What do RSA and Condé Nast have in common? Both recently fell for some form of “spearphishing” that let attackers break in or walk away with millions of dollars. So what is “spearphishing”? Well, “regular” phishing involves sending out mass emails purporting to be from your bank or credit card company, saying you need to do something or that something has happened to your account. You click the link in the message and before you know it you’ve handed your credit card number and other personal information to scammers.
Bad? Yes. Scattershot? Totally. That’s why you so often get emails from banks you’ve never used. Scammers just fire off millions of messages and figure one or two will hit the mark. Spearphishing is different: it is aimed at one person or a handful of people at a specific company, and its goal is to get them to open the gates from the inside.
The RSA hack, for example, started with emails carrying an Excel spreadsheet (containing a good deal more than numbers) that appeared to come from a trusted sender. In a spearphishing attack the evil-doers are very, very specific about both the target and the lure. You want into the system? Learn where the weakest links are. Maybe an assistant opens all of an exec’s email, so you pretend to be another VP sending over sales figures in a spreadsheet, and then …
Maybe you want to target HR, so you build a site that harvests network information and plants a little trojan along the way, then dress it up as the new policy portal so the HR people will click.
It only takes a moment of distraction, or an email that seems to come from a colleague. At a large company you could easily pass yourself off as so-and-so from global, a sales office or a branch office. It’s pretty easy to work off a sense of trust and exploit it.
PCWorld has some good tips and information in this recent article:
The criminal art of spear phishing, email spoofing that aims to get the recipient to click on a bad link or attachment, has been around for years. But that doesn’t mean it’s become any less effective. According to figures from the U.S. Computer Emergency Readiness Team (US-CERT), which compiles information from federal, state and local governments, commercial enterprises, U.S. citizens and foreign CERT teams, phishing attacks accounted for 53 percent of all security incidents in 2010.
For all their advice, it’s really troubling, if you think about it, that we have to jump through these hoops if we get an email from Sue in marketing with a new press release. Do you know a Sue in marketing? Were you expecting a press release? It won’t be long before we’re all becoming paranoid nut jobs!
This, actually, is one of the benefits of eCrypt.me. Our system isn’t built on corporate email, where the sender address can be spoofed. Attachments are scanned and cleared before they can be encrypted. We work hard at hardening our defenses against both active and passive attacks, and since we can be pretty sneaky ourselves, we give our own system a run for its money.
In the end, regardless of how you communicate electronically, you do have to be a little extra cautious. Keep your software patched, scan your email for nasties, and double-check where a link really goes before you click it. None of us want to get hooked.
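Two of the hand checks above (does the message really come from who it says, and does a link really go where its text says) can be mechanized. What follows is an added example, not code from this post or from eCrypt.me: a small Python script that reads a raw email, compares the From domain with the Return-Path and Reply-To domains, and flags any link whose visible text names a different domain than its href. Both sample messages are constructed for the example, and every address and domain in them is made up.

```python
"""Flag common spear-phishing signals in a raw RFC 822 message.

Added example for illustration; not part of the original post.
Checks: (1) From domain vs. Return-Path / Reply-To domains,
        (2) link text that shows one host while the href goes to another.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Crude "hostname or URL" matcher for anchor text, e.g. "http://example-corp.com/press".
HOST_RE = re.compile(r'(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)', re.I)


def registered_domain(host):
    """Last two labels of a hostname: 'mail.example-corp.com' -> 'example-corp.com'.
    Good enough here; a production tool would consult the public suffix list."""
    parts = host.lower().strip('.').split('.')
    return '.'.join(parts[-2:]) if len(parts) >= 2 else parts[0]


def host_in_text(text):
    """Hostname the link *text* claims, or None if the text is just words."""
    m = HOST_RE.search(text)
    return m.group(1).lower() if m else None


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == 'a':
            self._href, self._text = dict(attrs).get('href'), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == 'a' and self._href is not None:
            self.links.append((self._href, ''.join(self._text).strip()))
            self._href = None


def link_mismatches(html):
    """Links whose displayed host and actual href host are different domains."""
    parser = _LinkCollector()
    parser.feed(html)
    bad = []
    for href, text in parser.links:
        shown, actual = host_in_text(text), urlparse(href).hostname
        if shown and actual and registered_domain(shown) != registered_domain(actual):
            bad.append((text, href))
    return bad


def sender_findings(msg):
    """Compare the From domain with Return-Path and Reply-To.
    Return-Path is only trustworthy when your own receiving MTA added it."""
    from_dom = registered_domain(parseaddr(str(msg.get('From', '')))[1].rpartition('@')[2])
    findings = []
    for hdr in ('Return-Path', 'Reply-To'):
        addr = parseaddr(str(msg.get(hdr, '')))[1]
        if addr:
            dom = registered_domain(addr.rpartition('@')[2])
            if dom != from_dom:
                findings.append(f'{hdr} domain {dom} does not match From domain {from_dom}')
    return findings


def analyze(raw):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    msg = message_from_string(raw, policy=policy.default)
    findings = sender_findings(msg)
    body = msg.get_body(preferencelist=('html',))
    html = body.get_content() if body is not None else ''
    for text, href in link_mismatches(html):
        findings.append(f'link text says {text!r} but goes to {href}')
    return findings


# Constructed sample: the "Sue in marketing" lure from the post, with a spoofed sender
# and a look-alike host hidden behind a convincing link. All domains are invented.
PHISH_EMAIL = """\
Return-Path: <bounce-8841@mailer.example.net>
From: "Sue in Marketing" <sue@example-corp.com>
Reply-To: <sue@example-corp.com>
To: <exec-assistant@example-corp.com>
Subject: New press release - please review today
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Hi, the press release is up, please review before 3pm:</p>
<p><a href="http://example-corp.com.press-review.example/release">
http://example-corp.com/press/release</a></p>
<p>Thanks, <a href="https://example-corp.com/people/sue">Sue</a></p>
</body></html>
"""

# Constructed sample of an internal message that should pass clean.
CLEAN_EMAIL = """\
Return-Path: <sue@example-corp.com>
From: "Sue in Marketing" <sue@example-corp.com>
To: <exec-assistant@example-corp.com>
Subject: Press release draft
Content-Type: text/html; charset="utf-8"

<html><body><p>Draft is at <a href="https://intranet.example-corp.com/pr/42">
https://intranet.example-corp.com/pr/42</a></p></body></html>
"""

if __name__ == '__main__':
    for name, raw in (('phish', PHISH_EMAIL), ('clean', CLEAN_EMAIL)):
        print(name, analyze(raw) or ['no findings'])
```

The link check deliberately compares registered domains rather than full hostnames, so `www.example-corp.com` against `example-corp.com` is not flagged while `example-corp.com.press-review.example` is. It is a heuristic, not a verdict: the Return-Path comparison only means something when your own mail server wrote that header, and a genuinely compromised colleague account passes every one of these tests, which is exactly why the post’s “were you expecting this?” question still matters.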