Dear Craig,
Welcome to CN Consulting's "Cocktail Talk". Cocktail Talk is a casual monthly newsletter intended to arm you with amusing bits and bytes of information on what's happening in the computer world. Topics sure to break the ice and capture an audience at many a social or business event.
There are buttons below to do things including unsubscribe. If you unsubscribe you will be immediately removed from our email list and may end up hanging around a soggy fruit tray sipping warm beer, alone, at your next Cocktail Party. But that's your call, and that's Cocktail Talk.
Spear Phishing
Using trickery to get a specific someone to give up
confidential information is called Spear Phishing.
Case in point: A client is on vacation and visiting a friend. The friend is an eBay user, and while they're together he gets an email to his Gmail about something on eBay. But it's really Spear Phishing. He clicks the link, his Gmail account becomes inactive, and while he's trying to figure that out someone uses his account to buy cheap cell phones for $1,000 each on eBay. eBay caught it so he's not liable, but now he's stuck with "lost my wallet" issues, and if you've ever been there you know what that's like.
Somebody had a plan to dupe an eBay user by sending them an innocent-looking email pretending to be eBay. The attachment made it through AV screening and became the responsibility of the recipient. It seemed right, routine even, and he opened it. Then the crook bought cell phones from his own crooked eBay listing hoping to cash in on thousands of dollars. Spear Phishing is used in lots of other ways too.
CitiBank will not email you asking you to confirm your account information because they had a computer problem. There's a long list of reasons why but this one should be enough. CitiBank would never ever admit a mistake of any kind. Believe it or not, it's probably just the Russians trying to steal from you. But how do they know you use CitiBank?
AirTran Airways got Spear Phished. Executives there received emails phishing for confidential information. The U.S. Department of Energy got Spear Phished. The criminals knew exactly who they were after and targeted their attack. The FBI and MI5 are onto Spear Phishing as espionage and have tracked attacks back to China.
Not too long ago a campaign headquarters in Colorado was targeted. One group didn't like the politics of the other and cyber attacked them to cripple their network during elections. Not phishing, but an excellent example of a targeted attack. Causing the right damage at the right time. Just like the spit-ball pitcher in baseball who throws one junk pitch to change the outcome of a game.
So what about you? The Russians and Chinese couldn't fool you, could they? Facebook, LinkedIn, MySpace and Google give them more than enough dirt on you to act all buddy-buddy. Go ahead and play spy on yourself. Google yourself, your company, organizations you belong to.
Cyber Espionage, by well-resourced organizations,
particularly using Spear Phishing, is ranked the #3 Cyber Security
Menace for 2008 by the SANS Institute.
Maybe you feel you're too small to be a target, but that's your call, and that's Cocktail Talk.
Craig Phillips CN Consulting, Inc.