Falling for phishing – hook, line and sinker

Picture of keyboard with two surveillance cameras on the keys

Watch out! Someone could be spying on you

When hackers broke into AP’s Twitter account earlier in 2013, their fake tweet about Barack Obama being injured in an explosion at the White House caused the US stock market to plunge. Just before the Twitter account was hacked, AP staffers had received an email asking them to click on a link that supposedly went to a Washington Post article.

Although it looked legitimate, the email was actually a phishing attack (view the email here). The fraudulent link redirected the recipients to a bogus site where they were asked for their login credentials. At least one person fell for the phishing email and gave the hackers, the Syrian Electronic Army, the password they needed to tweet in AP’s name.

Screenshot of AP Tweet reading "Breaking: Two explosions in the White House and Barack Obama is injured"

In this case, the incident proved more embarrassing than damaging – the tweet was corrected immediately and the stock market recovered within minutes.

But falling for a phishing attack can have much more serious repercussions.

Falling for a phishing attack can land you in jail

In Bahrain, at least 11 people were imprisoned between October 2012 and May 2013 after the Bahraini government successfully phished their identities. All had allegedly written anonymous tweets criticizing Bahrain’s King Hamad. The authorities identified the individuals by sending them fake links via Twitter and Facebook. When they clicked on the link, spy software recorded the computer’s IP address, allowing the authorities to track the Twitter users down (read how the Bahraini government did this in an extensive report by Bahrainwatch.org).

Phishing attacks don’t just come via Twitter or email, though; from SMS to Skype, WhatsApp or even the comments box on an online article, fake links can be embedded in any kind of communication.

What’s more, phishing doesn’t always involve a fake link. It might contain a downloadable file containing malicious software (or malware) that installs itself on your computer or smartphone without your knowledge.

Tweet text reads "Angolan activist was pwned via a spearphishing attack - I have the original emails, original payload and an updated payload."

Renowned security expert Jacob Appelbaum tweeted earlier this year about discovering spyware on the computer of an Angolan activist. Installed when an email attachment was opened, the spyware captured screenshots of the victim’s display and copied his files, automatically sending the information to remote servers.

This particular spyware wasn’t very high-tech but other malware can log keystrokes to steal logins and passwords, record visited websites or even activate the camera or microphone on the laptop to record what people are doing.

Phishing attacks becoming more professional and highly targeted

Many of us can now recognize the phishing emails for financial information that have been around for a while. Often badly spelled, they claim there has been unusual activity in our bank account, or offer a deal that is simply too good to pass up, and ask us to click on a link to verify our data.

The kinds of phishing emails now sent to journalists and activists, though, have little in common with these clumsy attempts of the past. They are professional attacks that often target a particular person or a particular organization. The attackers might research you on Facebook or LinkedIn, or look at articles you have written, in order to craft a highly customized email. That way, the target is more likely to fall for the attack.

Such targeted phishing attacks are known as spear-phishing, and are rapidly becoming one of the biggest security threats facing journalists.

We journalists are used to receiving emails, tweets or Facebook messages with links to stories or documents. After all, being on top of the news is part of our jobs. But letting hackers, whether they are government authorities or criminals, steal our information can endanger not only our stories, but also ourselves, our colleagues and, most importantly, our sources.

Here are a few tips:

Email text showing mouse hovering over link to display link URL

Mouse over the link. You can view a link’s URL by hovering over it with your mouse (but don’t click). If the URL doesn’t look legitimate, or doesn’t match the one given in the email text, don’t open it.

Read the URL carefully. Fake links will often try to trick you into thinking the URL is real by using similar spelling to a real site, for example www.aljazera.com instead of the correct www.aljazeera.com. If you don’t look carefully, it’s easy to think you’re clicking on a legitimate link.

Check the domain name. The domain name is the part of the URL just before the first slash (the one after http://). For example, Deutsche Welle’s domain is www.dw.de. Genuine DW links have the domain name before the first slash – for example, http://akademie.dw.de/digitalsafety/ is still a genuine DW URL because “dw.de” comes before the first slash. A phishing URL to a fake DW site may look like this: www.topstories.com/dw/globalization. Here’s a great spambusters post that tells you more about checking links.

Use a URL checker. They aren’t foolproof, but sites such as safeweb.norton.com are a good start.

Don’t open unverified attachments. All file types can contain malware. If in doubt, delete.
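The “read the URL carefully” and “check the domain name” tips above can be turned into a small automated check. The script below is an added example written for this article, not a tool from DW or from the article’s author; the allow-list of trusted domains is constructed for illustration, and the domain extraction takes the simple “last two labels of the hostname” view that the tips describe (a production tool would consult the public suffix list so that names like co.uk are handled). It flags three things the article warns about: a lookalike spelling of a known site, a known brand name hidden in the path of some other site, and a known brand name used only as a subdomain of some other domain.

```python
from urllib.parse import urlsplit
import difflib

# Constructed allow-list for this example: the sites a newsroom expects links from.
TRUSTED_DOMAINS = ["dw.de", "aljazeera.com", "washingtonpost.com"]


def _split(url):
    """urlsplit only recognises the host when a scheme is present;
    assume http:// for a bare host such as www.example.org/path."""
    if "://" not in url:
        url = "http://" + url
    return urlsplit(url)


def registered_domain(url):
    """The domain that matters: the last two labels of the hostname,
    so 'akademie.dw.de' -> 'dw.de'.  Simplification (assumption of this
    example): the TLD is a single label like .de or .com; a real checker
    would use the public suffix list so 'bbc.co.uk' is not cut to 'co.uk'."""
    host = (_split(url).hostname or "").lower().strip(".")
    labels = [label for label in host.split(".") if label]
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify_link(url):
    """Return (verdict, detail), mirroring the manual checks in the tips."""
    domain = registered_domain(url)

    # 1. The domain before the first slash is one we trust: genuine link.
    if domain in TRUSTED_DOMAINS:
        return "trusted", domain

    # 2. Near miss on a trusted name (one dropped or swapped letter):
    #    a likely lookalike such as aljazera.com for aljazeera.com.
    close = difflib.get_close_matches(domain, TRUSTED_DOMAINS, n=1, cutoff=0.85)
    if close:
        return "lookalike", f"{domain} resembles {close[0]}"

    # 3. A trusted brand name appears, but only in the path or as a
    #    subdomain of some other domain, e.g. topstories.com/dw/ or
    #    www.dw.de.evil.example: the real domain is not the brand's.
    parts = _split(url)
    host_labels = (parts.hostname or "").lower().split(".")
    path_segments = parts.path.lower().split("/")
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in host_labels or brand in path_segments:
            return "brand-in-wrong-place", f"'{brand}' appears but the domain is {domain}"

    return "unknown", domain


if __name__ == "__main__":
    # Constructed sample links, including the two from the article's tips.
    for link in [
        "http://akademie.dw.de/digitalsafety/",
        "www.aljazera.com",
        "www.topstories.com/dw/globalization",
        "http://www.dw.de.evil.example/",
        "https://example.org/news",
    ]:
        print(f"{link:45} -> {classify_link(link)}")
```

A verdict of “unknown” is not a clean bill of health; it only means the link does not match or imitate a site on the allow-list, so the other tips (a URL checker, not opening unverified attachments) still apply.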

To find out more about avoiding hacking attacks, tune into the What’s in that message? live online session with security expert Morgan Marquis-Boire on December 6 at 4pm CET.

Written by Kate Hairsine and edited by Kyle James