Episode 3
Spearphishing
In this story we discover that pitfalls can also arise from receiving a simple email whose sender may not be who it appears to be at first sight. You have surely received some "suspicious" emails, at work or at home: today we find out what the consequences and risks of this phenomenon can be, even in the real world.
The characters of the story
The story
Glossary
Social Engineering
Social Engineering is the set of techniques an attacker (criminal) uses to gather information or to circumvent physical and logical security controls. It has this name because it exploits the human ties, habits, rules and procedures that hold society together, bending them to the attacker's own advantage.
Phishing
Recalling the gesture of "fishing", in computer jargon it refers to the action, carried out by criminals, of falsifying electronic communications (emails) so that the target "bites", for example by clicking a link or entering personal credentials.
Spear Phishing
Similar to Phishing, it aims to trap the unfortunate user who receives it, but in a targeted manner. "Spear" refers to the hunting spear: the contents of a Spear Phishing message are aimed at a specific target, contain true information (collected, for example, through Social Engineering) mixed with false information, and so induce the target to trust the content of the email even more.
Target
The target is what a cyber attack is aimed at. It is not necessarily a human being: it can be a piece of data or a system, but it represents the ultimate objective pursued by a criminal or by malicious software.
URL
Often called a web address, a URL is a sequence of characters that uniquely identifies a website or any other resource reachable over the internet, for example a video, an image, a document or an audio file. It is commonly used by typing it into the address bar of a browser or with other programs. The term URL is an acronym for "Uniform Resource Locator". Note that in an email the text displayed for a link and the URL it actually opens can differ: hovering over the link shows the real destination before you click.
Today's lesson
Does what you have read seem incredible? Yet this type of threat is very frequent and sometimes well disguised, and a single user's error can have serious consequences for companies and public administrations.
What would have happened if the employee in our story had followed the link in the email, landed on the fake site (an exact copy of the Municipality's management system) and entered his login credentials? Mr. Malinitenzionati, the mastermind behind it all, would have obtained Francesco's credentials for the Municipality's management system and could thus have accessed all of the citizens' sensitive data. Sensitive data of various kinds (addresses, telephone numbers, perhaps income details) that could be used for many unlawful purposes. Finally, a note: Francesco had used or published his work email address on social networks instead of a personal address. A mistake that could have cost him dearly!
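As an added illustration (not part of the original story or of any tool it mentions), the following Python script checks a raw email for the two tell-tales described above: sender headers that disagree with each other (a Reply-To or Return-Path on a different domain than the From address), and links whose visible text names the legitimate site while the href actually opens a look-alike. The message, the Municipality domain "comune.example", the attacker domains "comune-portal.test" and "mail-recovery.test", and the addresses are all constructed for this example.

```python
"""Check a raw email for two spear-phishing tell-tales: sender headers that
disagree with each other, and links whose visible text names a different
site than the address they really open."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real email). The display name and the
# visible link text impersonate the Municipality ("comune.example"); the real
# sending domain and the link target do not belong to it.
SAMPLE_EMAIL = """\
From: "Comune - Ufficio Sistemi" <it-support@comune-portal.test>
Reply-To: helpdesk@mail-recovery.test
Return-Path: <bounce@mail-recovery.test>
To: francesco@comune.example
Subject: Urgent: verify your management system account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear Francesco, your account will be suspended. Please log in at
<a href="http://comune-portal.test/gestionale">https://gestionale.comune.example</a>
within 24 hours.</p>
<p>Official portal: <a href="https://www.comune.example">www.comune.example</a></p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Approximate the registrable domain as the last two DNS labels.
    Sufficient for this example; real tooling should use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def host_of(text):
    """Host part of a URL; link text is often written without a scheme."""
    candidate = text if "://" in text else "http://" + text
    return urlparse(candidate).hostname or ""


def inspect_message(raw):
    """Return a list of human-readable indicators found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    _, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rpartition("@")[2]
    # Replies and bounces routed to a domain other than the From domain are a
    # common sign that the From header is not what it claims to be.
    for header in ("Reply-To", "Return-Path"):
        _, other_addr = parseaddr(str(msg.get(header, "")))
        other_domain = other_addr.rpartition("@")[2]
        if other_domain and registrable_domain(other_domain) != registrable_domain(from_domain):
            findings.append(f"{header} domain {other_domain} differs from From domain {from_domain}")

    # A link whose visible text names one site while the href opens another is
    # how the victim reaches the "fake site resembling the real one".
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            # Only compare link text that itself reads as a host or URL.
            if "." in text and " " not in text:
                if registrable_domain(host_of(href)) != registrable_domain(host_of(text)):
                    findings.append(f"link text {text!r} but href opens {host_of(href)}")
    return findings


if __name__ == "__main__":
    for finding in inspect_message(SAMPLE_EMAIL):
        print("-", finding)
```

Run against the sample, the script reports the Reply-To and Return-Path mismatches and the first link, whose text reads as the Municipality's management portal while the href opens the attacker's look-alike; the second link, whose text and destination agree, is not reported. The registrable-domain comparison is deliberately simple (last two labels), so it would mis-handle suffixes such as co.uk; that is why production checks use the Public Suffix List.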
What should I do?
Know more with external links
- Case 1: In 2011, two different emails were sent to two small groups of employees at RSA Security (then a division of EMC), a well-known company specializing in computer security. The emails, sent over the course of two days, had the subject "2011 Recruitment Plan" and an Excel file as an attachment. At least one employee opened the file, and a program was installed on his PC that allowed the attackers to connect remotely and cause the company damage worth several million dollars.
- Case 2: Between February and March 2014 the credentials (login and password) of some eBay employees were compromised, most likely through a Spear Phishing attack. The company scrambled to respond, asking its 145 million users to change their passwords only two months later, when the incident was discovered and disclosed: a long time during which the intruders were able to "rummage" through the company network.
- Case 3: In 2015 it was the turn of Anthem, which was robbed of the data of 78 million users through the compromise of a single email account.