Monday, June 6, 2011

Spear Phishing

About ten years ago I was still working in corporate America when an email warning came down from the company’s Information Technology department warning of a nation-wide virus attack that would arrive as an attachment to an email titled “I Love You.” The folks in IT warned all of us not to open any attachments from unknown senders, and advised that we should just delete any messages with that title for the next few days; they also made a point of warning everyone who had their email set to automatically open all attachments to uncheck the boxes, and in fact included the instructions for how to do that. One might reasonably expect that everyone in the company would have complied with these instructions, especially when a follow-up message came from the senior management team commending the IT department on this timely warning (which had been all over the news for the previous 48 hours already) and ordering everyone to take heed…

You’ve already guessed what happened, haven’t you? Yes, that’s right: nearly every member of senior management opened at least one of these infected emails, and every one of them had their email program set to automatically open attachments. In fact, the officer who sent around the follow-up message and condescending orders opened no less than a dozen of them (or possibly his secretary did, to make him look even stupider than usual). It took our IT people almost two days of working around the clock to get all of the virus packets out of our system, and as hard as it may be to believe, within minutes of their finishing the job and bringing our email back up, a half-dozen people opened MORE infected emails, again with automatically opened attachments, and crashed everything for another couple of days. The following week, people from the IT building went around to every office and deleted the “automatic open” setting whether the user agreed to it or not – which caused some fireworks up in the executive suite, as you might imagine…

It all seems so quaint now, given the way virus attacks, email fraud and identity theft have become part of our lives. But anyone who thinks that the war between online thieves and security people is over really needs to read this article from The New York Times about a new practice called “spear phishing.” These attacks are similar to the more familiar email scams where someone will attempt to convince you to enter your password or personal information into a fake interface (so they can steal your identity, drain your bank account, run up fraudulent charges on your credit card, and so on), collectively known as “phishing” schemes, except that these new outrages are specifically targeted and meticulously researched, in order to make the target think they are legitimate. For many years now the majority of phishing schemes have failed because they are so shoddily constructed in the first place, with absurd grammatical and spelling mistakes, outrageous requests, and idiotic appeals to do things that no sane person would do – and I’ve been wondering when someone would finally realize that even a few attacks that actually work would be better than millions that are automatically deleted, and plan accordingly…

Of course, as time goes on and the race between measure and counter-measure grows ever more complex, there will inevitably come a time when the computer security of this time appears childishly primitive, and the fact that anyone ever fell for a spear phishing attack will seem as quaint as the people who were fooled by the “I Love You” virus do to us now. The real lesson here, I think, is that the ongoing war between hackers and counter-hackers is not likely to end within our lifetimes; if we expect to be considered competent managers and business people (or at least to avoid complete fiduciary misconduct) we will have to continue to learn and adapt, and remain vigilant. Because I can almost guarantee you that the hackers will…