When eBay suffered a massive data breach a few weeks ago, most of the attention revolved around the compromised passwords and the vulnerabilities in the site's security. While those are legitimate concerns, they obscure the most glaringly weak link in the security chain: people.
Indeed, it was not a sophisticated exploit that facilitated the eBay breach, but an old-fashioned con. It's been determined that as many as 100 eBay employees were likely victims of a social engineering scheme: an attack in which the perpetrators arm themselves with enough information to pass themselves off as a known and trusted individual or organization and convince the victim to reveal valuable personal information; in the case of the eBay employees, their logins.
That's actually not surprising. When I recently asked a number of security experts to weigh in on innovative new attacks we should look out for, I was told that the most concerning trend couldn't be remedied by patching and updating applications or thwarted by security software.
"The lowest-hanging fruit is still humans," said Ken Westin, a security researcher for Tripwire. "As long as attacks against humans still work consistently, attackers will use them on their own, or as part of sophisticated, integrated campaigns."
Increasingly, those campaigns are tightly targeted to individuals and use carefully mined personal data to gain their trust. A person is likely to dismiss a typical phishing message that starts "Dear Customer" and contains only general information. But if a criminal can tailor a message that addresses the recipient by name, includes personal details such as home address, phone number, or birth date, and appears to come from a company they do business with, the odds are much higher that even a cautious person will respond or take action.
The more pertinent personal information attackers can obtain, the easier it is for them to craft realistic-looking spearphishing scams. This is what makes companies like Target and eBay so appealing to hackers: their customer databases are a treasure trove of data about millions upon millions of consumers.
"Look, for example, at the eBay breach," says Dwayne Melancon, CTO of Tripwire. "Millions of users' personal information was disclosed, far more than just email addresses and user names. Those who possess the eBay data are now armed with dates of birth, locations, and even phone numbers, from which they can craft some of the most convincing phishing sites we've ever seen. By mentioning details from your local area, adding details that would appeal to you based on your age, and so forth, cybercriminals can greatly increase the odds you will respond to a phishing email."