In March 2016, at 4:34 am, Hillary Clinton campaign manager, John Podesta, received an alarming email:
“Someone just used your password to try to sign in to your Google Account…You should change this password immediately.”
Personally, I have never kept confidential information in my Gmail account, but seeing this message would alarm even me. Unfortunately, Mr. Podesta committed a cardinal sin in the realm of phishing: he clicked on a link included in the email to reset his password. This was obviously not the real password change URL. Clicking it gave the Russian hackers who had sent the email his current password, which they used to log on to his account and download his messages.
In general terms, this type of attack is called phishing. Variations on this concept include “spear phishing,” which targets a specific individual, and “whaling,” which targets a specific high-ranking individual within the company. This is precisely what happened to Mr. Podesta. These attacks all rely on the target believing the email he is receiving is real and urgent in nature (hence the need for the target to act at once instead of taking the time to verify the information with others).
Variations of “spear-phishing” generally appear to come from “C-level” executives at the company requesting something that typically wouldn’t be done without going through several channels of verification:
- I need the name, SSNs and salaries of all employees NOW!
- Transfer this amount from the corporate account to this account immediately!
When faced with a request from the “CEO,” most employees would not question it; however, upon closer inspection, these requests aren’t really coming from the CEO. They’re coming from email addresses that only look like the CEO’s: firstname.lastname@example.org instead of email@example.com. Notice the difference? A number one “1” is in place of the lowercase “L”. While this is fairly obvious once pointed out, reading this email at 3 am might make you less likely to question it and more likely to just send the information it’s asking for.
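The look-alike substitution described above can be caught mechanically by folding easily confused characters to one form before comparing a sender against the addresses you trust. This is an added example, not part of the original article; the directory entry, the sample headers and the `skeleton`/`classify_sender` helpers are constructed for illustration.

```python
import unicodedata
from email.utils import parseaddr

# Constructed directory of genuine executive addresses (assumption for this example).
KNOWN_SENDERS = {"paul.hill@example.com": "CEO"}

# Characters that are easy to mistake for one another, folded to one canonical form.
# "i" is included because a capital "I" is displayed much like a lowercase "l".
CONFUSABLE = str.maketrans({"1": "l", "i": "l", "0": "o"})


def skeleton(address: str) -> str:
    """Collapse look-alike characters so visually similar addresses compare equal."""
    text = unicodedata.normalize("NFKC", address).strip().lower()
    text = text.replace("rn", "m").replace("vv", "w")  # multi-character look-alikes
    return text.translate(CONFUSABLE)


SKELETONS = {skeleton(addr): addr for addr in KNOWN_SENDERS}


def classify_sender(from_header: str) -> str:
    """Return 'known', 'lookalike of <address>' or 'unknown' for a From: header."""
    _, address = parseaddr(from_header)
    address = address.lower()
    if address in KNOWN_SENDERS:
        return "known"
    imitated = SKELETONS.get(skeleton(address))
    return f"lookalike of {imitated}" if imitated else "unknown"


if __name__ == "__main__":
    # Constructed From: headers, not taken from any real message.
    for header in (
        "Paul Hill <paul.hill@example.com>",
        "Paul Hill <pau1.hill@example.com>",
        "Paul Hill <paul.hill@examp1e.com>",
        "Vendor <billing@example.net>",
    ):
        print(f"{header:40} -> {classify_sender(header)}")
```

A "known" result only means the address string matches. The From: header itself can be forged, so this check complements sender authentication (SPF, DKIM, DMARC) and does not replace it.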
Spear phishing attacks often target HR and/or Accounting departments because users in these departments have the "juicy" information that hackers want: salaries and personal data on other employees that can then be used to target them.
A 2014 FBI report indicates that these types of attacks cost companies more than 200 million dollars. This is fertile ground as demonstrated by the 2016 APWG Global Phishing Survey.
The dips in this graph can be indicative of the time frame after companies fix the flaws that caused the breach. As a result, fewer attacks occur following remediation, but notice what happens as soon as the hackers develop a new method: the number of attacks skyrockets again. Overall, you can see the trend is going in the wrong direction. This is because our approach to security today is generally reactive instead of proactive.
So how can you be more proactive in order to reduce the threat of falling victim to these types of attacks? There are several steps you can take to "harden" your personal security, but the one that gives you the biggest "bang for your buck" can be summarized in three words:
Two-Factor Authentication (sometimes called Multi-Factor Authentication)
If highly classified information passes through your hands, you should have two-factor authentication on every login account where it is available. Two-factor authentication basically requires two pieces to log on to any system:
- Something you know (a password).
- Something you have (a hardware token or even your phone).
By enabling two-factor authentication on your accounts, you prevent hackers from logging in even if they trick you into revealing your password. They now must not only have your password, but they must also have the token that generates your unique code to access your accounts.
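To make the "something you have" factor concrete, the sketch below implements the time-based one-time code that phone apps and many hardware tokens generate (TOTP, RFC 6238) and a login check that requires it alongside the password. This is an added example, not part of the original article; the account record, password and salt are constructed, and the shared secret is the RFC 6238 test key.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds each code stays valid


def totp(secret: bytes, at: float, digits: int = 6) -> str:
    """Time-based one-time code (RFC 6238, HMAC-SHA1) for the moment `at`."""
    counter = int(at // STEP)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed account record: the server stores a password hash plus the
# secret it shares with the user's token or authenticator app.
SALT = b"constructed-salt"
ACCOUNT = {
    "pw_hash": hash_password("correct horse", SALT),
    "totp_secret": b"12345678901234567890",  # RFC 6238 test key
}


def login(password: str, code: str, now: float) -> bool:
    """Succeed only if both the password and a current token code are correct."""
    pw_ok = hmac.compare_digest(hash_password(password, SALT), ACCOUNT["pw_hash"])
    # Accept the current and the previous time step to tolerate clock drift.
    code_ok = any(
        hmac.compare_digest(
            totp(ACCOUNT["totp_secret"], now - drift * STEP).encode(), code.encode()
        )
        for drift in (0, 1)
    )
    return pw_ok and code_ok


if __name__ == "__main__":
    now = 59  # fixed timestamp so the output is reproducible
    print("password + token code:", login("correct horse", totp(ACCOUNT["totp_secret"], now), now))
    print("phished password only:", login("correct horse", "", now))
```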
Those who've used an RSA SecurID hardware token are already familiar with this concept, but most people today use 2FA and don't even realize it. It's called a "chip-enabled debit card". Chip-enabled debit cards are so secure because, in order to use them in an ATM or a store, you must not only have your PIN but also the card with the chip itself. It's something you know and something you have.
While enabling 2FA or MFA does not eliminate the threat from malicious software downloaded when visiting a compromised website, it does give you an added "firewall" that can stop hackers from accessing your accounts if you've been fooled into revealing your password.
Other ways to avoid falling prey to "phishing" attacks in the first place are relatively straightforward, if more onerous to implement:
- Develop a verification process for all important requests (even those coming from C-level executives) and stick to it regardless of who is asking or how much they push you to override it.
- Clearly identify emails that are not internal (the CEO would not likely be requesting confidential data using his external personal Gmail account).
- Train employees to recognize the signs of a fake email.
- Always verify requests by initiating the communication to the sender yourself (call the CEO on a number you know is reliable or email him/her on an internal established email address).
- Keep all systems patched and up-to-date with vendor patches and address all vulnerabilities.
Even with all these walls to break through, some hackers may think that a well-designed lure can make you less suspicious and more willing to bypass going through all the steps in the verification process.
Spear-phishing and especially whaling attacks are most effective when the hackers know a lot about you. Be mindful of what you reveal in your social media profiles. If your LinkedIn profile states that you work at the Pentagon and hold a TS level security clearance, then you are essentially painting a big target on your back. No hacker is going to spend hours doing research on the attendant at your local gas station (no offense to gas station attendants), but they will definitely invest time in finding out everything they can about someone with Top-Secret clearance who works for the DoD. This information will help them determine the best way to fool you.
Although being skeptical of unsolicited emails or calls is a good way to weed out the crudest of attacks, no system is 100% hack-proof. Therefore, the best security is one that is layered, so the attackers must break through several barriers to accomplish their goal. By making it harder and more time-consuming, you are basically motivating them to find a softer target, but only if you force them to jump through all the hoops and don't provide them with shortcuts.
Remember, follow the process and don't be a "phish" or by the time you realize you've been hooked, you'll be in the net on the way to the cooler.