SAN FRANCISCO — Most people know to ignore the e-mail overture/ from a Nigerian prince/ offering riches/ in exchange/ for a bank account number. That is a scam, plain to the eye.
|
http://www.nytimes.com/2011/06/03/technology/03hack.html?ref=business
SAN FRANCISCO — Most people know to ignore the e-mail overture/ from a Nigerian prince/ offering riches/ in exchange/ for a bank account number. That is a scam, plain to the eye.
Secretary of State Hillary Rodham Clinton said the F.B.I. would investigate a series of fraudulent e-mails.
But what if the e-mail appears to come/ from a colleague /down the hall? And all he asks is that you add some personal information to a company database?
This is spear phishing, a rapidly proliferating form of fraud that comes /with a familiar face: messages that seem to be from co-workers, friends or family members, customized to trick you/ into letting your guard down/ online. And it has turned/ into a major problem, according to technology companies and computer security experts.
On Wednesday, Google disclosed that it had discovered and disrupted an effort /to use such pinpoint tactics/ to steal hundreds of Gmail passwords and monitor the accounts of prominent people, including senior government officials. Secretary of State Hillary Rodham Clinton said Thursday that the F.B.I. would investigate Google’s assertion that the campaign originated in China.
Such tactics were also used/ in an attack /on a company /called RSA Security, which (security experts say) may have given hackers the tools / to carry out a serious intrusion/ last month/ at Lockheed Martin, the world’s largest military contractor.
The security specialists say () these efforts are a far cry/ from more standard phishing attempts, which involve spraying the Internet /with millions of e-mails that appear to be from, say, Citibank in the hope of snaring a few unfortunate Citibank customers. Spear phishing entails sending highly targeted pitches that can look authentic because they appear to come /from a trusted source and contain plausible messages.
As such, the specialists say, the overtures접근[제안] are becoming very difficult/ for recipients to detect.
“It’s a really nasty tactic because it’s so personalized,” said Bruce Schneier, the chief security technology officer of the British company BT Group. “It’s an e-mail/ from your mother saying she needs your Social Security number/ for the will () she’s doing.”
Mr. Schneier said the attacks are more like a traditional con game than a technically sophisticated intrusion. “This is hacking the person,” he said. “It’s not hacking the computer.”
Symantec, the computer security company, said it intercepted around 85 targeted attacks/ a day/ in March, including efforts /to steal personal information /through phishing or with links /to nefarious software that could ultimately expose corporate files. The only month with more attacks was March 2009, when a surge coincided with a Group of 20 summit meeting.
Symantec said the most common targets were government agencies and senior managers and executives; the phishing of such big game is commonly referred/ to as “whaling.” Manufacturing firms were the targets of 15.9 percent of the attacks, compared with 8 percent for the financial sector and 6.1 percent for technology companies, Symantec said.
Hackers/ taking aim at corporations are often seeking new product designs and may focus/ on engineers at a defense contractor, for example, to get data they can sell on the black market.
Enrique Salem, Symantec’s chief executive, gave the example of an e-mail/ sent /to the head of a company that appears to be from the Internal Revenue Service. The message raises questions /about the tax implications of an acquisition, and the chief executive passes the message/ to others inside the company. Someone opens the attachment, giving the attacker access /to the company’s internal network.
“It’s about getting you to do something/ to compromise the system,” Mr. Salem said.
In the case of the Gmail attacks, Google said they appeared to originate from Jinan, China, and were aimed/ at users like Chinese political activists, military personnel, journalists and South Korean officials.
The Chinese Foreign Ministry said Thursday that the government had no involvement/ in any such attacks, and that it “consistently opposes any criminal activities that damage the Internet and computer networks, including hacking, and cracks down /on these activities according to law.”
It is not clear how the attackers obtained the Gmail addresses () they used, although they could have been found inside other compromised accounts, including corporate or government accounts whose addresses are often easier to guess.
The attackers may have hoped to find some work-related e-mail/ in their victims’ personal Gmail accounts.
Mila Parkour, an independent security researcher who helped alert Google / to the attacks, said she was tipped off/ to the campaign when one of the victims let her examine some suspicious messages.
That led her/ to discover a fake but convincing Gmail login screen that attackers used/ to dupe targets/ into submitting their passwords. She said the messages indicated that the phishing attempts had begun at least a year before she learned of them — early in 2010.
“I thought () it was interesting because they did it/ for so long,” Ms. Parkour said.
She said she also saw screens that mimicked the login pages/ for the Web portals of corporate e-mail systems.
Companies and individuals can take steps/ to head off attacks. For instance, Google encourages people to use a two-step process that sends a special code /to their cellphone when they log into Gmail. The Defense Department asks its personnel to use a “digital signature” on their e-mails that verifies their identity.
The momentum is on the side of the attackers, given that their forgeries can be realistic and thus irresistible, according to Lt. Col. Gregory Conti, a computer security expert at West Point. He said () one reason () the problem was getting harder to parry was that the people/ sending the messages use the Internet, specifically social networks like Facebook, to gather so much personal information/ about potential targets.
“What’s ‘wrong‘ with these e-mails is very, very subtle,” he said, adding: “They’ll come in /error-free, often using the appropriate jargon or acronyms/ for a given office or organization.”
The way/ to stop such efforts is not clear, Mr. Conti said: “It’s an open problem.”
Victims of spear phishing include people who oversee corporate security, said Larry Ponemon, chairman of the Ponemon Institute, a research company in Traverse City, Mich., that focuses /on data security. He gave the example /of a security technology executive who received an e-mail/ from what appeared to be his employer’s human resources department that asked for personal information/ to make a payment.
Mr. Schneier of BT said () he did not believe () there was an easy and universal fix /for the problem, any more than there was for car theft. He said the personal nature of the attacks made them too seductive.
“Welcome to the world. You cannot stop it,” he said. “Live with it.”
|