Web threats | Riddled by Spear Phishing
Added 15th Jul 2011

It’s official. Hackers are no longer interested in breaking into your company’s network. Why would they when they can spear phish one of your employees into opening the front door for them?
The recent spate of spear phishing attacks started in March 2011 with RSA. It was followed by Epsilon, and JP Morgan Chase, Sony, and Oak Ridge National Laboratory in April, and Lockheed Martin in May. Citigroup, Gmail, and the IMF became victims in June. All were attacked using spear phishing.
Some analysts say the trend started earlier. “The current trend of targeted cyber attacks really started to escalate from early 2010 and in the last 18 months we have seen more malware developed than the previous 20 years combined,” says Michael Sentonas, VP and CTO, Asia Pacific, McAfee.
Many blame social media sites for arming cyber criminals. “Hackers are increasingly adopting social media sites to gather profile information, and impersonate friends to launch attacks,” says Hugh Thompson, program committee chairman for the RSA Conference. “And people’s ability to choose what to trust is blurred because attackers have an abundance of personal information that they use to lend credibility to an attack.”
The numbers point to the same conclusion. According to the Data Breach Investigations Report 2011, cyber criminals are relying increasingly on personal touch with victims, with 78 percent of hacking cases involving in-person contact.
“While lots of companies have social media policies, I'd be willing to bet that over 95 percent of them never do any real digging to see what is out there,” says Shane MacDougall, principal partner at Tactical Intelligence.
MacDougall is currently preparing for a Social Engineering contest to be held at DEFCON, the world's longest-running hacking conference. “Just by trolling LinkedIn and Facebook I've been able to identify over 15,000 employees at my target company, with many of them inadvertently leaking information that I am sure will let me successfully penetrate them on the day of the contest.”
“The reality is, you can train your employees over and over again, but like the shirt at DEFCON says, ‘there's no patch for human stupidity,’” says MacDougall.