HackDig : Dig high-quality web security articles for hackers


Phishing Post Mega Breach: How The Loss of PII is Only the Start of Your Customers’ Problems

2014-08-15 01:13

With billions of records and other credentials being compromised recently, it’s more likely than not that either you or someone you know had some sensitive information stolen. Information is the currency of the underground economy, and mega-breaches can collect a ton of it.

Once a user’s personally identifiable information (PII) is lost, it’s often sold on the underground market to other attackers who look to profit from it with very specific phishing attacks, known as “Spear Phishing”.

Spear phishing is far more dangerous than a traditional phishing message in that your PII is used to make the email more personal. The spear phishing email may address you by name or include details you believe only your bank or friends know. The senders may list account numbers, your address, or recent purchases as proof of their validity, drawing on known PII in order to learn unknown information.

Phishers will also use the breach itself against victims, claiming to be able to “wipe” or erase the victim’s PII from the hackers’ database. These claims are, of course, themselves a scam to get further information. While this trick isn’t new, it is unfortunately becoming more common. Recent research shows that in 2012, only 1 in 414 emails were phishing scams, but in 2013 1 in 392 were.

Not just a risk for newbies

Proficiency in technology or a healthy dose of cynicism doesn’t exempt users from becoming victims, especially when hackers get their data from a third party. Consider the case of Mat Honan, a respected writer for Wired who had his iCloud account taken over—and subsequently his laptop/phone/tablet wiped clean remotely—all because attackers got ahold of the last 4 digits of his credit card number. These four digits, combined with his billing address (likely guessed as his home address, which was easy to locate via Google), were considered sufficient identification to reset his iCloud password.

Several years ago, UK Justice Secretary Jack Straw’s email account was phished as well, resulting in what would later become known as “spear-phishing”, in which emails are sent to the user’s email contacts as if they came from the user. In Justice Straw’s case, hackers sent emails that appeared to be from Straw, telling his contacts that he was stuck in Nigeria with no money and needed a loan to return home. Unlike Honan, Straw lost nothing but a little of his colleagues’ trust in his emails, but the damage could have been far worse.

How can we stay safe?

Avoiding a phishing attack can be easy if you know what you’re looking for. Proactively keep yourself informed by staying current on phishing trends here on Symantec Connect and Antiphishing.org. As a general rule, avoid clicking unusual URLs in emails which come from senders you don’t recognize, and type in the home URL of the company requesting information into your browser to access your account directly. If you’ve been made aware of a large-scale breach in which your data was compromised, you will need to be especially vigilant. If you receive an email from an online vendor seeking any PII, take the extra step and call the customer service number listed on the company website to ask why the information is necessary.

Unfortunately, there’s no way to ensure sites/services that you use won’t be breached, but you can take steps to limit the damage. Using unique passwords and enabling two-factor authentication would have prevented the initial incursion into Honan’s email, and regular backups would have prevented some of the losses that he faced once the hackers had his information. It also pays to be especially aware after any breach of a major retailer that you may be a target: immediately change passwords upon receiving information regarding a breach, especially if the password involved is also used elsewhere. Support for storing passwords can be found in Norton Internet Security for a more secure solution.

Source: emotsuc-ruoy-trats-ylno-iip-ssol-woh-hcaerb-agem-tsop-gnihsihp/sgolb/tcennoc/moc.cetnamys.www
