Tuesday, February 19, 2013

Spearphishing: The dirty email trick favored by the nastiest hackers

If you consider yourself a proficient internet user, you probably know to watch out for phishing attempts — mass email campaigns that try to get you to hand over personal financial information, such as a credit card number, or to click on a website link that lets malware steal information from your computer. They usually arrive as email messages riddled with spelling errors and terrible formatting.

Now comes a newer, subtler and more dangerous threat: spearphishing. Spearphishing is often aimed at tricking specific individuals into opening a malicious file. It could be, for instance, a booby-trapped PDF file or Word document which, when opened, secretly and silently installs spyware on your computer.

Spearphishing is increasingly used by totalitarian governments seeking to spy on individuals and to infiltrate computers belonging to government agencies in other countries. Sophisticated criminal organizations have also started using the technique to obtain valuable financial information.

Once installed, the malicious spyware code opens a backdoor, giving hackers remote access to all the files on your computer, as well as the ability to capture every keystroke, to steal passwords, and to read everything on your screen.

But why would anyone be fooled into opening such an email? The message is crafted to look and sound just right, so that the recipient is duped into clicking a link or opening an attachment, and their computer is compromised.

For instance, imagine you were a reporter covering human rights abuses in China. I simply send you an email (with a booby-trapped attachment), forge my 'from' address so you believe the email has come from a human rights group, and tell you in the body of the email that the attachment contains shocking details of human rights abuses in China. If you click on the link or open the attachment, I can then read all the information on your computer, including the identities of dissidents who may be supplying you with information.

Similarly, if you were a military supplier, I might make my email appear as though it came from a sister company or another supplier and use the access to your computer to gain vital military intelligence.

Some experts say that company employees and individuals who use cloud-based, shared document apps like Google Docs can be sitting ducks for spearphishing attempts. In the first place, Google Docs is a very convenient lure for tricking end users into divulging passwords, because it is such a trusted source. Also, Google Docs connections are HTTPS-encrypted, so Web-filtering gateways cannot scan their content for malicious material.

While spearphishing may currently be used by governments and sophisticated criminal organizations against specific targets, we can expect large-scale hackers to begin using this technique to harvest financial data and other sensitive information from members of the general public. The best precaution is to examine messages, especially those carrying attachments or containing links, very closely: make sure you are viewing the entire file name of an attachment before opening it, confirm that messages from people you know are genuine, and be especially wary of messages from people you do not know.
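The checks in the paragraph above, as an added example that is not part of the original post: a small Python script that parses a raw message with the standard library, flags a Reply-To domain that differs from the (possibly forged) From domain, and reports attachments whose full file name ends in an executable or macro extension hidden behind a document-like one. The sample message, its domains and the attachment name are constructed for the demonstration and are not real indicators.

```python
from email import message_from_bytes, policy, utils

# Extensions that run code or carry macros, and the document-like ones a
# double extension such as "report.pdf.exe" tries to imitate.
RISKY_EXT = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta", ".docm", ".xlsm"}
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}

# Constructed sample in the style the post describes (not a real message):
# a sender posing as a rights group, and a "report" that is really an
# executable. The base64 body is a placeholder, not a real payload.
SAMPLE_EML = b"""From: Rights Monitor Group <alerts@rights-monitor.example>
Reply-To: contact@mailbox-free.example
Subject: Shocking details of abuses (see attached)
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/plain

Attached you will find the full report.
--B
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="abuse_report.pdf.exe"
Content-Transfer-Encoding: base64

SGVsbG8=
--B--
"""


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def analyze(raw):
    # Returns human-readable findings for one raw RFC 5322 message.
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    _, from_addr = utils.parseaddr(str(msg.get("From", "")))
    _, reply_addr = utils.parseaddr(str(msg.get("Reply-To", "")))
    # A forged From with replies steered elsewhere is a common spearphishing tell.
    if reply_addr and domain_of(reply_addr) != domain_of(from_addr):
        findings.append(f"Reply-To domain '{domain_of(reply_addr)}' differs "
                        f"from From domain '{domain_of(from_addr)}'")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        pieces = name.lower().split(".")
        ext = "." + pieces[-1] if len(pieces) > 1 else ""
        if ext in RISKY_EXT:
            findings.append(f"executable or macro-enabled attachment: {name}")
            # The full name shows what a truncated display would hide.
            if len(pieces) > 2 and "." + pieces[-2] in DOC_EXT:
                findings.append(f"document-looking name hides executable extension: {name}")
    return findings
```

Run `analyze()` over any raw `.eml` bytes; an empty list means none of these particular tells were present, not that the message is safe.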