It would be easy to make this a “Security Breach of the Week” column. K-mart just revealed that the point-of-sale terminals in 1,300 of its stores have been hacked, meaning that if you used a credit card at a K-mart in the last month your credit card information has been compromised. That news is covered in other places. Today, let’s just go phishing.
In the early days of personal computing no one was thinking about security. When a coder was working on a program, the only worry was getting it to work. When it worked the champagne was uncorked, the product was sold and everyone went on to the next project.
As that pattern of production persisted, the personal computer world began to be populated with wonderful programs that worked but had huge security holes. In those naive and trusting early days hackers came along and exploited those holes to perform practical jokes on one another. During a flight simulator trip for example, a text might pop up that said, “Captain, this is your stewardess, would you like coffee, tea or me?” Everybody had a good laugh and kept working.
Later a transformation took place. Someone discovered that there was money to be made taking advantage of these security holes. They could use them to spread viruses, steal information, eavesdrop on email and other communications and enlist other people’s computers into robot networks called botnets to perform extortion attacks on other computer systems.
As these black hat hackers began to work, white hat hackers tried to stop them. The white hats would alert companies like Microsoft, Adobe and Cisco to the security problems hoping the companies would patch them before the bad guys could take advantage. Thus began a whack-a-mole process of patching software problems which continues to this very day. Microsoft does it on the second Tuesday of every month. If you have a computer and you are not patching, then you will get bitten sooner or later by the black hats.
Since companies are patching these security holes, one might think that would take care of the problem. But where there is money to be made and bad people to make it, there will always be a way. The black hats knew that they needed other ways to get malware into your system. That next method was called phishing. And just as the sound-alike name suggests, it is a way of dangling a hook in front of you and hoping that you will bite.
The first well known phishing expeditions were variations of the famous email “I have money that I would like to bring into the United States and share with you if you would just put up some security money first,” or “You have won the Irish lottery. Please send us a check so we will know where to deposit your winnings.”
As email companies got wise to this kind of scam, they began blocking it. So the bad guys needed a new way to phish for you. They began using your friends to hold the fishing pole. Have you ever received a forwarded email with an attachment of a cute kitten doing something silly? How about some outrageous political story, a moving patriotic message or an inspirational poem? The odds are extremely good that you have been hooked by malware from one of your friends. They probably did not mean to send it to you. In fact, the malware that they downloaded may have sent it to you automatically, but you are just as hooked.
A variation of this attack is called spearphishing. This differs from phishing in that it is not aimed at whoever happens to own a mailbox, but at particular people. For example, if you are a customer of Chase Bank, which admitted to a major breach a few weeks ago, you will likely receive an email message, phone call, text message or letter that appears to be from Chase, telling you of their recent security breach and asking you to provide information in response. Do not take the bait. Call Chase on your own and ask them if they contacted you for any reason.
How do you recognize a phishing attack? You won’t always be able to, but here are four rules to follow:
1) If you did not ask for it, don’t open any attachment.
2) If someone emailed you asking for personal information, do not reply, but call the person or business directly.
3) Never click a link in an email. It may say “ChaseBank.com” but could be taking you to PhishingBank.com.
4) Do not open forwarded email and do not send forwarded email.
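Rule 3 rests on a simple fact: the text you see on a link and the address it actually leads to are two separate things. The short script below is an added example, not part of this column, showing how a mail filter can check that for you. It pulls every link out of an HTML email body and flags any whose visible text names one site while the address points somewhere else. The sample email, the “.example” domains and the two-label domain heuristic are all constructed for illustration.

```python
"""Flag links in an HTML email whose visible text names a different site
than the address they really point to (rule 3 above)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Anything that looks like a domain name inside the link's visible text.
DOMAIN_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.IGNORECASE)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:          # only collect text inside <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_part(host):
    """Crude 'site' identity: the last two labels of a hostname.
    Assumption for this example; production code would use the public
    suffix list so that e.g. co.uk domains are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def find_deceptive_links(html):
    """Return a list of findings, one per link whose displayed domain
    does not match the domain of its href."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.links:
        actual_host = urlparse(href).hostname or ""
        actual_site = registrable_part(actual_host) if actual_host else ""
        for shown in DOMAIN_RE.findall(text):
            if registrable_part(shown) != actual_site:
                findings.append({"shown": shown, "actual": actual_host, "href": href})
    return findings


# Constructed sample email body: one link whose text says "ChaseBank.com"
# but whose address goes to a look-alike site, plus two honest links.
SAMPLE_EMAIL = """
<p>Dear customer,</p>
<p>Please verify your account at
   <a href="https://login.phishingbank.example/verify">ChaseBank.com</a>.</p>
<p>Read our <a href="https://www.chase.example/security">security notice</a>.</p>
<p>Or visit <a href="https://www.chase.example/help">www.chase.example/help</a></p>
"""

if __name__ == "__main__":
    for f in find_deceptive_links(SAMPLE_EMAIL):
        print(f"link shows {f['shown']!r} but goes to {f['actual']!r} ({f['href']})")
```

Only the first link is reported: its text reads “ChaseBank.com” while the address goes to login.phishingbank.example. The second link has no domain in its text, so there is nothing to compare, and the third shows the same site it leads to. A check like this catches the mismatch the rule warns about, but it cannot tell you whether the site that is named is the real one, which is why the rule still says not to click.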
Suggestion for the week: visit www.snopes.com. This is a website where they debunk myths and urban legends. Browse around and see how many of the things you have opened from friends are completely untrue and have been used in a phishing scheme to get into your computer.