This is the second article on this subject. The last article described some examples of hackers targeting certain employees.
Spies, hackers and others use what is called social engineering to manipulate people into revealing confidential information. These types obtain this information after careful reconnaissance on the victim they are targeting.
We make ourselves easy targets by posting tons of information about ourselves and our jobs online. Blogs and LinkedIn are very useful resources for criminals. Most people share information about the roles they have at work, which can be used to determine a corporate or IT department structure. This makes it easy for the bad guys to craft a message that looks like it is from the target's boss.
Hackers include traps in targeted emails, such as a link that redirects to a webpage with malware designed to get the employee to enter their password. In the RSA attack I mentioned in the last post, they took advantage of an unknown vulnerability in Adobe Flash that allowed a virus to be placed on the employee's computer system.
These attacks are a targeted version of phishing. Phishing emails are the ones that look like they are from your bank or from the IRS. They are typically misspelled and easy to spot and ignore. A newer type called spear phishing is a more targeted email. It contains the names of coworkers and company-specific information, and it may be sent from a colleague's email account.
Even some of the most educated users can fall victim to this attack. The hacker group Anonymous broke into the security firm HBGary, Inc. because of emails it sent to an executive from a compromised email account, asking for user names and passwords.
This is why sending passwords in email is a very bad idea. Hackers who gain access to your account can read the passwords sitting in your mailbox. They could also trick you into sending those passwords, something you never intended. Never send your passwords over email; a better option is verbal communication, or an encrypted email that only the intended recipient can open. (Don't leave passwords in voicemail either.)
Also, verify that the email you received is really from the person it claims to be from. If the email seems funny, call the person first before responding.
You should also use a good complex password and change it every 30-90 days. This will help prevent your account from being compromised.
Finally, you can also send your users to security training that includes phishing training. Better end user education will help prevent attacks such as this. I will have one more article in this series… I hope this helps you provide better security to your company.