Monday, July 1, 2013

The Damage Caused by Clicking a Link

So our recent security awareness exercise has a lot of people thinking about everything they do on the computer. And rightfully so. Nearly 30% of my company’s users who received the email clicked on the link, and were warned that they had opened a “phishing” site. Now, that email was fake, and therefore harmless. But there will be cases where a real phishing email is sent.

Let’s explain what “phishing” is. It’s a type of information-gathering technique, designed to trick people into providing valuable information for reasons that seem valid but are not. The techniques range from claiming there has been a breach and that you need to change some part of your profile, or your password, or some such, to asking for seemingly innocuous information such as your name, email address, or other data. A basic phishing attack doesn’t need to implant a virus, Trojan or other malicious code. It just gathers information and then goes to work.

So let’s take into account a basic link you click on, similar to the one in last month’s exercise. If an email like this was sent to every possible combination of “companyx.com” email addresses, clicking tells the attacker a lot of information. By clicking on the link, you have confirmed that your email address exists. From there, they know your name – after all, an email address of “jack.rock@companyx.com” makes it easier to guess that my name is “Ryan Cash”. So now, the attacker knows my name, and the company for which I work.

Next, it’s a simple matter of taking that information to LinkedIn. Very few people hide much information on LinkedIn, as a lot of professionals use it as a way to be found by recruiters. So that site shows what I do for CompanyX, my previous jobs, possibly my certifications/education, probably a picture, and at least a general idea where I live.

Scared yet? You should be. Now that they know where I live, what I look like and my name, it’s not a big jump to go to Facebook, since a huge number of people are on it. The attacker can look at my pictures, and if my privacy settings aren’t set carefully (and routinely reviewed), a lot of personal information can be seen: information like children’s names, pet names, spouse names. And a HUGE number of people (including many who are reading this article) use these items as the basis for passwords, so they can more easily remember them.

Now, if the attacker has any password-cracking tools (they are easy to get, and freely so), they can feed this information into the tool and start running millions of guesses a second. With a child’s name of five letters, that’s five letters out of 12 that they don’t have to guess – cutting their work almost in half.

Now, we do have protections against this type of password-guessing scheme, but we can’t rely on those alone. And even with them in place, there are other things an attacker can do with that same information.
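One protection that doesn’t depend on lockout is refusing passwords built from the very details an attacker can collect from a public profile. The following is an added example (not code from the original post): a small password-policy check that takes a user’s known personal details, looks for them inside a proposed password (including simple letter-for-digit substitutions), and reports how many characters of the password would still be unknown to someone who already has those details. The profile, the names in it, and the function names are all constructed for the example.

```python
"""Password-policy check against personal details (added example, not the post's code).

Given a profile of details that a public LinkedIn/Facebook page could reveal,
reject any password that contains one of them, and report how many characters
of the password remain unknown to someone who already holds the profile.
"""
import re

# Constructed sample profile; the kind of data the article describes being
# assembled from an email address, LinkedIn and Facebook.
SAMPLE_PROFILE = {
    "name": "Ryan Cash",
    "company": "CompanyX",
    "children": ["Emily"],
    "pets": ["Rover"],
    "spouse": "Laura",
}

# Common letter-for-digit/symbol substitutions, undone before matching so that
# "R0ver" is treated the same as "rover".
LEET = str.maketrans({"4": "a", "3": "e", "0": "o", "1": "i",
                      "$": "s", "@": "a", "!": "i"})


def normalize(text):
    """Lowercase and undo simple substitutions so matching is case/leet-insensitive."""
    return text.lower().translate(LEET)


def personal_tokens(profile):
    """Split every profile value into words of 3+ characters, normalized."""
    tokens = set()
    for value in profile.values():
        items = value if isinstance(value, list) else [value]
        for item in items:
            for part in re.split(r"[\s.\-_]+", item):
                if len(part) >= 3:
                    tokens.add(normalize(part))
    return tokens


def check_password(password, profile, min_unknown=10):
    """Return which personal tokens appear in the password and how many
    characters would still have to be guessed by someone holding the profile.

    A password is accepted only if no personal token appears in it and at
    least `min_unknown` characters remain unknown.
    """
    norm = normalize(password)
    matched = sorted((t for t in personal_tokens(profile) if t in norm),
                     key=len, reverse=True)

    # Mark every character covered by a matched token (longest tokens first).
    covered = [False] * len(norm)
    for token in matched:
        start = 0
        while True:
            idx = norm.find(token, start)
            if idx < 0:
                break
            for k in range(idx, idx + len(token)):
                covered[k] = True
            start = idx + 1

    unknown = covered.count(False)
    return {
        "matched": matched,
        "unknown_chars": unknown,
        "accepted": not matched and unknown >= min_unknown,
    }


if __name__ == "__main__":
    for candidate in ("Emily2013!!!", "R0ver!!Cash", "correct-horse-battery"):
        print(candidate, "->", check_password(candidate, SAMPLE_PROFILE))
```

The check is deliberately narrow: it only catches passwords that embed details the organization already knows about the user (for example from an HR record), which is exactly the data the article shows an attacker collecting. It complements, rather than replaces, lockout and a general weak-password list.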

So BEFORE you click on a link, or open an attachment, in an email that just seems “weird”, call the helpdesk and ask about it. If an attack is real, then clicking on a link at all is dangerous, even if you close the browser immediately.