The AP: Scammed by a clever phisher

You would never open a phishing e-mail that asks you to deposit $1,000 to obtain $1 million, would you? And you would definitely never open something from a Nigerian prince who needs funds to flee to the United States, right? But what about the most refined of today’s phishing e-mails? Think you will never be seduced by one of these? Think again. A recent phishing e-mail snared the Associated Press, the nation’s top provider of wire-service news. If the AP could become a victim of phishing, so could you.

The AP attack

AP fell victim to a phishing scam organized by a group calling itself the Syrian Electronic Army. This group was able to take over the news service’s Twitter account, sending out a message that President Obama had been injured in an explosion at the White House. Although this message was obviously false, it still had a significant impact, sending the stock market into a brief but precipitous freefall.

The e-mail

How did this attack succeed? Hackers sent legitimate-looking e-mail messages to AP staffers referring them to what was said to be an important news story in the Washington Post. The phishing e-mail was professional enough that some AP staffers clicked on it, starting the process that gave the Syrian Electronic Army control over the company’s Twitter account. AP had to shut off its Twitter account as a result.

A warning

It’s tempting to blame the AP for this attack. But the true lesson here is that none of us is safe from the savviest of online scammers. Con artists have advanced past the days of phishing e-mails stuffed with horrendous grammar and sent by “senders” with outlandish names. If you want to protect your online life today, you’ll have to be more vigilant than ever. Scammers are adapting. You’ll need to do the same.
