PhishMe Blog

Archive for the ‘Phishing’ Category

PhishMe Blog – Administrivia

Wednesday, March 24th, 2010

We currently don’t have this blog indexed on our www.phishme.com website but will at a future date when we give it a bit of an overhaul. Late last year we decided to split our post activity into two blogs.

From now on, posts about general infosec, mobile security, and our consulting practice will be kept at http://intrepidusgroup.com/insight

This blog, when we resurrect it, will stick to phishing related posts.

Some other new additions include:

An Intrepidus Group managed delicious bookmark feed: http://delicious.com/intrepidusgroup

A PhishMe youtube channel: http://www.youtube.com/phishme

A PhishMe Twitter account: http://twitter.com/phishme

An IntrepidusGroup Twitter account: http://twitter.com/intrepidusgroup

That’s it for now! Sorry about the long lapse in posts here… but I promise you, PhishMe has been busy. We’ve helped organizations send over 1 million phishing training emails to date. Whew!

Aaron Higbee

CTO

Moxie Marlinspike Un-masks Tor Users

Thursday, February 19th, 2009

This post was moved here: http://intrepidusgroup.com/insight/2009/02/moxie-marlinspike-un-masks-tor-users/

DNS vuln + SSL cert = FAIL

Wednesday, July 30th, 2008

Post moved here: http://intrepidusgroup.com/insight/2008/07/dns-vuln-ssl-cert-fail/

Apple.com XSS

Friday, May 23rd, 2008

Post moved here: http://intrepidusgroup.com/insight/2008/05/applecom-xss/

SCADA hacking? What if they used phishme.com?

Thursday, April 10th, 2008

At this year’s RSA conference Ira Winkler went on to tell the audience about hacking into an energy company (via an authorized penetration test) using a targeted phishing email. Details are in this Network World article: http://www.networkworld.com/news/2008/040908-rsa-hack-power-grid.html

“The penetration team started by tapping into distribution lists for SCADA user groups, where they harvested the e-mail addresses of people who worked for the target power company. They sent the workers an e-mail about a plan to cut their benefits and included a link to a Web site where they could find out more.”

Are we surprised they were successful? Absolutely not. We’ve been using this technique and responding to real incidents that used spear phishing for quite some time now. But what if those same employees had already been “phished” through targeted awareness and then presented with the appropriate training material? What if you ran this exercise against all your employees regularly?

Phishme.com already has pre-built scenarios to make this training quick and easy. It has many generic domain names to choose from, or you can register your own look-alike domain.

There is no sense in paying a pentest company high-dollar consulting fees to find out if your employees are vulnerable to phishing. I’m about to save your company a boatload of money.

Dear Magic Eight ball, I don’t currently conduct phishing attacks against my own employees as a means to train them. Am I vulnerable to spear-phishing attacks?

Shmoocon 2008 wrap-up: The Non-Moose Stuff

Thursday, February 21st, 2008

Post moved here: http://intrepidusgroup.com/insight/2008/02/shmoocon-2008-wrap-up-the-non-moose-stuff/

Whitepaper: The State of Information Security 2008

Friday, February 8th, 2008

I just got back from The Credit Union Information Security Professionals Association 3rd annual National event in Austin, Texas, where Rohyt and I were talking to the folks about www.PhishMe.com.
I have never attended a CUISPA event before and welcomed the opportunity. It was refreshing to see this industry work together. Credit unions don’t have the budgets larger institutions do, and many of their technologists wear multiple hats. Security is a group effort. (as it should be)

Two major takeaways I had from the conference:

1.) Credit Union security professionals have a can-do attitude and value networking with their peers to solve their security woes
2.) Don’t show up to a Credit Union event dressed in New York-Financial attire (unless you enjoy looking like that creepy sales guy) :)

On the heels of the CUISPA event is a good white paper I saw on BankInfoSecurity.com titled The State of Information Security 2008 – Survey Executive Overview (Free signup)

Tom Field (Editorial Director) did a good job putting the overview together. The top security issues I heard the Credit Union folks discuss are the same ones captured in this survey. (It’s good to see that this paralleled what I saw in person at CUISPA … too often these days a whitepaper is just a synonym for marketing fluff.)

Of course the #3 issue “3) Training – Employees, Customers Need More.” grabs our attention as our http://www.phishme.com/ moves from beta and inches towards launch.
I’m beyond excited.
-higB

p.s. If you happen to attend my ShmooCon 2008 presentation please be kind with the Shmooballs.

Phishing with Encoded IP Addresses

Saturday, January 5th, 2008

Phishme Phishing Links

I was adding a little special sauce to Phishme.com this past week and thought this might be fun to share. We have a few different ways a user can craft their phishing links. If he/she chooses the IP address option, then there is also the choice of encoding options. This lets you mask the IP address in an attempt to trick the user into thinking part of the subdirectory is perhaps the host name. Or as in the case with my mom… she thinks it is just the phone number so the computer knows where to call. And it’s hard to blame her when you see a decimal encoded IP address.

http://2130706433/somecompany.com

The team over at Marshal has put together a good walk-through of the encoding so you can follow along. If you would like to view the JavaScript, you can find it here. This may not work on all browsers, but it holds up pretty well on your corporate Windows boxes with IE or Firefox. Want to test it out? Just put in an IP address below and click on the link it generates.

-b3nn
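As an added example (not the PhishMe tool’s JavaScript, which is not reproduced on this page), here is a defender-side decoder that normalises the IP-address encodings browsers accept in a URL host, so a mail filter or log review can flag a link like the one above as pointing at 127.0.0.1. The sample links, the function names and the per-part parsing rules (decimal, leading-zero octal, 0x hex, and short dotted forms, following the WHATWG URL standard’s IPv4 parser) are assumptions, and the example goes beyond the decimal form in the post by handling those other encodings too.

```javascript
// Added example (not the PhishMe tool's own code): decode the IPv4 address
// encodings that browsers accept in a URL host, so a link such as
// http://2130706433/somecompany.com can be recognised as 127.0.0.1.
// Part-parsing rules follow the WHATWG URL standard's IPv4 parser (assumed,
// not taken from the original post): each dot-separated part may be decimal,
// octal (leading 0) or hex (0x...), and the last part carries the remaining
// bytes when fewer than four parts are present (127.1 == 127.0.0.1).

function parseIpv4Part(part) {
  // Returns the numeric value of one part, or null if it is not numeric.
  let base = 10;
  let digits = part;
  if (/^0[xX]/.test(part)) {
    base = 16;
    digits = part.slice(2);
  } else if (part.length > 1 && part[0] === '0') {
    base = 8;
    digits = part.slice(1);
  }
  const allowed = { 8: /^[0-7]+$/, 10: /^[0-9]+$/, 16: /^[0-9a-fA-F]+$/ }[base];
  if (!allowed.test(digits)) return null;
  return parseInt(digits, base);
}

function decodeIpv4Host(host) {
  // Returns the dotted-quad form of an IPv4 host literal, or null when the
  // host is not an IPv4 literal (for example an ordinary domain name).
  const parts = host.split('.');
  if (parts.length === 0 || parts.length > 4) return null;
  const values = parts.map(parseIpv4Part);
  if (values.some((v) => v === null)) return null;
  const head = values.slice(0, -1);
  const last = values[values.length - 1];
  // Every leading part is one byte; the last part fills the remaining bytes.
  if (head.some((v) => v > 255)) return null;
  if (last >= Math.pow(256, 5 - values.length)) return null;
  let n = last;
  head.forEach((v, i) => {
    n += v * Math.pow(256, 3 - i);
  });
  return [24, 16, 8, 0]
    .map((shift) => Math.floor(n / Math.pow(2, shift)) % 256)
    .join('.');
}

function inspectUrlHost(url) {
  // Extracts the host from an absolute URL and reports whether it is an IPv4
  // literal written in a form other than the plain dotted quad.
  const m = /^[a-zA-Z][a-zA-Z0-9+.-]*:\/\/([^/?#]*)/.exec(url);
  if (!m) return { host: null, decoded: null, obfuscated: false };
  const host = m[1].replace(/:\d*$/, ''); // drop an explicit port
  const decoded = decodeIpv4Host(host);
  return { host, decoded, obfuscated: decoded !== null && decoded !== host };
}

// Constructed sample links for a mail-filter style scan (not real phishing URLs).
const SAMPLE_LINKS = [
  'http://2130706433/somecompany.com',
  'http://0x7f000001/login',
  'http://017700000001/login',
  'http://127.1/login',
  'http://192.168.1.1/intranet',
  'http://www.example.com/',
];

function scanLinks(links) {
  // Returns only the links whose host hides an IPv4 address behind an
  // alternative encoding, with the decoded address for the analyst.
  return links
    .map((url) => ({ url, ...inspectUrlHost(url) }))
    .filter((r) => r.obfuscated)
    .map((r) => ({ url: r.url, host: r.host, decoded: r.decoded }));
}

for (const hit of scanLinks(SAMPLE_LINKS)) {
  console.log(`${hit.url} -> host "${hit.host}" is ${hit.decoded}`);
}
```

Run it with `node` to see the four encoded links reported with their decoded address; the plain dotted quad and the domain name are left alone. The host extraction is deliberately simple (it does not handle bracketed IPv6 literals), since the point is the IPv4 normalisation that a URL filter should apply before comparing hosts against a list.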

Carnegie Mellon Findings Second PhishMe Concept

Tuesday, December 18th, 2007

Carnegie Mellon researchers presented a paper at the Anti-Phishing Work Group’s E-Crime Researchers Summit in October 2007. The results of the study indicated the following:

  • Users learned more effectively when the training materials were presented after they fell for a phishing attack (embedded training), rather than when the training materials were simply emailed
  • Users also retained more knowledge and transferred more knowledge about how to avoid phishing attacks when trained with embedded training

These are the underlying principles of PhishMe.com – Phish n’ Educate. PhishMe.com will facilitate the execution of mock phishing attacks against employees. Those that fall “victim” will be presented appropriate training materials.

-Rohyt

PhishMe.com: Featured in eWeek

Saturday, December 15th, 2007

Those close to us know that we’ve been working on a self-service portal designed to help organizations run mock phishing exercises aimed at raising employee awareness. Shortly after the recent news about Oak Ridge National Laboratory and Los Alamos being targeted by spear phishing was published, I was interviewed by eWeek.

Read the full article here: Phishing Drills Teach Employees to Dodge the Hook

-higB