Found this ZDNet article talking about a recent study on spear-phishing, which doesn’t sound good at all:
A recently conducted ethical phishing experiment impersonating LinkedIn by mailing invitations coming from Bill Gates, has achieved a 100% success rate in bypassing the anti-spam filters it was tested against.
(Have yet to read the articles and papers in detail, but I thought I’d share it first.)
Phishing and (its deadlier cousin) spear-phishing have been out in the wild for a very long time already, but they continue to be effective against users because:
- “Some” users don’t exhibit caution &/or common sense when clicking on links, allowing themselves to be manipulated into giving away their credentials
- Others who’re careful, can never be vigilant all the time
Security has always relied on the combination of both people and technology in order to be effective. In the past, technological vulnerabilities meant that programs were the main target for the malicious, but as technology improves, the human user is often the weakest link in the chain, and hence the many attacks relying on human silliness/carelessness.
There are plenty of efforts in making it easier to detect/prevent the phishing attack on the user, but it is still very much an arms race (the race to list the bad sites versus churning these sites out as fast as possible). And even if it were possible to flag out ALL phishing sites somehow, as long as people could retain full use of their computers somehow (we tend to not like systems where we don’t know/have control on what’s happening, like Windows…), there would be always the group that clicks “Allow” when prompted “Danger! Would you like to allow action?”.
For now, keep the common sense when using the computer. Don’t just happily do something (like logging in) whenever a seemingly legit page asks you for it. Pause and think first.