Spear Phishing and Internet Security
Spear phishing is a cybercrime technique that lures victims into revealing passwords, credit card data, and other sensitive information by masquerading as a communication from a trusted entity. The spear phishing communication - usually an email - looks very much like a familiar email format sent by your bank, Facebook, or anyone from whom you're accustomed to getting email. It may even include your name and other details which reassure you that "this is someone I know." But beware, it's a wolf in sheep's clothing...
What is Spear Phishing?
Spear phishing is a more dangerous cyber attack than typical "blind" phishing or spam attempts because it lulls people into a false sense of security. Consumers are on their guard against spam from sources they don't know. But when an email seems to be from a trusted entity, or includes personal details such as their name, people are more likely to do what it says.
A crude spear phish purportedly from your bank may tell you that your login information needs to be "verified" and instruct you to reply to the email with your username and password. That's a pretty easy phish to avoid; no bank ever makes such a request. But what if the email tells you to "log on securely to our server via this link…"? Many people will do it without a second thought, and get caught without even knowing it.
Links in spear phishing emails don't take you to the Web pages they say they will. While the highlighted text indicating a hyperlink may read, "Chase Bank" or "Your Ebay account," the code underlying the link actually points to a Web page controlled by the phisher. When you go to that page, which is a copy of the legitimate one, you are asked to "log in" and that's how the phisher gets your username and password. Then you may get a message saying, "server overloaded, try again later" or some other brush-off. That's a fairly low-level technique; others are even more insidious and dangerous.

Customers of VioVet, a UK pet supplies dealer, received spear phish emails purportedly from the company, offering discount coupons if they clicked on a link in the email. The link took victims to a page which surreptitiously downloaded a malware program to their computers. The Trojan sniffed out sensitive information on the victims' hard drives and transmitted it to the bad guys. Victims never knew what was going on.
A Growing Problem
Spear phishing is on the rise for several reasons. Users are more alert to ordinary spam and blind phishing techniques, so bad guys have to get more subtle. Personal information that can make a spear phish convincing is more readily available to phishers as users post it on Facebook pages, Twitter, and other social media sites.
Also, trade in stolen customer email lists is on the rise, making it easier to build large-scale spear-phishing campaigns. You may have gotten an email in the past few days, alerting you that an email provider named Epsilon was hacked. Epsilon manages email communications for large companies, including many banks. And although it's "only" your email address that was stolen by the hackers, you should be especially on guard. If the bad guys know your email address, plus the fact that you do business with a certain bank, it's not too difficult in many cases to get your name, and possibly other identifying information from public sources. That gives them a powerful weapon which can be used to fool people who are not vigilant.
To protect yourself against spear phishing, you should pay closer attention to every email even if it's apparently from a trusted source, or a company you regularly deal with. If the email makes an unusual request, such as "verifying" login credentials, it may well be a phish. If you get a social media "friendship" request from someone you've never heard of, be on guard. You even have to look carefully at the link before you click.
Most browsers will display the URL of a hyperlink if you hover your mouse over it. Look for misspelled URLs that won't take you where they suggest they will. For example, faecbook.com is an entirely different domain from facebook.com. Even better, use a bookmark to reach the site in question, or key in the web address by hand.
Do you know anyone who has been victimized by spear phishing? Post your comment or question below...
Posted by Bob Rankin on 8 Apr 2011
Copyright © 2005 - Bob Rankin - All Rights Reserved
Article information: AskBobRankin -- Spear Phishing and Internet Security (Posted: 8 Apr 2011)
Source: http://askbobrankin.com/spear_phishing_and_internet_security.html
Most recent comments on "Spear Phishing and Internet Security"
Posted by:
Digital Artist
09 Apr 2011
If anybody ever fakes your website I am doomed. I always click the links from your email, yet I am very cautious about doing that from other emails.
Posted by:
francis reilly
09 Apr 2011
I received an e-mail from what I thought was a very good friend and I didn't get the language and the tenor of the body, so I, stupidly, responded to it and got mixed up in a scam. I should have gone to my contacts list and e-mailed my friend directly. That would have solved the issue.
Posted by:
tony
09 Apr 2011
When I had a Yahoo mail account some years ago, I received an e-mail that looked to be from Yahoo. It said that they randomly choose a few Yahoo mail members to win some money and that I have won thousands of dollars! I was so excited. Wow! but I was suspicious as well so I contacted Yahoo and forwarded the e-mail for them. They replied that they have never sent such an e-mail.
Posted by:
Sara Dillinger
09 Apr 2011
What can you do if you are being used as the spear for spear phishing? Someone got hold of my contact list and has been sending emails in my name. This is a danger for people on my list who trust me and an annoyance for me as I have had to eliminate many people from my list (at their request - a shutting of the barn door after the cows have escaped). How can I protect my contacts and regain my good name?
EDITOR'S NOTE: The best thing I can suggest is to send emails to everyone on your list, explain what happened, and tell them to be aware. You could also start using a new address to send, and tell people to ignore ANYTHING from the old one.
Posted by:
Nellie Bandelier
13 Apr 2011
Do you include Mac when you list PC (personal computer?) items as free scans etc.?
Thanks,
Nellie Bandelier
nbandelier@bresnan.net
Posted by:
Mike
13 Apr 2011
I don't trust ANYBODY's site. I always check the link before clicking it. No, I'm not special nor am I unduly paranoid. It takes only a moment and is nothing more than a simple habit. Same habit as checking both ways before stepping out into a street, which I see a LOT of adults who should know better not doing it.
I don't remember if it was Bob, or if it was Leo who explained about URLs. They're generated backwards, from .com, then the name of the site, such as chase.com, then a particular section of the site, such as login.chase.com. So if it says http://www.chase.reallychase.com, then it's not your bank.
Posted by:
Morphaiea
13 Apr 2011
I never use the links in an email claiming to have changes in one of my accounts. If the claim sounds plausible I go directly to the site in question to check it out.