How Not To Get Caught By A Cyber Hook
Friday, April 8, 2011
A security breach of the internet marketing firm Epsilon's files has put millions of people at risk for identity theft. There are a few simple rules to follow that will almost certainly prevent you from becoming a cyber attack victim, according to our phishing expert, Randy Abrams. Find out how to protect yourself.
If you've done business online with companies like Target, Best Buy or J.Crew, you may have gotten an email recently saying some of your personal information has been stolen. The security breach involving online marketer Epsilon is being called one of the biggest data thefts ever. But just what was stolen? And how could it affect you?
Randy Abrams, Director of Technical Education, Cyber Threat Analysis Center for ESET North America
CAVANAUGH: If you've done business online with companies like Target, Best Buy, or J.Crew, or even the bank Citigroup, you may have gotten an e-mail recently telling you some of your personal information has been stolen. The security breach involving online marketer Epsilon is being called one of the biggest data thefts ever. But just what was stolen, and how could it affect you? I'd like to welcome my guest. Randy Abrams is director of technical education at the Cyber Threat Analysis Center at ESET North America. Randy, good morning. Thanks for coming in.
ABRAMS: Good morning. Thank you very much for having me here.
CAVANAUGH: So what is known about the scope of the Epsilon security breach at this point?
ABRAMS: Well, we're limited in our knowledge by what Epsilon's willing to release. And we have to trust that what they're saying is the truth. And if it is the truth, a bunch of e-mail addresses and names were breached. And almost certainly the people that have those names and e-mail addresses know which companies they correspond with.
CAVANAUGH: Right. So tell us, though, let's back up for a minute, what does Epsilon do for all these companies?
ABRAMS: They're a spam machine. They send out lots and lots of e-mails on behalf of these people.
CAVANAUGH: I see. So if you were a -- if you've ever done online business with Target, and they want to let you know that they're having a sale of some kind, it might come through Epsilon?
ABRAMS: Correct. Or I get e-mails from the Hilton every month or from Marriott Rewards, and they do business with Epsilon too, who sends the e-mails on their behalf.
CAVANAUGH: Okay. And so the type of information that these hackers stole was just e-mails.
ABRAMS: That's what's reported, yes.
CAVANAUGH: So what's the risk to people whose e-mail addresses actually were stolen?
ABRAMS: You know, this is a really interesting case. There is some risk in terms of targeted phishing. Because if I have the information about who you actually bank with, then I can send a phishing e-mail to a person that actually banks with the bank I'm targeting, which is far more effective than sending you a phish for a bank that you've never done business with. You'll recognize that immediately. But it's really valuable for marketers, because they can take a look at, say, 50 different companies and say, this e-mail address shows up across 17 of these different companies. Now I know this person's lifestyle, I know how to sell that as a targeted e-mail address.
CAVANAUGH: So in other words, these -- the people who stole this information from Epsilon may actually sell it on to other marketers who don't need to do this research by themselves anymore? They can just get it by assessing where these e-mail addresses go.
ABRAMS: Oh, yes. This would be extremely high quality in terms of mailing lists.
CAVANAUGH: So tell us a little bit more about how a phishing attack works.
ABRAMS: A phishing attack is designed to get the user to do something that they wouldn't normally do by tricking them. It's usually a confidence breach. It also involves either fear or greed in most cases. So you get an e-mail saying there's been a problem with your Hotmail account, and for security purposes, we need you to reset your password, give us this information. Or this is your bank, we really value your feedback, we'll give you $50 if you'll answer these questions, but we need your bank account number to put the money into.
CAVANAUGH: I see. I see. So there's no reason to think that perhaps this just is going to be sold on to some marketer. This might even be used by people who want to get access to more of your personal information.
ABRAMS: Best case scenario, it was stolen by somebody who wanted it for marketing purposes. Worst case scenario, it was someone who's gonna sell it for both purposes, and you have to assume that there are gonna be some targeted phishing attacks as a result of this.
CAVANAUGH: Now, who would be most at risk?
ABRAMS: Anyone who doesn't understand how to avoid a phishing attack.
CAVANAUGH: Okay, yeah, anyone who clicks on those e-mails and answers them, right? Replies to them.
ABRAMS: Yeah, and in this case, you know, it's really more about the behaviors than identifying the e-mails. You don't have to identify an e-mail as a phishing attack, even if it is, if you don't engage in the behaviors that allow the phishing attack to work. So any time you get an e-mail that asks for a password, it is a phishing attack. I might be wrong one out of 270 billion times, but --
CAVANAUGH: Those are pretty good odds.
ABRAMS: You can call the company on the phone, if you think that it's for real. So if they're asking you for your personal information via e-mail, it's a phishing attack. Just assume it's a phishing attack. Follow up by phone if you think your assumption is wrong. Also, if you click on a link in an e-mail, and it leads you to a web page that asks you for a login, don't do it. Now, this one is particularly difficult, because you'll often get e-mails from Facebook or Twitter or whatever, and clicking on that link takes you right to the thread that you're looking for, and that's the easy way to do it. It's also the easy way to fall for a phishing attack. So I always log in to my Facebook account and go looking for the message I want to find. I don't click on the links in the e-mail. You follow those simple steps and you've eliminated the behavior aspect of phishing, and you beat all the phishing e-mails.
