Social Media Makes Good Spear Phishing Bait
The Wall Street Journal has an interesting article about criminals hacking corporate employees. Because companies are getting better at hardening the perimeters of their networks, the biggest security gap is now the end user.
Hackers are aggressively exploiting well-intentioned employees through so-called spear phishing tactics. We have all experienced general phishing attacks in the form of the infamous Nigerian e-mail scams.
Spear phishing is a targeted and sophisticated form of phishing: the bad guy uses social engineering, built on information from social media, to manipulate specific corporate employees into divulging confidential information or to gain access to corporate networks.
LinkedIn, Facebook, and Twitter are used by criminals every day to harvest personal and corporate information that is then used to design and initiate a spear phishing attack against corporate employees.
Additionally, employees often forward business e-mail to their personal e-mail account for convenience or other reasons. Hackers looking for valuable corporate IP, or for information to use in a spear phishing attack, target personal e-mail accounts that don't provide the same level of protection as corporate accounts do.
For Gmail users, here is how you can prevent your personal e-mail account from being easily hacked and exploited.
There is no easy prevention except vigilance and training. Some companies run regular spear phishing attacks against their own employees to find the easy prey who need more awareness training. Unfortunately, the security risks from social engineering do not have a technical answer.