how-to block ads
Grand Rapids, MI
|reply to chrisretusn |
Re: Canada and the US Government hacked by China
A law enforcement official who works with members of the White House Military Office confirmed the Chinese attack to FoxNews.com on Monday, but it remains unclear what information, if any, was taken or left behind.
"This [White House Communications Agency] guy opened an email he wasn't supposed to open," the source said.
That email contained a spear phishing attack from a computer server in China, the law enforcement source told FoxNews.com. The attack was first reported by the conservative blog Free Beacon. Spear phishing involves the use of messages disguised to appear as valid; in fact, they contain targeted, malicious attempts to access sensitive or confidential information.
By opening the email, which likely contained a link to a malicious site or some form of attachment, the agency member allowed the Chinese hacker to access a system, explained Anup Ghosh, founder and CEO of security company Invincea.
"The attack originated in the form of a spear phish, which involves a spoofed inbound email with either a link to a malicious website or a weaponized document attachment such as a .pdf, Microsoft Excel file or Word document," he told FoxNews.com.
Free Beacon claimed that the U.S. governments most sensitive networks were breached in the incident, which took place early last month.
One official said the cyberbreach was one of Beijings most brazen cyberattacks against the United States, the report said.
The law enforcement source told FoxNews.com he was notified of the successful phishing incident but did not know what information was actually accessed. A White House official downplayed that report, saying that the system involved was not a sensitive nuclear system, and no evidence indicated that information was actually taken.
Gladiator Security Forum
AVDRespice, Adspice, ProspicePremium
Grand Rapids, MI
List of phishing techniques
Phishing is a way of attempting to acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication.
Phishing attempts directed at specific individuals or companies have been termed spearphishing. Attackers may gather personal information about their target to increase their probability of success.
A type of phishing attack whereby a legitimate, and previously delivered, email containing an attachment or link has had its content and recipient address(es) taken and used to create an almost identical or cloned email. The attachment or Link within the email is replaced with a malicious version and then sent from an email address spoofed to appear to come from the original sender. It may claim to be a re-send of the original or an updated version to the original.
This technique could be used to pivot (indirectly) from a previously infected machine and gain a foothold on another machine, by exploiting the social trust associated with the inferred connection due to both parties receiving the original email.
Several recent phishing attacks have been directed specifically at senior executives and other high profile targets within businesses, and the term whaling has been coined for these kinds of attacks.
There are several different techniques to combat phishing, including legislation and technology created specifically to protect against phishing. Most new internet browsers come with anti-phishing software.
One strategy for combating phishing is to train people to recognize phishing attempts, and to deal with them. Education can be effective, especially where training provides direct feedback. One newer phishing tactic, which uses phishing e-mails targeted at a specific company, known as spear phishing, has been harnessed to train individuals at various locations, including United States Military Academy at West Point, NY. In a June 2004 experiment with spear phishing, 80% of 500 West Point cadets who were sent a fake e-mail from a non-existent Col. Robert Melville at West Point, were tricked into clicking on a link that would supposedly take them to a page where they would enter personal information. (The page informed them that they had been lured.)
Gladiator Security Forum