Spear Phishing: The Real Danger Behind the Epsilon Data Breach

PHISHING vs. SPEAR PHISHING

Regular phishing may appear to come from a company that you do not have a relationship with. Spear phishing always purports to be from a company you do business with (such as Quad/Graphics in the case of Condé Nast).

Regular phishing starts with Dear Customer. Spear phishing addresses the target by name.

Regular phishing may talk about your frequent flyer miles as a concept. A spear phish will mention your 76,400 frequent flyer miles and you actually have that many.

Regular phishers don't know where you live. An article in the New York Times suggested that data taken from Epsilon could be cross checked with public information to learn your mailing address.

Regular phishing emails target one company. As a result of this huge theft of data, emails like the following may appear:

Dear Groucho Marx,

VictimCompany1 has just teamed up with VictimCompany2 and VictimCompany3 in a new loyalty program. This program offers great savings on products from all three companies. To sign up click this link.

And, of course, since Groucho has a business relationship with all three companies, it appears legit.

Spam blockers can't be counted on to detect a message like this, since it's so personalized. And, it's not spam. In the case of Condé Nast, the bad guys only needed to send one e-mail message to hook their victim.

Spear phishing also seems to be at the root of the RSA data breach where it has been reported that an employee opened an Excel spreadsheet attached to the scam email message.

The spreadsheet contained a Flash file that exploited a bug in Flash to install malware and things went downhill from there. These spear phishing messages were sent to "two small groups of RSA employees".

INTERNET USER GUIDE

This illustrates that there are two actions the bad guys try to get victims to perform: either clicking on a link in the e-mail message or opening an attached file.

Warnings about files attached to email messages have been around forever. If the Internet had a handbook, it would be on page one. The world seriously needs an Internet User Guide.

Another thing Internet users need to know is that reputable companies never request personal information by e-mail.

Here is what some of the companies whose Epsilon data was stolen had to say about this:

Chase: "We want to remind you that Chase will never ask for your personal information or login credentials in an e-mail. As always, be cautious if you receive e-mails asking for your personal information ... It is not Chase's practice to request personal information by e-mail."

Crucial: "We will not send you e-mails asking for your credit card number, social security number or other personally identifiable information. If ever asked for this information, you can be confident it is not from Crucial."

Kroger: Kroger would never ask you to e-mail personal information, such as credit card numbers or Social Security numbers.

Best Buy: Best Buy will never ask you to provide or confirm any information, including credit card numbers, unless you are on our secure e-commerce site, www.bestbuy.com. If you receive an e-mail asking for personal information, delete it. It did not come from Best Buy.
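The two actions the bad guys want (click a link, open an attachment) and the rule that reputable companies never ask for personal information by e-mail are all things a mail gateway or a help desk can check for mechanically before a human decides. The following triage script is an added example written for this article, not code from the author or from any of the companies quoted; it uses only the Python standard library. The sample message is constructed to mirror the Groucho Marx e-mail above, and every address, domain and file name in it is made up (`victimcompany1.example`, `victimcompany1-loyalty.example.net`, `loyalty_program.xls`). The attachment suffix list and the last-two-labels domain comparison are simplifications chosen for the demo.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attachment types that deserve a second look (the RSA case involved a spreadsheet).
# Assumption: an illustrative list, not a complete policy.
RISKY_ATTACHMENT_SUFFIXES = (".xls", ".xlsx", ".doc", ".docx", ".zip", ".exe", ".js")

# Wording that asks the reader for personal information; reputable companies
# do not do this by e-mail, so a hit is a red flag.
PII_REQUEST_RE = re.compile(
    r"\b(confirm|verify|update|provide)\b.{0,40}?"
    r"\b(password|login|credit card|social security|account)\b", re.I | re.S)


class _LinkCollector(HTMLParser):
    # Collects (href, visible anchor text) pairs from an HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    # Crude eTLD+1 (last two labels). Assumption: real tooling uses the public suffix list.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def triage_message(raw):
    """Return a dict of findings for one raw message (bytes)."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = {"link_mismatch": [], "risky_attachment": [], "pii_request": []}
    _, sender = parseaddr(str(msg.get("From", "")))
    sender_domain = registrable_domain(sender.partition("@")[2]) if "@" in sender else ""
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""

    # Action 1: links. Compare where the link says it goes with where it actually goes,
    # and compare the link's domain with the domain the sender claims to be.
    if body is not None and body.get_content_type() == "text/html":
        collector = _LinkCollector()
        collector.feed(content)
        for href, label in collector.links:
            host = urlparse(href).hostname or ""
            if not host:
                continue
            shown = re.search(r"([a-z0-9-]+\.)+[a-z]{2,}", label.lower())
            if shown and registrable_domain(shown.group(0)) != registrable_domain(host):
                findings["link_mismatch"].append(f"text shows {shown.group(0)}, href goes to {host}")
            if sender_domain and registrable_domain(host) != sender_domain:
                findings["link_mismatch"].append(f"sender is {sender_domain}, href goes to {host}")

    # Action 2: attachments with types that can carry active content.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(RISKY_ATTACHMENT_SUFFIXES):
            findings["risky_attachment"].append(name)

    # Requests for personal information in the visible text (tags stripped).
    plain = re.sub(r"<[^>]+>", " ", content)
    findings["pii_request"] = [m.group(0) for m in PII_REQUEST_RE.finditer(plain)]
    return findings


# Constructed sample modelled on the page's Groucho Marx message; every address here is made up.
SAMPLE_EML = b"""\
From: VictimCompany1 Rewards <rewards@victimcompany1.example>
Subject: New loyalty program
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body><p>Dear Groucho Marx,</p><p>VictimCompany1 has teamed up with VictimCompany2
and VictimCompany3. To sign up, visit <a href="http://victimcompany1-loyalty.example.net/signup">www.victimcompany1.example/signup</a>
and confirm your account password.</p></body></html>
--b1
Content-Type: application/vnd.ms-excel; name="loyalty_program.xls"
Content-Disposition: attachment; filename="loyalty_program.xls"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

if __name__ == "__main__":
    print(triage_message(SAMPLE_EML))
```

Run against the sample, the script reports two link findings (the visible text names one domain while the link goes to another, and the link's domain differs from the sender's), one risky attachment, and one request for a password. None of these checks proves a message is a phish; a personalized message with correct details, as the article stresses, will pass a spam filter, so the point of the script is to surface the two dangerous actions and the personal-information request for a human to look at.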

More reasons why phishing scams succeed, and how to defend yourself, next time.
