Thursday, August 30, 2012

Cyber Criminals Leverage Olympics for Phishing

As the 2012 London Olympic Games are underway, headlines are going to flood the media with each passing second. The Olympics will most certainly take center stage as the most talked about, tweeted, and shared event over the next couple of weeks, and millions of people will follow the Games online. It is an exciting time for sports enthusiasts, and though it may come as a surprise, probably even more delightful to cyber criminals. It's not because of the athletic events and the excitement they bring, but because of the sheer number of people the Games themselves bring into their world. Sure, for all we know, the king fish of all cyber criminals may just be the biggest Michael Phelps fan there is. But what he really cares about is how many times he can use the name Michael Phelps and convert the people searching for him into another infected machine. For the convicts of the digital world, the Olympics just equates to more people to victimize, for greater phishing opportunities. Their jobs just got a lot easier, at least for the next week and a half.

It goes without saying: cyber criminals would not be half as successful if we were not so gullible. At least in part, their success is directly proportionate to how cautious the rest of us are. Cyber criminals are not so much innovators as they are crafty, situational, and "trend" shaping. They take advantage of our nosiness, so to speak: our basic human need for information. They manipulate the effect that sensational news has on us. They prey on our unyielding desire to be cognizant of all the major events that matter to us and of the people we like to keep up with. Unfortunately for us, the Olympics contain a lot of both. They exploit the fact that the web has overwhelmingly become our mechanism for everything social (social engineering, in fact, is the term for it), and they are leaping at the chance to engineer whatever it takes to get hold of your intellectual property.

Phishing is one of the oldest tricks in the book. In the simplest of explanations, it usually involves cyber criminals leveraging "trending topics," either by borrowing from factual current events (e.g. presidential elections, government scandals, sporting events, holidays, celebrity gossip) or by totally making them up (hence the term social engineering). They frame it as if it were a news headline and create a hyperlink to what is actually a disguised malicious website that, when accessed, initiates a drive-by download and infects visitors' computers with malware. Cyber criminals blast out these phishing emails, trying to hook you with their bait. They generate websites on certain topics as they go and insert executable code within them. This may be done in many forms with several different types of exploits. And just when we thought we knew what they were up to with these generalized, random emails, they got smarter. Another form of phishing, appropriately termed "spear phishing," is when the message is personalized to you. The bad guys research information about you and then tailor the email to suit your interests, and there you have it: a trending-topic attack, made specially for you. They use topics that are relevant and probably seem important. We have seen cyber criminals take advantage of a celebrity death, a scandal, or even Black Friday to send these phishing emails. They also use what is called "black-hat SEO," the dark version of SEO. Cyber criminals will SEO their malicious sites so that they outwit search engines and climb the page ranks as if they were normal sites, avoiding the hassle and inefficiencies associated with emails. They'll even purchase keywords to ascend to the top of search results quicker, increasing the chances of your Google search for Jamaica's Usain Bolt ending with a virus.
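One defender-side check for the disguised hyperlinks described above, written as an added example that is not from the original post: it scans a constructed sample email for links whose visible text names a different site than the real target, whose target is a bare IP address instead of a named site, or whose target is an executable rather than a page. The sample email, its IP address and the `.example` domains are all constructed for this illustration.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample "trending topic" email: headline-style links whose real targets differ from what the reader sees.
SAMPLE_EMAIL = """
<p>Breaking: <a href="http://198.51.100.7/bolt">Usain Bolt shocks the world</a></p>
<p>Medal table: <a href="http://www.london2012.com/medals">www.london2012.com/medals</a></p>
<p>Phelps video: <a href="http://olympic-video.example/phelps.exe">www.london2012.com/phelps</a></p>
<p><a href="http://www.london2012.com/schedule">Today's schedule</a></p>
"""
class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:          # only text inside an open <a> counts
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None
def host_of(value):  # hostname of a URL, tolerating visible text that omits the scheme
    parsed = urlparse(value if "://" in value else "http://" + value)
    return (parsed.hostname or "").lower()
def is_ip(host):
    try:
        return ipaddress.ip_address(host) is not None
    except ValueError:
        return False

def suspicious_links(html):
    """Return (href, visible text, reason) for each link that shows a phishing tell."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = host_of(href)
        if is_ip(host):
            findings.append((href, text, "target is a bare IP address, not a named site"))
        elif re.fullmatch(r"(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?", text, re.I) and host_of(text) != host:
            findings.append((href, text, "visible text names a different site than the real target"))
        elif urlparse(href).path.lower().endswith((".exe", ".scr", ".zip")):
            findings.append((href, text, "link fetches an executable rather than a page"))
    return findings
```

Running `suspicious_links(SAMPLE_EMAIL)` flags the bare-IP "Breaking" link and the Phelps link whose visible text shows the official site while the real target is an executable elsewhere; the two genuine links pass.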

Why do people click on these links? Why haven't we gotten smarter? And what are they after? People click on these links because we're naturally anxious to see the breaking news or capitalize on the great specials, discounts, or shocking pictures that they promise. Cyber criminals are always using the freshest news to lure us in, and therein lies the strength of this tactic. We have a natural tendency that makes us want to engage and be impressed, or at the very least informed, so we have something to talk about. Cyber criminals are after information, in the hope that it leads to more information, which leads to money. Maybe they can hack and infect your business computer and come away with all of your R&D documents, so they can build off your work and make something better to commercialize. Or maybe you have your online banking credentials stored somewhere on your computer that they can penetrate and steal. They either get to your bank accounts themselves or sell your information on black markets for someone else to do it. Think about it: they wouldn't go through so much hard work if they weren't smart, if it did not work, or if it did not somehow make them richer in the end. Think of the whole process as a fishing analogy. Once you click on the link, you are a fish that just got hooked, and once the malware is in, they start reeling in their lines, picking up all the extras as they reel in your information.

Suffice it to say, while we are dazzled by the athletic feats of our favorite athletes competing for the pride of our countries, cyber criminals are hard at work, competing for your information, probably using the trending topics that the Olympics will constantly provide to socially engineer an attack. While search engines ramp up their defenses and algorithms to weed out these fake sites, it's important that we as users protect ourselves as well, especially now that we are aware. There is anti-phishing software out there that makes safe web browsing easy. It's difficult to know whether you have clicked a malicious link until it's too late, but there are tools that can warn you ahead of time. Enjoy London 2012 and access legitimate sites for updates on medal counts, scores, and highlights... not the ones that come through your email. Don't bite the bait!

Fortunately, there are companies out there committed to preventing the spread of phishing, like KaspAV, a division of Guardian Network Solutions and an authorized Kaspersky reseller. KaspAV specializes in providing anti-phishing solutions that prevent harmful types of malware from lodging themselves in your system and facilitate safe web browsing.

Reprint Terms: You're welcome to reprint these articles on your website and in your e-newsletters free of charge, provided that you do not change the article in any way and you include the byline, phishing.

In doing so you agree to indemnify Guardian Network Solutions and its directors, officers, employees, and agents from and against all losses, claims, damages, and liabilities that arise out of their use.
