Learn how to avoid spear phishing attacks, keeping yourself and your company safe from security breaches. On this episode of One-Minute Wednesday, Drew Lawson will explain how the Target security breach occurred, so you can prevent something similar from happening to you.
The Target Data Breach
Many of you have heard about the the Target data breach, where attackers stole personal information for 70 million customers and data connected to more than 40 million credit cards from the retail giant. This data breach originated with a simple phishing campaign launched against one of Target HVAC vendors. Employees were tricked into opening an e-mail and then clicking on an infected link, which installed password-stealing malware on their computer.
Now armed with vendor account passwords, the attackers gained access to Target’s system. From there, they were able to exploit a series of security vulnerabilities to dig deeper into the system, eventually gaining access to database servers and then installing malware on point of sale machines. It’s been estimated that Target’s all-in costs related to this hack could reach more than $1 billion.
Phishing and Email Spoofing
Let’s look at an example of an email phishing campaign and discuss some ways to avoid falling for it. In this example e-mail, we’re being asked to click a link and update our payroll information. The first thing to notice here is that the e-mail looks like it’s coming from our director of human resources.
An example of a phishing email with a spoofed sender address
This leads us to our first tip: don’t trust the display name. Hackers can search your website, Facebook, or LinkedIn to find somebody’s name and job title, and from there, it is trivially easy to forge their email. Forging an email address is called email spoofing, and it’s very common with phishing campaigns. This particular example of spoofing has even picked up the person’s signature, making it appear even more legitimate.
Another thing to notice is this embedded link. If you hover over the link with your mouse, a box will pop up showing you the web address being linked to.
If the address looks weird, don’t click on it. Now you want to pay close attention to these as they are often tailored to seem legitimate. For example, this one is techmd.hrportal.com, which is not what the TechMD HR portal actually looks like, but might trick someone who wasn’t paying attention.
Finally, there are a lot of things that are just weird about this email. First, the writing style is very different from Julie’s, and there are some unusual spelling errors scattered here and there.
Another thing to keep in mind is that you should never be asked to give sensitive personal information like this over an email. If you receive an email like this and suspect that it’s a phishing attempt, you should walk over to the sender’s office to confirm that they sent the email in person, just to make sure. If they’re not in the same office as you, give them a call instead.
Overall, the best defense against phishing campaigns is to stay alert, and always question emails that ask for sensitive information or contain unusual requests.
