Spear Phishing through Blogs

This post is a warning about a dangerous attack vector against bloggers and blog readers by hackers and spammers, an attack which is very likely to appear in the near future. While I realize that my warning might even expedite the timetable, it's just a matter of time IMHO before someone puts two and two together. Maybe someone already has.

Spear phishing is a phishing attack which is custom tailored to an individual. The potency of spear phishing lies in personalized content containing information only a very small number of people or companies would know. Usually, it's some shared knowledge or experience, like a person's recent eBay bid on a laptop. A personal email mentioning the bid would make the potential victim assume the sender is the seller. True? Not always.

Spear phishing is typically not very scalable because each attack has to be personalized. With blogs, however, a spear phishing attack is scalable.

The danger is that the relationship between bloggers, and between a blogger and his readers, is strong, persistent, and public. Using the information readily available, hackers and spammers can:

  1. send personalized messages to a blog's commenters, posing as the blogger and using words mentioned in their comments.
  2. send personalized messages to a blogger, posing as one of the frequent commenters and using words mentioned in blog posts and comments.

I don't think further details are needed so I'll just stop here.