INFORMATION SYSTEMS SECURITY AND CYBERATTACKS 2:
Phishing
As financial institutions and online merchants make their Web sites more secure, cybercriminals more often resort to relatively low-tech attacks, such as phishing. "Phishing" refers to criminals' creation of e-mails and Web sites designed to look like those of well-respected legitimate businesses, financial institutions, and government agencies, in order to trick Internet users into disclosing their financial account or other sensitive personal information.
Although software vendors add anti-phishing features to their products, cybercriminals change their tactics to stay ahead of the game. More sophisticated phishing attacks may attempt to exploit vulnerabilities in a financial institution's or online payment services company's Web site in order to redirect the victim's browser to a malicious Web site while maintaining the appearance that the victim is still connected to a legitimate Web site. Other phishing attacks may involve the use of deception to install spyware on victims' machines in order to steal sensitive personal information. Attackers also started using unique URLs for each phishing e-mail they send to make it more difficult to identify and block the attack.
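An added example, not part of the original article: it shows why an exact-URL blocklist misses a campaign that gives every recipient a unique URL, and how a defender can instead group reports by host and path shape. The hostnames, sample URLs, and token heuristic are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample reports: one campaign with a unique URL per recipient,
# plus one unrelated URL. Hostnames use the reserved .example TLD.
REPORTED = [
    "http://login.bank-secure.example/verify/9f3a7c21e0b44d18?uid=10001",
    "http://login.bank-secure.example/verify/47be0d9921aa3c5f?uid=10002",
    "http://LOGIN.bank-secure.example/verify/c0ffee1234abcd99?uid=10003",
    "http://news.site.example/articles/2007/botnets",
]

# Heuristic (an assumption): a path segment is a per-recipient token when it is
# 12+ URL-safe characters and contains at least one digit.
TOKEN = re.compile(r"^(?=.*\d)[A-Za-z0-9_-]{12,}$")

def signature(url):
    """Reduce a URL to (host, path template, sorted query keys)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    segs = ["{token}" if TOKEN.match(s) else s for s in parts.path.split("/")]
    keys = tuple(sorted({k for k, _ in parse_qsl(parts.query, keep_blank_values=True)}))
    return host, "/".join(segs), keys

def build_rules(urls, min_reports=2):
    """Keep only signatures shared by at least min_reports distinct URLs."""
    seen = defaultdict(set)
    for u in urls:
        seen[signature(u)].add(u)
    return {sig for sig, group in seen.items() if len(group) >= min_reports}

def is_blocked(url, exact, rules):
    """Block on an exact match or on a learned campaign signature."""
    return url in exact or signature(url) in rules

EXACT = set(REPORTED)          # classic blocklist of reported URLs
RULES = build_rules(REPORTED)  # campaign-level signatures
# A URL from the same campaign that nobody has reported yet (constructed).
FRESH = "http://login.bank-secure.example/verify/0a1b2c3d4e5f6789?uid=10004"

if __name__ == "__main__":
    print("exact blocklist only:", is_blocked(FRESH, EXACT, set()))
    print("with signatures:     ", is_blocked(FRESH, EXACT, RULES))
```

The `min_reports` threshold keeps a single report from turning into a rule, so one mistaken submission cannot block every URL of the same shape on a legitimate host.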
"Spear phishing" is another type of phishing attack where attackers target a specific group of Internet users, for example employees of a particular financial institution, in an attempt to steal their access credentials. Criminals often use automated phishing tools, spam engines, and botnets in their phishing attacks.
Despite extensive efforts by software vendors to improve the security of their products, phishing is still a serious threat to the security of online transactions. Victims of phishing attacks suffer financial losses, and must spend time and money rebuilding their credit and good name.
Zombies and Botnets
Compromised computers with installed malware remotely controlled by cybercriminals are usually referred to as zombies. A botnet is a group of zombies controlled by a particular hacker or criminal group. The owners of zombie computers are not usually aware that their computers have become part of an illicit network and a tool in the hands of cybercriminals.
Botnets have become a very important and extremely dangerous weapon in the cybercriminals' arsenal because of their concentrated power, which criminals can use to perpetrate various malicious acts on the Internet. Botnet attacks are growing in number, sophistication, and power. Microsoft considers botnets to be the top Internet threat of 2007.
To deploy botnet software, hackers typically use automated tools that exploit known security vulnerabilities in popular software products and the complacency of users who fail to install the latest security updates or who visit unsafe Web sites infected by malware. For example, a hacker's robot can scan the Internet in a predefined address range probing each computer it finds for known vulnerabilities, weak passwords susceptible to guessing, or for backdoors opened by malware already present on the computer. Once the robot succeeds in gaining control over vulnerable computers, it will install malware that the robot owners will later use to steal information; for spam and DDoS attacks; or to temporarily store illegal, malicious, or stolen files.
Hackers often deceive users into downloading software to their computers as a part of a seemingly innocent software package, such as a screen saver, game, or some utility program. Sometimes hackers attempt to lure unsuspecting users to visit Web sites that will attempt to install malware on their machines by exploiting Web browser vulnerabilities or inadequate security settings. Since Internet users have become more cautious, hackers have started using compromised legitimate Web sites for the dissemination of malware.
To deploy malicious code, cybercriminals often use extensive spam campaigns utilizing automated spam engines that leverage the tremendous computing power of botnets to send millions of e-mails within a very short period of time, making it practically impossible to trace those spam e-mails back to their true originators. Botnets also enable cybercriminals to easily perform other operations that require tremendous computing power, such as generating unique images for millions of spam e-mails in order to avoid spam filters, or breaking encryption and recovering messages, passwords, or data. This computing power poses a very serious threat to the security of online transactions that rely on encryption for ensuring integrity and confidentiality.
Written by James M. Sheehan, Special Agent in Charge, Criminal Division, FBI Los Angeles.