In this season of beleaguered IT security for American political institutions, we all remember the recent attack against Arizona’s voter registration system. Last week Arizona Secretary of State Michele Reagan revealed that the breach owed itself to a spear phishing attack impersonating an employee.
Reagan added that the FBI is attributing this attack to a foreign entity, “most likely Russian,” she said. That reminds me, of course, of this summer’s stolen DNC emails and the fact that they are widely believed to be the action of one or more Russian Advanced Persistent Threats, which are known to obtain access commonly through spear phishing attacks.
These two breaches highlight the evolving nature of phishing. We know that Business Email Compromise (BEC) is enormously on the rise, so that’s getting a lot of attention. But the early months of 2016 were the season of spear phish aimed at W-2 information, and I’m betting that will be a bigger trend same time 2017.
Now we have seen repeated use of spear phishing aimed at the election. And I expect this time next year we’ll be talking about a new abuse of spear phishing that isn’t on the public’s radar today.