When Hackers Call You By Name

Lots of us have heard of the cybersecurity term "phishing", which refers to the attempt by malicious folks to take over our personal and work on computers by tricking us into clicking on a malicious web address link. But what is spear phishing and why is it even more dangerous? And just how likely are we to be a target?

Sadly, as Internet users have become more careful and cautious about clicking on strange or unknown web links in emails, the bad guys have had to respond by upping their game. By spending a bit of time getting to know you, finding you on Facebook, Twitter, LinkedIn and other social networks, they’re able to put together a profile and craft a phishing message based on your personal information that they hope looks too good for you to resist. Like a targeted fish in shallow water, they hope to get you get your computer speared by their patient, selective attack.

The Story of Betty the Business Woman

Betty was always cautious when she got those strange emails that wanted her to click on the supplied link.  "Your credit card was declined. Click here!" or "Here is the file you asked for. You can download it here" were no match for her phishing skills. She knew to never click on links from people she didn’t know, she didn’t trust links in unsolicited emails, and she even knew how to hover over and inspect the link, recognizing that ‘someplace.ru/mybank.com’ was clearly not the same as ‘mybank.com’.

But a few days after she attended the business conference in Chicago, she received an email from a Harry who said he had met her. Harry mentioned the workshop session she had spoken at and even told her how much he valued her information in his own business. Harry said he’d applied some of her ideas to his company and wanted her to click on the link to the page with that information so she could see her great ideas being put to work elsewhere. Clearly Betty had made a big impression, and she didn’t want to let a fan and fellow professional down. And she clicked…

And her PC was taken over by a Russian organized crime syndicate.

Betty was spear phished.  What Betty didn’t know is that her company was being carefully targeted by a group that had taken well-planned steps to trick her.

Spear Phishing Betty’s Computer in Eight Steps

1. Found her name in a company press release announcing she would be speaking at an upcoming industry conference event.
   
2. Researched the company she works for and called the helpdesk, pretending to be an employee asking for information on what anti-virus she should see running on her work laptop.
   
3. Visited the conference website and downloaded the presentation slides.
   
4. Found Betty’s information on Facebook and located an older presentation she gave to the town Chamber of Commerce on YouTube where she spoke about her business, position and family in her introduction.
   
5. Put together a detailed profile on Betty, her location, position, travels, family details, personal description and a profile of her tendencies.
   
6. Crafted an email message that carefully integrated each of these components with the goal of overcoming Betty’s cautious nature.
   
7. Placed a link in the email to a brand new version malware that was developed to bypass her company’s anti-virus software.
   
8. Delivered the malware into her laptop when she selected the link, taking over total control and giving them access to her files and the company network without her knowledge… or her employers!

Betty’s case almost sounds like a plot in a blockbuster film, yet it’s precisely the scenario that hackers had used in order to exploit one of the nation’s largest financial institutions this past year.

What Can I Do?

• Never trust a link you didn’t ask for, no matter how compelling and tempting it is.
• If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Contact the company using information provided on an account statement, not information provided in an email. Information about known phishing attacks is available online from groups such as the Anti-Phishing Working Group. Report phishing to the Anti-Phishing Working Group (APWG)
• Keep a clean machine. Having the latest operating system, software, web browsers, anti-virus protection and apps are the best defenses against viruses, malware, and other online threats.
• Remember that what you share with social networks is shared with the world. Organized crime, nation state hackers and other malicious actors are increasingly using your shared information in order to use you to attack your employer. If you don’t want it known by them, don’t put it out there.

What If I Suspect  I’m A Victim?

• Report it to the appropriate people at financial institution, credit card company or merchant you believe is affected. They can help advise you on suspicious or unusual activity.
• If you believe your financial accounts may be compromised, contact your financial institution immediately.
• Watch for any unauthorized charges to your account.

For more helpful tips on Cyber Security, be sure to follow the @ABABankers Twitter account and use the hashtags #NCSAM.