pixel, a tiny dot of an image, invisible to the eye, like those I said could be
found on websites and used to track you online. When that tiny dot calls
out, it tells a tracking server in a remote location, which could be anywhere
in the world, what time you opened the e-mail, how long it remained on the
screen, and on what device you opened it. It can also tell whether you
saved, forwarded, or deleted the message. In addition, if the scenario used
by the pen-test team had been real, the attacker might have included a link
through which Curtis could have visited a fake LinkedIn page. This page
would resemble a real one in every respect except that it would be hosted
on a different server, perhaps in another country.
For an advertiser, this Web bug can be used to gather information about
(and therefore profile) the recipient. For attackers, it can be used to obtain
the technical details they need to design their next attack, which would
include a way to get inside your computer. For example, if you are running
an old version of a browser, there may be bugs that can be exploited.
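As an added illustration of the Web bug described above (this is not code from the book), here is the kind of check a mail client or gateway could run before fetching remote images, flagging `<img>` tags that are tiny, hidden by CSS, or carry an opaque per-recipient token in their URL; the HTML sample and host names are constructed.

```python
"""Flag likely tracking pixels (web bugs) in an HTML e-mail body."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class PixelFinder(HTMLParser):
    """Collect <img> tags that look like web bugs: a remote source that is
    rendered tiny or hidden, or whose URL carries a long opaque token."""

    def __init__(self):
        super().__init__()
        self.suspects = []  # list of (src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        parsed = urlparse(src)
        if parsed.scheme not in ("http", "https"):
            return  # cid: and data: images cannot phone home
        reasons = []
        w, h = a.get("width", "").strip(), a.get("height", "").strip()
        if w in ("0", "1") or h in ("0", "1"):
            reasons.append("1x1 or zero-size image")
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by CSS")
        # A long run of opaque characters usually identifies the recipient.
        if re.search(r"[A-Za-z0-9_-]{24,}", parsed.path + " " + parsed.query):
            reasons.append("opaque per-recipient token in URL")
        if reasons:
            self.suspects.append((src, reasons))


def find_tracking_pixels(html: str):
    """Return [(src, reasons)] for every suspicious remote image."""
    finder = PixelFinder()
    finder.feed(html)
    return finder.suspects


# Constructed sample message: one 1x1 tracker, one hidden tracker,
# one inline logo and one ordinary banner image.
SAMPLE = """<p>Hi Sophie, please see the attached report.</p>
<img src="https://track.example.test/o/9f8a7b6c5d4e3f2a1b0c9d8e7f6a5b4c.gif" width="1" height="1" alt="">
<img src="cid:logo@mail" width="120" height="40">
<img src="https://cdn.example.test/banner.png" width="600" height="120">
<img src="https://track.example.test/v.png" style="display: none">"""
```

A client that blocks remote images by default defeats all of these; the check above is useful where images must be fetched and you want to log or strip the callers-home first.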
So the second e-mail Curtis received from the pen testers included an
attachment, a compressed document set to exploit a vulnerability in the
software that was used to open the file (e.g., Adobe Acrobat). When we
speak of malware, most people think of the computer viruses of the early
2000s, when a single infected e-mail could spread additional infected
e-mails to everyone on a contact list. These types of mass-infection attacks
are less common today, in part because of changes to e-mail software itself.
Instead, the most dangerous malware today is much more subtle and often
targeted and tailored to an individual. As it was in the case of Sophie Curtis.
The pen testers used a special form of phishing called spear phishing,
designed to target a specific person.
Phishing is the criminally fraudulent process of trying to obtain sensitive
information such as usernames, passwords, and credit card or bank
information. It has been used against CFOs who are duped into wiring large
sums of money because the “CEO” has authorized the transfer. Usually, the
phishing e-mail or text message includes an action item such as clicking a
link or opening up an attachment. In Curtis’s case the intent was to plant
malware on her computer for the purpose of illustrating how easy it is for
someone to do this.
One of the most famous phishing schemes was Operation Aurora, in
which a phishing e-mail was sent to Chinese employees of Google. The