Phishing Attacks are a Door into Your Network

Hackers and Scammers can exploit unwitting employees to access sensitive information.

You may have heard about the recent Target or Home Depot security breaches in which a combined 160 million+ credit cards and other personal information was stolen.  In both cases, the hackers were able to get into the super stores' networks through a Phishing Attack.  The details can be found in this excellent blog post on Krebs On Security.

"Phishing" is really just "hacker speak" for social engineering.  In other words, the "hacker" contacts an employee directly, either through email or even by phone or other messaging service, and tricks the employee into giving out personal information or remote computer access.  A classic example of this is a type of attack that occurs often at hotels around the world:

A scammer will call the hotel front desk and tell the attendant that he is from technical support and is trying to work out a phone issue.  He will not ask for any personal information from the attendant but he will then ask to be transferred to a guest's extension to verify the phone problem.  The front desk attendant, trying to be helpful, will transfer the scammer to a guest's room.  At that point, the guest will see a call from "front desk" on the caller ID because the call was transferred from the front desk.  When the guest picks up, the scammer will tell the guest that he is calling from the front desk and that he is having trouble running the credit card and just needs the guest to read him the numbers over the phone.  If the guest complies, the scammer now has the guest's credit card information.  In reality, hotel attendants will always ask a guest to come to the front desk to work out billing issues, but the scammer has relied on the guest not knowing this policy to acquire credit card information.

Phishing Attack

A classic phishing email I received. Even though the email address looks correct, notice the poor grammar.

The hackers got into Target and Home Depot through a slightly more sophisticated method, but their initial point of entry was by compromising a vendor's computer.  In the case of Target, it was a Heating and Air Conditioning company.  The hackers sent out an email that was disguised to look like a legitimate message.  When an employee clicked on the link contained within the email, he or she unknowingly allowed a virus to compromise the computer.  From that point, the hackers were able to gather passwords and escalate their attacks through the HVAC company and ultimately into the Point of Sale systems in Target stores.  The image on the right is a classic example of an email phishing attempt.  The email address has been forged to look like a real address.  The grammar is what gives it away.  Clicking on the link will take the victim to a website mocked up to look like a Chase Online login page.  The victim is asked to enter in login information, which is sent immediately to the hacker.

So how do you protect your business or home network from these types of attacks?  Your security needs a layered approach.  A quality firewall between the internet and your internal network, spam filtering for email, and antivirus solutions are the basic protections.  Employee education is the most important layer of protection.  Employees must be educated to know what to do when they receive suspicious correspondence and they should know to expect it from email, phone, fax, text and even services like Facebook Messenger.