Yahoo said last week that it will send users notifications if “we strongly suspect that you may have been a target of an attack, and want to encourage you to take steps to secure your online presence.” Google began issuing such warnings in 2012, and Facebook and Twitter do so as well.
Hackers — in this case, those linked to another country, such as China or Russia — who cannot crack corporate or government agency networks often seek to infiltrate an organization through employees’ personal accounts. If the individual uses the same password across accounts (and several studies have found that many people do), or logs on to work-related portals from home, criminals can use those personal accounts as gateways to reach their real targets.
Fingers have been pointed at hackers linked with North Korea and China for high-profile breaches, including the incidents at Sony Pictures Entertainment and the Office of Personnel Management. Attackers looking to crack your Facebook or Yahoo accounts aren’t after your Christmas photos or holiday messages: They target people to fulfill specific objectives, such as gaining access to a corporate or government network, says Tom Kellermann, chief cybersecurity officer at the Tokyo-based security company Trend Micro.
“If you are a Fortune 1,000 corporate official, C-level, or a senior executive in the U.S. government, or you are within one degree of separation from them — as in, you are a spouse of them, a child of them or a deputy of them — you will and have been targeted already,” Kellermann says. People connected to those individuals in some way could be targeted because a criminal could use that person’s account to send an email with malware to the actual target.
For example, a long-running cyber espionage campaign called Pawn Storm has targeted the credentials of more than 12,000 U.S. and Ukrainian citizens since 2014, according to Trend Micro. Russian spies behind the group attempted to lure Yahoo users into providing access to their accounts through a phishing scam, the security company explained in a blog post in August.
A spokeswoman for Facebook declined to say how many users it has notified about state-sponsored attacks. Twitter and Yahoo did not return requests for comment.
“Consumers in general are not at risk. You have to be in a specific role for something like this to be likely to occur to you,” says Al Pascual, director of fraud and security at Javelin Strategy & Research. He says the industries most likely to be targeted include politics, defense, financial services or critical infrastructure.
“If you receive one of these notifications, the first thing I would do is subsequently notify my employer.”
By: Priya Anand.