Spear Phishing

Marketplace Tech Report ran a story today about the detection of  renewed cyber attacks by the Chinese military against United States government and corporations.  These attacks resumed after a three-month lull.  Earlier this year such attacks drew much publicity, particularly after the Chinese tried to hack into not only American government computers but also major American media computers.

The Marketplace Tech story, however, focused on "spear-phishing", a hacking technique used to gather personal password and gain access to private information.  It involves targeting individuals by email.

Chester Wisniewski, a computer security expert with Sophos and a frequent contributor to Marketplace Tech reports, explained:

 When somebody singles you out as an individual to target with an attack, we call it "spear phishing". They find some way of convincing you that they are the target brand and get you to type in your password and give it to them.

You may have seen email like this, even if you have a spam filter.  I poses as a message from a legitimate website, like your bank or credit card company, saying that a security issue has arisen or a major purchase has been made.  It then directs you to click on an embedded link to obtain more information or contact the company.

This may be easy to spot if you do not have an account with the bank or credit card company, but the email is designed to play on our temptation to contact someone immediately to find out if there is a problem or if someone has used our identity to make purchases on our accounts.  It is playing on our own insecurities in the digital age and our desire to correct things immediately.

If you get an email like this, DO NOT CLICK ON ANY LINK WITHIN IT.  If possible do not open the email; view it in a viewer or reader before opening or scan it with a security program.  The embedded links take you to a website that looks like a real bank or business site, but is designed to get you to enter your username and password.  If you do, YOU have been SPEARED.  The bad guys now have your username and password and can start creating real mayhem with them.

If you want to contact legitimate site for this type of email, do it by going to the site using your computer browser and typing in the URL for the site (or looking up customer service for the company online and going to the site).  Or, call the company.  Remember that the customer service contact information for credit card companies and banks is usually on the back of their credit or debit card.   Do not use the links in the email!

And to end with a final reminder:  change or otherwise secure your user names and passwords!  If you have a lot of them, try using a computer service like Last Pass to keep track of them for you and help you change them frequently.