Phish in a barrel: Why you should always strive for online safety

Posted Dec 20, 2012 by chenpr

As my colleague Jennifer was explaining in her most recent post, working with security clients keeps online safety always in the forefront of our minds. It is impossible to not let the lessons we learn at work affect us outside of work. And of course, this is a good thing. An “ignorance is bliss” attitude when it comes to your online actions will almost surely result in a loss of some sort of personal information down the road.

Prior to working with security companies such as RSA, Invincea and Co3 Systems, I felt quite certain that no hacker in their right mind would go through the trouble of hacking me. “Go ahead and take the $150 in my checking account,” was a sort of mantra of mine. However, now that a.) I actually have a job that puts a paycheck into my checking account and b.) I know that no one, no matter how insignificant, should consider themselves immune from hacking, I feel quite differently.

I believe it was learning about spear-phishing, an attack that can be both well-crafted and highly personal, that truly opened my eyes. A spear-phish is an email sent from an apparently trustworthy source with the intention of tricking the recipient into clicking a link or downloading an attachment, thus unknowingly letting malware into their system.

I grew up in the AOL Instant Messenger generation. In the early 2000s, deciphering a “spambot” or a hacked AIM account was a piece of cake. Out of the blue, someone you barely knew would send you a message: “Hello friend!! Cud u send me $$ I just ran out n need help!!! Wire it to this link: http://isteelurdollars.com/safwfaswei/asfe/awfeioj”. I would just exit the message without thinking twice.

However, this sort of obvious ploy has developed over the years. Now, the user is tricked because the hacker has done research on them. They know, for example, through accessible information on Facebook that I attended Bates College. They then construct an email that looks like it may be from my Campus Activities Board with the subject line, “Graduation pics” with a link to said pictures. As soon as I click the link, malware is flooding my system (maybe the site the link took me to just said, “We apologize for the inconvenience, this website is no longer active.”) and it’s possible that I may be none the wiser that anything has gone wrong.

These days, we keep endless personal information stored on our computers—both our work computers and personal devices. I am fairly certain you could all but clone me if you spent enough time gathering information off my computer and/or phone. And sure, my bank account may not be worth hacking into, but, with access to my email address, a hacker could then get in touch with my parents, or even my boss. And they have much more to lose than I do.

Even if you think you don’t have access to anything a hacker may desire, you must keep in mind that you most likely are close with someone who does. Do not allow yourself to be a gateway to harm those who raised you, employed you or trust you.