
Lessons from the latest Verizon data breach


Announcements of a data breach at a company or governmental agency have become so common that they no longer seem particularly startling.  However, the recent announcement by Verizon Enterprise Solutions that it had become the victim of a massive data breach is particularly noteworthy, because Verizon Enterprise Solutions is the unit of Verizon that assists other companies when they become victims of data breaches.


OOPS!

In fact, one of the things that Verizon Enterprise Solutions does each year is issue an annual data breach investigations report.  Next year, it appears that the report will include information about its own data breach.  According to Verizon, the information stolen by the hackers was limited to basic contact information for many of its customers.  Verizon is in the process of contacting affected customers.  Meanwhile, the stolen information is already being sold on the Dark Web, a part of the Internet where criminals buy and sell such information.

One might question the value to criminals of such non-financial basic information.  However, that information can be quite valuable to cybercriminals for creating spear phishing emails that lure unsuspecting victims into clicking on links that deliver malware.  Once downloaded onto a company’s, government agency’s or person’s computers, that malware can give the criminal access to all of the sensitive information stored there, which may include credit card information, banking information, Social Security numbers and a myriad of other personal information that cybercriminals can exploit for financial gain.

Almost all of the major data breaches of recent years including the massive data breaches at Target, JP Morgan Chase and the Office of Personnel and Budget (OPM) started with spear phishing emails.

Spear phishing is a more evolved form of phishing, which cybercriminals have used since the inception of email.  Phishing occurs when someone receives an email that, under various pretenses, attempts to lure the victim into downloading an attachment or clicking on a link contained in the email.  When the victim does so, they unwittingly download keystroke logging malware that enables the hacker to steal all of the information from the victim’s computers.  Just as few people now fall for obvious scams such as the Nigerian letter scam, fewer people are falling for phishing scams where, for example, the email purports to come from a company with which you do not do business, and the email address appears to belong to an individual (often a person whose email account has been hacked by the cybercriminal and used as part of a botnet of computers that send out phishing emails) rather than to the company itself.

With spear phishing, however, the cybercriminals often accumulate a great deal of personal information about their intended victim before they send their malware-riddled emails, in an effort to make the victim believe that the email is trustworthy.  They gather this information from a variety of sources, including easily accessible public databases.  They also obtain it from the victims themselves, who may post substantial amounts of information about themselves on social media such as Facebook and LinkedIn.  Because the criminals know so much about their victim, their interests and what they do, the spear phishing email appears legitimate.

It is easy for a cybercriminal to go to the Amazon wish list of a targeted victim to see what things are of interest to their victim.  All the cybercriminal needs to know is the intended victim’s name or email address, both of which are easily obtained.

According to federal indictments, the Russian hackers of J.P. Morgan Chase, E*Trade, Scottrade and Dow Jones were merely seeking names and contact information that they could use to fashion spear phishing emails to people who would be interested in investing in penny stocks.  This was a new incarnation of the old pump and dump scam, in which the criminal buys stock in companies at low prices, touts the stock to lure his victims into buying it and driving up the price, and then sells his stock at a huge profit, soon followed by a dramatic drop in the stock price as the market adjusts to the stock’s true value.

Other times, the phishing email may attempt to lure the intended victim into providing their user name or password in response to a phony emergency described in the email by the cybercriminal.  Again, the more personal information contained in the email, the higher the chance of its success in luring the victim into providing information.  This was how convicted hacker Ryan Collins gained access to the Gmail accounts and iCloud accounts containing nude photos stored there by many celebrities, including Jennifer Lawrence and Kate Upton, in 2014.  All he did was send emails to the celebrities by name, appearing to come from Apple and Google, indicating there was a problem with their accounts and that they needed to confirm their user names and passwords, which they readily provided.

The lesson is a simple one.  Trust me, you can’t trust anyone.  The best anti-phishing security software is not perfect, so you should never click on a link, download an attachment or provide personal information in response to any email until you have absolutely confirmed that it is legitimate.

Just because it looks like a duck and quacks like a duck does not mean that it is a duck.  It could be your goose, cooked.

Steve Weisman is a lawyer, a professor at Bentley University and one of the country's leading experts in scams and identity theft. He writes the blog scamicide.com, where he provides daily update information about the latest scams. His new book is Identity Theft Alert.
