June 02, 2011, 5:15 PM — The most frequent comment I see on stories reporting some new, dramatically successful phishing attack comes from an overconfident, only nearly well-informed technophile who thinks people who fall for phishing schemes are just stupid.
Despite a success rate so high it's become standard operating procedure for Chinese military and government cyber-espionage groups, people who respond to phishing emails are treated like they're one walker-assisted step above the elderly shut-ins who send money to help Nigerian princes and ministers of finance mysteriously down on their luck.
If only the stupid fell for phishing scams, the successful attacks against companies with sophisticated security – Google, Lockheed Martin, HBGary, PayPal, various U.S. military and intelligence agencies – would have been shut down quickly. Others with security at least as good – CitiBank, Bank of America, AOL, Western Union – wouldn't have to send out alerts every 10 minutes warning people that they weren't sending out alerts, so don't mail in your usernames and passwords.
Phishing works, for the same reason grifting works – given a set of facts that seem to fit all their expectations and experience, and the opportunity to either help out a co-worker or profit from something that's very little trouble for them, most people will take the risk.
Phishing emails are addressed to far too broad an audience to really fool anyone into thinking an email is from a friend or coworker.
Spear-phishing is different. Spear-phishers use the same kind of research, target identification and individually designed approach that spymasters use when trying to identify, approach and recruit foreign nationals into betraying the interests of their country.
The goal isn't to find a weakness and exploit it – through blackmail, bribery or what have you. It's to find some specific person and present them with an email that has all the information they need to support their assumption that it's a perfectly legitimate request from someone they know.
Spear-phishers "first look for who could be the high-value targets of an enterprise – Human Resources personnel who might have access to passwords or personal data, a system administrator who is listed on LinkedIn with a detailed resume describing what he does for the company," according to Manoj Srivastava, chief technical officer at security-software company Cyveillance.