December
28, 2006: The U.S. Department of Defense is suffering yet another Internet
based attack. This one is a "spear phishing" offensive. "Phishing" (pronounced
"fishing") is when a hacker sends out thousands, or millions, of emails that
look like warnings from banks, eBay or PayPal, asking for you to log in (thus
revealing your password to the hackers, who have set up a false website for
this purpose) to take care of some administrative matter. The hacker then uses
your password to loot your account. "Spear phishing" is when the emails are
prepared with specific individuals in mind. The purpose here is to get specific
information from, say, a bank manager, or someone known to be working on a
secret project. The thousands of spear phishing emails sent to military
personnel is worrisome, because it means someone is looking for defense related
data, including classified stuff. Most people don't fall for phishing attacks,
but the hackers know that some will. The recent spear phishing attack included
messages with a PowerPoint attachment. That file, if opened, installed a virus
on the users computers, and created access, to the users network, for the
hackers who carried out the spear phishing campaign. Military personnel are
trained to watch out for things like phishing attacks, but hackers only need to
get a few victims to fall for it. The Department of Defense has publicized this
spear phishing attack in order to encourage any military personnel, who may
have fallen for it (or think they did) to report that as soon as possible.
