The phrase “targeted attack” looks redundant at first glance. Of course an attack is targeted. What good would it be without a target? But the reality is that until recently, most online attacks (phishing, malware, identity theft, bank fraud) were essentially scattershot affairs. Hackers threw their bait out there and took whatever came back, with no real plan.
That’s no longer the case. Now, many attackers do research, gather intelligence on their targets, figure out their preferences and habits and then go after them with specifically tailored attacks designed to give the attacker the best chance of succeeding.
Here’s how one such attack might work:
- A hacker buys a list of customer email addresses stolen from a health care company during a data breach.
- He chooses some of the addresses and Googles them. His search turns up other online services for which the users have registered with the same email addresses. That gives him a better picture of what the users’ online presence is like, perhaps allowing him to find their Facebook, Twitter or other social networking accounts.
- The hacker then combs through the users’ data, looking for indications of what banks or credit card companies they use.
- He then crafts an email from a phony email address that looks as if it comes from the victim’s bank. The message may contain a link to a Web site that impersonates the user’s bank. The user clicks on the link, which takes him to a site that contains a hidden piece of malicious code that exploits a vulnerability in the user’s browser.
- The hacker’s malicious code installs a piece of malware on the user’s PC that has the ability to log keystrokes. Once the user realizes something is wrong with the hacker’s site, he goes to his legitimate bank site to check his accounts. When he enters his username and password, the hacker’s malware records them and sends them to the hacker.
- The hacker logs in to the victim’s bank account and transfers the money to an account he controls. Game over.
This is just one example of the kinds of attacks that are happening every day. Hackers have all the time in the world to do research on their targets and they only need to catch one person to have a good day.