When we think of phishing, we immediately think of the fake emails sent to consumers that pretend to be from trusted senders, such as PayPal, eBay, banks and insurance companies. Consider the essence of a phishing attack – it is a fake email that masquerades as something the recipient wants. In the consumer arena, that could be a special offer, your bank statement or the status of your insurance claim. WikiLeaks has revealed that consumers aren’t the only targets of fake emails designed to steal credentials or infect computers.
In State Department documents leaked by WikiLeaks as reported in the New York Times, in 2008 agents of the Chinese government used a document labeled “salary increase – survey and forecast” as bait in a scheme that compromised more than 50 megabytes of email and a complete list of user names and password from an unidentified US government agency.
Another leaked cable contains a warning from the Secretary of State’s office warning about a spear-phishing attack (spear-phishing is a phishing attack that is highly customized and targeted to specific people) directed at five State Department employees involved in global warming policy. The fake email pretended to be from a respected columnist and was intended to install malware on the victims’ computers. Similar attacks, “tenuously connected” to the Chinese government, were made against German government targets.
These incidents remind us that telling real emails from fake emails is hard and that the bad guys continue to work at making it harder. As a consumer, eMail ID is a free tool you can use to help identify real emails from nearly 2,000 top senders.