Phishing, social engineering and self-protection

by Lee Hopkins on January 20, 2009 · 2 comments

in interviews,pr,tools

symantec-marian-merritt-600x900 The spate of recent ‘phishing’ attacks on Twitter and Facebook, inter alia, has once again highlighted how vulnerable we all are, even we (ahem) ‘luminaries’ (aka ‘should know better’).

One young, prominent and allegedly brash Sydney journo (with, perhaps, a few enemies) had an account hacked into and the hackers proceeded to post some rather inflammatory material about him and his contacts, changing the password so that he couldn’t get back in and halt the damage. And that was after Senator Conroy’s Twitter account was hacked.

So I took the opportunity to interview the lovely Marian Merritt [pdf] from Symantec (makers of the Norton range of protection software). I can say ‘lovely’ because not only do all the team at Text100 in Sydney say she is, but so to does Natalie Conner, Symantec’s PR Manager for the ‘Consumer’ side of business here in the Pacific region. So there!
:-)

Marian is the ‘Internet Safety Advocate’ for Symantec and even runs her own ‘Ask Marian’ blog – cool!

This is what she said:

~~~~~

G’day Marian. For the benefit of my readers, can you kindly explain who you are and where you sit within the Symantec empire.

Hi Lee. My current role is of Internet Safety Advocate, which means I try to help people to avoid internet dangers and learn how to guide their children to be web-savvy. I’ve been with Symantec in a variety of roles on our consumer products team for nearly 12 years. In that time, I’ve seen the world of online threats change dramatically. Way back when, we mostly worried about viruses and even those were slow to spread. Today, cybercrime is big business and though Internet Safety software packages like Norton Internet Security or Norton 360 go a long way towards protecting the typical computer, we still need an educated user. 

I love hearing from regular customers so I encourage your readers to drop me a line with questions or comments to marian@norton.com. We also have a great Family Resource website at www.norton.com/familyresource and a downloadable Family Online Safety Guide (which is part of the very comprehensive Family Resource Centre, where there’s even a video of Marian – Lee) which is a quick read about the most common issues impacting our kids when they go online.

There’s been a fair bit of online and mainstream press coverage recently about "phishing" — can you explain what "phishing" is and what have been some of the recent "phishing expeditions" that have generated considerable press?

Phishing is just a cute spelling of fishing, originally having been an homage to the musical group, "Phish." The criminals are "fishing" for victims, using attractive offers in spam emails or links in online environments like social networks, to lure us in. When we click on the offer or the link, we may end up on a copycat site that looks just like a trusted bank or store and fall victim into entering our account and passwords. Or we visit a compromised website that has become infected with "malware" which then automatically tries to climb aboard our computer. That "malware", short for "malicious software" may be a keystroke logger, which as the name implies, will record everything you type and then send it via the Internet to some cybercriminal. Account logins, passwords, even private information like bank accounts or tax ids, in the hands of a stranger can often lead to identity theft and financial loss.

I remember when "phishing" was called "social engineering"; con artists and hackers would go through rubbish bins looking for passwords, ring you up and pretend to be from IT and need you to confirm your network login details, and so on… Has anything changed?

Cybercrime is now estimated to be a bigger international business than the illegal drug trade. That’s because instead of one off dumpster diving efforts which might have led to one a time accounts to steal, today’s criminal is trading in big databases of stolen information. Some of it comes from data breaches, when an insider of a big corporation, government office or university steals the information, sometimes when laptops or memory sticks go missing, or when a hacker gains access to the information in other ways.

There is a big underground criminal effort to buy and sell this data.

Today, a full financial id is only worth $12 – $14 while the average loss to someone whose id is stolen exceeds many thousands of dollars.  Once they have your financial bits and bytes, the criminal may create a new credit card in your name and go on a shopping spree. Or they might divert the bills for your compromised credit cards so you can’t catch on to the extra shopping they are doing for a longer period of time.

But social engineering is still an important part of the methods we individuals can fight against. Be careful of telephone calls from your "credit card company". You can always call them back but be sure to use the Customer Service number printed on your card, not what the caller tells you is the number. Never click a link in an email to check your accounts. Always type the main website name in yourself and look for any alerts or actions needed on your profile page. By being suspicious and aware of these phishing efforts, we can all fight back at these social
engineers.

So what are some of the ‘big’ losses that have arisen from hacking, phishing and security intrusions? Can you name names and give dollar amounts to some of them?

We’ve had some very high profile data breaches here in the US. One of the worst was the TJ Maxx intrusion. What happened was a group of hackers figured out how to intercept transmissions from unprotected cash registers back to the store’s server. Each credit card that was read sent a signal to the server which the criminals could record. This enabled the hacking team to crack the store chain’s algorithms and by digging deeper into the chain’s IT infrastructure, amassed a database of 40 million credit cards. It’s estimated that the ring leader himself earned over $11 million from the scheme. He is currently in a Turkish prison, sentenced to 30 years for an unrelated charge of hacking a bank’s computers.

Of course, this all has a significant bearing on a business’ ability to protect itself, but what about the individual? What should and can you or I, as individuals, do to protect ourselves?

We need to be aware and cautious when online just as we are in the real world. Just as you should watch where you use your credit card (shopping kiosks, bank ATMs, restaurants) and look for signs of tampering, you should look for unusual signs in your internet experiences. Unexpected links sent to you by good friends should be questioned. All you have to do is send an email, an IM, a Twitter message back to the friend to ask if they sent you that link. If they did, go ahead and click the link. If they didn’t, you have just saved yourself from being scammed. Never click links in emails from banks and shopping sites. As I said earlier, you can save yourself a real nightmare by visiting the actual website yourself and always typing the web address into your web browser’s address bar.

And monitor your accounts. I try to regularly check the websites for my credit cards and bank accounts. It’s best to do this weekly and no later than Friday morning. Why? Because if something is wrong, you’ll want time to reach a real life person at the Customer Service desk and not have to wait all weekend to fix something gone wrong.

Marian Merritt, Symantec Marian, thank you so much for taking valuable time out of your day to answer these questions; is there any last comment you would like to make to my readers? And where can they get more information about online security, for their business, their families, and themselves?

I encourage you to learn more about strategies for preventing identity theft and staying websafe. We have loads of great articles on our website, http://www.symantec.com/familyresource but there is also good resources at government sites like http://www.scamwatch.gov.au, http://www.stopidtheft.com.au, http://www.protectfinancialid.org.au, and http://www.staysmartonline.gov.au. Be sure you are always using the latest versions of internet security software when you go online and educate your children about best practices.

If you are doing all the right things to stay safe, while your kiddies are clicking away on Internet ads to win a free iPod, they can undo all your good safety work!


There’s a couple of extra reports from Symantec that might also be useful:

Although for ‘Best Headline Award’ I adore ‘Your Computer is Now Stoned[pdf]
:-)

There’s also the very well-received report that the NSW Dept of Education and Training put out last year (I contributed an article for it): Click: a technology guide for parents

 


Previous post:

Next post: