn worm).

But did anyone see MessageLabs' stats for phishing? I used a chart from their 2004 summary report in an article I wrote for last week's Processor Magazine. They showed a tenfold increase in phishing messages from June to July, and the volume stayed at that level and kept climbing through the rest of the year.

At its root, phishing is just spam. If you block or filter the spam effectively, the phishing bait never reaches the end user. Once the bait gets to the user's inbox, though, phishing is 98% social engineering. There is not much, if anything, you can do from a technology perspective for users who will not learn to stop clicking links or opening attachments in unexpected messages. There are exceptions: malware that rewrites the HOSTS file so that a bank's hostname resolves to the attacker's server, which a spam filter never sees, and the fact that you can use technology to block access to known phishing web sites. But that is the 2%, and blocklisting each phishing site is about as effective as blocklisting each spam sender, because the attacker moves faster than the list does.

That brings me to "spear phishing". I already think 2005 might be the year of the phishing scam, but now, instead of casting a large net across the entire Internet and seeing what kind of phish bite, more sophisticated attackers are learning to aim phishing techniques at a single organization to gain access to its network.

By sending an email designed to look as if it comes from tech support, management, the human resources department or some other trusted part of a given company, an attacker can get that company's employees to volunteer information they should know better than to send via email. For instance, rather than sending an email to the whole world claiming to be PayPal and asking for usernames and passwords to "validate" the account database, an attacker can spear phish a single company by sending an email *only* to that company's employees, spoofed to appear as if it is from someone important or from someone in support, asking them to reply with their username and password to validate user accounts or something along those lines. The From: header costs the attacker nothing to forge, but the message still has to be handed to the company's mail server from somewhere, and that somewhere is usually not one of the company's own mail hosts.
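One technical check that does catch this particular trick, as an added example that is not part of the original post: compare the domain in From: against the host that actually delivered the message to your own mail server. The company domain (example.com), the name of its inbound MTA (mx.example.com), the set of hosts allowed to submit internal mail, and the two messages below are all constructed for this example. The one security-relevant detail is that only the topmost Received: header, the one your own MTA prepended, can be trusted; every Received: line below it arrived inside the message and may have been written by the attacker.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumptions for this example (not from the original post): the defended
# company's domain, the name its own inbound MTA writes into Received:,
# and the hosts that legitimately hand internal mail to that MTA.
INTERNAL_DOMAIN = "example.com"
OUR_MTA = "mx.example.com"
TRUSTED_SENDING_HOSTS = {"mail.example.com", "hr-app.example.com"}

# "from <host> ... by <host>" as written by Postfix/Sendmail-style MTAs.
HOP_RE = re.compile(r"^from\s+(\S+).*?\bby\s+(\S+)", re.IGNORECASE)


def connecting_host(msg):
    """Return (from_host, by_host) from the topmost Received: header.

    Only received[0] was written by our own MTA; the attacker controls
    everything below it, so the lower headers are deliberately ignored.
    """
    received = msg.get_all("Received") or []
    if not received:
        return None, None
    # Collapse folded continuation lines before matching.
    flat = re.sub(r"\s+", " ", str(received[0])).strip()
    m = HOP_RE.match(flat)
    if not m:
        return None, None
    return (m.group(1).lower().rstrip(";"), m.group(2).lower().rstrip(";"))


def classify(raw_message):
    """Return 'suspect' for mail that claims an internal From: address but
    reached our MTA from a host we do not recognise, otherwise 'ok'."""
    msg = message_from_string(raw_message, policy=policy.default)
    _, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    if domain != INTERNAL_DOMAIN:
        return "ok"  # an external sender is the spam filter's problem, not spoofing
    from_host, by_host = connecting_host(msg)
    if by_host != OUR_MTA:
        return "suspect"  # top header was not written by our MTA: nothing to trust
    if from_host not in TRUSTED_SENDING_HOSTS:
        return "suspect"  # internal From: but delivered by an outside host
    return "ok"


# Constructed sample messages (not real traffic).
LEGIT = """Received: from hr-app.example.com (hr-app.example.com [10.0.0.25])
    by mx.example.com (Postfix) with ESMTP id 1A2B3C;
    Mon, 10 Jan 2005 09:12:01 -0500
From: HR Department <hr@example.com>
To: staff@example.com
Subject: Updated holiday calendar

The 2005 holiday calendar is on the intranet page.
"""

# The second Received: line here was forged by the sender to look internal;
# it sits below our MTA's own header and is ignored by connecting_host().
SPOOFED = """Received: from vps-203-0-113-5.example.net (unknown [203.0.113.5])
    by mx.example.com (Postfix) with ESMTP id 9Z8Y7X;
    Mon, 10 Jan 2005 09:15:44 -0500
Received: from mail.example.com (mail.example.com [10.0.0.10])
    by mail.example.com with ESMTP id 00000
From: IT Support <helpdesk@example.com>
To: staff@example.com
Subject: Account validation required

Reply with your username and password so we can validate your account.
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("spoofed", SPOOFED)):
        print(f"{label}: {classify(raw)}")
```

This only flags the crude case where the attacker connects straight to your MX; a message submitted through a compromised internal mailbox or a trusted relay passes the check, which is exactly why the post's point about user education still stands.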

A successful spear phishing expedition would eliminate a couple of the steps of hacking a network. You would not need to do as much reconnaissance and footprinting, because a valid username and password lets you log in as a legitimate user and work from inside the perimeter instead of probing it from outside.

Any thoughts on the phishing epidemic in general, or on the concept of spear phishing? The problem with trying to defend against phishing is that the attack is social, not technical. It seems that the only thing that has any chance of working in the long run is user education.