CAVANAUGH: I want to let everyone know, I'm speaking with Randy Abrams, he's [CHECK] ESET North America. And we're talking about the security breach involving online marketer Epsilon. And so in other words, what you're advocating is that people have this heightened awareness all the time, not just when they hear that there's been another big security breach somewhere?
ABRAMS: Exactly. Because these attacks are going on 24 hours a day, seven days a week, and they have been for years.
CAVANAUGH: I think a lot of people are, you know, familiar with the term phishing, but lately I've heard another term, spear phishing. What does that mean?
ABRAMS: Spear phishing is a targeted attack.
ABRAMS: So the analogy, imagine you take a net out and you go fishing with the net, you don't care which fish you catch, you're going for all of them. Spear fishing, you're throwing the spear at a specific fish. So spear phishing is a targeted attack, and in this case, it appears that Epsilon was a victim of spear phishing. Some of their employees were targeted, and to me, I don't know that I would use the word phishing. Some security experts use it. But definitions get a bit blurry. But the people were sent a specific e-mail for a specific reason, now, in this case, it contained programs that have vulnerabilities that allowed hackers to get network access.
CAVANAUGH: Right. Yeah, let me talk a little bit about those programs that have those vulnerabilities. Because you are with this Cyber Threat Analysis Center, I know personally this -- I've gotten an e-mail like this three times in the last 18 months. And I know that I can't be alone in this. Not from Epsilon, but from other companies. And is this happening more often?
ABRAMS: You know, I haven't aggregated the numbers. At some point, personally, I get to the point of I don't care if it's happening more often, it happens so often that more or less a little bit doesn't matter. I mean, if you can track a lessening trend, that's good news and something to be happy about. But for the average consumer, whether or not it's happening more often is pretty irrelevant, it happens so frequently that you just need to be on your guard.
CAVANAUGH: Let's say, in a moment of distraction, you click on an e-mail or a link, and you say, you know, I shouldn't have done that. I exposed myself, this was a phishing attack. I know it was. Is there any way to immediately get on the phone to a certain company or -- and stop that information from being out there? Or is -- you're basically cooked if you do that?
ABRAMS: What I would recommend is that today you go out to the FTC website and look at the information resources for identity theft and what to do if you're a victim of identity theft. Print those out and have them by your computer, and you'll have the answers ready when you need that information. Because yes, there are steps you can do to mitigate the damage, especially if you recognize it right away.
CAVANAUGH: Is there anything that the people who are working on the other end are doing that's going to make all the information that is being gathered about people more secure?
ABRAMS: You know, there are a variety of projects at universities all over the world that are attempting to solve this problem. But what it really comes down to is we're talking about crime. And in the history of civilization, we have not eradicated crime. You know, the criminals are pretty persistent people, and have been for millennia, so there are ways that technology can help, but fundamentally, we need to make essential education include anti-phishing, anti-social-engineering, that's gotta be part of our social curriculum from elementary school on before we're going to be able to deal with this new type of threat that the internet has brought upon us.
CAVANAUGH: Is there anything else besides these phishing attacks that's really so common people should be aware of all the time?
ABRAMS: There's a lot of information that people are sharing right now. And some people say it's a good thing, not necessarily. I really don't need to know that your child's got the stomach flu and the details of that.
ABRAMS: But if you're aware that the information you put out there is public knowledge and everybody knows it, then you're able to defend yourself better. If someone says oh, I'm in the same club as you are, but in a different state, and you think the reason that they know that you're in that club is because they actually know you, but you've published it on your Facebook account, you're setting yourself up for a social engineering attack. So be very aware of what information you have out there, Google yourself. Find out the aggregate of all the information. You know, I had a person one time send a tweet that I picked up on Google Buzz that said I'm going to such and such restaurant in New Jersey. It had her first name and last name. I Googled her first name and last name, and between three different social networking sites, I found out what her phone number was, where she lives, and that there was a male in the household as well. So I e-mailed her [CHECK] my God, I had no idea I gave up this much information from one little tweet saying where I was going to dinner at.
CAVANAUGH: Do you find that across the board, people are still pretty naive about the Internet, and the kind of information that they're just basically casually letting out there?
ABRAMS: Absolutely. People right now don't even realize that their smart phone isn't a phone that does smart stuff. It's a computer that happens to be able to make phone calls as well. They don't realize the power that they've got in these devices. And the bad guys understand the power to do harm.
CAVANAUGH: Would it make any sense if someone were to take a sort of proactive measure and just use one separate e-mail for all of their business and another one for the other things they do? In other words, one e-mail for their online business, so indeed if there is this security breach there's only a limited amount of damage that could be done to that person?
ABRAMS: There is certainly a logic to that approach. And it may save you from some very embarrassing situations and may prevent a mistake that could cause a loss of your job. So yeah, data segregation is a part of defense in depth. And it's a good idea.
CAVANAUGH: Well, I want to thank you for your time. Thanks for speaking with us today.
ABRAMS: Thank you so much for having me today.
CAVANAUGH: I've been speaking with Randy Abrams, he's director of technical education, Cyber Threat Analysis Center, ESET North America. You're listening to These Days on KPBS.