36 Chambers – The Legendary Journeys: Execution to the max!

December 18, 2012

Mass Mailing Is Not Dead

Filed under: (In)Security — Kevin Feasel @ 6:00 pm

Help Net Security has an article arguing that spearphishing will replace regular phishing attacks very soon.  I strongly disagree, for the simple reason that these are two completely different mechanisms meant to achieve two completely separate goals.

The general idea of a phishing attack is to snare some number of people somewhere.  This is akin to fishing with a large net:  you don’t care so much about what you catch, but rather that you catch something.  Phishing attacks are meant to get some non-zero percentage of people to respond, typically as a means of taking over computers or probing for goodies (bank accounts, credit cards, etc.).  If you fail 99% of the time, you’re still fine, because you make up for failure through quantity.

Spearphishing, on the other hand, is much more targeted.  In this scenario, you know your targets and do extensive research on them.  The goal here is to attack a particular person or firm.  If you fail to achieve your goal here 99% of the time, you aren’t so fine:  this is much closer to a binary success-failure rather than the broad-based “make up for it in quantity” approach.

For this reason, I do not see spearphishing replacing regular phishing attacks.  Instead, I see them as complementary tactics that attackers will use depending upon their goals.

The Silver is the New Black Theme. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 92 other followers