Tuesday, April 5, 2011

Phishing Scammer Almost Gets Away With $8 Million

Condé Nast, a giant publishing company, was the victim of a phishing scam that almost netted the phisher $8 Million.

According to the complaint filed in Manhattan District Court by the U.S. Attorney's office, the accounts payable department of Condé Nast was fooled by a fake email that claimed to be from one of their partners, Quad/Graphics. The email included an E-Payment form, which tricked the department into paying out $8 Million to the fake account between Nov 17, 2010 and Dec 30, 2010.

The account was frozen on Jan 9, 2011, before the perpetrator could withdraw the funds from the account he had set up. According to authorities, he was caught because he had incorporated the company name using his home address.

For those of you who might not know, a phishing attack is when someone sends you an email claiming to be someone else in order to get you to open a link and give up information. Phishing can also be done by setting up fake websites with the same or similar domain names as ones you would trust, in an attempt to harvest user login information.
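The "similar domain name" trick above is something an accounts payable mailbox can screen for mechanically. The following is an added example (not code from the original post) that flags sender domains which merely resemble a known partner's domain; the trusted domain list and the sample addresses are constructed for illustration.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed list of partner domains the business actually does payments with.
TRUSTED_DOMAINS = {"quadgraphics.example", "condenast.example"}

# Character swaps commonly used to make a lookalike domain pass a quick glance.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalize(domain):
    """Lowercase, strip accents, and undo common look-alike substitutions."""
    folded = unicodedata.normalize("NFKD", domain.lower())
    folded = folded.encode("ascii", "ignore").decode()
    for fake, real in HOMOGLYPHS.items():
        folded = folded.replace(fake, real)
    return folded


def sender_domain(address):
    """Return the domain part of an email address, e.g. 'ap@x.example' -> 'x.example'."""
    return address.rsplit("@", 1)[-1].strip().lower()


def classify_sender(address, trusted=TRUSTED_DOMAINS, threshold=0.8):
    """Classify a sender as 'trusted', 'lookalike of <domain>', or 'unknown'.

    threshold is the minimum similarity ratio (0..1) at which a domain that is
    not an exact match is treated as an impersonation attempt.
    """
    domain = sender_domain(address)
    # Exact match, or a genuine subdomain of a trusted domain.
    if domain in trusted or any(domain.endswith("." + t) for t in trusted):
        return "trusted"
    norm = normalize(domain)
    for t in trusted:
        # A trusted name used as a *prefix* (partner.example.attacker.test)
        # is a different registrable domain and should be flagged.
        if domain.startswith(t + "."):
            return f"lookalike of {t}"
        similarity = SequenceMatcher(None, norm, normalize(t)).ratio()
        if norm == normalize(t) or similarity >= threshold:
            return f"lookalike of {t}"
    return "unknown"
```

Anything that comes back as a lookalike is exactly the message that should go through the out-of-band phone check discussed later in the post rather than straight to payment.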

The way I see it, phishing attacks fall into two categories: personal phishing and business phishing.

An example of personal phishing would be an email claiming to be from Facebook. The email might say you logged in from somewhere you don't recognize and give you a link to a URL where you can 'fix' your security settings. Once you click the link, you're sent to a site that looks like the Facebook login page but isn't. There you fill in your login information, maybe change a couple of pretend security settings (a good phisher will actually have you turn off any alerts rather than turn them on) and click next. At this point you're redirected to the real Facebook to avoid arousing suspicion, and you carry on with your day, completely oblivious to the fact that you just gave your password away and turned off all your security emails. This is of course a simple example using something rather harmless in the scheme of things; phishers have been known to steal bank, social security and email login information, among many other threats far more dangerous to your security than losing a Facebook profile.

A business spear phishing attack works pretty much the same way: you send an email, wait for someone to take the bait, and then reel 'em in. The only real difference is the motive. Sometimes it's access to a system, sometimes it's getting the business to wire millions of dollars to a fake account, sometimes it's stealing proprietary information. Businesses have a lot more to lose from phishing attacks, and I think their best option would be phone verification with caller ID before transferring any payments. It's possible to get around that, but it would be a lot more technical than what I think most phishers are capable of.

Source: Threat Post