Phishing
BeckyStrause
Sea spearfishing (phishing) isn’t what it used to be. In our recent past, spearfishing was simply an ancient method of fishing that was used throughout the world. But now the phrase hangs like a warning sign on the door of the internet.
The SEA (Syrian Electronic Army), a hacker group that is aligned with President Bashar al-Assad, has recently been targeting phishing attacks against various domains. Those domains include: The New York Times, Twitter, The Huffington Post, and Melbourne IT. They have also hacked into websites or Twitter accounts of various media organizations, including the Financial Times, the Associated Press, The Guardian, BBC, NPR, and Al Jazeera. The Onion was also targeted, and shared an honest response on how it happened.
The technique they are using in these attacks is one of the most simple and oldest ones in the book. They send out an email, or several emails, saying something to the effect of, “you should see this article,” with a link in it. The unsuspecting person clicks the link, is redirected to a URL asking for his email credentials to continue, which he enters, and now the hacker has his account info including password. And POW! The hacker has all the info he needs to access that person’s email, and send an email out to all his contacts. When the rest of the company gets an email with another phishing link in it, they’re more likely to open it because it’s from a colleague. That’s when things can really get crazy.
Here’s a bit of The Onion’s story from when they were attacked:
Once the attackers had access to one Onion employee’s account, they used that account to send the same email to more Onion staff at about 2:30 AM on Monday, May 6. Coming from a trusted address, many staff members clicked the link, but most refrained from entering their login credentials. Two staff members did enter their credentials, one of whom had access to all of our social media accounts.
After discovering that at least one account had been compromised, we sent a company-wide email to change email passwords immediately. The attacker used their access to a different, undiscovered compromised account to send a duplicate email which included a link to the phishing page disguised as a password-reset link. This dupe email was not sent to any member of the tech or IT teams, so it went undetected. This third and final phishing attack compromised at least 2 more accounts. One of these accounts was used to continue owning our Twitter account.
The lesson here is: don’t click any links you may be unsure of .
Things with phishing aren’t quite what they used to be. There was a day when an email would say something like, “Click here to verify your information or your account will be terminated.” They would often be comprised of bad grammar and spelling, and if you took a second you could see that things looked fishy. It seems that perhaps cyber criminals are getting smarter, and learning to spell, because it’s not so easy anymore.
The best thing to do is: don’t click on any links you may be unsure of.
A few sources have articles on ways to tell if an email may be a phishing email. Microsoft gives info on recognizing phishing in emails, links and even phone calls. The Return Path blog has some tips, as does wikiHow. However, if there’s ever any question whether or not a email you receive is not legitimate, the easiest way may be to contact the person who sent it and ask them directly.
The last bit of advice is: don’t click on any links you may be unsure of.
Sorry for being repetitious, but it bears repeating. And please consider this a warning sign, please heighten your security, question any suspicious emails, and when in doubt don’t click the link!
