Phishing and Spear Phishing

In case you have no idea what phishing is, Wikipedia defines it as "the act of attempting to acquire information (and sometimes, indirectly, money) such as usernames, passwords, and credit card details by masquerading as a trustworthy entity."

Paul Stephens, director of policy and advocacy for the Privacy Rights Clearinghouse, defines "spear phishing" as:

"Spear phishing is when a criminal sends you an email that sounds and looks like it's from a company you have an existing relationship with," Stephens said. "For example, a spear-phishing message might address you by name."

Alternatively, spear phishing is an attack predicated on targeting a specific person, or group of people, with a malicious email that encourages them to open an attachment.

Phishers tend to send an email pretending to be someone or some business you recognize and, as the definition above states, try to get you to reveal private data. Usually, if you're reasonably suspicious, these attempts are easy to spot and you avoid being taken in, but often we click on the link out of natural curiosity.

Recently I received a direct message on Twitter from a follower:

Hey this person is making up dreadful posts that are about you http://xxxx????

The idea that someone would be making up "terrible posts" about me seemed far-fetched, but that someone would inform me in this way was even more of a give-away. Not so for the link, which takes you, via a couple of redirections, to a Web site that looks exactly like the Twitter login page with the message "Your session has timed out, please re-login."

If you had just come from Twitter by clicking on the link in the direct message, you might well think that such a thing was normal and provide your login credentials, which would be a very bad idea given that the site is in China and obviously fraudulent.

The link resolves to (I recommend you DO NOT visit this link; there may be other exploits involved) and, while the root of the site,, is identified by Chrome as a phishing site and a warning is immediately displayed, the full link is not identified!
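The two things just described, a chain of redirections that lands on a page imitating the Twitter login and a blocklist that flags the site root but not the full link, can be checked in code. The script below is an added, defender-side example and not part of the original post; the redirect chain, the trusted-host list and the blocklist entries are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed redirect chain standing in for the DM link in the post
# (placeholder hosts, not the real ones; the final hop imitates the Twitter login page).
REDIRECT_CHAIN = [
    "http://short.example/abc",
    "http://tracker.example/go?u=1",
    "http://login-check.example/twitter/session.php?timeout=1",
]

# Hosts on which a genuine Twitter login may legitimately be requested (assumed list).
TRUSTED_LOGIN_HOSTS = {"twitter.com", "www.twitter.com", "mobile.twitter.com"}

# Two ways a blocklist can be keyed. An exact-URL entry for the site root reproduces
# what the post observes: the root is flagged, the full link with its path is not.
EXACT_URL_BLOCKLIST = {"http://login-check.example/"}
HOST_BLOCKLIST = {"login-check.example"}


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def exact_url_blocked(url: str) -> bool:
    return url in EXACT_URL_BLOCKLIST


def host_blocked(url: str) -> bool:
    """Match on the host so every path and query under it is covered."""
    h = host_of(url)
    return any(h == b or h.endswith("." + b) for b in HOST_BLOCKLIST)


def assess_link(chain: list[str], brand: str, trusted_hosts: set[str]) -> list[str]:
    """Return findings for a followed redirect chain; an empty list means nothing suspicious."""
    findings = []
    final = chain[-1]
    final_host = host_of(final)
    if len(chain) > 1:
        findings.append(f"{len(chain) - 1} redirect(s) before landing")
    # Brand name in the path or a subdomain while the landing host is not the brand's own.
    if brand in final.lower() and final_host not in trusted_hosts:
        findings.append(f"'{brand}' appears in URL but host {final_host} is not a {brand} login host")
    if final_host not in trusted_hosts:
        findings.append("credentials entered here go to a third party")
    if host_blocked(final):
        findings.append("landing host is on the blocklist")
    return findings


if __name__ == "__main__":
    for line in assess_link(REDIRECT_CHAIN, "twitter", TRUSTED_LOGIN_HOSTS):
        print("-", line)
```

Note that `exact_url_blocked` misses the full link while `host_blocked` catches it, which is why host-level matching is the better key for a phishing list.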

Information collected in this manner is certainly not being used for your benefit. Your personal information could be used for many purposes, and one of them could be to ensnare more victims.

The more sophisticated and alluring these phishing attacks become, the more people will get tricked. Remember that whilst the current messages are poorly written, they are still effective. To quote the Sergeant from Hill Street Blues: "be careful out there".