idea was to infect their machines in China in order to gain access to the
internal network at Google’s world headquarters, in Mountain View,
California. This the attackers did, getting dangerously close to the source
code for Google’s search engine. Google wasn’t alone. Companies such as
Adobe reported similar intrusions. As a result Google briefly pulled its
operations from China. 14
Whenever we get a LinkedIn or Facebook request, our guard is down.
Perhaps because we trust those sites, we also trust their e-mail messages.
And yet, as we have seen, anyone can craft a message that looks legitimate.
In person, we can usually sense when someone is wearing a fake mustache
or hair implants or speaking in a false voice; we have centuries’ worth of
evolutionary instincts to help us detect deception without thinking about it.
Those instincts don’t apply online, at least not for most of us. Sophie Curtis
was a reporter; it was her job to be curious and skeptical, to follow leads
and check facts. She could have looked through the Telegraph’s employee
list to see who the person on LinkedIn was and learned that the e-mail was
probably fake. But she didn’t. And the reality is that most of us are equally
unguarded.
An attacker who is phishing will have some but not all of your personal
information—the little bit he has serves as his bait. For example, a phisher
might send you an e-mail including the last four digits of your credit card
number to establish trust, then go on to ask for even more information.
Sometimes the four digits are incorrect, and the phisher will ask that you
make any necessary corrections in your response. Don’t do it. In short,
don’t interact with a phisher. In general do not respond to any requests for
personal information, even if they seem trustworthy. Instead, contact the
requester in a separate e-mail (if you have the address) or text (if you have
the cell-phone number).
The more concerning phishing attack is one that’s used to trick a target
into doing an action item that directly exploits his or her computer, giving
the attacker full control. That’s what I do in social engineering
engagements. Credential harvesting is also a popular line of attack, where a
person’s username and password are captured, but the real danger of spear
phishing is gaining access to the target’s computer system and network.