If you have an email address, you’ve probably been the target of a phishing scam. Online phishes are social attacks delivered through email or a website that attempt to scam potential victims into divulging sensitive information such as logins, passwords or personal information. This information can be used to commit identity theft or to establish a beachhead into a network.
Notable breaches that used phishing as an attack vector are the Operation Aurora attack on Google, the compromise of RSA’s SecurID two-factor authentication product, and the attack on Target’s point-of-sale infrastructure through a subcontractor’s virtual private network account.
How do phishing attacks work?
An email-based phish typically arrives as a message containing an attachment or a link to a website. A message containing an attachment is often titled to pique curiosity with phrases like "2015 budget," "market strategy" or "restructuring plan."
A message with a link might pose as a delivery notice, order status or account expiration warning. The content might coincide with an event, such as a false reminder of a tax break near the filing deadline, a donation request after a natural disaster or a special deal around the announcement of the latest, greatest smartphone.
Opening the file or clicking on the link can launch malicious software whose activities might include logging keystrokes, leaking sensitive files or attacking other systems on the local network. Alternatively, the destination of the link masquerades as a legitimate website, prompting the target to enter information such as a login, password or credit card number.
Detecting phishing attacks
The ultimate defense is education and being able to spot the indicators of a phish. Is the message from someone you know? Are there any grammatical or typographical errors? When you hover over the link, does the URL in the bubble match the link included in the message? Does the message ask for sensitive information?
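One way to automate the hover-over check described above, as an added example that is not code from the column or its author: the script below parses an HTML email body, pairs each link's visible text with its real href, and flags links whose displayed domain differs from the target domain or whose target is a bare IP address. The sample message, the domain names in it and the two-label approximation of a "registrable domain" are constructed assumptions for the illustration.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of an HTML email body (not a real message); the
# IP address and domains use documentation ranges and test TLDs.
SAMPLE_EMAIL_HTML = """
<p>Your package could not be delivered. Track it here:
<a href="http://198.51.100.23/track">https://www.example-courier.com/track</a></p>
<p>Or visit <a href="https://www.example-courier.com/help">our help page</a>.</p>
<p>Update your account:
<a href="https://example-courier.com.evil.test/login">example-courier.com</a></p>
"""

# Matches something that looks like a URL or bare domain inside link text.
DOMAIN_RE = re.compile(
    r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.IGNORECASE
)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None
            self._text = []


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels.
    Assumption: no public-suffix list is used, so 'example.co.uk' would
    reduce to 'co.uk'; adequate for this illustration."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def domain_in_text(text):
    """Return the domain the link text appears to point at, or None when
    the text is ordinary words such as 'our help page'."""
    match = DOMAIN_RE.search(text)
    return match.group(1).lower() if match else None


def is_ip_literal(host):
    """True when the host part of the URL is a raw IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyze_links(html):
    """Return findings for links whose visible text disagrees with the real
    target domain, or whose target host is a bare IP address."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target_host = urlparse(href).hostname
        if not target_host:
            continue
        reasons = []
        if is_ip_literal(target_host):
            reasons.append("ip-literal-host")
        shown = domain_in_text(text)
        if shown and registrable_domain(shown) != registrable_domain(target_host):
            reasons.append("display-target-mismatch")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyze_links(SAMPLE_EMAIL_HTML):
        print(f"{', '.join(finding['reasons'])}: '{finding['text']}' -> {finding['href']}")
```

On the constructed sample the first and third links are flagged; the second, whose text is plain words and whose target is the expected domain, passes. A production mail filter would replace the two-label heuristic with a public-suffix list and would also compare the link against the sender's domain.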
Companies can institute awareness training to get employees more familiar with phishing attacks. To enhance the training and effectiveness, organizations can simulate phishing attacks, creating a teachable moment when someone takes the bait. Rather than getting infected with malware, the employee is directed to training material focused on the particular attack.
——
Vincent Hoang is an enterprise architect at Hawaiian Telcom, a Certified Information Systems Security Professional (CISSP), GSNA Systems and Network Auditor (GSNA) and Cisco Certified Network Professional (CCNP). Reach him at vincent.hoang@hawaiiantel.com.