When you hear about a phishing attack on e-mail accounts, it's easy to assume that the victim was just too gullible. But as recent attacks on Gmail, Hotmail and Yahoo Mail have demonstrated, the old rule of "don't open attachments or click links from untrusted sources" isn't always enough to fend off a targeted phishing attempt.
Security firm Trend Micro has dissected the attacks to figure out how they worked. Here are a few key takeaways:
Friends Can't Always Be Trusted
Everyone knows to treat certain kinds of e-mails with suspicion, like the one from your bank claiming that it needs to verify your user name and password. But the recent spearphishing attacks on Gmail users were made to look like they came from friends, family, or colleagues. This trick made victims more likely to open attachments and click on links to fake log-in pages.
Sometimes, You're Powerless
In late May, Trend Micro discovered a vulnerability in Hotmail that could compromise a user's account just by previewing an e-mail. The malicious messages, specially crafted for individual targets, triggered a script that could steal e-mail messages and contact information and forward new messages to another account. Microsoft has already patched this vulnerability, but only after real-world attacks were discovered.
In the Gmail attacks, phishers used a vulnerability in a Microsoft protocol to analyze the user's antivirus software. That way, the attackers could tailor their code to avoid detection and take over the victim's computer.
One Phishing Attempt Begets Another
Security researchers suspect that successful targeted phishing attempts can lead to follow-up attacks on the same user, and they'll be more dangerous because the attacker can draw on personal information to sound more convincing.
You're Probably Safe
The recent phishing attacks on Gmail, Hotmail, and Yahoo users were aimed at specific people, including government officials, activists, journalists, and military personnel. Attackers used personal information and specialized code to target specific individuals. Most ordinary users, by comparison, are likely to see simpler phishing attempts on a wide net of targets, in hopes of snaring a few gullible users.
The Usual Tips Still Apply
Aside from using antivirus software to sniff out attacks, Trend Micro recommends looking for spelling or grammatical errors to determine the trustworthiness of an e-mail source. If you click on an external link, pay attention to the URL; the page may look like it belongs to Google, Yahoo, or Microsoft, but the Web address will tell the truth. If you suspect an attack, check your e-mail settings to see if messages are being forwarded to other addresses. And if you use Gmail, you can enable two-step verification for added security.
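The "look at the Web address, not the page" advice above, worked through as an added example that is not part of the original article or of Trend Micro's guidance. It parses each link in a constructed e-mail body and flags links whose visible text names Google, Yahoo, or Microsoft but whose actual hostname is not one of the provider's domains; the allow-list of domains is an illustrative assumption, not a complete list.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed, deliberately short allow-list of registered domains per provider.
EXPECTED_DOMAINS = {
    "google": {"google.com", "gmail.com"},
    "yahoo": {"yahoo.com"},
    "microsoft": {"microsoft.com", "live.com", "hotmail.com", "outlook.com"},
}


def link_matches_brand(url: str, brand: str) -> bool:
    """True only if the parsed hostname is the brand's domain or a subdomain of it.

    Checking the parsed hostname (not the raw string) means lookalikes such as
    google.com.evil.example, google.com@evil.example and evil.example/google.com
    are all rejected, as is anything that is not an http(s) link.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d)
               for d in EXPECTED_DOMAINS[brand.lower()])


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML e-mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html: str) -> list:
    """Return links whose text claims a brand that the hostname does not belong to."""
    parser = _AnchorCollector()
    parser.feed(html)
    return [(href, text) for href, text in parser.links
            if any(b in text.lower() and not link_matches_brand(href, b)
                   for b in EXPECTED_DOMAINS)]


# Constructed sample e-mail body: one lookalike link, one genuine link.
SAMPLE_MAIL = ('<p>Sign in to <a href="http://accounts.google.com.evil.example/'
               'ServiceLogin">your Google account</a> to view the document.</p>'
               '<p>Or open <a href="https://mail.google.com/">Gmail</a> directly.</p>')
```

Calling `suspicious_links(SAMPLE_MAIL)` returns only the first link, because its hostname ends in `evil.example` even though the text and the start of the address both say Google.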