I sometimes get asked how a spear phishing or targeted phishing attack can happen. In other words, people want to know how the hackers get the list of email addresses tied to a specific organization so that they can send it the targeted email. A good example that I thought illustrated this well was recently reported.
Aetna recently announced a data breach of an employment application website. The attackers were able to gain access to the information of at least 65,000 current or former employees. Additionally, they got information on 450,000+ individuals who had applied to Aetna over some number of years.
The perpetrators then sent targeted emails that asked the individuals to go to a website (link provided) and fill out some more specific information to continue the process of their employment application. Of course, the website was fake and was meant to gather sensitive information from the individuals.
While this is very clever, it illustrates how easy it is to perform targeted phishing attacks. It also shows more intelligence behind the attack: the attackers knew what they had obtained and how to use the information effectively.