Are you prepared for the General Election Spam?

Like any major National or International event the General Election is going to generate a large amount of unsolicited e-mails (and some of it may not actually come from the political parties). Most of this will be harmless but annoying, but past experience has shown that the bad guys out there will be working on Phishing attacks that are designed to get users to download Trojans and viruses onto their PCs.

So what types of e-mails do I think we'll be seeing? They'll definitely be designed to direct people to one of two types of websites, firstly ones where they collect logon usernames and passwords and secondly to websites that attempt to download files to the computer. I'm not sure which one is worst or going to be the most prevalent but the advice below should help avoid both.

The most challenging aspect of stopping this type of attack against a computer user is the content of the e-mail. Gone are the days of bad English, misspellings and random words. Today's phishing e-mails are written by experts in Marketing, copied from legitimate e-mails and designed with a strong "call to action" to get users to click on the link. To be honest some of the writers could make good money in legitimate e-marketing.

The most affective phishing e-mails use emotion and curiosity to get the user to click. Who wouldn't click on a link to hear the Queen berate Gordon Brown on calling the election late? Even if it meant downloading a new "codec" to hear the file? Would you download an application to your computer to show your support for a particular party? What about a video showing the top ten gaffs of the political leaders? Would you sign up to a website to register your protest against or support for a particular party? And finally, for now, what about an e-mail from your bank asking you to logon to confirm or reject a donation of £100 to the Labour Party or BNP or Conservative Party?

Of course it might be a bit difficult to spot the fake phishing from valid e-marketing during the campaign, one of my local candidates has been pulled up twice for poor spelling in marketing material, but the tips below should help.

1. Don't click links in suspect e-mails (ideally in any e-mail).
2. If you need to visit the site type the address into the browser address bar manually, copy and paste as the last resort if the address is too long. Google the URL (other search engines are available) to see if anyone has reported it.
3. If the site asks to download a file, run a script or to open a program say No and double check with the sender of the e-mail. Make sure you read the box that appears fully as sometimes No can mean Yes, software designers are great at double negatives.
4. Avoid logging into a website or creating a logon unless absolute necessary. Complain to the website owner if you don't think you should have to logon to use the site.
5. Always, always, always use a different password for sites. Ideally one per site but worst case never use the password for a site that has the potential for financial transaction on another site (this includes e-bay, PayPal, banks, credit cards, merchant sites, Amazon etc.)
6. Ensure your anti-malware is up to date
7. Apply security patches for the Operating System the moment they become available.
8. If you think you've been compromised contact the owners of any site you think you have compromised the logon for and get a clean scan of your computer sorted out.

And just to pre-empt the "buy a Mac" brigade its worth pointing out that the same level of caution about clicking e-mails and downloading files from the Internet applies to Mac users as well, it's just the likelihood of a Mac targeted attack is less. The bank details of a Mac user can just as easily be compromised by a well-crafted Phishing attack as those of a PC.

Paul Maloney CISSP MBCI
Technology Management and Consultancy Ltd.
Web: Business Continuity
Web: Information Security
Web: Information Consultants
Tel: 08450 560530
Fax: 0871 6611093

No discussions found