China hack of Chamber of Commerce highlights ‘spear-phishing’ dangers
By Hayley Tsukayama
Hackers from China have reportedly been able to break into the systems at the U.S. Chamber of Commerce, stealing an unspecified amount of data and possibly gaining undetected access to the network for over a year. The Wall Street Journal reported that the hackers used “spear-phishing” — highly personalized e-mails that entice users to click on a link or open a file — to gain access to the Chamber of Commerce’s network.
More advanced spear-phishing attacks have been on the rise in the past year, in part because it’s so much easier for hackers to customize enticing messages based on data pulled from social networks.
Rohyt Belani, chief executive and co-founder of the spam education company PhishMe, said hackers used to focus their messages on high-level managers and officials with more network privileges. As spear-phishing has become more sophisticated, however, hackers have been able to convince more people to grant them access to the network by clicking a link or opening an attachment.
“When we talk to folks today, we want to say, ‘Don’t just focus awareness efforts on high-level targets; it has to be a wider net.’ ”
Scott Greaux, product manager for PhishMe, said scammers can now send messages that “look like something you expected to receive.” These messages will often include correct references and ask you to take an action, such as visiting a site that will attempt to install malicious software or downloading an attachment.
Technology designed to detect these kinds of attacks can go only so far, Belani said.
“The focus in the security industry has typically been ‘What shiny box can I throw this in?’ ” he said. “It’s great if you can catch this advanced malware but better if we can reduce the probability of it getting through. If you can get your human sensors activated, you can thwart this kind of thing.”
Attacks such as this don’t have to come from particularly skilled or advanced hackers, Greaux said, because the attacks aren’t necessarily exploiting a technology problem.
“It doesn’t have to be sophisticated anymore. Social media . . . makes for a rich starting point,” he said. “They can make it very personal to me as an end-user. . . . Organizations should talk about this more openly and start a more candid conversation.”