"Then they go to Facebook, MySpace, Twitter – any social network or forum or other site that could give them information about that person that could be used against them. If they can find pictures the person or a friend of the person posted on Facebook, the email could look like it came from a friend named in the pictures and be labeled 'Pictures from the picnic,' with a malicious payload in the attachments or at the URL the picture links point to," Srivastava said.
"With enough research on someone with some amount of information about themselves online, an email can very convincingly look like it came from a friend. The idea is not to raise any suspicions," he said.
Often the research alone turns up enough information to open the firewall a crack: spoofing an employee's email convincingly enough that someone inside the firewall opens the message and launches a file or clicks a link that turns out to contain malware that lets the cracker in.
Anti-virus designed to catch malware arriving by email might not catch it being downloaded from a link clicked from inside, a fake application "update" or another vector, according to a March report from NSS Labs showing that even good antivirus systems fail when malware tries to come in through several different entry points.
Cyveillance, among other services that all depend on extensive, real-time examination and analysis of online scams, runs an anti-phishing and anti-spam service designed to identify potentially high-risk email by looking not at the falsified sender address but at the request inside the message.
"You have to look at the links and evaluate the level of risk based on whether it is asking that secure information inside the firewall be sent outside using links or sites that may not be secure," he said.
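The kind of check Srivastava describes, scoring a message by what it asks for and where its links actually lead rather than by its sender address, as an added illustration that is not Cyveillance's code; the internal domain, the phrase list and both sample messages are constructed for this example:

```python
import re
from urllib.parse import urlparse

# Assumed domains that count as "inside the firewall" (constructed for this example).
INTERNAL_DOMAINS = ("corp.example",)
# Constructed phrases that ask for secure information to be sent somewhere.
SENSITIVE_REQUESTS = ("password", "credentials", "login details", "ssn", "wire transfer")

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r'https?://[^\s<>"\']+', re.I)

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def is_internal(host):
    return any(host == d or host.endswith("." + d) for d in INTERNAL_DOMAINS)

def assess(body):
    """Return (score, reasons). Risk comes from the request in the message and its
    links; the From address is never consulted because it is trivially spoofed."""
    reasons = []
    if any(p in body.lower() for p in SENSITIVE_REQUESTS):
        reasons.append("asks for sensitive information")
    links = []
    for href, anchor_text in ANCHOR_RE.findall(body):
        links.append(href)
        shown = URL_RE.search(anchor_text)
        # Visible URL differs from the real target: the link is not what it claims to be
        if shown and host_of(shown.group(0)) != host_of(href):
            reasons.append(f"link text shows {host_of(shown.group(0))} but goes to {host_of(href)}")
    links += URL_RE.findall(ANCHOR_RE.sub("", body))  # bare URLs outside anchors
    for url in links:
        host = host_of(url)
        if not is_internal(host):
            reasons.append(f"external destination {host}")
        if urlparse(url).scheme.lower() != "https":
            reasons.append(f"unencrypted link to {host}")
    # Asking for secrets AND pointing outside or to an unsecured site is the high-risk case
    high = "asks for sensitive information" in reasons and len(reasons) > 1
    return (3 if high else min(len(reasons), 2)), reasons

# Constructed sample messages
BENIGN = 'Picnic photos are on <a href="https://photos.corp.example/picnic">the intranet</a>.'
PHISH = ('Your password expires today. Confirm your login details at '
         '<a href="http://corp-example.login-check.test/reset">https://corp.example/reset</a>')
```

Running `assess(PHISH)` yields the maximum score with four reasons, while `assess(BENIGN)` yields none.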
Successful spear-phishing is not just Google searching and manipulative email-writing, either.
When members of Anonymous hacked HB Gary, the highly regarded security company whose CEO had bragged he was going to bring down the leaders of the hacktivist group, they started with a SQL injection attack on HB Gary's web site and the low-security content-management system used to run it.
The SQL injection let the Anonymi download the user database from the CMS, including email addresses and hashed passwords for employees.
If all of HB Gary's employees had used long or difficult passwords, the Anonymi would have been stuck for weeks trying to crack the password hashes using rainbow tables.