PhishMe Blog

Archive for the ‘Security Management’ Category

Do young employees present a phishing risk?

Tuesday, May 7th, 2013

Spring. For some it signals rejuvenation, rebirth, everything blooming… but for security administrators it can mean new security risk. Spring means that the next round of college seniors will be entering the workforce soon, which for phishers means a fresh group of targets. Hopefully their college educations have prepared them for the majority of challenges they will face, but when it comes to phishing that is unlikely. The types of phishing emails students and consumers receive are quite different from what employees receive, and without training, young employees can’t be expected to avoid tactics they haven’t seen.

[Image: phishing email sent to Kansas State students] This email sent to Kansas State students attempts to elicit login and password information.

In the higher-education arena, attackers infiltrate universities to steal credentials, then use the compromised accounts to send spam or to consume university resources. (Here is a recap of the phishing problems higher education faces: http://blog.phishme.com/2012/05/educause-2012-spc-quick-review/ ) Take this recent attack on the University of Illinois as an example. Consequently, the most common phishing tactic college students face is a simple solicitation of login credentials in the body of the email. Kansas State provides examples of phishing attacks sent to its users (see the image above). Slightly more capable attackers provide a URL that takes recipients to a phony landing page that appears to be from the IT department.

University-focused spear phishing attacks typically don’t employ a high level of sophistication. Attackers are not packing malware or setting up masked command and control to go after students and faculty. (At least not in the incidents that are publicized. That doesn’t mean there are no advanced threat actors targeting university grant-based R&D, hospitals, fundraising and endowment investments.)

Enterprises face much more varied and dangerous risks, as cyber criminals, nation-states, and hacktivists are all targeting their intellectual property and sensitive information. In addition to the credential-harvesting tactics above, employees at large organizations receive highly targeted and customized spear phishing emails containing malicious links and attachments. Adversaries use a variety of continually evolving social engineering techniques, such as conversational phishing, to trick recipients. A young employee who has never received a targeted phishing email may not realize how adversaries gather details to write emails tailored to the recipient and organization, nor understand the implications of clicking on a malicious link or attachment. They may think they know what spear phishing is based on university security awareness campaigns. Furthermore, this generation of new workers is extremely connected through social media, providing attackers with ample information to use in targeted emails.

New employees – whether young or experienced – may also think their role is not significant enough to merit receiving a targeted email, or that security isn’t their responsibility. Last fall, PhishMe commissioned a poll that revealed almost half of all respondents were more concerned about being phished at home than at work. There is definitely a prevailing notion in the workforce that security is the IT department’s concern, a view some in our industry recklessly share. As they begin their jobs, this year’s graduating seniors will undergo a great deal of training, both formal and informal, so why shouldn’t security be part of that?

This post isn’t intended to pick on graduating seniors, as they are no different from any other new employee in many respects. For instance, if you are a defense contractor that is constantly bombarded with phishing emails, any new employee may require training, regardless of experience. This is why it’s important for security awareness to be a continuous process throughout the year. When security awareness is part of your organization’s culture, the security risk posed by new employees can be more easily mitigated.

One of the many pre-built training modules included in PhishMe focuses on educating new employees about the differences between the consumer-focused phishing they are used to receiving and the enterprise-focused spear phishes targeting employees. Typically this content is reserved for PhishMe customers, but we wanted to share an example in this case:


–Aaron @higbee

2-factor authentication wouldn’t have prevented the AP Twitter hack

Tuesday, April 23rd, 2013

When a hacked Twitter account spreads false news of an explosion at the White House and causes hysteria that spurs a 140-point drop in the stock market, it should encourage calls for Twitter to bolster its security measures, so it’s no surprise that many are clamoring for Twitter to offer 2-factor authentication. One problem with this: news outlets are reporting that hackers gained access to the AP’s account through a phishing attack. While 2-factor authentication makes it more difficult to phish an account, a one-time code will not prevent this type of attack from succeeding (nor will a longer or more complex password, for that matter).

If a user is tricked into entering login credentials on a fake landing page, 2-factor authentication only limits how long the hacker’s session lasts. The attacker also has to collect the second factor, but the underlying tactic is the same: the fake page asks for the one-time code as well, and the attacker relays it to the real site before it expires. Even if the resulting session cookie expired every few hours (and for Twitter it is days, not hours or minutes), the attacker could still cause the kind of mayhem we saw today. As we saw, it only took minutes for one tweet to send stock-trading algorithms haywire. The following graphic shows the process a hacker would follow to get past 2-factor authentication (note that this isn’t how the AP was hacked; it’s how a hacker would attack Twitter if it had 2-factor authentication):
[Graphic: twitter-Replay]
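To make the replay argument concrete, here is an added simulation (example code written for this page, not PhishMe’s or Twitter’s) of a phishing page that captures both the password and the one-time code and replays them against a toy service implementing RFC 6238 TOTP. The 30-second code step, the one-step clock-drift tolerance and the ten-day session lifetime are assumptions for the demo; the only thing taken from the post is that Twitter sessions last days rather than hours.

```python
"""Added example (not from the original post): a toy model of why a one-time
code does not stop a credential-phishing attack. The phishing page captures the
victim's password *and* the 6-digit code the victim types into it, and the
attacker replays both against the real service within the code's validity
window. The session that results then lives as long as any legitimately
created session. The time step, drift tolerance and session lifetime below are
assumptions for the simulation, not Twitter's actual implementation."""
import hashlib
import hmac
import secrets
import struct

STEP_SECONDS = 30          # RFC 6238 default time step (assumption for the demo)
SESSION_TTL = 10 * 86400   # assumption: sessions live for days, as the post notes


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: float) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    return hotp(secret, int(at // STEP_SECONDS))


class TwoFactorService:
    """Minimal service: password + TOTP at login, bearer token afterwards."""

    def __init__(self, password: str, totp_secret: bytes):
        self._password = password
        self._secret = totp_secret
        self._sessions: dict[str, float] = {}   # token -> expiry time

    def login(self, password: str, code: str, now: float):
        if not hmac.compare_digest(password, self._password):
            return None
        # Accept the current step and the previous one (common clock-drift tolerance).
        counter = int(now // STEP_SECONDS)
        for drift in (0, -1):
            if hmac.compare_digest(hotp(self._secret, counter + drift), code):
                token = secrets.token_hex(16)
                self._sessions[token] = now + SESSION_TTL
                return token
        return None

    def post(self, token: str, now: float) -> bool:
        """True if the bearer token is still good for posting."""
        return self._sessions.get(token, 0.0) > now


def simulate_relay(relay_delay: float, post_after: float = 3 * 86400) -> tuple[bool, bool]:
    """The victim enters the real password and the current code on the phishing
    page at t0; the attacker forwards both to the real service relay_delay
    seconds later. Returns (login succeeded, attacker can still post after
    post_after seconds)."""
    secret = secrets.token_bytes(20)
    service = TwoFactorService("correct horse battery staple", secret)
    t0 = 1_700_000_000.0                                  # fixed "now" for the demo
    captured_password = "correct horse battery staple"    # typed into the fake page
    captured_code = totp(secret, t0)                      # typed into the fake page too
    token = service.login(captured_password, captured_code, t0 + relay_delay)
    if token is None:
        return False, False
    return True, service.post(token, t0 + relay_delay + post_after)


if __name__ == "__main__":
    print("relay in 5 s  :", simulate_relay(5))      # (True, True)
    print("relay in 120 s:", simulate_relay(120))    # (False, False)
```

A relay a few seconds after capture lands inside the code’s window and yields a session that is still valid three days later; only a relay that misses the window fails. Shortening the session would cap the damage, not prevent it, which is the post’s point.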

For an organization like the AP, which likely has multiple users accessing its Twitter account, security measures would have to extend to whatever platform it uses to perform group tweeting. At PhishMe, we have struggled to find an effective way to share tweeting privileges, as Twitter itself doesn’t offer a way to do this; we’ve been forced to use 3rd party platforms. Any additional security Twitter implements won’t be very valuable for organizations if it doesn’t also roll out an ability to have multiple users tweet from an account.

This is not to say Twitter shouldn’t implement a more robust layer of authentication, but it also raises the question of how far it should go. Twitter wasn’t designed for group use. If it adds layers of security, will it solve the group use problem?

The fact is, if the AP employees had recognized the phishing email, and never surrendered login information in the first place, this all may have been avoided. As long as users fall for these tactics, adversaries will develop tactics to trick users into leading them around technical security layers.

–Aaron @higbee

The New York Times breached… a PhishMe Sales Pitch?

Friday, February 1st, 2013

Most of you are probably aware of the breach that occurred at the New York Times. Employee passwords and sensitive information related to an investigative news story covering the finances of Wen Jiabao, China’s Prime Minister, were compromised. The New York Times’ research helps give them a competitive advantage in their industry; it is their proprietary information. It is the equivalent of the theft of financial reports, blueprints and customer data.

The headlines roll in… The NYTimes breached by spear-phishing! Symantec AV fails to detect attackers! In an official press release, Symantec says, “Anti-virus software alone is not enough.” Later, the CEO of the incident response firm hired to respond to the NYTimes breach goes on Bloomberg TV to say that these attacks are rampant and that the group responsible for the breach has been active in nearly 100 other organizations. In that same interview he says that the attack method (spear-phishing) is not unique.

This sounds like the type of story PhishMe would pounce on and twist into an obvious sales pitch right?  Security Technology Fail; Spear Phishing is “rampant” ergo you need the PhishMe training method to change employee behavior regarding email safety.

Well, brace yourselves. Abandoning technical controls and substituting awareness training for them isn’t our message. Organizations shouldn’t and can’t give up security technologies. In fact, thanks to some of the good work security technology vendors have been doing, we have witnessed firsthand spear phishers changing their methods to cope with the ever-improving technologies that are doing their best to prevent breaches. (More about this later.)

The NY Times had AV and it failed to prevent the breach.  Does this mean that technical controls are worthless? Absolutely not. Technical controls like anti-virus, firewalls and intrusion prevention/detection all help tune out the noise we see with known problems. If the network defender spends their entire day chasing down nuisance attacks by lesser adversaries, how can they begin to focus on the more sophisticated problems?

To be clear, the PhishMe message isn’t to abandon traditional network defense and security technology.  Our message is that even the best tech will have gaps, and the role your human assets play in defending the network cannot be dismissed.  An educated user base is the best choice you can make when it comes to filling these gaps. With consistent and relevant training, the vulnerabilities that technical controls cannot patch will be protected by another layer of security. The real problem is that too many programs are designed to only rely on technical controls and feed useless information to users. Holistic information security is a balance between technical controls (both tried and true and bleeding edge) and IT consumers who understand their role in security. The latter has either been neglected for too long or inundated with information that is too technical or focused on items that don’t matter.

Would the NY Times be making headlines today if one of their staffers reported suspicious email based on training they received? We’ll never know.

-Aaron Higbee

What Trend Micro’s research means for organizations

Thursday, November 29th, 2012

Trend Micro has just published research confirming what we at PhishMe already knew: spear phishing is the top threat to enterprise security. Trend Micro’s report estimates that spear phishing accounts for 91% of targeted attacks, making it the most prevalent method of introducing advanced persistent threats into corporate and government networks. Industry recognition of the severity of the dangers posed by spear phishing is always a positive development, but merely acknowledging the problem doesn’t provide a solution.

Fortunately, many of the underlying issues Trend Micro identifies are problems PhishMe is already helping our customers address.

One interesting point made in the report was that, of the users Trend Micro monitored, nearly half of the recipients of spear phishing emails had email addresses easily accessible through Google. While it may be impossible to keep your employees’ email addresses secret, it’s not impossible to identify the most exposed users in your enterprise and deliver training targeted to them. PhishMe recently added a feature that allows administrators to search the Internet to find which users’ email addresses are easily discovered through a search engine, and to build a distribution list of those users. This allows our customers to pinpoint which of their users are most likely to receive a phishing email, and provide targeted training as appropriate.

The report also found that 94% of all targeted emails use malicious attachments, in a variety of file formats. PhishMe’s functionality allows customers to send users emails with attachments in formats such as .XLS, .DOC, and .ZIP. Trend Micro notes that, “Spear-phishing email attachments are difficult to spot from normal document attachments passed on from user to user each day in a corporate environment,” but using PhishMe allows enterprises to train users to recognize a bogus attachment, as well as raise general awareness about the threat of malicious attachments.

The reality of these findings is that technology alone won’t prevent spear phishing; it’s up to an organization to ensure its employees are prepared when a phishing email arrives.

Why PhishMe makes Pentesters Uncomfortable

Friday, August 31st, 2012

I read Aitel’s article right before leaving for BlackHat: “Why you shouldn’t train employees for security awareness”

Popcorn in hand, this should be a fun read. After all, we agree that traditional awareness methods don’t seem to be sticking.

Reading… a phishing mention, ok good …

hrm …

“It’s a much better corporate IT philosophy that employees should be able to click on any link, open any attachment, without risk”

Wait what?!@#

A hit piece about security awareness with a sole focus on spear phishing.

“You talkin’ to me? You talkin’ to me? Then who the hell else are you talking… Well I’m the only one here.”

I wasn’t convinced the article wasn’t an elaborate troll, but CSO prodded, and Aitel reiterated. Most recently he was on a panel for PaulDotCom’s episode 300  and stuck to his original script. In the Security Leadership » Security Awareness section of CSO Online, these two articles have 80+ comments. The past ten articles combined (excluding these) have a grand total of three comments. Over-the-top opinions get page views. So here we go.

A phishing pentest is a waste of money

That statement aims squarely at the profitable pentest service line and kneecaps the zing from the juicy report that’s needed to sell next year’s assessment. It also irritates the mercenary face punchers when they have to go back to traditional attack and report work. Pentesters pay good money for point-and-clicky exploit tools. Who am I to cripple a feature set and spoil their fun? A report about how you weren’t able to break in flounders, while one about how you were able to trick employee X into clicking Y leading to compromise  reads like a slasher novel. A pentester needs to deliver a thriller in order to level up in the customer’s security budget. Phishing does that nicely.

Any organization who believes they need to spend money to find out if they are vulnerable to spear phishing needs a new CSO.

“I felt like destroying something beautiful.”

I’m the last person to rehash the “there is no value in pentesting / pentesting is dead” debate. Security needs testers who are motivated by the sole desire to destroy something beautiful. I employed a team of face punchers at Intrepidus Group who enjoy their job thoroughly. I’ll be the first to tell you this type of person is not who you want implementing and executing defensive security policy and strategy for your enterprise network. They punch faces and write reports.

It’s no wonder a number of passionate network defenders took issue with the article’s advice. Not only is a phishing pentest a complete waste of money, it squanders and taints a valuable teaching opportunity that could be used to improve security. Emotional beings don’t like to be penetrated for the sake of penetration. They’re fragile, very fragile! I have a list of organizations who can’t use the PhishMe method because an overzealous pentester went over the line!

PhishMe.com!# TURF WARS

The original article hits, heart rates increase, copy-cat services moan. Commenters comment, the twittersphere tweets, bloggers blog, and the dust settles. The responses were what I was expecting. It was good to see PhishMe customers chime in with their true-to-life experiences completely dismissing the article. The most disappointing commentary (yet not surprising) was the twitter echo chamber of offensive testing curmudgeons piling on with no experience making a meaningful impact to the security defense of an organization to speak from. Donny you’re out of your element!

It’s a simple matter of turf. PhishMe forces the intersection and commingling of the offensive and the defensive.

There is something about the PhishMe method that rubs pentesters the wrong way, and this won’t be the last time we have them reaching for Alka-Seltzer. In the hierarchy of security industry egotism, face punching and popping shells is the most visible. There are no high fives or pelvic desk thrusts for blocking-the-shit-out-of-packets. Along comes PhishMe looking hotter than the bride on the wedding day. “Social Engineering!?!—that’s my job!” I don’t expect face punchers to give up selling phishing tests. I just want them to stop getting the practice banned by screwing up the delivery.

“I live my life one EIP register at a time…“

The article’s bulleted suggestions of what organizations should be doing instead of phishing awareness training just go to show how disconnected the offensive mind can be. ***Breaking News: *** Those suggestions: They are already doing them! If you define success or defeat in digital defense by code execution on a single internal host, then reducing your employees’ phishing susceptibility from 68% to 5% probably does seem like a #fail. Let’s gloss over an organization’s natural headcount churn. For the sake of discussion, let’s assume a significant reduction in phishing susceptibility isn’t reason enough to do the PhishMe method. Most can appreciate the following byproducts of a PhishMe program:

• Dramatic increase in incident reporting — Employees learn how and who to report suspicious emails to. Getting incident reports to the right people instead of the spam bucket does wonders.

• Employees learn the difference between phishing-fraud at home vs. targeted phishing at work.

• Inconsistent email messaging goes away — You cannot have terrible, unverifiable, non-standard corporate email communications alongside a PhishMe program. The presence of PhishMe will force an already needed email communication change.

• Situational Awareness — The time from initial phish to the first report will dramatically decrease. This is a huge advantage to the network defender.

• Email defenses get reexamined: Initiatives like SMIME and rejecting inbound email spoofing the organization’s domains get prioritized.

You would think that with all these measurable benefits it wouldn’t be too hard to convince someone to put down their hammers and refocus on improving the security posture of an organization. But I still encounter the resident assessment guy within an organization who is irritated by the fact that PhishMe isn’t an attack tool. I would say to their CSOs: Don’t buy PhishMe and force your pentest team to create awareness. More often than not they can’t get out from under their own attack-and-report mindset. Instead they are bitterly jealous that they are stuck working on improving security while their peers get to have fun punching faces. For now email remains broken. Putting all your eggs in the technology basket hasn’t been working. We don’t have a single customer who purchased PhishMe to fill a compliance need. PhishMe walks a different path. We change behavior.

Regards,

Aaron Higbee

 

p.s.   “Is Pentesting Worth it?”  A  round table at PaulDotCom’s 300th episode begins at 5:15pm today.  Care to wager on some panelist insisting that a pentest without a phishing component is the ‘wrong way’?

LinkedIn password leak: What it means for phishing

Wednesday, June 6th, 2012

Spoiler: LinkedIn password leak: What it means for phishing?  Answer:  Not Much!

When people talk to us about phishing, they often want to know “What’s next in phishing? What else are you seeing?”

This gets asked a lot, and is one of my least favorite questions because the truth is, email-based spear phishing works as-is. It has no reason to evolve right now.

But certainly in the age of social-media-Cloud-SaaS-BYOD attackers are going to shift away from email, right? We take our cues from the incident response community. We are sticking with email-based spear phishing until they say otherwise. I pointed out in a previous post, Spear Phishing Vs. Spear Phishing, that these large data dumps help build some authenticity into general consumer fraud phishing emails, and that will continue to be the case.

Is this LinkedIn data dump going to be different?

What do we know about this breach? Not much right now. I have the current dump and it’s just unsalted SHA1 hashes of the passwords. The dump that is on the internet right now contains only the password hashes. We must assume, though, that the bad guys have the username:SHA1-hash pairs, and that it’s only a matter of time before that combination is widely distributed. My LinkedIn password was terrible. It was 7 characters long and only letters and numbers. I looked for it in the dump but couldn’t find it. (I’m reading now that many of these hashes have been damaged so that the first three bytes are zeroed out. When I zero out the first three characters of the SHA1 hash of my old password, I find it.)

Will a phisher be able to take control of hundreds of LinkedIn accounts and launch phishing attacks from within the LinkedIn portal?

A lot of what is going to happen will depend on how LinkedIn handles this situation. LinkedIn owes the public some answers about its password storage. (Check out my old TripAdvisor blog post about their breach.) If LinkedIn does it like Zappos and allows users to log in with the old password and then reset it, it could be a disaster. LinkedIn should *not* handle it this way. Instead they should lock out every account that has an exposed password hash and force those users through a password reset.

Let’s assume an attacker does get access to hundreds of accounts because of this. They will be able to use the data gleaned to create a highly personalized and targeted story, but many of us have fairly public LinkedIn personas and are very liberal about accepting invites to connect.  I don’t think this will have a meaningful impact on phishing.

What about an attacker sending phishing messages through LinkedIn’s InMail?

I suppose it’s possible, but we haven’t heard of any cases yet. The message may seem more authentic to the recipient, but let’s not forget that LinkedIn’s messaging system doesn’t allow attachments. So the attacker will have to send links (which LinkedIn does make active) to the victims. Here is what it would look like to send:

And in the victim’s email inbox:

So the LinkedIn platform isn’t a very good one to send phishing attacks with. Are there any other concerns? You betcha! Password re-use! Earlier in this post I admitted to having a poor LinkedIn password. But that didn’t get my heart racing because I’m a fanatic advocate of password managers that auto-generate and store complex passwords. I have 185 items in my personal password manager. (I had 183 this morning until I changed my LinkedIn and personal Twitter passwords.) These massive credential breaches will continue to happen. Companies like LinkedIn will continue to have terrible password storage practices. (sha1 unsalted. Really? Whip yourself.) We still don’t know how LinkedIn will handle this. If this breach does lead to an uptick in consumer-based phishing, it will be hard to tie it to LinkedIn because the phishing emails will likely come from compromised email accounts that shared the same LinkedIn password, not from LinkedIn itself.
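To show why “sha1 unsalted” deserves the whipping, here is an added example (written for this page, not LinkedIn’s code or PhishMe’s) of how an unsalted dump is attacked with a wordlist, why entries whose leading characters were zeroed out are still recoverable, and what a per-user salt plus an iterated hash would have changed. The dump entries and passwords are constructed for the demo and the number of zeroed characters per entry is an assumption.

```python
"""Added example (not from the original post): how an unsalted SHA-1 dump is
attacked with a wordlist, why entries whose leading characters were zeroed out
are still recoverable, and what a salted, iterated hash would have changed.
The dump entries and passwords are constructed for the demo, not taken from
the real leak; the number of zeroed characters per entry is an assumption."""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000   # assumed work factor for the salted alternative


def sha1_hex(password):
    """What the leaked file contained: bare SHA-1 of the password, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def mask(digest, n):
    """Overwrite the first n hex digits with zeros, like the damaged entries."""
    return "0" * n + digest[n:]


# Constructed dump: two intact entries, two with zeroed-out leading digits.
SAMPLE_DUMP = [
    sha1_hex("linkedin1"),
    sha1_hex("Summer2012"),
    mask(sha1_hex("letmein7"), 5),
    mask(sha1_hex("password"), 3),
]
WORDLIST = ["123456", "password", "qwerty", "linkedin1", "letmein7", "Summer2012"]


def matches(entry, candidate):
    """Exact match, or suffix match for entries whose leading digits were zeroed.
    The compared tail is still 35+ hex digits, so chance collisions are negligible."""
    if hmac.compare_digest(entry, candidate):
        return True
    k = len(entry) - len(entry.lstrip("0"))
    return 0 < k < len(entry) and entry[k:] == candidate[k:]


def crack_unsalted(dump, wordlist):
    """Without salt, one hash per guess is compared against every entry at once."""
    recovered = {}
    for word in wordlist:
        digest = sha1_hex(word)
        for entry in dump:
            if matches(entry, digest):
                recovered[entry] = word
    return recovered


def hash_salted(password, salt=None):
    """Per-user random salt plus an iterated KDF: same password, different hash."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def verify_salted(password, salt, stored):
    return hmac.compare_digest(hash_salted(password, salt)[1], stored)


def salted_defeats_shared_lookup(password):
    """Two users with the same password get unrelated hashes, so one guess
    only tests one account, and the zeroed-prefix trick has nothing to match."""
    s1, h1 = hash_salted(password)
    s2, h2 = hash_salted(password)
    return h1 != h2 and verify_salted(password, s1, h1) and verify_salted(password, s2, h2)


if __name__ == "__main__":
    for entry, word in crack_unsalted(SAMPLE_DUMP, WORDLIST).items():
        print(entry, "->", word)
    print("salted:", salted_defeats_shared_lookup("password"))
```

The damaged entries cost the attacker nothing: the untouched tail of the digest is more than enough to confirm a guess. With a salt, every account needs its own pass over the wordlist and the iteration count makes each guess expensive.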

–Aaron Higbee @higbee

 

Edits:

Nice post here about this: http://www.novainfosecportal.com/2012/06/06/leakedin-passwords-linked/

UPDATE: LinkedIn gives more details. Already they are handling this better than some other breaches.

Check out this blog post from LinkedIn’s Vicente Silveira:  http://blog.linkedin.com/2012/06/06/linkedin-member-passwords-compromised/

Of course this is an embarrassing situation for them, but I’d like to give them credit for:

  1. Disabling these accounts instead of letting people log in to change their password.
  2. Giving people some good information about password resets and not following links in email.  (phishers will use this breach story to try to compromise accounts in spite of this but good for them to put out a warning.)
  3. Using the word Salt and promising to give us more details about the security mechanisms that will be going into place.

 

 

Educause 2012 SPC: Quick Review

Tuesday, May 22nd, 2012

Last week I attended the Educause Security Professionals Conference 2012 in Indianapolis, Indiana and was lucky enough to co-present with Emory University to discuss the phishing problems higher education faces. This event had an entire track devoted to Awareness & Training, and of course a major topic for discussion was phishing.

Beyond presenting and spending time answering questions at our booth, I spent a lot of time in the sessions learning about the IT security issues they face. The professionals that work in this space really have their work cut out for them.

  • They have all the challenges of supporting security, enforcement, abuse of services, and account compromise from the students and alumni services.
  • They also have the classic enterprise security challenges when it comes to supporting faculty and business administration.
  • On top of that, many have an added layer of challenges keeping their hospitals and research centers protected and in compliance with the applicable regulations.

Maintaining security for these different audiences really keeps you on your toes and the depth of ability and expertise I saw at Educause was truly impressive.  (hat tip)

What ‘phishing’ means in Higher Education…

The most visible phishing problem is student account compromise. The attackers want student credentials to abuse resources. This could mean using a compromised email account to phish for more accounts (more about that later), send spam, access restricted publications/journals, or abuse VPN services to bypass geo restrictions. The earlier emphasis on ‘most visible’ was to make the point that the aftermath of an account compromise is usually the only indicator that an email phishing attack occurred. The compromised account will spew out loads of spam or launch further attacks, which of course is quite different from the spear phisher who is trying to gain access to a network and maintain secret control.

A great session I attended was by Harvard Townsend of Kansas State University. He presented the multi-pronged approach they use to bring awareness to the phishing problem. K-State has a lot of valuable data about the types of incidents they respond to, the number, and the frequency. (It’s probably not a surprise that phishing related incidents make up the bulk of their response efforts).

YouTube video: K-State IT Services Cyber Security Awareness

One of the most creative ways I’ve seen to get the word out about phishing was a video Kansas State produced. (besides PhishMe, I’m biased ;) ) This video has fantastic production and insight into the type of phishing problem higher education is facing.  In their multi pronged approach they even ran this video on their Jumbotron during a sold out game!

I really enjoyed the Educause Security Professionals Conference and will have more to share about it later this week.

Aaron Higbee - @higbee

 

Spear Phishing with Password Protected Zip Files

Tuesday, November 1st, 2011
The Slashdot headline this morning reads: Spear Phishing Campaign Hits Dozens of Chemical, Defense Firms

What is it about? Simple: the Poison Ivy trojan wrapped in a password-protected ZIP file so it can get past filtering. Symantec has an excellent analysis of these attacks in a paper titled The Nitro Attacks: Stealing Secrets from the Chemical Industry by Eric Chien and Gavin O’Gorman. You can read the entire paper here.

“The most recent attacks focusing on the chemical industry are using password-protected 7zip files which, when extracted, contain a self-extracting executable. The password to extract the 7zip file is included in the email. This extra stage is used to prevent automated systems from extracting the self-extracting archive.”

Packing malicious code into a ZIP file and including the password in the body of the email is a fairly common spear phishing technique that has been going on for quite some time. In fact, we have specific training about this tactic available at PhishMe. Here is a small snip from our training about password-protected ZIP files:

Malware in password protected zip file
By now you may be aware of spear-phishing emails that contain malicious attachments.  We have technology in place that scans email looking for malicious attachments, but it’s not foolproof.  In this cat-and-mouse game, the bad guys are always looking for new ways to get past our safeguards.
  
One technique they use is placing the malicious attachment inside of a password protected ZIP file. It works like this:  the attacker zips the malicious file, then puts the password for the ZIP file in the body of the email. They do this because they know our email security tools can’t see what is inside the protected ZIP file.
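The training text explains why the gateway is blind; here is what the gateway can still see. This is an added example (written for this page, not part of the post or of the PhishMe training module it quotes): a mail-gateway style check that walks the local file headers of a ZIP attachment, flags entries whose general-purpose flag bit 0 (traditional PKWARE encryption) is set, and pairs that with a scan of the message body for a password being handed to the recipient. The message, the attachment bytes, the password-phrase regex and the verdict policy are constructed for the demo; they are not any vendor’s detection logic.

```python
"""Added example, not part of the post or the PhishMe training text it quotes.
A mail-gateway style check for the tactic above: walk the local file headers of
a ZIP attachment, flag entries whose general-purpose flag bit 0 (traditional
PKWARE encryption) is set, and pair that with a scan of the message body for a
password being handed to the recipient. The message, the attachment bytes and
the verdict policy are constructed for the demo; they are not any vendor's
detection logic."""
import re
import struct
import zlib

LOCAL_HEADER = struct.Struct("<IHHHHHIIIHH")   # 30-byte local file header, little-endian
LOCAL_SIG = 0x04034B50
FLAG_ENCRYPTED = 0x0001          # general-purpose bit 0: entry is encrypted
FLAG_DATA_DESCRIPTOR = 0x0008    # bit 3: sizes follow the data, not the header
EXECUTABLE_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")
# Matches "the password is nitro2011" or "password: nitro2011" (assumed phrasing).
PASSWORD_HINT = re.compile(r"\bpassword\b\s*(?:is|:)\s*[\"']?([^\s\"',.;]+)", re.I)


def build_zip(entries):
    """Build a minimal archive from (name, payload, encrypted) tuples, stored
    uncompressed. Encrypted entries get the 12-byte PKWARE encryption header
    and the flag bit; the bytes are a stand-in, not real ciphertext. The
    central directory is omitted because the scanner only reads local headers."""
    out = bytearray()
    for name, payload, encrypted in entries:
        body = (b"\x00" * 12 + payload) if encrypted else payload
        flags = FLAG_ENCRYPTED if encrypted else 0
        name_b = name.encode("utf-8")
        out += LOCAL_HEADER.pack(LOCAL_SIG, 20, flags, 0, 0, 0, zlib.crc32(payload),
                                 len(body), len(payload), len(name_b), 0)
        out += name_b + body
    return bytes(out)


def scan_zip(data):
    """Return one dict per local file header: name, encrypted flag, method, size."""
    entries, pos = [], 0
    while data[pos:pos + 4] == b"PK\x03\x04":
        (_, _, flags, method, _, _, _, csize, usize,
         nlen, xlen) = LOCAL_HEADER.unpack_from(data, pos)
        name = data[pos + 30:pos + 30 + nlen].decode("utf-8", "replace")
        entries.append({"name": name, "encrypted": bool(flags & FLAG_ENCRYPTED),
                        "method": method, "size": usize})
        if flags & FLAG_DATA_DESCRIPTOR and csize == 0:
            break   # streamed archive: sizes live after the data; use the central directory
        pos += 30 + nlen + xlen + csize
    return entries


def assess(body, attachment):
    """Combine attachment structure and body text into a verdict (assumed policy)."""
    entries = scan_zip(attachment)
    reasons = []
    encrypted = [e["name"] for e in entries if e["encrypted"]]
    executables = [e["name"] for e in entries if e["name"].lower().endswith(EXECUTABLE_EXT)]
    hint = PASSWORD_HINT.search(body)
    if encrypted:
        reasons.append("encrypted entries the filter cannot inspect: " + ", ".join(encrypted))
    if executables:
        reasons.append("executable entries: " + ", ".join(executables))
    if hint:
        reasons.append(f"archive password handed out in the body: {hint.group(1)!r}")
    if encrypted and hint:
        verdict = "block"          # the exact pattern described in the post
    elif encrypted or executables:
        verdict = "hold for review"
    else:
        verdict = "allow"
    return verdict, reasons


# Constructed sample: lure text plus a password-protected archive wrapping an executable.
SAMPLE_BODY = ("Please find the updated safety data sheet attached.\n"
               "The password is nitro2011 as usual.\nRegards, Bob")
SAMPLE_ATTACHMENT = build_zip([("SDS_update.exe", b"MZ" + b"\x90" * 60, True)])
BENIGN_ATTACHMENT = build_zip([("q3_forecast.xls", b"\xd0\xcf\x11\xe0" + b"\x00" * 28, False)])

if __name__ == "__main__":
    print(assess(SAMPLE_BODY, SAMPLE_ATTACHMENT))    # ('block', [...])
    print(assess("See attached.", BENIGN_ATTACHMENT))  # ('allow', [])
```

The filter cannot see the executable inside the encrypted entry, but it can see that the entry is encrypted and that the same message hands out the password; that combination is the signal. A real gateway would also parse the central directory and try the quoted password against the archive before deciding.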
 
Existing PhishMe customers: If you haven’t gotten the message out to your people about spear phishing using password-protected ZIP files, log in to your account and check it out.
 

Future customers:  You could be using our award winning solution right now to train people about this exact tactic.

stay safe,

Aaron Higbee

User Awareness: A Growing Concern Among Organizations

Tuesday, September 6th, 2011

Phishing has always been a challenge for companies, but in recent months high-profile breaches have cast a bright light on a more pressing aspect of the phishing threat: user awareness, or the lack thereof! The reason phishing attacks are so effective is that most employees have only a basic level of phishing awareness. Companies attending recent events such as Black Hat and SANSFIRE reiterate a common theme: “we need more effective ways to increase our employees’ awareness to help minimize the success of phishing attacks.”

Once thought of as a threat that could be mitigated simply by an email filtering solution, phishing (and now, more importantly, spear phishing) has evolved to such a sophisticated level that technical controls are no longer effective at differentiating well-crafted, targeted emails from legitimate ones. This leaves employees as the last line of defense, which highlights the need for improved education. The challenge for many IT security professionals is that they have little time to develop programs that provide effective education and reduce the risk to their organization. While many companies indicate they have an awareness program, they also indicate that it lacks consistency and content. This awareness model does little to increase their employees’ awareness or change their behavior.

Organizations with mature awareness programs attribute their success to a mix of periodic communications and structured training that provide immediate, informative and relevant awareness content to employees. The inline awareness saves both time and resources and targets training to those who need it most. At PhishMe we encourage our customers to conduct sanctioned simulated phishing exercises. This allows organizations to identify where targeted education should be directed and offers the ability to provide immediate education.

There are several different ways PhishMe works with our clients to improve overall employee awareness, including online games, tutorials, custom training and awareness program consultation. In the end it comes down to striking the right balance between content and repetition for your enterprise. Having trained over 2 million users to date, our customers have seen how consistent training can raise awareness and reduce the risk of employees falling victim to phishing attacks by up to 80 percent.

If we are in your area, we welcome you to come speak with us at an upcoming event!

 

The PhishMe Team

 

Spear Phishing Impersonators: Beware of familiar names from free email services

Friday, July 29th, 2011

There is a common spear phishing tactic that we help our PhishMe customers combat, and that is attackers using familiar names with fake free webmail accounts.

The attacker wants to break into Widget, Inc. The first thing they do is research Widget, Inc., looking for business units that may have access to the information assets they are targeting. Once they have picked their target, they need familiar names to make their spear phish more enticing to the eventual victim.

They will pick a real name inside Widget, Inc. to serve as the From: line of the spear phishing email. Sometimes the attacker is smart enough to choose a name in a different office or time zone. This increases the likelihood that the victim won’t pop their head over the cubicle wall and ask “did you just send me an email from your Gmail account?”

Once the phisher is satisfied they have a good name to impersonate, (e.g. Bob Dobolina) they will register bob.dobolina@gmail.com, (or hotmail, yahoo, etc…)

Armed with a new free email account that uses a familiar name, the phisher will send out their spear phish to the intended targets who may know or have heard of “Bob Dobolina.” This increases the chance that the victim will fall for the phish.

How does the attacker find the names needed to carry on this charade?  Social networks and tools like Jigsaw and LinkedIn provide a wealth of information. (Head over to jigsaw.com right now and put your company name in.) You will see that piecing together the necessary information to effectively impersonate someone is quite easy.

 

 

 

 

Besides making your organization aware of this threat, what else can you do to protect yourself? How about creating fake personas?  Ann Smith, Executive Assistant to the Director of Legal.  But in this case, Ann Smith isn’t an executive assistant, instead, Ann Smith is an email alias that goes directly to your incident response and network monitoring team.
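The checks below are an added example (written for this page, not PhishMe’s product logic) of what a mail gateway can do with the two ideas in this post, the familiar-name-at-a-free-webmail-provider tell and the decoy alias that routes straight to incident response, together with the control listed earlier on this page under “Email defenses get reexamined”, rejecting inbound mail that claims the organization’s own domain. The employee directory, domain names, decoy alias, freemail list and sample messages are all constructed for the demo; whether a message arrived through the organization’s own relay is assumed to be known from the receiving MTA.

```python
"""Added example (not from the original post): inbound-mail checks for the
impersonation tactic described above, plus the related control mentioned
earlier on this page, rejecting inbound mail that claims the organisation's
own domain. The employee directory, domain names, decoy alias, freemail list
and sample messages are all constructed for the demo."""
import re
import unicodedata
from email import message_from_string
from email.utils import getaddresses, parseaddr

ORG_DOMAIN = "widget-inc.example"                          # assumed organisation domain
FREEMAIL = {"gmail.com", "hotmail.com", "yahoo.com", "outlook.com", "aol.com"}
DIRECTORY = {                                              # constructed employee directory
    "Bob Dobolina": "bob.dobolina@widget-inc.example",
    "Jane Doe": "jane.doe@widget-inc.example",
}
# The "Ann Smith" persona from the post: not a real employee, mail to her goes to IR.
DECOY_ALIASES = {"ann.smith@widget-inc.example"}


def normalize_name(name):
    """Fold accents and case, drop punctuation, sort tokens so 'Dobolina, Bob' == 'Bob Dobolina'."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return " ".join(sorted(re.findall(r"[a-z]+", ascii_name.lower())))


DIRECTORY_BY_NAME = {normalize_name(n): a for n, a in DIRECTORY.items()}


def _domain(addr):
    return addr.rpartition("@")[2].lower()


def check_message(raw, from_internal_relay=False):
    """Return a list of findings for one RFC 5322 message. from_internal_relay
    says whether the message entered via the organisation's own outbound path
    (assumed to be known from the receiving MTA)."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = _domain(addr)
    findings = []

    # 1. Familiar display name, but the address lives at a free webmail provider.
    known = DIRECTORY_BY_NAME.get(normalize_name(display))
    if known and sender_domain in FREEMAIL:
        findings.append(f"display name {display!r} matches directory entry {known} "
                        f"but the sender address is at {sender_domain}")

    # 2. Our own domain in From: on a message that did not come through our relay.
    if sender_domain == ORG_DOMAIN and not from_internal_relay:
        findings.append(f"claims {ORG_DOMAIN} but arrived from outside; reject at the edge")

    # 3. Looks internal, but replies are steered to a free webmail account.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and sender_domain == ORG_DOMAIN and _domain(reply_to) in FREEMAIL:
        findings.append(f"Reply-To {reply_to} diverts replies to a free webmail account")

    # 4. Anything addressed to the decoy persona is by definition unsolicited.
    recipients = {a.lower() for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    for decoy in recipients & DECOY_ALIASES:
        findings.append(f"addressed to decoy alias {decoy}; route to incident response")
    return findings


# Constructed sample messages.
PHISH = ("From: Bob Dobolina <bob.dobolina@gmail.com>\n"
         "To: jane.doe@widget-inc.example\nSubject: Q3 numbers\n\n"
         "Jane, can you send me the Q3 forecast? Working from home today.\n")
LEGIT = ("From: Bob Dobolina <bob.dobolina@widget-inc.example>\n"
         "To: jane.doe@widget-inc.example\nSubject: lunch\n\nNoon?\n")
DECOY_HIT = ("From: HR Team <hr.team@yahoo.com>\n"
             "To: Ann Smith <ann.smith@widget-inc.example>\nSubject: policy update\n\n"
             "Please review the attached.\n")

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT), ("decoy", DECOY_HIT)):
        print(label, check_message(raw, from_internal_relay=(label == "legit")))
```

The first check only works if the directory lookup is fuzzy enough to catch “Dobolina, Bob” and accented variants; the second is what SPF/DMARC enforcement does at the edge, so a gateway that already rejects such mail never needs it here. The decoy alias produces no false positives by construction, which is exactly why it belongs on the IR team’s watch list.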

Stay Safe!

-Vanessa Bush