Opinion

Column: It's in the public interest

Purely for research purposes, I spear phished one of the tabloid news editors who has been accused of hacking people's emails in the Leveson inquiry.

Piers Morgan, the lovable rogue who edited the News of the World and The Daily Mirror, has always claimed in his defence that he couldn't hack technology.

Though many people wouldn't, I'm inclined to believe him.

If Piers Morgan really was as fiendishly cunning as he is portrayed, he never would have fallen for the simple trick I played on him. This involved going onto a BBC news site, clicking on the 'email this story' box and filling in a false name and email address. In a classic spear phishing sting, I chose to forward a story about Piers Morgan (you get the impression his confidence needs boosting) and chose to pretend I was one of his old feuding partners.

The BBC system gives you plenty of space to pad your message with text, so no-one reads that disclaimer guff at the bottom of the email. All they see is a name and address and they're convinced it's official.

When Morgan received the message "Hi mate. Let's end our feud and go for a pint some time" he clearly fell for it and the men were soon seen drinking together.

The thing is, Piers Pughe-Morgan is no fool. Insiders - who begged not to be named - say he is highly intelligent, sophisticated and charming. Others say he has all the narrow-eyed, rat-like cunning of a riverboat gambler. The point is, if he can fall for this scam, we all can.

"Targeted attacks have become far more widespread in recent years," says Rik Ferguson, director of security research and communications at Trend Micro. Data thefts from big firms make it much simpler for criminals to create convincing, directed email attacks based on our interests, our shopping habits or any other. But mass blasts of generic spam are still the most popular tactic. For now, that is.

The problem of spear phishing, where a bogus email is used to gain people's confidence and exploit them, is one of the great unreported scandals of public life, according to Dimitry Shesterin, vice president of product management at Faronics.

It has evolved from unsophisticated mass-mail phishing campaigns to something so sinister that Piers Morgan could be dragged into it.

"Originally it was spammed out to often thousands of users in the hope that some would take the bait," says Shesterin, "but now spear phishing attacks are much more targeted and particular individuals in a specific organisation are targeted."

Even the great and the good, like Piers Morgan.

So how can we spot it? Typically it involves a link to a fake website or encourages the recipient to download an attachment that is laced with malware. Chillingly, it sometimes involves old hacks asking each other for a drink. Luckily, Mr Morgan refused the disgusting offer, made his excuses and left.

Spear phishing emails have grown increasingly convincing, warns Shesterin. Indeed, his comments could be re-written to show that Britain is sleep walking into a hell hole of despair.

Social networking isn't making things any better either.  
"Users are continuing to trust social networking sites with sensitive information, which is harvested by cyber-criminals without any technical knowhow," said Shesterin.

Anti-virus alone is not enough, he warned.

Graham Cluley, Sophos's senior technology consultant, says executives with a public following can be targeted by cybercriminals with the aim of stealing information, commandeering accounts or just mischief-making.

"It sounds like you used a forward this story to a friend feature of the BBC website, which probably couldn't have done much harm as all it does is point to a BBC webpage which hopefully doesn't have any malicious code or a data-stealing form on it," said Cluley.

This harmless technique could be a great way to bring home to executives the need for a security policy, though.

"It's not uncommon for targeted attacks to trick a senior executive into opening an attachment," he said.

"You could pretend to send an email from Jeremy Clarkson to Piers Morgan or ask Piers to be guest of honour at some awards dinner where he will be named Journalist of the Year. Social engineering tricks like this can easily be an internet user's undoing," said Cluley.

They could be used for sales purposes too, surely.

This was first published in March 2012
