The Art of the Phish

The face of cyber-crime has changed over the past five years. Back in 2007 virus programs, hacking and malware, which would try to compromise the security of a network or computers, were the major source of problems for any corporation or institution, but things have evolved. Corporations, higher education institutions and the government have become far more technically adept at defending their networks. Through the use of tighter and more efficient controls, the implementation of firewalls and other hardware and software based solutions, it is now much harder to gain control over computer resources from the outside. Unfortunately, there still exist a weak link in the Information Security Chain and that is often the one which sits behind the keyboard: Users.

The "bad-guys" have realized that rather going after resources directly, it is easier to focus on soft targets, which are the humans who use those resources. That means that you and I are the primary focus of their attempt to gain access to computer networks and the information they house. Information is big business, netting criminals over $485 million dollars in 2011 according to the Internet Crime Complaint Center. Those loses only reflect the 314,000 complaints which the IC3 responded to directly, the actual figures have been projected much higher and when the loss in revenue from companies who lost protected information is included the final total is expected to exceed $1 billion.

So why are we humans such an easy target? The "bad-guys" use techniques which humans use to interact every single day. Social Engineering is how we get things done, it is how we negotiate, build relationships and come to agreements, but when misused it becomes a tool of manipulation. The most prevalent method is the use of Phishing emails. Phishing is a hacker term which relates to baiting a victim into giving them what they want. Emails can vary in their components, but they all have the same end goal: to do something you would not normally do or goes against your best judgment. Phishing emails are often alarmist, telling you that your account access may be cut off, that your financial transaction has failed, that there is an outstanding bill, etc. Alternatively they offer you things that are ‘too good to be true’: free vacations, payments waiting to be picked up, pictures of your favorite tennis star.

The sophistication of Phishing is ever increasing. While a few years ago emails would be grammatically incorrect and misspellings would be rife, now many are perfectly formatted and use the official graphics of places like Western Union, Banks or postal carriers. Many may even address you by name, or appear to come from your own institution.

There are some key steps to take:

  1. Listen to your instincts – If something seems off, pay attention to it.
  2. Do not click on any links – If the email has hyperlinks, simply hover your cursor over them for an instant without clicking. Your email client will reveal the destination and you can often tell that it is not legitimate.
  3. Do not open any attachments – Many of these can contain malicious code which can compromise your computer.
  4. Never send your password – No company or institution will ever ask for your password. Ever.
  5. If you do get Phished act immediately – Change your password through the official website and notify Information Security or ITS Service Desk at x4357.

Being aware is the greatest weapon in your arsenal against Phishing!

Notheastern’s Information Security team often will send tweets out on @SecureNU and post on their website www.northeastern.edu/securenu when a new or particularly devious Phishing email is received. Use those resources to your best advantage and don’t take the bait.

Posted in 2012 December IS Newsletter and tagged , , .