Spammers get personal with 'spear phishing' attacks


The latest emails for Viagra or baldness cream just might be directed to you personally, claims a new study. So, too, are many of the other crafty come-ons clogging inboxes, trying to lure us to fake websites so criminals can steal our personal information.

A new study by Cisco Systems Inc. found an alarming increase in the amount of personalised spam, which online identity thieves create using stolen lists of email addresses or other poached data about their victims, such as where they went to school or which bank they use.



Unlike traditional spam, most of which is blocked by email filters, personalised spam, known as "spear phishing" messages, often sails through unmolested. These messages are sent in smaller chunks, and often come from accounts the criminals have set up at reputable web-based email services. Some of the messages are expertly crafted, linking to beautifully designed websites that are bogus or immediately install malicious programs.



Cisco's annual security study found that spam is growing quickly - nearly 200 billion spam messages are now sent each day, double the volume in 2007 - and that targeted attacks are also rising sharply.

More than 0.4 per cent of all spam messages sent in September were targeted attacks, Cisco found. That might sound low, but since 90 per cent of all emails sent worldwide are spam, this means 800 million messages a day are attempts at spear phishing. A year ago, targeted attacks with personalised messages were less than 0.1 per cent of all spam.



The latest attacks include text-message spam, emails trying to trick business owners into coughing up credentials for their Google advertising accounts, or personalised "whaling" emails to executives claiming that their businesses are under investigation by the FBI or that there's a problem with their personal bank account.



As the world's largest maker of networking gear, Cisco is in a unique position to study the traffic flowing through its customers' networks, which include the biggest internet providers and corporations. The latest study was based in part on the company's ability to monitor 30 per cent of all web and email traffic through its hardware and software and a network of companies that contribute data.




