Petaling Jaya, Selangor Malaysia (PressExposure) April 26, 2011 -- Lately, it's been published that the Chinese military has been launching massive numbers of spear-phishing attacks against U.S. government agencies and companies. The volume of attacks is such that "we have given up on the idea we can keep our networks pristine," said Stewart Baker, a former senior cyber-security official at the U.S. Department of Homeland Security and National Security Agency. Security experts say that the majority of attacks emanating from China still employ spear-phishing.
Evidence showed that Chinese hackers have been launching large numbers of attacks against U.S. government agencies and businesses. The most notable of those attacks was arguably Operation Aurora, which targeted Google and some 33 other companies. Google was compromised via targeted phishing attacks. Phishing, or also known as spear phishing, is a cyber threat using fake but personalized emails to trick people into visiting malicious websites or executing email attachments, which then attempt to exploit known vulnerabilities on the user's computer, giving attackers full control over it, and its contents.
Incidents such as the recent hacks of Epsilon shows that phishing remain quite effective and difficult to block. The massive data breach of thousands of names and email addresses from Dallas-based Epsilon may become victims of phishing attempts, according to The Better Business Bureau (BBB). Epsilon, a third-party marketing service used by high-profile businesses to distribute emails to customers, confirmed the data breach April 1. Among the confirmed companies whose customer data has been stolen are hotels, banking institutions and retail giants including Best Buy, Citi, Chase, U.S. Bank, Capitol One, Walgreens, Kroger, Marriott International, Ritz-Carlton Rewards, Brookstone, New York & Co., TiVo, HSN and L.L. Bean
There is an extremely high risk for phishing attacks, if the hackers have access to customer email addresses. Hackers may pose as official companies in an attempt to fraudulently obtain consumers' personal or financial information. Consumers are warned to use extreme caution and suggest the following tips to avoid becoming a victim of a phishing attack.
The Canadian government was also hit by spear phishing attack. The attackers, believed to be Chinese hackers, started by gaining access to the computers of several top senior government officials. Once accomplished, they sent emails to department IT staff pretending to be those officials. This method gave the access info they needed to enter key government systems. They also distributed malware pretending to be memos. When these fake documents were opened, a Trojan was installed that monitored and sent information back to the hackers.
It seemed surprisingly easy for the hackers to dupe IT professionals and gain access to such sensitive information. It's not known exactly what information was stolen, only that it was highly classified and from the Finance Department and Treasury Board. Both agencies were knocked completely offline by the attack.
As phishing and other scams become more prevalent, UK government officials and businesses are working together in a concerted effort to stem the tide of scam emails. This comes as the BBC reports mass markets scams like phishing makes up one quarter of all scams but are responsible for 90% of all scam losses. That makes phishing a very real problem for businesses and consumers. The UK government has started requesting people forward emails they suspect are scams to the national fraud authority.
According to the Anti Phishing Working Groups Global Phishing Survey, in the second half of 2009, there were 14,387 unique phishing attacks in the UK alone. Each one of these attacks has the potential to reach millions of people. To help minimize their impact, it is advisable for companies to educate their customers about procedures and let them know genuine companies will never ask for personal details over email.
The number of cyber attacks is only going to increase if organizations fail to pay attention on the vulnerabilities of their network security. Organizations need to implement robust information security initiatives, including having a proficiently skilled IT security workforce, in order to avoid cyber attacks and security breaches. IT security professionals can increase their information security knowledge and skills by embarking on advanced and highly technical training programs. EC-Council has launched the Center of Advanced Security Training (CAST), to address the deficiency of technically proficient information security professionals.
CAST will provide advanced technical security training covering topics such as Advanced Penetration Testing, Digital Mobile Forensics, Advanced Application Security, Advanced Network Defense, and Cryptography, among others. These highly sought after and lab intensive information security training courses will be offered at all EC-Council hosted conferences and events, and through specially selected authorized training centers.