Hacking is a common occurrence these days, but it's good to know that hacking targeting you specifically because of who you are is far less common than scattershot hacking. Additionally, taking advantage of your online data is much more common than taking control of your computer.
Most people don't understand their computers or operating systems deeply. There's no shame in that. No one really understands everything about computers. But that makes it easier for those types who are forever trying to make an illicit buck with some new way they have to separate you from your stuff, or some tool they've bought to apply leverage to an unprotected digital niche. Furthermore, the digital world changes quickly, and it's much easier for those providing software and hardware to sell insecure wares than to take the extra time (and loss of market share) to make them very safe.
So it remains up to us to be more conscious in our behavior online, on the phone, and with our purchased equipment. Some of these conscious behaviors apply across the board to computers, tablets, and phones; others are specific to certain platforms.
Email - Phishing
I got an email from Apple, referencing a recent purchase and asking me to verify it. I clicked on the link and my browser went to Apple's website, but something didn't seem quite right. I stopped a moment to think: I had made a purchase online from Apple the previous day, but the email didn't reference the specific item. I dropped off the website and took a look at the email. I hovered my cursor over the link and sure enough, it didn't even mention Apple in the link. This is super-common - phishing emails designed to get you to go to some official-looking but bogus website (like the Apple website I'd thought I was on) and enter your credentials, which then give the hacker free access to your online account. And because many people use the same password and login for many of their online accounts, it can give the hacker control of your digital life in short order. This happens to people who should know better, and even almost happened to me, who also should know better!
But how did they know I had just bought something from Apple, or in other bogus emails - how do they know I just bought something on eBay, or what bank I'm with? How do they even know my email address?
The short answer is: they probably don't. They send that same email to a million likely email addresses - either from a list they bought, email addresses they harvested online, or just randomly generated by a program ("joe@abc.com," "joe@xyz.com," "joe@yourwebsite.com," etc.). It costs almost nothing to send an email and it doesn't cost much more to send a million. It's easy enough to add an official logo snagged off a corporate website to an email, and it's similarly easy to make an official-looking website. In fact, one could just snatch the code off an official website and replace the official links with bogus ones that steal your login credentials. Furthermore, a link isn't always what it appears to be. For instance, if I say to click here to WinAMillionBucks.com you'll see that it goes to a site that may save you some money, but won't win you a million bucks.
It can be enlightening to hover (without clicking) your cursor over a given hyperlink like the one above, and see what pops up. Or if nothing pops up, right-click (on a single-button mouse, [ctrl]-click) to reveal the link.
The short form answer to not being taken in like this is: DON'T click on links in emails. Type the desired URL into a browser. Or copy the link, paste it into a text document, and see if it is actually your bank, or Apple, or eBay, or where you really wanted to go.
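The hover-and-compare check described above can also be done programmatically over an email's HTML: pull out every link, compare the address it actually points to with the address its visible text shows, and compare both with the domain the sender is supposed to be. The script below is an added example and is not code from the original article; the sample email in it is constructed for illustration (the 192.0.2.10 address is from a documentation-only range), and the "same domain or a subdomain of it" test is a simplification that does not consult the Public Suffix List.

```python
"""Flag links in an HTML email whose real destination does not match
what the reader is led to expect. Added example; sample email is constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in the body."""

    def __init__(self):
        super().__init__()
        self.links = []     # finished (href, text) pairs
        self._href = None   # href of the <a> currently open, if any
        self._text = []     # text fragments seen inside that <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lowercased hostname of a URL, or '' if it has none (mailto:, relative)."""
    return (urlsplit(url).hostname or "").lower()


# Visible link text that itself looks like a URL or bare domain name.
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)


def host_shown_in(text):
    """If the link's visible text looks like an address, return the host it shows."""
    t = text.strip().rstrip(".")
    if not URL_LIKE.match(t):
        return ""
    return host_of(t if "://" in t else "http://" + t)


def belongs_to(host, domain):
    """True if host is domain itself or a subdomain of it.
    'apple.com.example.net' is NOT a subdomain of apple.com: the brand name
    appearing somewhere in the host is not enough. (Simplified: no Public
    Suffix List, so a company using 'co.uk'-style names would need one.)"""
    return host == domain or host.endswith("." + domain)


def check_links(html, expected_domains):
    """Return [(href, reason), ...] for links that do not go where a reader
    would expect. expected_domains: the domains the claimed sender really uses."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        if not host:
            continue
        # 1) The text shows one address but the link goes somewhere else.
        shown = host_shown_in(text)
        if shown and shown != host:
            findings.append((href, f"text shows {shown} but link goes to {host}"))
            continue
        # 2) The real destination is not one of the sender's own domains.
        if not any(belongs_to(host, d) for d in expected_domains):
            findings.append((href, f"{host} is not a {'/'.join(expected_domains)} address"))
    return findings


# Constructed sample: a "verify your purchase" message like the one in the article.
SAMPLE_EMAIL = """
<html><body>
<p>Thank you for your recent purchase from Apple.</p>
<p>Please <a href="http://apple.com.account-verify.example.net/login">verify your purchase</a>.</p>
<p>Or visit <a href="http://192.0.2.10/apple/">https://www.apple.com/</a> directly.</p>
<p><a href="https://www.apple.com/support">Apple Support</a></p>
<p><a href="mailto:support@example.net">Contact us</a></p>
</body></html>
"""

if __name__ == "__main__":
    for href, reason in check_links(SAMPLE_EMAIL, ["apple.com"]):
        print(f"SUSPICIOUS {href}\n    {reason}")
```

Run on the sample, it reports two of the four links: the "verify" link, whose host merely starts with apple.com but is registered under example.net, and the link whose visible text reads https://www.apple.com/ while its href points at a bare IP address. The genuine apple.com support link and the mailto: link pass. The same two findings are exactly what hovering over each link would have shown you by eye.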
Coming up in part 2: Two-Factor Authentication, Passwords, and Giving Away the Form.
Steve Burgess is a freelance technology writer, a practicing computer forensics specialist as the principal of Burgess Forensics, and a contributor to the just released Scientific Evidence in Civil and Criminal Cases, 5th Edition by Moenssens