Slashdot Mirror


Highly Targeted Phishing From Salesforce.com Leak

An anonymous reader writes "Salesforce.com has finally acknowledged what security experts have suspected for weeks: that a Salesforce.com employee had his company credentials stolen in a phishing scam, and criminals have been using names and e-mail addresses from Salesforce's customer list to conduct other highly targeted phishing attacks, including the recent round of fake e-mails apparently from the Federal Trade Commission." In such highly targeted attacks, the AV companies are at a loss — they have little chance of quickly developing signatures for threats that only reach a few thousand victims.

6 of 72 comments

  1. ummm... what? by Anonymous Coward · · Score: 5, Insightful

    In such highly targeted attacks, the AV companies are at a loss -- they have little chance of quickly developing signatures for threats that only reach a few thousand victims. In other news, the auto-safety companies are at a loss with respect to fire safety violations in people's homes - they have little chance of quickly developing airbags for threats like leaving a cigarette burning and unattended.

    Seriously, what do AV companies have to do with phishing scams? The proper counter-attack to phishing is user education, and proper security practices at various sites (e.g. banking sites not using email for official correspondence, not allowing info to leak, etc.). There are some technological tools that can help reduce the impact of phishing (e.g. toolbars that notify the user of suspicious activities) but ultimately this is an issue of user education...

    ...and I really have trouble understanding why AV companies should be the ones to come up with 'signatures' to detect this stuff...
    1. Re:ummm... what? by phantomcircuit · · Score: 4, Funny

      "User education"

      haha .... hahahahahaha.... HAHAHAHAHA

      You had me there. No really what is your solution to phishing?
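The comment above mentions "toolbars that notify the user of suspicious activities" as the kind of technological help that exists for phishing. As an added example (not code from the thread, Salesforce, or any real toolbar), the Python below shows the sort of link checks such a tool performs on a message body: it extracts every anchor, flags links whose visible text names one domain while the href points at another, links with a user-info component (`http://ftc.gov@host/`, which makes the browser connect to `host`), links to bare IP addresses, and hosts that embed a claimed brand's name without being that brand's domain. The sample e-mail, the `ftc.gov` brand mapping, the `198.51.100.7` address and the `.example` hostnames are all constructed for illustration, and the `registrable()` helper is a deliberately naive two-label approximation rather than a public-suffix-list lookup.

```python
"""Heuristic link checks of the kind an anti-phishing toolbar applies.

Added example: none of this is from the original thread. The e-mail body,
domains and IP address below are constructed test data.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkExtractor()
    parser.feed(html)
    return parser.links


def registrable(host):
    """Last two labels of a hostname (assumption: no public-suffix handling)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


# Looks for a domain name inside the anchor's visible text, scheme optional.
_DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})")


def check_link(href, text, claimed_domains):
    """Return a list of human-readable findings for one anchor (empty = clean)."""
    findings = []
    parts = urlsplit(href)
    if parts.scheme not in ("http", "https"):
        return findings  # mailto:, tel: etc. are out of scope here
    host = parts.hostname or ""

    if parts.username is not None:
        findings.append("user-info before host: browser connects to %s" % host)

    try:
        ipaddress.ip_address(host)
        findings.append("link points at a bare IP address %s" % host)
    except ValueError:
        pass

    m = _DOMAIN_IN_TEXT.search(text.lower())
    if m and registrable(m.group(1)) != registrable(host):
        findings.append("text shows %s but href host is %s" % (m.group(1), host))

    for domain in claimed_domains:
        brand = domain.split(".")[0]
        if registrable(host) != domain and brand in host:
            findings.append("host %s imitates %s" % (host, domain))
    return findings


def analyze_email(html, claimed_domains=("ftc.gov",)):
    """Return [(href, findings)] for every link that triggered a check."""
    flagged = []
    for href, text in extract_links(html):
        if href is None:
            continue
        findings = check_link(href, text, claimed_domains)
        if findings:
            flagged.append((href, findings))
    return flagged


# Constructed sample, modelled on the fake "FTC complaint" mails in the story.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, the Federal Trade Commission has filed a complaint against your company.</p>
<p>Review it at <a href="http://ftc.gov.complaint-review.example/case">https://www.ftc.gov/complaint</a></p>
<p>Or <a href="http://ftc.gov@198.51.100.7/login">log in here</a>.</p>
<p>Official site: <a href="https://www.ftc.gov/">www.ftc.gov</a></p>
"""

if __name__ == "__main__":
    for href, findings in analyze_email(SAMPLE_EMAIL_HTML):
        print(href)
        for f in findings:
            print("   -", f)
```

Run stand-alone, it reports the two crafted links and leaves the genuine `www.ftc.gov` link alone. The checks are heuristics: the text-versus-host comparison only fires when the visible text itself looks like a URL, and the brand check is purely a substring match, so a real tool would add a proper public-suffix list and a curated brand-to-domain table.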

  2. AV companies appropriate? by morgan_greywolf · · Score: 5, Insightful

    Are AV companies even the appropriate resource for dealing with phishing scams? Why don't we just teach people some common sense or something? Phishing is a user education problem, not a problem to be attacked by antivirus tools.

  3. It's not just targeted phishing... by argent · · Score: 4, Funny

    If you know about a security hole in a product, and you write a program to attack it, and fire it off at a specific target, odds are poor that any antivirus software will catch it. And if it's a remote execute vulnerability, the target won't have a chance to avoid being phished, because it'll all happen automatically.

    Also, there's software (like Internet Explorer) that pretty much trains people to fall victim to "thin" social engineering attacks (by, for example, crying wolf hundreds of times a day). This means that these attacks work often enough that if you can target a few hundred people at a specific location you'll get one, and they happen often enough that it's not even suspicious for a few hundred people at a location to get a dialog box asking if they want to infect their computer now.

    Antivirus software can't help.

    Security is like sex.

    Once you're penetrated you're fucked.

  4. When technology is not the answer by DFDumont · · Score: 4, Insightful

    Not everything can be addressed through technology. This is such a case. Note that the original error was with a human being that chose to be duped by a phishing expedition. In most of the cases the fatal flaw in any data security design is the people who run it.
    My point is simply this. Training hours spent with each employee about how to recognize and respond correctly to online threats would have been a more effective and likely cheaper alternative to whatever their last security initiative was. Conversely, testing or "job skill validation" that prevents people likely to do stupid things from getting enough clearance to have an email address on the corporate server would also be effective.
    The problem with modern operating systems is that they allow people to think they know how to run a computer. Vista says, "Shall I allow trojan.exe to run?" User says to self, "Self, I have no clue what that is, so I better let it run."
    Anyone else see a problem with leaving immediate security questions to be answered by the person who happens to be at the keyboard?
    IMHO Technology is not and should not be thought of as, the solution to all problems.
    Dennis Dumont

  5. Re:Screw antivirus, call law enforcement! by gujo-odori · · Score: 4, Interesting

    They do. Federal law-enforcement is always present at, and typically presents at, APWG meetings (I work for an APWG member), and they do track this stuff, and when possible, make arrests. Among the problems they face are volume (there's so much of this stuff, and LE does not have unlimited resources), time (doing the investigation and compiling evidence is by its nature very painstaking work), and the fact that the perps are most commonly in Russia and other eastern European countries, making apprehension and prosecution far more difficult.

    They can't solve all the problems, or maybe even most of them, but they're doing what they can, and it's more than you'll read about on Slashdot. No matter how much resources the FBI and others throw at this problem, however, it will always remain mostly a problem of technology combined with user education.

    At the last APWG meet, in Pittsburgh, some researchers from Carnegie-Mellon presented their findings of an anti-phishing game they wrote, the idea being that you can more effectively train users to not be phished by having them play a video game, rather than read some boring instructions from the IT department or watch a similarly boring video. Their test subjects showed real improvement vs. a control group, and there has been considerable interest in the game.

    A preview version is here, for anyone interested:

    http://cups.cs.cmu.edu/antiphishing_phil/

    License is CC-attribution-non-commercial.

    (I am not affiliated with CMU)