Most people know to ignore the e-mail overture from a Nigerian prince offering riches in exchange for a bank account number. That is a scam, plain to the eye.
But what if the e-mail appears to come from a colleague down the hall? And all he asks is that you add some personal information to a company database?
This is spear phishing, a rapidly proliferating form of fraud that comes with a familiar face: messages that seem to be from co-workers, friends or family members, customized to trick you into letting your guard down online. And it has turned into a major problem, according to technology companies and computer security experts.
On Wednesday, Google disclosed that it had discovered and disrupted an effort to use such pinpoint tactics to steal hundreds of Gmail passwords and monitor the accounts of prominent people, including senior government officials. Secretary of State Hillary Rodham Clinton said Thursday that the F.B.I. would investigate Google's assertion that the campaign originated in China.
Such tactics were also used in an attack on the company RSA Security; security experts say that breach may have given hackers the tools to carry out a serious intrusion last month at Lockheed Martin, the world's largest military contractor.
The security specialists say these efforts are a far cry from more standard phishing attempts, which involve spraying the Internet with millions of e-mails that appear to be from, say, Citibank in the hope of snaring a few unfortunate Citibank customers. Spear phishing entails sending highly targeted pitches that can look authentic because they appear to come from a trusted source and contain plausible messages.
As such, the specialists say, the overtures are becoming very difficult for recipients to detect.
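The article's point is that a spear-phishing message borrows a trusted identity rather than a bank's logo, so the only signals left are in the headers: a colleague's display name on an address that is not the colleague's, a sender domain one character off the real one, or a Reply-To that quietly redirects the reply elsewhere. The following is an added example, not code from the article or from any of the companies it mentions; the domain `example.com`, the two-entry employee directory, the three sample messages and the edit-distance threshold are all constructed here for illustration.

```python
"""Flag messages whose sender impersonates a known colleague.

Three header-level indicators of the impersonation described in the
article: a trusted display name on a foreign address, a lookalike sender
domain, and a Reply-To pointing away from the apparent sender.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed for this example: the organisation's domain and a tiny
# directory of employees (lower-cased display name -> canonical address).
INTERNAL_DOMAIN = "example.com"
DIRECTORY = {
    "alice hart": "alice.hart@example.com",
    "bob lin": "bob.lin@example.com",
}


def _norm_name(name):
    """Collapse whitespace and case so 'Alice  Hart' matches 'alice hart'."""
    return re.sub(r"\s+", " ", name).strip().lower()


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a, b):
    """Plain Levenshtein distance; enough to catch examp1e.com or exarnple.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyse(raw_message):
    """Return the impersonation indicators found in one RFC 5322 message."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)
    findings = []

    # A colleague's name attached to an address that is not that colleague's.
    known = DIRECTORY.get(_norm_name(name))
    if known and addr.lower() != known:
        findings.append("display_name_impersonation")

    # Sender domain is not ours but is within two edits of it (threshold assumed).
    if (from_domain and from_domain != INTERNAL_DOMAIN
            and _edit_distance(from_domain, INTERNAL_DOMAIN) <= 2):
        findings.append("lookalike_domain")

    # Replies would go to a different domain than the one the mail claims to be from.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != from_domain:
        findings.append("reply_to_mismatch")

    return findings


# Constructed sample messages: one genuine, two spear-phishing lures.
SAMPLES = {
    "legit": (
        "From: Alice Hart <alice.hart@example.com>\n"
        "Subject: Lunch?\n\nSee you at noon.\n"
    ),
    "freemail": (
        "From: Alice Hart <alice.hart@gmail.com>\n"
        "Reply-To: a.hart.hr@mail-relay.net\n"
        "Subject: Update the staff database\n\nPlease add your details here.\n"
    ),
    "lookalike": (
        "From: Bob Lin <bob.lin@examp1e.com>\n"
        "Subject: Quick favour\n\nCan you send me the file?\n"
    ),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:10s} {analyse(raw) or 'no indicators'}")
```

These are heuristics, not proof: a directory with duplicate names will produce false positives, and a compromised internal mailbox (as in the RSA case the article cites) passes all three checks, so they belong alongside SPF/DKIM/DMARC results and user reporting rather than in place of them.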
"It's a really nasty tactic because it's so personalized," said Bruce Schneier, the chief security technology officer of the British company BT Group. "It's an e-mail from your mother saying she needs your Social Security number for the will she's doing."
Mr. Schneier said the attacks are more like a traditional con game than a technically sophisticated intrusion. "This is hacking the person," he said. "It's not hacking the computer."
Continued: http://www.nytimes.com/2011/06/03/technology/03hack.html