The successful use of phishing emails to breach secure organizations like Oak Ridge National Laboratory and EMC's RSA security division is a stark reminder of the serious threat posed by a type of attack that was previously dismissed as low-tech.
The Oak Ridge lab last month disclosed that sophisticated data-stealing malware had infiltrated its networks. The breach originated in a phishing email sent to about 570 employees. The email was disguised to look like a memo about benefits changes written by the lab's HR department. When a handful of employees clicked on the embedded link in the email, malware was downloaded to their computers.
Such emails now appear to be the preferred method for breaking into corporate networks, said Anup Ghosh, founder of security firm Invincea.
"You only need a very low click-through rate to establish several points of presence inside an organization," Ghosh said. "If you have 1,000 employees in your organization and you train them all on not opening untrusted attachments, you'll still have someone doing it. This is not a problem you can train yourself out of."
Exacerbating the problem is the growing sophistication of phishing campaigns.
Organized cybercrime groups are using convincingly crafted emails to target high-level executives and employees within the organizations they want to attack. In many cases, the phishing emails are personalized, localized and designed to appear as though they originated from a trusted source.
Increasingly, information from social networking sites such as LinkedIn and Facebook is being used to make the targeted phishing attacks harder to detect, said John Pescatore, an analyst at Gartner. "With all the personal information and friends lists people expose on those sites," he added, "it is not that hard to craft a very personal-sounding email."
This version of this story was originally published in Computerworld's print edition. It was adapted from an article that appeared earlier on Computerworld.com.