The prevalence and danger of phishing scams are a key lesson to be learned from the indictment of the Russian hackers in the Yahoo data breach. According to the FBI, phishing was used extensively, for purposes ranging from obtaining Yahoo user credentials to gaining access to gift card and credit card information. The individual accounts attacked ranged from U.S. and Russian government officials to private individuals like you and me.

Access to Yahoo accounts, other online accounts, and financial information was gained through:

  • Logins and passwords sent through email
  • Phishing email with links to spoofed sites
  • Malware in email attachments

Ironically, these phishing techniques were utilized on key Yahoo employees to gain access to Yahoo’s servers.

The ultimate irony, however, is that much of this activity could have been prevented. Remember that the key to all phishing attacks is tricking computer users into entering their login credentials and then intercepting the login data, or finding such data stored in non-secure environments.

From Yahoo Into the Rest of Your World

Let’s address the latter, because it is directly related to our discussion last week about using the same passwords on different sites. In multiple instances, the hackers were able to log into other email accounts and other online portals using the hacked Yahoo credentials. From there, the ability to search for data granting access to other systems was multiplied. We’ll address this more in depth later, but it is a common yet bad practice to send login data in email. A lot of access was gained in this manner.

Email is not a secure environment, particularly if you are using a public free service.  And if your email is linked to public cloud storage, such as Google Drive or iCloud, hackers can get any data that is stored there.   For example, if you have a Gmail account using the same password as your Yahoo account, your Yahoo password happens to be the same one used to open anything you have stored in Google Drive.  And if you have an Android phone or tablet, it’s probably using the same Gmail account to back up your device.  Similarly, your Apple ID accesses your iPhone or iPad’s data, plus iCloud documents used by your Mac.  Do you log into various services using Facebook?   That capability alone is fairly secure, but it won’t help if your Facebook password is the same as your hacked Yahoo password!  Too much of your life is connected in this way, so our advice about managing your passwords and using multifactor authentication is very important!

Watch For Those Phishing Links

Malicious links are an ongoing problem that we deal with daily. While our discussion today focuses on phishing email, you are just as likely to get links to nasty places from social media such as Facebook. On desktop computers, it’s relatively easy to spot the bad links. For example, if you bank with Wells Fargo, you should be logging in at https://www.wellsfargo.com. If you hover over a link in your email and it goes to an address with anything else, then it is most likely a phishing email.

A few things are essential for you to know. First of all, the https:// (as opposed to just http://) indicates that the connection to the site is encrypted. This means that it is more difficult for anyone to intercept the exchange of data between you and such a site. All modern browsers will confirm that this connection is secure through a padlock icon before the address.

Another thing to look for is exactly which domain you are accessing. www.wellsfargo.com is legit, but wellsfargo.wellsfargo3.com is actually on the domain wellsfargo3.com. See how that works? It’s pretty obvious here, but if you’re not paying attention, the two are similar enough to be dangerous. As of this writing, there is no wellsfargo3.com, but the real bank does own wellsfarg0.com and wellsfargoinc.com. They’re covering their bases in case their customers don’t type in the address correctly, but smaller financial institutions may not have the resources to buy variations of their domains, and malicious parties can easily register such similar domains. So pay close attention to what is just BEFORE the .com, .net, .org, etc., because that is the actual domain.

It goes without saying (but must be pointed out) that a reputable organization would not be likely to use a bunch of gibberish for its domain name. You most certainly will not log into a credit card company at jfkdfjsdljflewwicpo.com! Yet every day we get phishing emails with links whose text reads something like “Log Into Your Capital One account”, but the actual link goes to those infamous random characters!

Remember that the best way to play it safe is to log into your financial accounts by typing their addresses directly into your browser, without clicking on links or even copying them (copy and paste will paste the full address of the link, not its text). And watch for those padlock icons!
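The two checks above (is the link https, and is the part just before the .com the domain you expect?) can be applied to every link in an email body, as in this added example, which is not code from the original post. The brand allowlist, the handful of multi-part suffixes such as co.uk, and the sample email are constructed for illustration; the padlock only says the connection is encrypted, so the domain check is the one that catches wellsfargo.wellsfargo3.com.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allowlist: brand mentioned in link text -> domains it really uses
# (the post notes the bank owns wellsfarg0.com and wellsfargoinc.com as well).
KNOWN_DOMAINS = {
    "wells fargo": {"wellsfargo.com", "wellsfarg0.com", "wellsfargoinc.com"},
}
# A few multi-label public suffixes so "bank.co.uk" is not read as "co.uk".
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(host):
    """The label just BEFORE the top-level suffix, plus the suffix itself."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_link(text, href):
    """Return the reasons a link looks like a phish (empty list = no red flag)."""
    reasons = []
    parts = urlsplit(href)
    host = parts.hostname or ""
    if parts.scheme != "https":
        reasons.append("not https")
    domain = registrable_domain(host) if host else ""
    for brand, domains in KNOWN_DOMAINS.items():
        if brand in text.lower() and domain not in domains:
            reasons.append(f"text names {brand} but link goes to {domain or href}")
    return reasons


class LinkExtractor(HTMLParser):
    """Collect (anchor text, href) pairs, i.e. what you see vs. where it goes."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def suspicious_links(html):
    """Every link in the email body that fails at least one check."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(t, h, check_link(t, h)) for t, h in parser.links if check_link(t, h)]
```

Feed it the HTML source of a message (most mail clients offer "view source") rather than the rendered text, since the rendered text is exactly what hides the real address.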

Nasty Attachments

Likewise, you would think that people would not download attachments with the names of celebrities or the word “naked” in the file name, but it still happens. A more insidious trick, however, is to send you email that appears to be from your colleagues and looks like a legitimate document. If the sender’s email account is compromised, that report could very well contain malware that can search your computer for credit card numbers and logins. And malware, or commands to download malware, can be added to Microsoft Office files, so be careful about hitting that “Enable Content” button on a suspicious spreadsheet in your email.

It’s for this very reason that we constantly are telling people not to use public email accounts for business.

If you think an attachment is genuine, it still is a good practice to download it and scan it with your antivirus program before opening it.  Just make sure that your software is updated and you have the latest definitions.

But if you are suspicious about an attached file that you were not expecting, don’t hesitate to call or text the sender, or instant message them if you’re on a secure enterprise system. Just don’t get on Facebook Messenger to ask. If their Facebook account is hacked, you may be messaging a hacker!

Train and Educate

If any one person in your office downloads phishing malware, the entire network can be infected within seconds. So making sure everyone knows about these threats is important! It is so easy to click on an attachment in the middle of intense deadlines, so it has to be drilled into everyone to the point that they look for signs of suspicious email without even thinking about it. The whole office should know how to spot spoofed addresses. If someone has a hacked personal email account and is checking it at work, the office computer becomes more vulnerable.

And yes, if you email even just yourself from home, whatever your family or roommates are downloading could spread to the office.

Just one click or visit to a website containing malware is all it takes to expose your entire network to vulnerabilities.  While your IT department can safeguard the system to some extent, it becomes everyone’s responsibility to access the web and use email responsibly.


Read more about what happened with the Yahoo hack:

Here’s how the FBI says Russian hackers stole Yahoo account secrets

http://www.cbc.ca/news/technology/russian-yahoo-hackers-indictment-500-million-emails-how-1.4029532


Learn about password safety:

Hack Lesson: Use Different Passwords

http://blog.bansheecloud.com/2017/03/17/hack-lesson-use-different-passwords/

Free Email is No Bargain

http://blog.bansheecloud.com/2016/05/06/free-email-is-no-bargain/
Hack Lesson: Beware of Phishing