Spear phishing attacks

Learn what spear phishing attacks are, who they target, and how they differ from other phishing attacks.


Spear phishing definition

Spear phishing is a common type of cyberattack in which the attacker concentrates on crafting detailed, targeted emails for a specific recipient or group. This requires the attacker to research the target to find details that give the message a thin veneer of plausibility, all in the hope of fooling and ensnaring a valuable target into clicking or downloading a malicious payload, or into taking an unwanted action such as a wire transfer.

Spear phishing vs. phishing vs. whaling

Spear phishing attacks may target only one organization at a time, or even a specific team within an organization. As spear phishing attacks become more refined, they are often laser-focused on the biggest targets, such as C-level executives or senior managers; this kind of hyper-specific phishing attack is colloquially called a whaling attack.

Standard phishing attacks, on the other hand, aim to reach as many targets as possible on the assumption that some users will fall for the ruse. These attacks are far more prevalent because they demand much less effort and output from the attacker to compromise a target than phishing a senior executive or a specific organization does.

When criminals send phishing emails, they cast the net as wide as possible in the hope of catching a fish. To do so, they send spam-like emails that try to convince unwitting users to click a malicious link or attachment, usually while pretending to come from a legitimate source, all to obtain sensitive information or valuable credentials.

Phishing attacks have been pervasive for so long simply because they are cheap to deploy, yet still effective and profitable. But as email security becomes more sophisticated, common phishing tactics are increasingly easy to spot, and even those phishing emails that do reach their intended destination are no longer effective enough to fool wary users.

As a result, attackers are employing new tactics to make their phishing emails more believable. The original phishing method of casting a wide net is ceding ground to methods that use real details to convince potential victims of the message's legitimacy. Spear phishing is simply the term for this style of attack.

Who does spear phishing target, and how does it work?

Businesses are especially vulnerable to spear phishing attacks, as so much of their company data is usually freely available online for attackers to mine without raising any red flags. Official corporate websites can be a gold mine of organization-specific technical details and jargon, key personnel, customers, events, and even the names of internal software tools. Social networks such as Facebook, Twitter, and LinkedIn often reveal not only where someone works, or where they worked in the past, but, with just a cursory search, the corporate hierarchy itself.

In a spear phishing email, these small details, freely available online, let an attacker sprinkle the message with names, places, or terms that lend enough validity to convince an otherwise savvy recipient to click a malicious link. That link may send them to a website ready to capture sensitive internal-only credentials, allowing the attacker to roam freely on the corporate network and steal intellectual property or customer data.

For example, by learning the structure of an organization's internal email addresses, the names of its account managers (conveniently self-identified on LinkedIn), the names of key customers (on the company blog), and who heads sales (on the corporate website), an attacker could craft a convincing email to the entire account management team, purportedly from the head of sales, about an urgent matter concerning one of their biggest customers.

The email could say that the recipients need to review a memo on the corporate intranet at a specific link: a link that looks very much like their intranet portal but is actually a malicious decoy set up to capture usernames and passwords. Finance teams are often targeted during tax preparation season with spear phishing attacks that pretend to come from the company's CEO or CFO and urgently need W2 paperwork reviewed.
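The scenario above exposes a few indicators a mail filter can check for: a known colleague's mailbox name on an external or look-alike domain, a link whose visible text names the intranet host while the real target is elsewhere, and urgency language. The following is an added example (not code from the original page); the organization name, staff list and the sample message are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed organization details (hypothetical, not from the article).
INTERNAL_DOMAIN = "example-corp.com"
INTERNAL_STAFF = {"dana.reyes"}              # local parts of known staff mailboxes
HOMOGLYPHS = str.maketrans("10", "lo")       # digits commonly swapped for letters
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URGENT_RE = re.compile(r"\b(urgent|immediately|today)\b", re.I)

# Constructed sample mirroring the article's scenario: an "urgent memo" to the
# account management team, purportedly from the head of sales, linking to a
# decoy portal whose visible text looks like the real intranet host.
SAMPLE_EMAIL = """\
From: "Dana Reyes" <dana.reyes@examp1e-corp.com>
To: account-management@example-corp.com
Subject: URGENT: memo on our largest account
Content-Type: text/html

<p>Team, please review the memo before the client call.</p>
<a href="http://intranet.example-corp.com.portal-login.net/memo">https://intranet.example-corp.com/memo</a>
"""


def registrable(host):
    """Crude registrable-domain approximation: the last two labels of the host."""
    labels = (host or "").lower().split(".")
    return ".".join(labels[-2:])


def analyse(raw):
    """Return the list of indicator codes found in one RFC 822 message string."""
    msg = message_from_string(raw)
    findings = []
    _name, addr = parseaddr(msg.get("From", ""))
    local, _, domain = addr.lower().rpartition("@")
    if domain != INTERNAL_DOMAIN:
        if local in INTERNAL_STAFF:          # known colleague, but external domain
            findings.append("sender-impersonation")
        if domain.translate(HOMOGLYPHS) == INTERNAL_DOMAIN:
            findings.append("lookalike-domain")
    for href, text in LINK_RE.findall(msg.get_payload()):
        shown = urlparse(text.strip()).hostname
        if shown and registrable(shown) != registrable(urlparse(href).hostname):
            findings.append("link-mismatch")  # displayed host differs from real target
    if URGENT_RE.search(msg.get("Subject", "")):
        findings.append("urgency")
    return findings
```

Running analyse(SAMPLE_EMAIL) flags all four indicators; a genuine internal memo with a matching link and a plain subject yields an empty list.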

How to prevent spear phishing attacks

All of the common wisdom for fighting phishing also applies to spear phishing and is a good baseline for defending against these attacks. Never clicking links in emails is an ironclad rule that prevents much of the damage phishing-type attacks can cause. That said, since spear phishing is a more sophisticated version of a plain old phishing attack, organizations need to ensure their policies reference these more advanced tactics and implement stronger solutions to educate employees to defend accordingly.

Additional tips to help organizations prevent spear phishing attacks include:

  • Remind employees to always be wary of emails with unsolicited attachments and links, and send reminders about spear phishing dangers especially around sensitive events (e.g. after major announcements) or at certain times of year (e.g. tax season).
  • Deploy threat intelligence solutions that use open-source and commercial threat intelligence feeds to track and block actively in-use phishing and spear phishing campaign links in real time.
  • Implement phishing awareness training programs to keep good security practices against spear phishing top of mind for employees all year round.
  • Enable your employees to report suspected phishing messages so that your team can stop spear phishing campaigns currently underway against your organization.

A robust phishing awareness training program goes beyond classroom training. The best programs also regularly deploy simulated phishing "tests," in which convincing (yet harmless) spear phishing emails are sent to your organization's employees. If an employee falls for the phishing lure, they learn first-hand just how effective these campaigns can be and what to look for in the future, all while keeping organizational data safe in a controlled environment.

In the fight against spear phishing, employees are the first line of defense, which is why every organization can benefit from phishing awareness training programs focused on phishing protection to keep their employees sharp and on the lookout for this ever-evolving attack.