CyberEye

Phishing expedition

Spear-phishing scourge: It's up to you, the user

Web browsers are getting better at detecting and blocking URLs associated with phishing sites, according to a recent test of leading browsers by NSS Labs, but defending against social engineering will require educated users, not just better software, says one researcher.

“Technology has not been able to deal significantly with social engineering on a number of fronts,” said NSS research director Randy Abrams.

One of those fronts is spear phishing, and that is bad news for government, which has thousands of users and operates with more transparency than many other organizations. “That makes spear-phishing them significantly easier,” Abrams said. “Government is going to have to spend more on education.”

Before going on, some definitions: “Phishing” tries to get a victim to disclose sensitive personal or account information, including access credentials. This can be done in a variety of ways, including e-mails and phony websites, and often is done on a large, broadcast scale.

“Spear phishing” targets specific individuals, groups or organizations, usually using information about the victim that the attacker has gathered through open-source research or intelligence operations. Because there is only a small number of intended victims, spear phishing is more difficult to detect.

A new report from TrendMicro found that 91 percent of targeted attacks from February to September 2012 employed spear-phishing, and that 65 percent of attacks were aimed at government, by far the most targeted sector.

NSS Labs’ most recent examination of browsers looked at how well four popular ones blocked known phishing URLs. Block rates were 90 percent for Firefox 15, 91 percent for Safari 5 and 92 percent for Internet Explorer 10. The best performer was Chrome 21 at 94 percent.

These sites are more difficult to shut down because they have become more nimble. The number of phishing URLs is growing, from 40,000 per month in 2011 to 50,000 per month in 2012, and at the same time their lifespan is shortening, to an average uptime of just 23 hours in 2012. This timing is important because it takes a while for browsers to “learn” that a site is malicious. More sites and shorter lifespans mean more zero-hour attacks, and the zero-hour block rates for the browsers tested against brand-new malicious URLs ranged from just 53.2 percent for Chrome to 79.2 percent for Safari. This means a growing window of opportunity for attackers.

The good news is that phishing, like almost all social engineering attacks, requires the victim’s cooperation. If the victim doesn’t fall for the fake e-mail or visit the malicious site, he’s safe. Unfortunately, many people who have been brought up using technology are too trusting and have not been taught to be critical, Abrams said.

“We haven’t made social engineering education part of our societal education,” he said. “Fundamentally we are probably two generations away from getting a grip on social engineering if we start now. And government doesn’t have two generations to wait.”

Posted by William Jackson on Nov 30, 2012 at 9:39 AM
