Will Someone Give a Hacker Access to Your Network?
How can this happen?
A common way this is done is through something called spear phishing.
What is spear phishing?
Spear phishing is when someone sends you an official-looking survey asking a couple of questions. Based on the answers provided, they are able to access your entire network. Many times the survey is sent through a reputable company, such as SurveyMonkey.
What are the odds you will fall for it?
According to PhishMe, Inc., once a phishing email is in an employee's inbox, there is a 60% probability that an untrained staff member will miss all of the indications that the email is in fact a scam and will click on a hyperlink or open a file attachment within the email.
How do they do it?
Step 1:
Create a free account on an online survey site.
Step 2:
Set up the survey to ask 5 questions.
They can be something like:
1. Do you find it difficult to remember all of your corporate passwords?
2. How many passwords are you required to remember for corporate systems?
3. Of all your passwords, enter the one which you think is the best? (Such as sljkf2875$^ or Cook#paper)
4. Of all your passwords, enter the one which you think is the worst? (Such as password or LALakers)
5. Do you think your Chief Security Officer would be interested in our software tool that is both inexpensive and offers bullet-proof security protection?
Step 3:
Only send it to one user.
What’s going on?
Questions 1, 2 and 5 were there simply for an air of legitimacy.
Questions 3 and 4 were the spear phishing questions.
Since this was sent to only one person, the results provided inform the hacker that the targeted user answered the survey.
They then can analyze the report and extract the relevant data.
How do most people respond?
Most of the time, the user will enter both the best and the worst password!
This will allow the hacker to hack the user and his or her entire office network!
Is every email from SurveyMonkey dangerous?
No. Many times, honest and safe people are sending you a link to a survey in an effort to accomplish a safe goal.
SurveyMonkey CAN be set up so that the responses are anonymous and secure, but that is for the individual survey creator to decide.
Recommendation #1
The most effective way to counter phishing and spear phishing is via an effective information security awareness program that educates users on how to identify and avoid a well-crafted spear phishing email.
Recommendation #2
As part of a corporate security awareness program, users should be cautioned against answering surveys about proprietary and/or confidential corporate information, or any personal information.
Recommendation #3
Users need to understand that since SurveyMonkey can't guarantee the anonymization of the answers, they should have zero expectation of privacy.
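One way a mail or web gateway could back up Recommendation #2, as an added example that is not part of the original article: a Python heuristic that flags survey questions asking the respondent to type in a secret. The word lists and the function name flag_questions are assumptions for illustration; the sample survey is the five questions quoted above.

```python
import re

# Nouns that name a secret, and verbs that ask the respondent to disclose one.
# Both word lists are illustrative assumptions; tune them for your environment.
SECRET = r"(?:passwords?|passphrases?|passcodes?|pins?|security\s+answers?)"
DISCLOSE = r"(?:enter|type|provide|list|share|write|tell\s+us|give\s+us|what\s+(?:is|are))"
WINDOW = r"(?:\W+\w+){0,8}?\W+"  # at most eight words between the two terms

# A question is suspicious only when a disclosure verb sits close to a secret
# noun, in either order. Merely mentioning passwords is not enough.
SOLICITS_SECRET = re.compile(
    rf"\b{DISCLOSE}\b{WINDOW}{SECRET}\b|\b{SECRET}\b{WINDOW}{DISCLOSE}\b",
    re.IGNORECASE,
)


def flag_questions(questions):
    """Return the 1-based numbers of questions that ask for a secret to be typed in."""
    return [n for n, q in enumerate(questions, 1) if SOLICITS_SECRET.search(q)]


# The five survey questions quoted in the article.
SURVEY = [
    "Do you find it difficult to remember all of your corporate passwords?",
    "How many passwords are you required to remember for corporate systems?",
    "Of all your passwords, enter the one which you think is the best?",
    "Of all your passwords, enter the one which you think is the worst?",
    "Do you think your Chief Security Officer would be interested in our "
    "software tool that is both inexpensive and offers bullet-proof security "
    "protection?",
]

if __name__ == "__main__":
    for n in flag_questions(SURVEY):
        print(f"Question {n} asks the respondent to disclose a secret: {SURVEY[n - 1]}")
```

Questions 1 and 2 mention passwords but are not flagged, because nothing in them asks the respondent to enter one.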