Spear Phishing
PHISHING EMAILS. We’ve all had them. “Enter your bank details at *insert link here* for a tax rebate/PPI claim/windfall from your long lost great-great-uncle’s savings. We are become more and more aware of these attempts to rob us, especially now that millenials, who are wiser to these threats, are starting to become so prevalent in the adult population. On top of this, anti-phishing software is becoming better as cybersecurity moves forward, meaning we are less exposed in the first place. As such, the ‘phishermen’ are having to adapt. Their solution – spear phishing.
Spear phishing is when we receive emails or other communication, similar to other phishing, but with information targeted very specifically at us [1]. This is done through information that we make publicly available, for example on social media. However, it raises more questions than just social media privacy issues. With increased data sharing, are we putting ourselves at a real risk from a threat that most of us haven’t even heard of?
If a parent received an email from their child, say a college student, explaining that because they went to some concert last week they are now a bit short on cash, and could their parents lend them some until their next student loan installation comes in, with the bank details in the email, it’s hard to think that 100% of recipients would check that information. However, the email could have come from a fake account with, say, just one character different in the email address, and the information about the concert publicly available on the student’s Instagram!
Another serious issue that surrounds this “next-generation” phishing method is that with increased sharing of data, we are becoming more exposed. The security of data sharing is of course a huge topic, one which I don’t have the time to delve into here! But there are of course more risks associated with it. Should there be some kind of a data breach, where more sensitive data is obtained by criminals, this leaves us very exposed. I myself have experienced this recently, with a friend from university messaging me during the holidays to ask if he could borrow some cash as his parents were abroad and he still hadn’t been paid for the month. As it turned out, his Facebook account had been “hacked”, and the bank details were false. Fortunately, I didn’t transfer any money as I called him to find out what the issue was! The point I’m making here is that despite our awareness of these threats increasing, their sophistication is increasing just as much. As such, we must be very careful not to write off the threat that phishing poses simply because millenials are more aware of it [2].
References:
[1]: Norton, “Spear Phishing: Scam, Not Sport”, available at us.norton.com/spear-phishing-scam-not-sport/article
[2]: Kevin Murnane, “How Older And Younger Millenials Differ In Their Approach To Online Privacy And Security”, Forbes, available at www.forbes.com/sites/kevinmurnane/2016/04/13/how-older-and-younger-millennials-differ-in-their-approach-to-online-privacy-and-security/#7f2921559aa3
Image: cybernetic-gi.com/phishing-dont-become-someones-big-game/
Users who have LIKED this post:
7 comments on “Spear Phishing”
Comments are closed.
Great article Sinclair! I had heard of phishing before, but now it seems weak in comparison to spear fishing. I think the example you brought up with your friend’s Facebook account was especially troubling, because it means that spear phishing can spread. If one person falls victim to an attack, then suddenly all of their social connections online are also vulnerable; it feels like the spread of a contagious disease. I certainly hope that in the future people will be more proactive about notifying others when their accounts are compromised, which can hopefully mitigate this spread. This actually happened with one of my friends recently, and the first thing they did was notify everyone in their contacts that their account had been compromised; I hope that this can become more of a social standard.
That’s an interesting point, Alex. Perhaps the biggest example of integrated data is on social media, and the majority of people seem to not be fully aware of their privacy settings, which is concerning! This definitely needs to be worked on.
Thank you for the post Chris. I have read there are several ways of pishing. One way is the one you described above but another way is for the hacker to start tracking your movements and see the way you work and who in send you email within your company. Then they send you an email as a “coworker” with a fake Microsoft Word document that has a virus in it and from the moment you open that document all of your information is exposed. They can get into the company’s cloud and everything is exposed. You can check out how they do it here. http://www.informationsecuritybuzz.com/articles/getting-know-phishing-story-eyes-hacker/
Hey Chris – Great article and a great reminder for all of us to remain vigilant! As CTO of a healthcare technology company, we see spear phishing attacks and many other attempts to get at our data on a regular basis, because our data is very valuable to hackers. We employ a number of layers of security to protect our assets, but one very important one is our employees. The approach that you took with your “friend’s” request for money is exactly what we tell our employees to do: if they receive an e-mail with attachments or links to follow, they should use a separate channel to contact the “sender” (or who they think it is – since it may have been spoofed) to see if the e-mail is legitimate.
What are your thoughts about additional technologies that can be used to protect us from these attacks? I think that using machine learning, as has been done pretty effectively for spam e-mail, could help eliminate a lot of these attacks. Thoughts on other approaches?
Great post! I found this very interesting, as I have always wondered what kind of data websites (such as social media sites like Facebook) are collecting about me when I use them. For example, I am always surprised when an ad on my Facebook page shows me a product that I had looked at on a different website the day prior. Every time I see these eye-catching ads running through my newsfeed, I think about how Facebook and my web browser history are sharing information. Even more unsettling is the idea that this data may be private – and now may be used for these “spear phishing” attacks. I read an article (http://www.businessinsider.com/how-to-see-what-facebook-knows-about-you-in-your-ad-preferences-2017-4) that explains some (only some!) of the data that Facebook collects and stores for each of its users. As the article points out, your Facebook account knows the type of smartphone you have, your desktop operating system, and even deduces your political leanings, among other things. The fact of the matter is that we cannot really be sure how secure this information is. And as you have pointed out in your post, hackers are now extracting information from social media accounts in order to directly, specifically, and very personally attack you and/or people that you know. I agree that as millennials, we feel so adept at using the internet and social media. This over-confidence likely causes many of us to neglect some important concerns – who can see what we are doing, where is our personal data being stored, and how can it be used against us? I think it is so important for people to become more educated about the personal data that exists about them online, as this concept of spear phishing is very sophisticated and threatening!
MS&E 238A WEEK 4 PARTICIPATION POST – ELENI MCFARLAND
Great post Chris. Indeed as millennials are becoming more familiar with traditional methods of phishing, hackers are targeting us where we are most vulnerable through spear phishing. Apart from myself experiencing spear phishing attempts quite often recently through fraudulent claims concerning very specific bills, I also think that machine learning could remedy this for its one critical difference from the human thinking process: lack of “unconscious” thinking. As I am currently reading a book which analyzes deficiencies in human ability to “thin slice” through unconscious processing, I couldn’t help but think of its connections to spear phishing as I read through your post. Spear phishing takes advantage of the characteristics of our daily lives and attempts to extract information through the guise of routine behavior. The unconscious is often unable to catch subtle clues because– with the help of personal data accessed through public clouds– the moment after we see the subject of the email, our guard is lowered by its familiarity. ML programs on the other hand treat all data in a similar manner and are not affected by this veil of unconscious processing that hackers take advantage of. It will be interesting how ML will be implemented into everyday cyber security to make even spear phishing obsolete.