
Friday, June 17, 2011

Let’s all go spear phishing

The legal definition and enforcement of cybercrime is something which nowadays we take for granted. The concepts and principles contained in international conventions such as the Council of Europe's Convention on Cybercrime have trickled down to the majority of developed and developing countries' legal statutes. But continuously developing technology, and the ways in which it can be used maliciously, are now stretching the definitions of cybercrime, and legal scholars and countries alike are rushing to their drawing boards to come up with legal interpretations for cyberwar.

This latest rush to formulate legal answers to the developing doctrine of cyberwar has escalated in recent weeks due to the widely reported incidents in which a number of Gmail accounts were hacked.

According to Google, a group of unidentified Chinese hackers from the city of Jinan phished several credentials belonging to senior US government representatives, Chinese political activists, journalists and other individuals, predominantly in South Korea. The recent Gmail attacks in China are perfect proof that cybercrime is constantly evolving. These phishing attacks were not targeting credit card details but much more important information, such as international affairs or military secrets, through the monitoring of the contents of the emails themselves. The Chinese government, however, has officially denied any involvement in the Gmail incident.

The standard, widely used form of phishing is a scam that is broad in its application and normally targets millions of random users under the guise of an email sent from some Nigerian prince or long-lost cousin. But cybercrime (or cyberwar) is evolving. Behold the spear phishing attack: a targeted email attack directed only towards a select few users, in which the scammer sends phishing emails to a small group of people, normally a company or a specific governmental department or branch.

Unlike standard phishing attacks, spear phishing attacks normally hide within what looks to be a genuine email, sometimes even appearing to come from a recognised email address. The recipient, however, would be totally unaware that the sender information has been faked or spoofed. Spear phishing also differs from traditional phishing in its objective: whilst in traditional phishing scams the perpetrator aims to steal information from individuals, such as credit card or banking details, spear phishing attacks have as their primary aim obtaining access to a company's computer system. Spear phishing does not attack individual users for their own sake but targets individuals in order to gain access to a bigger whole, the organisation. Such attacks have become an 'epidemic' according to security consultants, who blame the huge amounts of data that can be found on the net, such as on Facebook and Twitter, which make it easier for perpetrators to target their attacks, choose their victims wisely and convince their targets that the email they are receiving is genuine. We always thought that there could be nothing wrong in opening an email we receive from a colleague or friend. Now we will need to think twice, due to the unfortunate reality that such an email might not be coming from our colleague or friend after all.

Following the Gmail incident, US Secretary of State Hillary Clinton stated that the allegation that China was behind this attack was a very serious one and that the FBI was already investigating.

More recently, the latest victim of spear phishing has been the computer system of the International Monetary Fund. Again, security experts claimed that the attack may have been backed by a nation state, due to the sophisticated nature of the attack and the resources needed to develop it, in what has been termed an Advanced Persistent Threat (APT). Many have again pointed their fingers towards China, where hacking remains a popular hobby, with numerous websites offering inexpensive courses and teaching programmes to learn the basics of hacking.

Meanwhile, the Pentagon recently stated that it is preparing plans that will categorise cyber-attacks as acts of war. US officials also recently stated that in future a US president could consider economic sanctions, cyber-retaliation or a military strike if key computer systems were attacked, especially where such computers control real-world installations such as electrical power stations. These plans were also being expedited due to the recent hacking attacks suffered by US defence contractor Lockheed Martin in May. The Wall Street Journal also quoted a military official as saying: "If you shut down our power grid, maybe we will put a missile down one of your smokestacks."

Whilst it will be very difficult in all of these attacks to determine whether such acts were committed by nation states or individuals, the reality of cyber espionage and cyberwar has reached unparalleled heights.

Albert Einstein once claimed that he did not know with what weapons World War III would be fought. Perhaps we now know that cyber-weapons will surely be an essential part of any arsenal used.
