This childhood phrase is something our parents ingrained in us, and in turn we preached the same to our younger siblings, nieces and nephews, or children. Between my mother’s warning remarks and one too many watched episodes of Law and Order, I always have my guard up if a stranger starts a random conversation with me on the subway. However, if a stranger approaches me via social media, such as a friend request, a follow or a connect on LinkedIn, I am much less hesitant. I will most often connect with a person over social media if we have a common connection or interest.
Why is that? Psychology! We tend to overestimate risk we can’t control. Social media and the internet feel like they are in my control: I can un-friend or un-follow someone, but a conversation with a stranger on the subway feels more confining. When a person approaches me on the subway platform I get nervous because my learned behavior triggers a flight response – I don’t know the person, something seems off and my instinct is to walk away so as to avoid being robbed (let’s say). A stranger on the internet seems less threatening because they are not physically in front of me. In reality it is easier for a hacker to open up my computer and steal from me than it is for the robber on the subway.
Would you let a stranger into your house? Of course not. But often, without knowing, we welcome hackers into our computers. The internet gives us the facade of security and control, but if we don’t keep our guard up the internet can be a place where hackers prey on a sense of security. This usually happens through phishing. We get an email that looks legitimate, click on a link in the email and enter information without even knowing the email is a phishing attack.
The Anti-Phishing Working Group recently issued a report based on a web vulnerability survey. The findings from this survey are a bit alarming – most companies that have been compromised by a phishing attack are unaware their website has been compromised. For example, you get an email from what appears to be your bank with a link to the new and improved online banking website. You click on the link and sign into what appears to be your online banking. You enter your information without knowing it is a scam. You never get a notice from your bank describing an attack, so you never think to change your passwords, and a week later $1000 is missing from your checking account and there is a charge for a flight to Fiji. OK, this story may sound dramatic, but it is a real risk. Phishing attacks are on the rise but people are unaware that these attacks are happening to their companies. We need to start paying attention to what is happening in our inbox and our company. An ounce of prevention can go a long way.
How Hackers Go Phishing
How sophisticated does an attacker’s intelligence gathering have to be for a Spear Phishing attack?
Not very much! This type of attack normally includes the sender addressing the target by name and asking them “to act immediately to verify or update personal information such as bank account numbers, user names/passwords, credit card account numbers – even your Social Security Number”1
The attacker (i.e. Spear Phisher) in reality does not have to go through very sophisticated steps to gain such pieces of sensitive information from many people. A number of careless steps on the part of the target can yield some juicy bits of information. As an example, Joe Attacker has become friends on Facebook with Jane Victim, who does not even know Joe. On her page, she happens to have certain information (not terribly sensitive, but enough to get Joe started), including where she works and where she went shopping (i.e. Macy’s) last week. Joe then meticulously crafts an email to her work address, knowing that all e-mail addresses at her company use the format FirstInitial.LastName@Companyname.com. He is fairly sure that he will get to her. He addresses the e-mail to her specifically, and uses an email domain he created with “Macys” as part of it, asking her to verify her department store credit card information.
As we’ll see, normally for a successful Social Engineering attack to take place, a high degree of sophistication is not needed. In most cases all that is needed is for the target to see a recognized brand or system he or she identifies with and a sense of urgency, such as a revocation of account status or monetary penalties in order for him or her to comply with the attacker’s requests.
Jane received an e-mail with a title/subject-line that read: “URGENT Account Verification Needed after Your Last Purchase at Macy’s!”. Jane considered herself fairly savvy with detecting online fraud and knew to look for mistakes in emails for things like Spam or Phishing. She didn’t see any anomalies such as spelling errors, and did see an official-looking Macy’s logo. The email address had a sub-domain before the Macys.com, which she actually dismissed as operational procedure.
Had she paid closer attention to the e-mail address and the URL link to the website where she was asked to provide her credit card details, social security # and other PII, Jane wouldn’t have fallen prey to the account fraud and identity theft we see happened here. When entering such information, always check to make sure there is a lock graphic in the web browser bar, which indicates a secure connection. Jane should have gone directly to the Macys.com page and logged in to see if there were any irregularities with her account. Do not click on links in an email without investigating the URL.
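The check Jane skipped can be automated. The following is an added example, not part of the original article: it compares a link's host, or a sender's address, with the real domain and reads the host from its right-hand end. The `.example` hosts and the `TRUSTED` and `BRAND` values are constructed assumptions based on the Macy’s scenario; `refang` handles the `hxxp://` defanged form that is also used on this page.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

TRUSTED = "macys.com"  # assumption: the retailer's real domain in the article's scenario
BRAND = "macys"        # brand string that a lookalike domain embeds


def refang(url: str) -> str:
    """Restore a defanged hxxp:// link so it can be parsed. Nothing is fetched."""
    url = url.strip()
    return "http" + url[4:] if url.lower().startswith("hxxp") else url


def classify_host(host: str) -> str:
    """Compare a host with the trusted domain, reading it from the right-hand end."""
    host = host.lower().rstrip(".")
    if host == TRUSTED or host.endswith("." + TRUSTED):
        return "trusted"      # macys.com itself or a genuine subdomain of it
    if BRAND in host:
        return "lookalike"    # brand appears, but the registered domain is someone else's
    return "unrelated"


def classify_link(url: str) -> str:
    parts = urlsplit(refang(url))
    verdict = classify_host(parts.hostname or "")
    if verdict == "trusted" and parts.scheme != "https":
        return "trusted-host-no-tls"  # right site, but no encrypted connection
    return verdict


def classify_sender(from_header: str) -> str:
    """Classify the domain of the address in a From: header."""
    _, addr = parseaddr(from_header)
    return classify_host(addr.rpartition("@")[2])


# Constructed samples; the .example hosts are placeholders, not real indicators.
SAMPLES = [
    "hxxp://macys.com.account-verify.example/login",
    "https://macys-billing.example/verify",
    "https://www.macys.com/account",
    "http://www.macys.com/account",
    "https://example.org/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{classify_link(link):20} {link}")
    print(classify_sender("Macys Billing <alerts@macys.com.account-verify.example>"))
```

A lookalike host served over HTTPS still classifies as `lookalike`: the lock graphic shows that the connection is encrypted, not who owns the domain.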
Spear Phishing need not be sophisticated in its identity gathering techniques. It can be a thorough method of targeting individuals, once certain details are gathered about them. Many individuals are careless in what they post on social media and who they grant access to. Attackers are constantly vigilant for these careless occurrences. They reason that if you are careless enough to make that information available in the first place, what is going to stop you in future from providing more information, given a believable communication such as a targeted Spear Phishing e-mail?
Jane is a common occurrence – more common than it should be. Spear Phishing is often not detected or obstructed. User awareness is the best defense, where people become aware not to provide sensitive PII (i.e. credit card #’s, social security #’s, addresses, salary information, DOB’s) when prompted via an email communication, with a sense of urgency strictly commanded. Always check a link before you click it if it is in the body of an email. When you are entering personal information, make sure the connection is secure. Trust your gut: if something seems phishy, it is most likely a phishing attack!
1 “Spear Phishing: the real danger behind the Epsilon data breach”: http://blogs.computerworld.com/18093/spear_phishing_the_real_danger_behind_the_epsilon_data_breach
Andres Tabares, CISM, CRISC, CISSP is a Data Security Professional with Aujas (www.aujas.com), a Global Information Risk Management consulting firm that focuses on Data Protection and Safeguarding against Social Engineering attacks, including Spear Phishing. He can be contacted at Andres.Tabares@Aujas.com.
Dreamforce 2012, the flagship event from Salesforce starts in San Francisco’s landmark Moscone Center on the 18th of September. This event last year attracted 45,000 delegates (an additional 35,000 joined online) trying to get into the several main and overflow halls to learn about latest trends in cloud services. In 2012, the event is expected to attract over 60,000 delegates making it one of the largest technology events of its kind.
We come across so many links via social networking websites, and we unknowingly click on many of them. Malicious links have catastrophic results: either the system, as well as your privacy, is compromised or your data takes the hit. This is an analysis of a link dated 17-April-2012 that I came across via Twitter and LinkedIn.
NOTE: All links have been given the ‘non-clickable’ prefix “hxxp://” to prevent mistaken clicks.
Someone posted this link hxxp://pastebin.com in a tweet. On checking, it was a list of URLs, actually a single URL pasted multiple times – a sign of desperation:
9954 credit card numbers
It states this link has 9954 credit card numbers. The first malicious hint is: why not post it directly rather than pasting the same link 4 times in an entry?
Protect your employees from spear phishing and strengthen your human firewall. Read Phishnix Insights, our popular free newsletter.
Social engineering engulfs most companies today; the primary way to an individual is via a phishing email. It is easy, it can be sent from anywhere in the world, and because many untrained employees think it is an honest request, they often do something foolish. I have said in the past that it is time to start assessing your Human Firewall, your employee, and help them understand right from wrong through security awareness. You will read in the articles below how and why phishing continues to be on the rise. Enjoy this edition of Phishing Insights.
You must have heard about the recent breach at LinkedIn, which led to the exposure of 6.5 million hashed passwords, available for download at a hacker site. Many of these passwords were decoded and published on an unauthorized website. The Feds are involved in the investigation to find the possible perpetrator(s) behind this criminal activity, but I see there are certain takeaways from this incident which would probably make us better prepared for possible future breaches.
I continue to receive phone calls that go something like this. Hello this is Mr. or Ms. CISO and I continue to have a problem, trust me I know it is a problem because my Board of Directors and Audit Committee Members tell me so. We continue to get inundated with phishing emails and we “think” our employees are doing the right thing, but we really don’t know. Can you help me?
As the consummate sales professional I say “Well of course we can”. There are three easy steps to helping solve the problem; you can never wipe the problem out because humans will always be the weakest link. The first step is to assess your employees via a controlled phishing assessment (Phishnix). The second step is to administer the security awareness training (Phishnix), and the third step is to monitor and repeat the above. Bottom line is that this risk of Phishing is not going away and is getting bigger and bigger, just like the size of the fish I caught and the fishing stories I tell my friends.
It was a bright and beautiful early summer day when I set out on our Sea Ray boat with my daughter, son and his friend for what was supposed to be a simple two hour trip to deliver “Good Times” to her home slip on LBI in New Jersey. However, when we were only a half mile from our home port, the engine shut down and as we say in nautical terms that was that.
After several tries to restart the engine and a few calls to my mechanic I realized we were stranded. The only thing I could do was drop anchor and wait for the tow boat. I anchored only 10 feet from one of those pesky little islands that are everywhere in the Jersey waters and waited for over an hour until the tow boat arrived, secured the tow line and brought us home.
Protect your employees from spear phishing and “Strengthen your Human Firewall”. Read Phishnix Insights, our popular newsletter.
In my travels to new and existing clients one topic comes up 9 out of 10 times, and that topic is phishing. Why? Because people continue to be the weakest link; we are human after all and not properly programmed (my wife has been saying this for years). Security professionals and their management are no longer burying their heads in the sand like an ostrich on a summer’s day walk, thinking there is nothing that can be done about this. Assessing the risk and remediation is what we have been doing for many years; this is no different. So it is time that you assess your Human Firewall through a controlled simulated phishing assessment and remediate via a strong security awareness campaign. You will be able to sleep better at night.
As a risk professional I am sure you have heard stories and stats about how prevalent phishing is. Some reports say the reports are going up, some say they are leveling off and still others say they are declining. The bottom line is that it only takes one person to put an entire company at risk. Don’t you think it is time to strengthen your human firewall?