The news has been full of stories recently about hackers breaking into Federal government databases and gaining access to the personal information of millions of current and former federal employees, and maybe government contractors as well.
The employees’ names, addresses, Social Security numbers, employment histories, medical records and other information, security clearances for example, are certainly now in the hands of evildoers.
The initial concern was that the information would be used to gain access to bank and credit accounts, steal intellectual property and uncover the plans and workings of various federal agencies. But a number of cybersecurity experts see another use for this information — Phishing!
Phishing is the art of luring people to a website where questions are asked for supposedly valid reasons. The phishing email appears to be from a legitimate organization or even someone the recipient knows. It entices the recipient to provide information such as user names, passwords, data on financial accounts and the like. The website could even deposit malware on the victim’s computer. Seem unlikely? Just read on.
Many phishing emails are mass mailings with the expectation that some recipients will respond.
These include emails with such subject lines as “Your Reward for Shopping at XYZ Store Due to Expire” or “Correct Your Vision Without Glasses”.
One such email, claiming to be from the New York City Police Department, told the recipients that an automobile registered to them had been clocked at 80 miles an hour at 2 a.m. on the morning of such and such a day. It was imperative, the email said, that the recipient contact the department immediately to resolve the issue and it gave an address to do this.
One recipient was a community civic association; it owned no automobiles, much less one that was speeding in New York City. A quick check showed the URL given to resolve the issue was something like www.trafficviolation.de. It was located in Germany! Hardly likely the NYPD would use a German organization to resolve the city’s traffic violations. But the threatening tone of the message probably caused some recipients to frantically click on the link without thinking. One would assume they were asked for their auto license number, driver’s license, home address, insurance policy data and the like.
The most dangerous phishing, termed Spear Phishing, is aimed at specific individuals or companies. It uses the kind of personal information given up by the hack of the Federal databases. The email seems authentic, as though it were coming from a supervisor, fellow employee, the bank and so forth.
The URL that the user is responding to would appear legitimate. If the database hack disclosed that Federal employee Joe Blow had an account with XYZ Bank, the URL to which Joe Blow is asked to respond might be www.xyzbank.example.com. It looks all right to Joe, and he might go there to answer some questions from his bank. But the URL really takes him to the xyzbank section of the example.com website, because the domain that was actually registered is example.com, not xyzbank. The Phisher has a prize catch.
Another trick used by Spear Phishers to appear legitimate would be to use the URL www.xyzbankk.com. Looks good at a quick glance, but…
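The two tricks above (a bank name used as a subdomain of someone else's domain, and a domain one letter away from the real one) can be checked mechanically before anyone clicks. The following Python is an added example written for this post, not code from the original; it assumes the bank's real domain is xyzbank.com (a constructed value) and simplifies "the registered domain" to the last two labels of the host name, which a production checker would replace with a Public Suffix List lookup.

```python
from urllib.parse import urlsplit

# Constructed sample value: the domain Joe expects his bank to use.
EXPECTED_DOMAIN = "xyzbank.com"


def host_of(url: str) -> str:
    """Extract the lowercase host name; a bare 'www.example.com' is
    accepted by assuming http:// when no scheme is present."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def registrable_domain(host: str) -> str:
    """The domain somebody actually registered.

    Assumption/simplification: taken as the last two labels. A real
    checker should consult the Public Suffix List so that hosts under
    suffixes like co.uk are handled correctly.
    """
    labels = host.split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-letter lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str, expected: str = EXPECTED_DOMAIN) -> tuple:
    """Return (registrable_domain, verdict) for a link found in an e-mail."""
    host = host_of(url)
    reg = registrable_domain(host)
    brand = expected.split(".")[0]
    if reg == expected:
        return reg, "match"
    # The bank's name appears only as a subdomain of a domain someone else owns
    # (the www.xyzbank.example.com trick).
    if brand in host.split(".")[:-2]:
        return reg, "subdomain-spoof"
    # The registered domain is a couple of keystrokes away from the real one
    # (the www.xyzbankk.com trick).
    if edit_distance(reg, expected) <= 2:
        return reg, "lookalike"
    return reg, "unrelated"


if __name__ == "__main__":
    for link in ("www.xyzbank.example.com", "www.xyzbankk.com",
                 "https://www.xyzbank.com/login", "www.trafficviolation.de"):
        print(link, "->", classify_url(link))
```

Run as a script it prints a verdict for each of the four links mentioned in this post; the speeding-ticket link comes back as "unrelated" to the bank, the subdomain link as "subdomain-spoof" with example.com as the real owner, and the extra-k link as "lookalike".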
We will discuss Phishing further in future blogs but readers are encouraged to tell some of their own stories.