With the growing use of the Internet, users need to be wary of e-mails purportedly by local banks requesting to update details for online banking.
Never reply or submit personal details via cyberspace. The banks will never request any Internet user to update or furnish details via cyberspace.
If the banks are not sending such e-mails, then who is? These e-mails are crafted by hackers as cyber weapons to carry out an attack known as “social engineering”.
“Social engineering” is manipulating the people to unveil valuable information to the trickster. It is like a law enforcer going undercover as a drug user to arrest drug pushers, or spies trying to gain intelligence on national secrets from a government source.
As part of this information-harvesting technique, hackers send spoofed e-mails, known as ‘phishing’, to collect information about a target; that information then becomes a useful mechanism for deploying attacks on any weak individual or corporate network.
In June 2011, Chinese hackers launched massive phishing attacks designed to compromise the Gmail accounts of senior US and South Korean government officials, military personnel, Chinese activists and journalists.
The modus operandi in this sophisticated attack was that victims received a message from a spoofed address of a close associate or corporation. If the recipients fell for the trap, their personal details were forwarded to a compromised server operated by the hackers.
The hackers then have the details they need to penetrate further. It is vital to understand from which angles the attack will be directed at the victim.
It is also important to understand how hackers derive a method to breach the weakest link. In common practice, hackers can manipulate e-mail settings by impersonating someone making a legitimate request.
The most favoured method for a hacker is e-mail attachments. E-mails with attachments can pass through firewalls unnoticed. The attachment is unleashed when it is opened, with damaging effects, especially if it was sent from someone the target recognises.
Powerful worm
These attachments may contain embedded programmes such as viruses, worms, or Trojan horses and are often disguised in a way that entices a user to execute the application. Any of these malicious attachments can wreak havoc on a system.
In Stuxnet’s case, a powerful worm got into the nuclear facility when a member of staff brought in a thumb drive and attached it to an office computer. Someone had been tricked into downloading Stuxnet onto their thumb drive, and when it was released at the workplace it wreaked havoc on the whole Iranian missile centrifuge programme.
With the growth of cyberspace and the flood of e-mails and instant messages, many people have a hard time judging an e-mail even when it comes from a trustworthy source. Before any hacking attempt, the hackers gather information about the target. The common practice is to search every available online source.
The best approach is to harvest information via Google by browsing and searching for valuable information about the target. The other option is to use the website pipl.com to perform deep searches and web-crawling.
Information security experts always warn Internet users to avoid revealing personal information, such as photos on social media or résumés uploaded to Scribd. This can be used against the target once a skilful hacker decodes the personal information. Cyber attackers often rely on people, the weakest link, to tap information.
Every year organisations focus on changing and updating their information technology infrastructure, but neglect to build human-awareness programmes against the information security breaches that commonly occur.
The message that information technology personnel must note is that no matter how much the budget for procuring state-of-the-art technology is increased, users’ awareness of phishing has to be enhanced.
Comment by P Ramani
The main use of the Internet, besides browsing particular websites, is communicating by e-mail. The three giant free e-mail services most commonly used are Yahoo Mail, Hotmail or Gmail. Some people even have all three accounts, and more, for particular purposes.
It really eats into my limited time to read every e-mail indiscriminately. So e-mail has to be read wisely and efficiently, as there is no shortage of scam e-mails of various kinds. In Internet parlance they are called Scam or Phishing Email.
E-mail from Maybank saying something has happened to your maybank2u online account (for example: blocked, password reset, request to change your profile, etc.) whose purpose is to get you to use the URL link included in it. You do not need to follow its steps. Just delete this e-mail or mark it as spam mail. The technique for proving that the URL link is fake is simply to mouse over the link. You will see that the URL link actually goes to a website that is not the real maybank2u.
Chain e-mails such as "Pass this message on to 10 other people so that you get .....". The main reason recipients give for following those before them is: what's the harm, you don't have to pay anything to send it to 10 other people.
E-mail asking for help to get assistance withdrawing a large sum of money from some country. This method is usually done by Africans. They will actually ask for a fairly small sum of money (compared with the actual reward they promise) to help the process of withdrawing that money along. If they get it, they will ask you for a little more, until they have got as much as they can from you.
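The warning signs described in the article (a message that claims to come from a bank but is sent from a spoofed address, and a dangerous attachment) and in the comment above (a link whose visible text differs from where it really points, the mouse-over test) can be checked automatically once a message is parsed. The following is an added example written for this page, not code from the article's author or the commenter: the sample message, every address, domain and file name in it are constructed placeholders, and the allow-list of bank domains and the list of dangerous extensions are assumptions that a real deployment would maintain itself.

```python
"""Phishing indicator checks on a single parsed e-mail (added example).

Reports, but does not block: sender display name vs. address domain,
Reply-To vs. From domain, visible link text vs. real link target, and
risky attachment names. All sample data below is constructed.
"""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: placeholder allow-list mapping a bank's real domain to its brand name.
TRUSTED_BRAND_DOMAINS = {"maybank2u.com.my": "Maybank"}

# Assumption: extensions that should never arrive as unsolicited attachments.
DANGEROUS_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta")

# Matches link text that itself looks like a URL or host name (e.g. "https://www.bank.example/path").
DOMAIN_LIKE = re.compile(r"(?:https?://)?([\w-]+(?:\.[\w-]+)+)(?:/\S*)?$", re.I)


def registrable_domain(host: str) -> str:
    """Crude registrable domain: last two labels, or last three for
    second-level suffixes such as .com.my (assumption: no public suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in {"com", "co", "net", "org", "gov"}:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def _domain_of(addr: str) -> str:
    return registrable_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""


def sender_indicators(msg: EmailMessage) -> list[str]:
    """Flag a display name that claims a bank while the address is elsewhere,
    and a Reply-To that would divert answers to a different domain."""
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain_of(addr)
    for domain, brand in TRUSTED_BRAND_DOMAINS.items():
        if brand.lower() in name.lower() and from_domain != domain:
            findings.append(f"From claims '{brand}' but address domain is {from_domain!r}")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    reply_domain = _domain_of(reply)
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain!r} differs from From domain {from_domain!r}")
    return findings


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def link_indicators(html: str) -> list[str]:
    """The mouse-over check, automated: flag anchors whose visible text names
    a host different from the host the href actually resolves to."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        shown = DOMAIN_LIKE.match(text)
        if not shown:          # "click here" style text carries no host claim
            continue
        real_host = urlsplit(href).hostname or ""
        if registrable_domain(shown.group(1)) != registrable_domain(real_host):
            findings.append(f"link text shows {shown.group(1)!r} but points to {real_host!r}")
    return findings


def attachment_indicators(msg: EmailMessage) -> list[str]:
    """Flag executable and double-extension attachment names."""
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(DANGEROUS_EXTENSIONS):
            findings.append(f"executable attachment {name!r}")
        elif name.count(".") >= 2:
            findings.append(f"double extension in attachment {name!r}")
    return findings


def assess(raw: bytes) -> list[str]:
    """Run all checks over a raw RFC 5322 message and return the findings."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = sender_indicators(msg)
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        findings += link_indicators(html_part.get_content())
    return findings + attachment_indicators(msg)


def build_sample() -> bytes:
    """Constructed sample phishing message; every host and address is a placeholder."""
    msg = EmailMessage()
    msg["From"] = "Maybank Online Security <alerts@maybank2u-secure.example>"
    msg["Reply-To"] = "verify@mailbox-placeholder.example"
    msg["To"] = "customer@example.org"
    msg["Subject"] = "Your maybank2u account has been blocked"
    msg.set_content("Please open the attachment.")
    msg.add_alternative(
        '<p>Your account is blocked. Log in at '
        '<a href="http://login.maybank2u.com.my.phish.example/">'
        'https://www.maybank2u.com.my/</a> to restore access.</p>', subtype="html")
    msg.add_attachment(b"MZ placeholder bytes", maintype="application",
                       subtype="octet-stream", filename="statement.pdf.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in assess(build_sample()):
        print("-", finding)
```

The link check only compares hosts when the anchor text itself looks like a URL or domain; ordinary "click here" text is left alone, since it makes no claim about where it leads. A real deployment would replace the crude `registrable_domain` with a public suffix list and feed the findings to a mail gateway or user-facing banner rather than printing them.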