Several sources are reporting massive issues from the recent email scam. US-CERT even has a warning called “spear phishing attack”. My favorite write-up so far has been in The Register. They used the phrase “whaling expedition” to describe events:
About 2,000 executives took the bait on Monday, and an additional 70 have fallen for the latest scam, Richard said. Operating under the assumption that as many as 10 percent of recipients fell for the ruse, he estimated that 21,000 executives may have received the email. Only eight of the top 35 anti-virus products detected the malware on Monday, and on Wednesday, only 11 programs were flagging the new payload, which has been modified to further evade being caught.
Those are staggeringly poor numbers that nicely illustrate the problem with malware detection strategies. User education is the bedrock of security, while technology is usually just a tool. Like using a hammer, if someone suddenly puts screws in front of you and you do not know what defines a nail, and/or you rely on the vendor to figure it out for you…oops, I guess I need a fishing analogy.