What is Spear Phishing? Explanation, Examples, Protection
You already know about phishing: the attacker puts out some bait and waits for someone to divulge personal information. Phishing comes in many flavours, such as Tabnabbing, Whaling, Tabjacking, Vishing and Smishing. This post looks at yet another type: Spear Phishing.
You may already have come across spear phishing. With this technique, cybercriminals send you a message that appears to come from an entity you know, asking for your personal or financial information. Because it seems to originate from a known sender, the temptation is to reply without a second thought.
What is Spear Phishing
Spear phishing is a method where cybercriminals use a targeted approach to dupe you into believing that you have received a legitimate email from a known entity asking for your information. The entity can be a person or any organization that you deal with.
It is easy to make a message look genuine. The attacker only has to register a related domain and create a subdomain that carries the name of the organization you know; the address can equally be made to resemble that of a person you know. For example, whoever owns something.com can create a subdomain named paypal.something.com and send mail from an address ending in @paypal.something.com, which at a glance looks like a PayPal address. Read the domain from the right: the registrable part is something.com, and nothing to the left of it is under PayPal's control. Most mail clients also show only a display name that the sender chose freely, so check the actual address, not the name.
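The check a mail filter would run on the From: header described above, as an added example that is not part of the original post. It flags a message whose display name, subdomain or registered name borrows a brand while the registrable domain is not one the brand actually sends from. The allowlist of brand domains, the sample headers and the simplified registrable-domain rule (last two labels rather than the Public Suffix List) are assumptions made for this example.

```python
from __future__ import annotations
from email.utils import parseaddr

# Brands we watch for, mapped to the registrable domains they really send from.
# Assumption for this example; a real filter loads this allowlist from configuration.
TRUSTED_SENDER_DOMAINS = {
    "paypal": {"paypal.com"},
    "amazon": {"amazon.com"},
}


def registrable_domain(host: str) -> str:
    """Return the part of a hostname that somebody had to register.

    Simplified to the last two labels. Production code must consult the
    Public Suffix List so that names under co.uk and similar suffixes are
    handled; the look-alike logic below is unchanged by that.
    """
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_findings(from_header: str) -> list[str]:
    """Flag a From: header that borrows a brand name anywhere the sender
    controls (display name, subdomain, or the registered name itself)
    while the registrable domain is not one the brand actually uses."""
    display_name, address = parseaddr(from_header)
    if "@" not in address:
        return ["unparseable From address"]
    host = address.rsplit("@", 1)[1]
    reg = registrable_domain(host)
    # Everything left of the registrable domain is chosen freely by its owner.
    subdomain_labels = host.lower().strip(".").split(".")[:-2]

    findings: list[str] = []
    for brand, legit_domains in TRUSTED_SENDER_DOMAINS.items():
        if reg in legit_domains:
            continue  # genuinely sent from a domain the brand owns
        if any(brand in label for label in subdomain_labels):
            findings.append(f"'{brand}' appears as a subdomain of {reg}")
        if brand in reg:
            findings.append(f"'{brand}' appears inside the look-alike domain {reg}")
        if brand in display_name.lower():
            findings.append(f"display name mentions '{brand}' but the domain is {reg}")
    return findings


if __name__ == "__main__":
    # Constructed sample headers, not real mail.
    for hdr in (
        "PayPal <service@paypal.com>",
        "PayPal Support <support@paypal.something.com>",
        "Amazon Security <alerts@amazon-verify.net>",
    ):
        print(hdr, "->", lookalike_findings(hdr) or "no findings")
```

The genuine paypal.com header produces no findings; the paypal.something.com header is flagged twice (brand in the subdomain and in the display name), as is a registered look-alike such as amazon-verify.net. The same rule applies to a person's name: a display name you recognize over an address you do not is the thing to check.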
In most cases, cybercriminals keep an eye on your activities on the Internet, especially on social media. Whatever information you leave on any website, they will grab the opportunity to use it to extract more from you.
For example, you post an update on a social networking site saying you bought a phone from Amazon. Then you receive an email that appears to come from Amazon saying your card is blocked and that you need to verify your account before making any more purchases. Since the sender address looks like Amazon's, you readily give away the information they ask for.
In other words, spear phishing is targeted phishing. The sender addresses and messages are personalized for you, based on the information about you that is available on the Internet.
Spear Phishing Examples
While phishing is a daily occurrence and many people are familiar enough with it to stay protected, some still fall prey to it.
One of the best-known spear phishing examples is the 2011 attack on RSA, the security division of EMC. The attackers sent two emails, each carrying an Excel spreadsheet with an embedded Adobe Flash object that exploited a then-unpatched Flash vulnerability. The subject line was reported to be "2011 Recruitment Plan". Both emails were filtered into the employees' Junk folders, but one employee got curious, retrieved the message and opened the attachment. The exploit installed a remote-access tool that gave the senders a backdoor, from which they harvested employee credentials and moved further into the network. If RSA, a security firm, could be tricked like this, imagine the position of unsuspecting regular Internet users.
Another example is the business email compromise at Ubiquiti Networks, a networking-equipment vendor. Emails from outside the company impersonated its own staff and tricked finance employees into believing that colleagues were asking for details and requesting payments. Posing as employees over email, the criminals had money wired from the company to accounts held overseas; Ubiquiti reported losses of about $46.7 million in 2015, part of which was later recovered.
Whaling and spear phishing scams are growing cyber-security problems, and there is only a thin line between the two. Spear phishing targets a defined group, for example the employees of a company, the customers of a company, or even one specific person. Whaling is spear phishing aimed at high-level executives, the people who can authorize large payments.
Spear Phishing protection
Remember that no legitimate company will ask you for passwords, full card numbers or similar details in an unsolicited email or phone call. If you receive any message, in any form, asking for details you don't feel comfortable sharing, treat it as a spear-phishing attempt and break off the conversation: ignore such emails and messages and hang up on such calls. Before responding, confirm with the organization or person through a contact channel you already have (the number on your card, the organization's own website), never through the contact details given in the message itself.
Another spear phishing protection method is to share only as much as is needed on social networking sites. Post a photo of your new phone if you like, but leave out that you bought it from XYZ organization on a certain date; that is exactly the detail a targeted email would quote back to you.
You have to learn to identify phishing attacks to protect yourself from phishing in general. Beyond that, use a security product that filters your email well. Organizations can add sender authentication (SPF, DKIM and DMARC) on the receiving side and signed or encrypted mail (S/MIME or PGP) between parties who deal with each other regularly, so that an unsigned message claiming to come from a known contact stands out. A mail client that verifies signatures and shows authentication results will catch many spear-phishing attempts, but it will not catch mail that is validly signed for a look-alike domain, so the domain itself still has to be checked.
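As an added example (not the post's own material) of what email authentication does and does not buy you: the function below applies a DMARC-style alignment check to the Authentication-Results header a receiving mail server adds, accepting a message only when SPF or DKIM passed for a domain aligned with the From: domain the user sees. The three raw messages are constructed, the receiving server name mx.example.net is invented, and the registrable-domain rule is the simplified last-two-labels one. The third message shows the caveat from the paragraph above: mail from paypal.something.com passes authentication perfectly, because something.com really did send it.

```python
from __future__ import annotations
import re
from email import message_from_string
from email.utils import parseaddr


def registrable_domain(host: str) -> str:
    """Last two labels; production code uses the Public Suffix List instead."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def parse_auth_results(header: str) -> dict[str, tuple[str, str | None]]:
    """Tokenize an Authentication-Results header (RFC 8601) into
    {method: (result, domain_that_was_authenticated)}. Simplified: it handles
    the common 'spf=pass smtp.mailfrom=...' and 'dkim=pass header.d=...' forms."""
    results = {}
    parts = [p.strip() for p in header.split(";")]
    for part in parts[1:]:  # parts[0] is the authserv-id of the receiving MX
        m = re.match(r"(\w+)=(\w+)", part)
        if not m:
            continue
        method, result = m.group(1).lower(), m.group(2).lower()
        domain = None
        if method == "spf":
            d = re.search(r"smtp\.mailfrom=(\S+)", part)
            if d:
                domain = d.group(1).rsplit("@", 1)[-1]  # some servers record a full address
        elif method == "dkim":
            d = re.search(r"header\.d=(\S+)", part)
            if d:
                domain = d.group(1)
        results[method] = (result, domain)
    return results


def dmarc_style_verdict(raw_message: str) -> dict:
    """Accept only if SPF or DKIM passed for a domain aligned (relaxed mode:
    same registrable domain) with the RFC5322.From domain the user sees."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_reg = registrable_domain(from_addr.rsplit("@", 1)[1]) if "@" in from_addr else None
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    aligned = [
        method
        for method, (result, domain) in auth.items()
        if result == "pass" and domain and from_reg and registrable_domain(domain) == from_reg
    ]
    return {"from_domain": from_reg, "aligned": aligned, "verdict": "pass" if aligned else "fail"}


# Constructed messages; mx.example.net stands in for the receiving mail server.
LEGIT_MESSAGE = """\
From: PayPal <service@paypal.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bounce.paypal.com; dkim=pass header.d=paypal.com
Subject: Your receipt

Thank you for your purchase.
"""

SPOOFED_MESSAGE = """\
From: PayPal <service@paypal.com>
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=attacker.example; dkim=none
Subject: Your account is blocked

Verify your card now.
"""

LOOKALIKE_MESSAGE = """\
From: PayPal Support <support@paypal.something.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=paypal.something.com; dkim=pass header.d=something.com
Subject: Your account is blocked

Verify your card now.
"""

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT_MESSAGE), ("spoofed", SPOOFED_MESSAGE), ("look-alike", LOOKALIKE_MESSAGE)):
        print(name, dmarc_style_verdict(raw))
```

The spoofed message, which forges paypal.com directly, fails because neither SPF nor DKIM passed for an aligned domain. The look-alike message passes with from_domain equal to something.com: authentication proves who sent the mail, not that the sender is who the display name claims, so a filter still has to compare that authenticated domain against the domains the brand is known to use.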
Stay safe, stay sharp when online!