I have lots of email addresses, but there's one that I use as the main catch-all one; it's the one I usually give to most people, and it's the one account I like to clean and clear out regularly. Because it is the most publicised of all my many accounts, it's the only one that receives spam regularly. Equally, I speak at events, write in publications, write on websites, and participate in some social networking sites, which also open me up to being a target of spam.
Last week I received an invite to join "Plaxo" from a friend of mine who works for the Financial Services Authority. I know that he is unlikely to send a non-work message from his work email, so this seemed authentic, as it was seemingly sent from his personal domain name.
Whenever I receive an invite to join any new service that I have not used before, I usually explore why I would need that service in my life, and I usually look at what sort of people use the service and how they use it, as well as looking through the help section available to non-users of the service. I don't want to give the impression that I get lots of invitations to join new services, but whenever I do, I don't assume that the invite is from who it seems to be from, and I follow it up with the person directly, even if, as in the above example, it seemed to be sent from my friend's personal domain address.
Therefore, following form, I emailed him asking what he thinks this service offers that can't be got elsewhere, to which he replied that he hadn't sent the invite. I attached the email into a message so that he could see that I had actually got it from his private domain name.
So was this a spear phishing attempt to get me to disclose personal information? Probably, but I didn't fall for it this time. Who knows, one day my guard may be down for whatever reason, and I'll click through and end up with malware on my PC.
Is this unique? Not really, many people get spear phished all the time, but for me this was the first one, and one where the originator was another trusted security friend and the email domain was his personal one. It is the first one I've received which didn't set off the usual alarm bells, like the emails from banks that I don't bank with, or offers of business opportunities.
Although this is a single incident for me, it is in line with the findings of a report from Sophos I came across today, the "Social Security" survey. Two of the related findings are:
- 57% of users report they have been spammed via social networking sites, a rise of 70.6% from last year
- 36% reveal they have been sent malware via social networking sites, a rise of 69.8% from last year
Details of this report are available from the Sophos website, but the question for me is: "what can we do to ensure that we don't fall victim to such targeted attacks?"
Unfortunately, it is all those same old obvious things that are covered in corporate security awareness training courses and workshops: don't disclose any useful information on the internet; only accept invitations from people you know; check links before you click; and the list goes on. There is nothing in the list that we don't already know, so the question then becomes: "how many non-security people actually pay any attention to good practice?"
What we need is something simple like the Government's old "Green X Code" campaign, which hopefully after several years will become ingrained in people's minds from child to adult. Even if the campaign only saves a small percentage of people from being taken in, it's still worth it. What's more, over a period of time those people will share their experiences with others and hopefully educate others through discussion.
Which social networking services have you received spear phishing emails from?