FTC Used as a Spear Phisher

The Federal Trade Commission issued a press release this week warning consumers and businesses that hackers have used the agency's name and images in emails to trick users into installing spyware that can steal sensitive financial, proprietary or personal information from corporate networks or personal PCs. According to the release:

Consumers, including corporate and banking executives, appear to be targets of a bogus e-mail supposedly sent by the Federal Trade Commission but actually sent by third parties hoping to install spyware on computers. The bogus e-mail poses as an acknowledgment of a complaint filed by the recipient, and includes an attachment. Consumers who open the attachment to this e-mail unleash malicious spyware onto their computer. The agency warns consumers who get this e-mail that purports to be from the FTC:

* Don’t open the attachment.

* Delete the e-mail.

* Empty the deleted items folder.

The hoax e-mail is personalized, and contains the name of the recipient and their business.

This type of attack is known as "spear phishing," in which emails are addressed to a specific person, making the message seem legitimate. Spear phishing, as opposed to simple phishing, in which the same email is sent out to random email addresses with no personal touch, has increased to the point that it is considered one of the highest risks in information security. Spear phishing is harder to defend against than threats that can be stopped by a firewall or a system patch, because the defense depends on users: they must be educated to recognize what to look for in an email that seems as if it came from a legitimate source and has a personal feel to it.

Hat tip: fraudwar blog