Posted by: Ken Harthun
Clickjacking, Security, security awareness, Trust No One, Web 2.0 Security
The security threat formerly known as “spear phishing” is now called “weaponized email,” and it’s a bad, bad thing made worse by Web 2.0 and the social networking sites. As you probably know, spear phishing is an email attack that targets a specific organization or demographic. A couple of years ago, we had these things targeting dentists, doctors and other professionals: messages from purported “hit men” who had developed a conscience and would agree to forgo the hit in exchange for “protection” money — a classic extortion scheme. With the meteoric rise of Web 2.0 social networking sites like Facebook, MySpace, Twitter, the Ning networks and what have you, the game has changed.
Consider this (based on an actual incident): You’re employed by a financial firm; you have a Facebook page; you’re the coordinator for the annual company picnic; and, many of your co-workers also have Facebook pages and are in your group of friends. Sounds OK, right? Just a gathering of co-workers on a social network.
Well, think again. The cyber-criminals had a field day with it.
The crooks noticed this social circle, noting that its members all worked for a firm that might be a good target. Attempts to hack the group’s Facebook accounts were rewarded with a successful break-in to the account of the picnic coordinator I mentioned above. The criminals were now able to impersonate the victim. They sent messages to the victim’s friends with a subject similar to “Look who I caught on camera at the company picnic.” The messages contained what looked like a link to some photos, but it was really a link to a malicious site that delivered malware in the form of a keylogger program.
You’re a friend of the victim, and you get a message from them. No problem, they’re your friend on Facebook and a co-worker whom you trust. Naturally, you think it’s safe, so you open the email and click on the link. You’re infected with a keylogger program. On your company laptop. That you use to access the corporate VPN at home and on the road.
Tonight, you have a report that’s due and you’ve just finished it, so you log into the VPN, access the secure data repository and upload your file. The bad guys have a complete recording of everything you just did…
The criminals used the captured credentials to log in to the corporate VPN and spent the better part of two weeks mapping the network to see what they could steal. The good news is that the slime bags were discovered, but not before they had already compromised two of the central database servers and taken full control of them.
Trust no one and never click links until you are sure where they lead.