By now everyone is aware that the United States Justice Department indicted five members of the Chinese military on charges related to cyberattacks against a number of American companies including US Steel, Allegheny Technologies and SolarWorld. Although this is the first time that criminal charges have ever been brought against a foreign country, this is not at all surprising. In fact, a study by the security company Mandiant in 2013 revealed how Chinese hackers have been stealing corporate secrets to use for their own benefit from 115 American companies since 2004. This story has many angles and it will be unfolding in the days and weeks ahead, but what should be of interest to us as individuals is how the Chinese hackers are alleged to have managed to infiltrate the computers of the companies they targeted. In the case of Alcoa, it is alleged that the way in was through an email that appeared to be from Nissan CEO Carlos Ghosn who was, at the time a member of the Alcoa Board of Directors. This email was sent to 19 Alcoa employees purporting to inform them about an upcoming shareholder meeting and containing an attachment with the meeting agenda. However, in truth the email was a phishing email sent by Chinese hackers and the attachment was riddled with malware that, when unwittingly downloaded by at least one of the Alcoa employees, enabled the Chinese hackers to gain access to Alcoa’s computers and all of the information contained therein.
So what does this mean to you?
In so many major hacks and data breaches including the Target data breach, the malware has been installed on the victim’s computers by the victim himself who in each case unknowingly downloaded an attachment containing malware or clicked on a link with malware. If these people had been regular readers of Scamicide they would have known that you should never click on a link or download an attachment unless you are absolutely sure that they are legitimate. Merely because an email, text message or other communication appears to come from someone you know and trust does not mean that it is legitimate. Never click on a link or download an attachment unless you have independently verified through a telephone call, text message or email with the person who it appears is sending you the communication with the attachment or link to be clicked on. Additionally, you should always make sure that your anti-malware software and anti-virus software is up to date although as I have often told you, even then your security software is only about 5% effective against the very latest malware programs.