Don’t become a victim of spear phishing

Don’t become a victim of spear phishing
(USA  Today)

We have all heard about the sophisticated malware responsible for the wave of data breaches that began last year with Target and recently included Home Depot and JPMorgan Chase, but the question that many people fail to ask is how did the malware necessary to perpetrate these major data breaches get downloaded into the seemingly secure computers of major companies and government agencies?

The answer in almost every instance is the same. It is done through a technique called phishing. Phishing occurs when someone receives an e-mail that lures the person receiving the e-mail into downloading an attachment with malware or clicking on a link within the e-mail that automatically downloads keystroke-logging malware that enables the hacker to steal all of the information from the computer of the unwitting receiver of the e-mail. Generally among the information in the victim’s computers are the passwords and other keys required to open the company’s or agency’s data banks. Often in major data breaches, the phishing is aimed, as it was with Target, at a third-party vendor that works with and has computer access to the real intended victim.

At one time, phishing e-mails appealed to standard subjects that interest people at work with roaming minds, such as free video games, music or pornography. According to The Washington Post, the 2005 massive data breach of information broker LexisNexis was caused by a Florida police officer at work who clicked on a link in an e-mail promising pornography and ended up downloading malware that enabled the hackers to steal the police department’s password and login information to provide access to LexisNexis’ data banks.

Today, although those techniques are still used and still work, phishing has gotten more sophisticated. Often the e-mails are made to appear as if they come from upper-level management of the targeted company. LinkedIn, the popular social networking service site, is a source of information that can be manipulated to aid hackers in creating special phishing e-mails using the names of specific people within the company.

When phishing e-mails are done with this extra level of specificity of having the exact names of intended victims as well as precise names of people trusted by the victims, it is called spear phishing. Hackers will look up a company on LinkedIn and find profiles for individual employees of the company. Many of these listings include the employee’s e-mail address.

After viewing a few employee profiles a hacker can determine the protocol used for e-mails within the company, such as the initial of the first name, last name and company name, such as jsmith@companyname.com. Using this information, the hacker can send a legitimate-appearing e-mail to a company employee that looks like it comes from within the company, luring the real employee to either click on a tainted link or enter a username and password. This can be used to either directly install malware on to the company’s computers through the tainted link or get access through the user name and password of the victimized employee. From there it is an easy task to install malware to steal information from the company.

Phishing e-mails can be easily be made to appear as if they are coming from legitimate sources, such as banks, government agencies, insurance companies or myriad companies with which you do business. It takes little talent to create a counterfeit logo on an e-mail to make the e-mail look official. Identity thieves and hackers have a knowledge of psychology that would have made Freud envious and they know how to lure us into linking on malware infected links and download malware infected attachments. Although sometimes the target of these hackers is access to bigger fish, such as the company for which you work, sometimes the target is you personally.

One of the biggest fallouts from the recent hacking of JPMorgan Chase was the theft of e-mail addresses and names of JPMorgan Chase customers thus making those customers prime targets for spear phishing. JPMorgan Chase customers can well expect to receive e-mails that very much appear to come from JPMorgan Chase directed to them personally by name.

These e-mails may even appear to be sent in response to the recent hacking and warn the customer of new problems that require the customer to either click on a link for protection or provide information to receive personal assistance in protecting their account. Unfortunately, people clicking on these links or providing the requested information will end up becoming victims of identity theft.

The rule to follow is to never click on links in e-mails or download attachments unless you are absolutely sure that they are legitimate. The risk is too great. Also, never provide personal information in response to an e-mail that you receive. You cannot be sure that the e-mail is legitimate. Trust me, you can’t trust anyone. If you think that possibly the e-mail may be legitimate, call the company or agency at a telephone number that you know is correct to inquire about the e-mail. It may seem paranoid, but remember, even paranoids have enemies.

Steve Weisman is a lawyer, a professor at Bentley University and one of the country’s leading experts in scams and identity theft. He writes the blog www.scamicide.com and his new book is Identity Theft Alert.