Yesterday on our blog, avast! Virus Lab researcher Jaromir Horejsi, explained a banking Trojan called Tinba. Also this week, we told you about an email that Avast evangelist, Bob G. received claiming that he won money in a World Cup lottery. The cybercrooks behind that scam cast a wide net, hoping to catch a few people then ask them to provide banking information so they could deliver the prize.
The cybercrooks behind Tinba and Bob’s lottery email use a social engineering technique called spearfishing to target its victims. Spearphishing is similar to the classic technique called phishing which uses authentic-looking emails to lure the victims to fake websites, then trick them into revealing personal information.
Cybercrooks use emotional hooks to lure you in
Other high profile phishing attempts, like the DHL email scam that ran last Christmas, preyed on the anxiety of the holidays. An email that looks like the real thing from DHL was sent, offering all sorts of urgent and legitimate-sounding explanations as to why they need your personal data. It’s not hard to understand why busy people can be fooled.
Spearphishing is similar in every way to phishing except that the net is drawn in much tighter. The FBI says that cybercrooks target select groups of people with something in common—they work at the same company, bank at the same financial institution, attend the same college, order merchandise from the same website, etc. The emails are seemingly sent from organizations or individuals the potential victims would normally get emails from, making them even more deceptive. This is what is happening with the Tinba Trojan right now in Czech Republic.
In both social engineering schemes, once the victim clicks, they are led to a phony but realistic-looking website, where they are asked to provide passwords, account numbers, user IDs, access codes, PINs, etc.
How to avoid becoming a spear phishing victim
- Most companies, banks, agencies, etc., don’t request personal information via e-mail. If in doubt, give them a call (but don’t use the phone number contained in the e-mail—that’s usually phony as well).
- Use a phishing filter. Both avast! Internet Security and avast! Premier include anti-spam filters to detect phishing and scam emails.
- Never follow a link to a secure site from an email; always enter the URL manually.
Thank you for using avast! Antivirus and recommending us to your friends and family. For all the latest news, fun and contest information, please follow us on Facebook, Twitter and Google+. Business owners – check out our business products.