Hackers and phishing

A report in today’s Guardian talks about a targeted phishing attack, aimed at U.S. officials, Chinese dissidents and others. Google’s post on the matter states:

Through the strength of our cloud-based security and abuse detection systems, we recently uncovered a campaign to collect user passwords, likely through phishing. This campaign, which appears to originate from Jinan, China, affected what seem to be the personal Gmail accounts of hundreds of users including, among others, senior U.S. government officials, Chinese political activists, officials in several Asian countries (predominantly South Korea), military personnel and journalists.

There’s a much better description of the attack here.

Two things.

Firstly, the attack highlights the need to be incredibly careful about who you trust. These attacks included somewhat genuine looking content, but it still appears many people were less careful than they perhaps should have been. Especially considering the nature of the content they dealt with. It would appear many people entered their email account passwords into websites paying little attention to where these sites were. These attacks could be mitigated with the standard advice:

	- **Never, ever enter your password into a site you visited from a link in an email.** Always go via the address bar directly, or a trusted third-party like Google. It’s pretty difficult to over-stress how many attacks this simple advice would kill stone dead.
	- **Learn to understand the tools your browser gives you. Understand URLs.** If you can understand a postal address or a phone number, you can understand a URL. Stop being scared of computers. Computers are complicated, but so are cars and you manage to lock your car.

Phishing attacks are based on a two-fold strategy: gullibility and ignorance. The second is easy to address, the first less so. In brief, from the URL http://www.dx13.co.uk/2010/11/14, the important bit is the dx13.co.uk. If that bit in the URL you are visiting doesn’t match what you expect (e.g., in amazon.fakesite.com), close the browser window. Newer browsers will highlight this portion of the URL in the address bar. Use this tool.

The second, smaller bugbear is the use of “hacker” in this article. I’m not sure when hacker became shorthand for “criminal using a computer-based attack”, but I don’t like it. It’s an incredible perversion of the original term. I could cope with it—just about—when used to describe creators of sophisticated viruses. But to describe those sending emails pointing to copycat websites as hackers is pretty slapdash. It’s similar to calling chippie owners Michelin-starred chefs because they both use fish, but this battle may already be lost.

.:.