The one thing Canadians could do to fight cyber criminals

Shane Schick
A man types on a computer keyboard in Warsaw in this February 28, 2013 illustration file picture. REUTERS/Kacper Pempel/Files

When the bombs went off at the Boston Marathon last year I was in Vancouver, in a room filled with technology executives from some of Canada’s largest companies. As always, computer security had been among the items on the agenda, but the tragedy in the U.S. pushed it immediately to the top of the list. At the time, though, we had no idea how quickly the cyber criminals were capitalizing on the bad news.

This week Cisco Systems, which makes the hardware and software that runs big corporate networks, released its annual Security Report. The research is based on all the web and e-mail data gathered during routine monitoring of the products and services Cisco offers. According to the report, spam relating to the Boston Marathon bombing made up to 40 per cent of all unsolicited e-mail messages delivered worldwide on April 17, 2013. Even worse? A lot of people clicked on those messages, and their computers were almost instantly infected with malicious software, or malware, that could steal passwords or other personal information.

“Because breaking news spam is so immediate, e-mail users are more likely to believe the spam messages are legitimate. Spammers prey on people’s desire for more information in the wake of a major event,” the report says. “When spammers give online users what they want, it’s much easier to trick them into a desired action, such as clicking an infected link. It’s also much easier to prevent them from suspecting that something is wrong with the message.”

Most of what’s in Cisco’s report is aimed at technology professionals who could put expensive computer systems in place to thwart security attacks, but this method that cyber-criminals use to trick people -- sometimes referred to as “social engineering” -- is the one area where consumers could do a better job of self-policing.

Of course, anyone who has followed the technology space could tell you we’ve had this problem as long as we’ve had e-mail, but there are a few factors that may make it even worse today. This isn’t really spelled out in Cisco’s research, but the proliferation of mobile devices has meant, in many cases, that we are checking e-mail more often and at all times of the day compared to the desktop era when we left such tasks behind after 5 p.m. That’s been a boon for spammers.

So has the rise of location-based apps that expose users’ whereabouts, which can help cyber-criminals tailor their bogus messages with more context and relevance. Finally, the fact that many of those mobile devices are purchased by employees themselves and only partially controlled by companies puts more of the onus on individuals than ever before.

It’s probably too easy to say consumers should just “smarten up” and not click on links that are in any way questionable. Instead, companies may need to spend more time educating their employees and even their customers about how these kinds of attacks work. Most already do something similar with fire drills, training staff about how to respond in a sudden emergency. Malicious spam is more challenging because the “emergency” comes in the form of information that may have nothing to do with the business itself. And until malicious spam brings down a corporate network, many firms might feel they have more important things to occupy their time.

This apathy is nearly as powerful a weapon as breaking news to cyber-criminals. It’s also a shame, because addressing this issue is a lot easier than tackling the more complex computer security issues organizations face. Speaking at a recent conference in Toronto on cyber-security, University of Ottawa professor and intelligence expert Wesley Wark said much of this area is largely unfathomable.

“There are so many nuances -- cyber aggression, covert operations, cyber espionage, cyber crime,” he said. “We’re still grappling with a key issue around understanding the nature of the threat.”

In contrast, cyber-attack via e-mail news bulletin is the one thing we can all understand fairly readily. Let’s make 2014 the year it becomes so well understood that it finally fades away.