Breaking news this week told us of government officials being targeted by so-called spear phishing attacks on their Gmail accounts. The attacks were traced back to Chinese internet addresses and may have led to the disclosure of significant amounts of government and personal data. They were described as 'spear phishing' because they singled out a particular group of people and used email language crafted to gain their trust or to look legitimate. This is in contrast to the typical phishing attack, where the bait is more general in nature, say "we have an important message from your bank, please log in here and confirm the transaction".
We are all becoming more savvy about not believing phishing emails. If you get a message saying it is from your bank, you probably will be a little suspicious and, hopefully, log in by typing the bank's address into your browser yourself instead of following the link in the message. The difference with a spear phishing attack is that the message appears legitimate: it may claim to be from a friend or co-worker, and it uses the kind of language you would encounter in a normal conversation with that person.
The Guardian newspaper quotes the text of one of the emails sent to senior government officials:
One example "spear phishing" email had the title "Fw: Draft US-China Joint Statement" and contained the text: "This is the latest version of State's joint statement. My understanding is that State put in placeholder econ language and am happy to have us fill in but in their rush to get a cleared version from the WH, they sent the attached to Mike."
If the user followed the link, the attacker would attempt to capture their password and then either hijack the account or secretly monitor the mail going forward. Google notified the affected users and helped them secure their accounts, but it seems that a significant amount of information was compromised.
Phishing is a form of 'social engineering'. That means the attack is not just computer code going after your computer; it is someone trying to trick you into compromising your own privacy. Con games have been used for centuries. This is simply a con designed to get you to hand over electronic keys or private information instead of cash or property.
There is now news that similar attacks were launched against several large businesses and against Hotmail and Yahoo! Mail users. TrendLabs explained in a threat report that the web-based mail services themselves were targeted: the attackers used vulnerabilities in the webmail applications to get at passwords without needing the user to type anything. In the case of Hotmail, merely previewing the email was enough to expose the user.
The attacks are getting more sophisticated, and the bad guys are adapting to the defenses thrown up to protect users. There are still things you can do to outsmart a phisher or spear phisher. The best defense is to read suspiciously. Even in our region, where we are used to jargon, acronyms and stilted bureaucratic speech, the quoted paragraph above reads as 'phishy'.
Look again at the quoted text above. It is as if someone randomized the language from a couple of memos, which may in fact be what they did. Or they could have run a program like Google Translate to try to recreate inside-the-Beltway English. Whatever the tools used, it doesn't sound right. If you get an email that looks 'off', don't take it at face value. Send a separate email to 'Mike', using an address you already have for him rather than replying to the message, and ask whether he was working on a joint statement for State, or pick up the phone and ask the same.
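"Reading suspiciously" also applies to the parts of a message the eye skips over: who the reply really goes to, where a link actually points, and whether the message is consistent with itself (the lure above talks about "the attached" but delivers a link). The script below is an added example written for this post, not code from Google, TrendLabs or the original author. It parses a constructed spear phishing message modelled on the quoted lure, with an invented sender, Reply-To and link target (all on reserved `example.gov` / `.invalid` names, not from any real incident), and prints the indicators a practitioner would check before trusting the message. The "registrable domain" check is a naive last-two-labels heuristic, not a public suffix list lookup.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from anchors plus the plain body text."""

    def __init__(self):
        super().__init__()
        self.links = []        # list of (href, anchor text)
        self.body_text = []    # all text nodes, for content checks
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        self.body_text.append(data)
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL; bare 'host/path' text gets a scheme first."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def analyze(raw):
    """Return a list of human-readable phishing indicators found in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # 1. Reply-To pointing somewhere other than the apparent sender's domain.
    from_hdr, reply_hdr = msg["From"], msg["Reply-To"]
    if from_hdr and reply_hdr and from_hdr.addresses and reply_hdr.addresses:
        from_dom = from_hdr.addresses[0].domain.lower()
        reply_dom = reply_hdr.addresses[0].domain.lower()
        if from_dom != reply_dom:
            findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # 2. Body text that talks about an attachment the message does not carry.
    body = msg.get_body(preferencelist=("html", "plain"))
    parser = LinkExtractor()
    parser.feed(body.get_content() if body else "")
    text = re.sub(r"\s+", " ", "".join(parser.body_text))
    if re.search(r"\battach(ed|ment)\b", text, re.I) and not list(msg.iter_attachments()):
        findings.append("body refers to an attachment but the message carries none")

    # 3. Links whose visible text is a URL that does not match the real target.
    for href, anchor in parser.links:
        href_host = host_of(href)
        if re.match(r"(https?://|www\.)", anchor, re.I):
            text_host = host_of(anchor)
            if text_host and text_host != href_host:
                findings.append(f"link text shows {text_host} but points to {href_host}")
                base = ".".join(text_host.split(".")[-2:])
                if base in href_host and not href_host.endswith(base):
                    real = ".".join(href_host.split(".")[-2:])
                    findings.append(f"{href_host} embeds {base} as a subdomain; registrable domain is {real}")
            if anchor.lower().startswith("https://") and href.lower().startswith("http://"):
                findings.append(f"link to {href_host} is plain http while the text claims https")
    return findings


# Constructed lure: spoofed .gov sender, external Reply-To, and a login link that
# reads as Gmail but lands on an invented lookalike host. Not a real message.
PHISH_EMAIL = b"""\
From: "Mike S" <mike.s@example.gov>
Reply-To: mike.s@webmail-login.example.invalid
To: official@example.gov
Subject: Fw: Draft US-China Joint Statement
Content-Type: text/html; charset="utf-8"

<html><body>
<p>This is the latest version of State's joint statement. In their rush to get a
cleared version from the WH, they sent the attached to Mike.</p>
<p><a href="http://accounts.google.com.example.invalid/ServiceLogin">https://mail.google.com/mail/</a></p>
</body></html>
"""

# Constructed benign message from the same colleague, for comparison.
BENIGN_EMAIL = b"""\
From: "Mike S" <mike.s@example.gov>
To: official@example.gov
Subject: Re: lunch
Content-Type: text/plain; charset="utf-8"

See you at noon. Agenda is on the intranet at https://intranet.example.gov/agenda
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH_EMAIL), ("benign", BENIGN_EMAIL)):
        print(name, analyze(raw) or ["no indicators"])
```

None of these checks proves a message is malicious, and a careful attacker can avoid all of them. They are the mechanical counterpart to the advice above: anything that trips them is a reason to verify out of band before clicking or replying.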
You should also follow basic security steps such as keeping your software updated and having anti-virus software installed and kept current. If you get an email like this at work, have your IT department take a look at it. If you do fall for the bait and click a malicious link, get suspicious the moment the page asks for your password or other private information. Close your browser, run a virus scan and watch for anything unusual happening on your computer. If your password has been disclosed to a third party, change it on that account and on any other site where you reused it, but first make sure your computer has been scanned and any malware or virus removed, or the new password may be captured just like the old one.