data aggregato r cho icep o int so ld private inf o

Info iconThis preview shows page 1. Sign up to view the full content.

View Full Document Right Arrow Icon
This is the end of the preview. Sign up to access the rest of the document.

Unformatted text preview: sed to craf t a scam. It’s likely that a directo ry o f a f irm’s emplo yees, their titles, and o ther perso nal details is o nline right no w via so cial netwo rks like LinkedIn and Facebo o k. With just a f ew mo ments o f searching, a skilled co n artist can piece to gether a co nvincing and co mpelling sto ry. A Sampling of Methods Employed in Social Engineering Imperso nating senio r management, a current o r new end user needing help with access to systems, investigato rs, o r staf f (f ake unif o rms, badges) Identif ying a key individual by name o r title as a suppo sed f riend o r acquaintance Making claims with co nf idence and autho rity (“Of co urse I belo ng at this White Ho use dinner.”) Baiting so meo ne to add, deny, o r clarif y inf o rmatio n that can help an attacker Using harassment, guilt, o r intimidatio n Using an attractive individual to charm o thers into gaining inf o rmatio n, f avo rs, o r access Setting o f f a series o f f alse alarms that cause the victim to disable alarm systems Answering bo gus surveys (e.g., “Win a f ree trip to Hawaii—just answer three questio ns abo ut yo ur netwo rk.”) Data aggregato r Cho iceP o int so ld private inf o rmatio n to criminals who po sed as legitimate clients, co mpro mising the names, addresses, and So cial Security numbers o f so me 145,000 individuals. In this breach, no t a single co mputer was co mpro mised. Emplo yees were simply duped into turning data o ver to cro o ks. Gaf f es like that can be painf ul. Cho iceP o int paid $ 15 millio n in a settlement with the Federal Trade Co mmissio n, suf f ered custo mer lo ss, and ended up abando ning o nce lucrative businesses.G. Anthes, “The Grill: Security Guru Ira Winkler Takes the Ho t Seat,” Co mputerw o rld, July 28, 2008. Phishing Ph ish ing ref ers to co ns executed thro ugh techno lo gy. The go al o f phishing is to leverage the reputatio n o f a trusted f irm o r f riend to trick the victim into perf o rming an actio n o r revealing inf o rmatio n. The co ns are craf ty. Many have masqueraded as a security alert f ro m a bank o r eco mmerce site (“Our Web site has been co mpro mised, click to lo g in and reset yo ur passwo rd.”), a message f ro m an emplo yer, o r even a no tice f ro m the go vernment (“Click here to update needed inf o rmatio n to receive yo ur tax ref und transf er.”). So phisticated co n artists will lif t lo go s, mimic standard layo uts, and co py o f f icial language f ro m legitimate Web sites o r prio r e-mails. Gartner estimates that these so rts phishing attacks co st co nsumers $ 3.2 billio n in 2007.L. Avivah, “P hishing Attacks Escalate, Mo rph, and Cause Co nsiderable Damage,” Gartner, December 12, 2007. Other phishing attempts might dupe a user into unwittingly do wnlo ading dangero us so f tware (malware) that can do things like reco rd passwo rds and keystro kes, pro vide hackers with deeper access to yo ur co rpo rate netwo rk, o r enlist yo ur P C as part o f a bo tnet. One attempt masqueraded as a message f ro m a Facebo o k f riend, inviting the recipient to view a video . Victims clicking the link were then to ld they need to install an updated versio n o f the Ado be Flash plug-in to view the clip. The plug in was really a malware pro gram that gave phishers co ntro l o f the inf ected user’s co mputer.B. Krebs, “‘Ko o bf ace’ Wo rm Resurf aces o n Facebo o k, MySpace,” Washingto n P o st, March 2, 2009. Other attempts have po pulated P 2P netwo rks (peer-to -peer f ile distributio n systems such as BitTo rrent) with malware-installing f iles masquerading as video games o r o ther so f tware, mo vies, so ngs, and po rno graphy. So -called spear phishing attacks specif ically target a given o rganizatio n o r gro up o f users. In o ne incident, emplo yees o f a medical center received e-mails purpo rtedly f ro m the center itself , indicating that the recipient was being laid o f f and o f f ering a link to jo b co unseling reso urces. The link really o f f ered a so f tware paylo ad that reco rded and f o rwarded any keystro kes o n the victim’s P C.C. Garretso n, “Spam that Delivers a P ink Slip,” Netw o rkWo rld, No vember 1, 2006. And with this type o f phishing, the mo re yo u kno w abo ut a user, the mo re co nvincing it is to co n them. P hishers using pilf ered résumé inf o rmatio n f ro m Mo m craf ted targeted and perso nalized e-mails. The request, seemingly f ro m the jo b site, advised users to do wnlo ad the “Mo nster Jo b Seeker To o l”; this “to o l” installed malware that encrypted f iles o n the victim’s P C, leaving a ranso m no te demanding payment to liberate a victim’s hard disk.T. Wilso n, “Tro jan On Mo m Steals P erso nal Data,” Fo rbes, August 20, 2007. Don’t Take the Bait: Recognizing the “Phish Hooks” Web bro wser develo pers, e-mail pro viders, search engines, and o ther f irms are actively wo rking to curtail phishing attempts. Many f irms create blacklists that blo ck access to harmf ul We...
View Full Document

This document was uploaded on 01/31/2014.

Ask a homework question - tutors are online