LOS ANGELES — At least 2 million people received the email May 16 notifying them that an order they had just made on “Wallmart’s” website was being processed, though none of them had done any such thing.
Still, thousands of people clicked on the link in the email, taking many of them to a harmless Google search-results page for “Walmart.” Others weren’t so fortunate. The link led to the invisible download of malware that covertly infected their personal computers, turning them into remotely controlled robots for hackers, according to email security firm Proofpoint.
These sorts of “phishing” attacks are not only becoming more common but also are getting more lethal, with fake emails becoming harder to distinguish from real ones.
In the fake-Wal-Mart attack, people missed clear warning signs — such as the company name being misspelled and the sender’s address being very long and strange. But in another case a month later, an email claiming to be from American Airlines carried no visible hints that it was illegitimate.
Most Read Business Stories
- 55,000 in Washington state may have to pay back thousands in jobless benefits
- 1 house, 45 offers: Homebuyers in Western Washington hard-pressed as supply remains scarce
- Boeing CEO gave up millions in pay; here's what he and other top execs earned
- Jeff Bezos gets fraction of legal fees from girlfriend’s brother
- Amazon's telehealth arm quietly expands to 21 more states
The sophisticated attacks are targeting the likes of attorneys, oil executives and managers at military contractors. The phishers are increasingly trying to get proprietary documents and pass codes to access company and government databases.
Nearly every incident of online espionage in 2012 involved some sort of a phishing attack, according to a survey compiled by Verizon, the nation’s largest wireless carrier.
Several recent breaches at financial institutions, media outlets and in the video-game industry have started with someone’s login information being entered on a false website that was linked to in an email.
When an Associated Press staff member received an email in April that appeared to be from a colleague, the individual didn’t hesitate to click on the link. But that link led to the installation of a “key logger” that enabled a hacker to monitor keystrokes and see the password for The Associated Press’ Twitter account.
The hacker posted a tweet from the account saying that someone had bombed the White House. As investors reacted to the tweet, the S&P 500 index’s value fell $136 billion. The parody news site the Onion fell prey to a similar, though less costly, attack.
Chandra McMahon, the chief information-security officer for military-technology giant Lockheed Martin, said phishing attacks aimed at its employees try to replicate emails and websites of industry organizations that its employees visit on a regular basis.
“They are compromised by adversaries because they are the perfect spot to put malware because a lot of the employees from the industry will go there,” McMahon said.
As technology firms find ways to make emails safer for consumers, some security experts suggest treating every link skeptically. So if you can never click on a link in an email again, what options are left? Here are some suggestions from security experts:
Open links on an email app on Apple’s iPad or iPhone. These devices have fewer vulnerabilities so malware is unlikely to stick or get attached by clicking on a bad link. Android devices aren’t as foolproof, but smartphones certainly have fewer holes than personal computers.
A few tech companies are promoting a new technology known as Domain-based Message Authentication, Reporting & Conformance, or DMARC, that offers users a visual indication that an email is coming from the legitimate vendor.
For example, real emails from eBay in Gmail include a key next to the “from” field. In Microsoft’s Outlook, a green key is the sign. Despite a push from firms such as email-security provider Agari Data, not every major company has joined this effort.
Other companies are taking different approaches. Wal-Mart Stores, for one, is devising its own tool. Others are trying to block bad emails from reaching the inbox by harnessing the power of big data to see whether a message has the right context clues, anyone’s ever received a similar email or whether the sender’s ever been replied to.
With the warnings about these sophisticated and consequential attacks starting to grow, it’s possible employees could start facing repercussions for not being cautious with links.
Peter Toren, a former Justice Department computer-crimes prosecutor, said he hasn’t heard of any companies firing someone for introducing malware into a corporate system by clicking a link. But he said a company might eventually have to make an example of someone.
“They certainly wouldn’t sue an employee because they don’t have deep pockets to pay a claim,” Toren said. “But it certainly could be grounds for termination. You failed to listen to us. You failed to follow training.”