Online scammers go spear-phishin'

By Timothy L. O'Brien
The New York Times

Published: December 4, 2005, 4:45 PM PST

TalkBack E-mail Print TrackBack

About a year and a half ago, Amnon Jackont, an Israeli mystery novelist and Tel Aviv University history professor, became ensnared in a mystery of his very own: friends and students were receiving e-mail messages from him that he had never written.

A few months later, unpublished paragraphs and chapters from a book he was writing were plucked from his computer and began appearing on Israeli Web sites.

Jackont took his computer to the Israeli police last fall and was told to reformat it. But his problems persisted. So the police examined his computer more closely and discovered that a malicious program known as a Trojan horse lay hidden deep inside and had hijacked the machine from a remote location.

	For the latest breaking news, visit NYTimes.com Sign up to receive top headlines Get Dealbook, a daily corporate finance email briefing Search the jobs listings at NYTimes.com Search NYTimes.com: Today's News Past Week Past 30 Days Past 90 Days Past Year Since 1996

"When they followed the link they found a lot of goodies, but they wouldn't tell me anything," Jackont said. "All they told me was that they found something big, something that was bigger than just me being harassed."

In May, Israeli investigators opened their bag of goodies, disclosing that the Trojan horse on Jackont's computer had also galloped onto the networks of about 60 other Israeli companies, unleashing the biggest corporate espionage scandal in Israeli history. Prosecutors indicted members of three of the country's largest private investigation firms on criminal fraud charges in July. And some of Israel's most prestigious corporations are now under investigation for possibly stealing information from companies in such assorted fields as military contracting, telephony, cable television, finance, automobile and cigarette importing, journalism and high technology.

While the Israeli victims were diverse, they shared one thing in common: the Trojan horses that penetrated their computers came packaged inside a compact disc or an e-mail message that appeared to be from an institution or a person that the victims thought they knew very well. Once the program was installed, it whirred along surreptitiously, logging keystrokes or collecting sensitive documents and passwords before transmitting the information elsewhere.

"It's like the Yom Kippur War or Pearl Harbor in the Israeli business market because of the great surprise the victims had when the problem was exposed," said Haim Wismonsky, a senior prosecutor in the Tel Aviv district attorney's office who is overseeing the investigation. "It's OK to get information about competitors from the Internet or from former employees, but using Trojan horses is an entirely other matter."

People in many other countries, including the United States, have reason to feel queasy as well, say Internet security specialists and government agencies that monitor cyberfraud. Over the last few years, enticing offers wearing the friendly guise of e-mail solicitations have been at the center of well-publicized frauds known as "phishing," in which con artists troll online for valuable personal and financial information. In September, the Anti-Phishing Working Group, a coalition of corporate and law enforcement groups that track identity theft and other online crimes, said it had received more than 13,000 unique reports of phishing schemes in that month alone, up from nearly 7,000 in the month of October last year.

A new threat emerges
More recently, however, a hybrid form of phishing, dubbed "spear-phishing," has emerged and raised alarms among the digital world's watchdogs. Spear-phishing is a distilled and potentially more potent version of phishing. That's because those behind the schemes bait their hooks for specific victims instead of casting a broad, ill-defined net across cyberspace hoping to catch throngs of unknown victims.

Spear-phishing, say security specialists, is much harder to detect than phishing. Bogus e-mail messages and Web sites not only look like near perfect replicas of communiqués from e-commerce companies like eBay or its PayPal service, banks or even a victim's employer, but are also targeted at people known to have an established relationship with the sender being mimicked.

TalkBack E-mail Print TrackBack

Read more on this story's topics and companies

• Add to My News | Create an alert Security threats
• Add to My News | Create an alert Spam and phishing
• Add to My News | Create an alert Security
• Add to My News | Create an alert International governments

TalkBack

Did you know?

Select a tab below to set your default view.