Tuesday, October 8, 2013

Spearphishing: Scamming the Tired, the Stressed, and the Downright Distracted

Tags: spearphishing, social engineering, email scam, security awareness

Another day, another phishing story—but this one made me really mad.

Rohyt Belani, CEO and co-founder of the anti-phishing training firm PhishMe, cited a very narrow spearphishing attack in a recent interview about the dangers of phishing in internal networks: a single employee working the night shift, monitoring his company’s SCADA systems.

According to CIO.com, “the attacker researched the worker's background on the Internet and used the fact he had four children to craft a bogus email from the company's human resources department with a special health insurance offer for families with three or more kids. The employee clicked a malicious link in the message and infected his company's network with malware.”

Scamming the Small Guy

Something here really tugs at my sense of justice. I mean, let’s review the facts:

One, this guy is alone working the night shift. That’s no one’s idea of a good time.

Two, he’s a father of four working the night shift.

Three, the email promised a special health insurance offer for families with three or more kids. Read: a special deal for folks who are strapped and tired and stressed and just trying to make ends meet.

Not cool.

Now, Belani just used this unfortunate gentleman as an example—let's call him "Night Shift Guy"—and went on to talk about the specific dangers of phishing in industrial sectors, where security measures include gems like “Don't tell anybody the phone number.” Sounds like these folks have their own set of major problems to deal with.

But let’s go back to the weary-eyed dad for a minute. To me, the real lesson is this: Night Shift Guy could be me—or he could be you. He could be my dad or your mom. Spearphishers know exactly how to target anyone, and in this case, they homed right in on one guy’s weaknesses.

What's Your Poison?

So what’s your weakness? Are you the bored, shopaholic housewife hoping for that free iPad (it’s not coming, by the way)? How about the over-committed, over-caffeinated exec with an overflowing inbox? A multi-tasker with a mile-long to-do list and click-happy fingers?

Truth is, it doesn’t matter who you are. You have a weakness—and a social engineer is ready to discover and exploit it. Here’s what Belani says:

"You send them something that's targeted, that contains a believable story, not high-volume spam, and people will act on it by clicking a link or opening a file attached to it," he said. "Then, boom, the attackers get that initial foothold they're looking for."

Don’t be Night Shift Guy. Don’t give spearphishers what they want. If it sounds too good to be true, it pretty much is. Delete the email and walk away.

Read more here: http://www.cio.com/article/740402/Spear_Phishing_Poses_Threat_to_Industrial_Control_Systems
