Slashdot Mirror


Phishers Hone Skills, Craft More Impressive Attacks

CWmike writes "Recent break-ins at high-profile targets like the International Monetary Fund demonstrate just how proficient hackers have become at so-called spear phishing, researchers said on Tuesday. 'Today's spear phishing is not only more prevalent but also much more technically proficient,' said Dave Jevans, chairman of the Anti-Phishing Working Group. 'They're not going for a password, anymore; they're getting people to install crimeware on their computers.' The trend highlights the need for defenses against such targeted threats, requiring companies to look beyond security strategies focused purely on dealing with traditional network threats, analysts said. Increasingly, companies also need to focus on approaches such as continuous monitoring of networks, databases, applications and users, outbound traffic filtering and whitelisting."

14 of 63 comments

  1. The Art of Deception by DigiShaman · · Score: 3, Informative

    The Art of Deception. By Kevin D. Mitnick. It's worth reading.

    --
    Life is not for the lazy.
    1. Re:The Art of Deception by DeusExMach · · Score: 3, Funny

      It takes a thief...

    2. Re:The Art of Deception by Anonymous Coward · · Score: 2, Funny

      The phrase “Set a thief to catch a thief” had by this time (after strong representations from the Thieves’ Guild) replaced a much older and quintessentially Ankh-Morporkian proverb, which was “Set a deep hole with spring-loaded sides, tripwires, whirling knife blades driven by water power, broken glass and scorpions, to catch a thief.”

  2. Re:What about turning the tables on them? by Billlagr · · Score: 2

    Really??? So have I!! And friends and relatives. All you need to do is provide some credit card details, and bam! Your machine is instantly remotely cleaned up. It's good to see MS taking such a proactive stance.

  3. Maybe it's time... by __Paul__ · · Score: 5, Insightful

    ...to stop employing people who are so clueless when it comes to IT. Personal computers have been commonplace for more than twenty years now, it's time people started learning how to use them correctly.

    I'm still coming across businessmen of a certain vintage (typically 50+) for whom it's a matter of pride that they "don't know anything about computers". FFS, it's 2011. Get a grip or retire.

    --
    worldmobilenet.com -- World Prepaid Wireless Internet plans
    1. Re:Maybe it's time... by ColdWetDog · · Score: 2

      In my organization, it's not the old dinosaurs that create security problems, it's the idiot 20 something that bypasses Sonic Firewall (the dipshit product that it is) to get to Facebook by using HTTPS and then proceeds to play Farmville for hours. Unless you can employ security experts in every slot in your organization you have these problems. Remember this is about SOCIAL engineering, not technical issues.

      --
      Faster! Faster! Faster would be better!
    2. Re:Maybe it's time... by badzilla · · Score: 2

      It originates from a time when anyone with aspirations to status in an organisation also had a secretary to perform manual tasks involving keyboards and typing. Admitting to doing one's own typing was a bit of a career depressant. These days I can't believe that anyone of whatever age in business can make serious claim to non-use of computers.

      --
      "Don't belong. Never join. Think for yourself. Peace." V.Stone, Microsoft Corporation
    3. Re:Maybe it's time... by flappinbooger · · Score: 2

      ...to stop employing people who are so clueless when it comes to IT. Personal computers have been commonplace for more than twenty years now, it's time people started learning how to use them correctly.

      I'm still coming across businessmen of a certain vintage (typically 50+) for whom it's a matter of pride that they "don't know anything about computers". FFS, it's 2011. Get a grip or retire.

      No, for most people they have not developed any more technical competence for the computer than they have for the toaster. Once you could buy a computer from Wal-Mart at the same time as getting a loaf of bread and a gallon of milk, while having your oil changed, computers have become commodities. Why would you expect people to develop such deep understanding of using and securing their toasters?

      Who is to blame? Start with Apple, then Dell. Gateway. The early "computer in a box, use color coded wires and a pictograph to hook it up" people made it stupid easy to own a computer. Once the stupid is in, hard to get stupid out.

      It's not a bad thing over all, but from a security aspect it is.

      --
      Flappinbooger isn't my real name
  4. Special sandbox for 'em by Mathinker · · Score: 5, Interesting

    No, I think the best is to provide super-special sandboxing for them. One could even periodically send "test probes" to random people on one's network to better judge their level of acumen vs. current phishing techniques. Those who fail (or originally admit to being clueless) get:

    • all email which isn't a direct reply to something they originated "held up for review" by some luckless soul in IT
    • extra lockdown of their computer, perhaps including physically disabling USB ports and DVD drives
    • extra automatic monitoring of their computer for unusual behavior
    • segregating them into a special segment of the LAN which is only connected to the rest of the company via a special filtering/monitoring gateway
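The first control in Mathinker's list, holding any mail that is not a direct reply to something the user sent, can be decided mechanically from mail headers. The filter below is an added illustration written for this page, not code from the post or from any mail product: it matches the In-Reply-To and References headers of an inbound message against the Message-IDs of the user's own sent mail (the set `SENT_IDS`, the sample messages and all addresses are constructed) and returns "deliver" only for genuine replies, "hold" for everything else.

```python
"""Hold-for-review filter for a 'sandboxed' user's inbox (constructed example).

Rule implemented: an inbound message is delivered only if it threads back to a
Message-ID the user themselves sent; anything else is held for IT review.
"""
import re
from email import message_from_string

# Message-IDs look like <local-part@host>; one header may carry several.
MSGID_RE = re.compile(r"<[^<>\s]+>")

# Constructed: Message-IDs of mail this user has sent (normally taken from the
# Sent folder or the outbound MTA log).
SENT_IDS = {"<abc123@corp.example>", "<def456@corp.example>"}


def message_ids(header_value):
    """Return the set of <...> identifiers in an In-Reply-To/References header."""
    if not header_value:
        return set()
    return set(MSGID_RE.findall(header_value))


def triage(raw_message, sent_ids):
    """Classify one raw RFC 5322 message as ('deliver', why) or ('hold', why)."""
    msg = message_from_string(raw_message)
    referenced = message_ids(msg.get("In-Reply-To")) | message_ids(msg.get("References"))
    matched = referenced & sent_ids
    if matched:
        return ("deliver", "direct reply to " + ", ".join(sorted(matched)))
    if referenced:
        # Threaded, but to a conversation this user never started.
        return ("hold", "threaded to a message the user did not send")
    return ("hold", "unsolicited: no threading headers")


# Constructed sample traffic: one real reply, one cold message, one message
# that claims to be threaded but references an ID the user never sent.
REPLY_MSG = (
    "From: vendor@partner.example\n"
    "To: user@corp.example\n"
    "Subject: Re: Q3 invoice\n"
    "In-Reply-To: <abc123@corp.example>\n"
    "References: <abc123@corp.example>\n"
    "\n"
    "Attached is the corrected invoice.\n"
)

COLD_MSG = (
    "From: payroll-update@example.net\n"
    "To: user@corp.example\n"
    "Subject: Urgent: confirm your payroll details\n"
    "\n"
    "Please open the attached form today.\n"
)

FAKE_THREAD_MSG = (
    "From: someone@example.org\n"
    "To: user@corp.example\n"
    "Subject: Re: our conversation\n"
    "References: <nosuchid@elsewhere.example>\n"
    "\n"
    "As discussed, see the link below.\n"
)


def run_demo():
    """Triage the three constructed messages; returns {label: decision}."""
    samples = {"reply": REPLY_MSG, "cold": COLD_MSG, "fake_thread": FAKE_THREAD_MSG}
    return {label: triage(raw, SENT_IDS)[0] for label, raw in samples.items()}


if __name__ == "__main__":
    for label, decision in run_demo().items():
        print(f"{label:12s} -> {decision}")
```

The check is deliberately narrow: it only answers "did this user start the thread?", which is exactly what the post asks for. Message-IDs are not secret, so the filter reduces the volume of unsolicited mail reaching a high-risk user rather than proving a reply is benign; the held queue still needs the human reviewer the post describes.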
    1. Re:Special sandbox for 'em by AmiMoJo · · Score: 2

      I think the best is to provide super-special sandboxing for them.

      Etch-a-Sketch

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  5. Re:What about turning the tables on them? by syousef · · Score: 2

    I have had the Indian MS helpdesk ring a few times about the viruses on my Windows PC; surely there has to be a way of "honey potting" them to shut them down?

    If I have time, I like to play with them. I used to put the phone down while they were talking and walk away, but I worry they'll take silence as consent to switch my phone or do something else. So you egg them on. Keep saying "Sorry, I don't understand" and "Could you explain a bit more?". Then agree to nothing. If you don't have time, you just hang up.

    --
    These posts express my own personal views, not those of my employer
  6. Not phishing by lavagolemking · · Score: 3, Informative

    Phishing means tricking users into divulging sensitive data, usually a password. It is just one type of social engineering. What is being described here is another form of social engineering, where users are told instead to install malware or something like that. It is not phishing, or even spear phishing. When you get a lot of information together to plan out an effective attack on human psyche, it's called pretexting.

  7. Locked down computers by Danathar · · Score: 2

    Fact of the matter is, the less companies, governments, organizations, etc. trust their employees, the less control they will give them. Every time a phisher is successful, more control over the PC is taken away by security (in general).

    I've seen this happen in my organization. The flexibility of having a computer you can install software that helps you do your job without permission is vanishing very quickly. Before long I expect that you will not be able to download any executable (even archived in zip) or run them. Of course this not saying they will not

    Basically people's desktops at work are going to become less "personal computer" and more "web/document processing workstation".

    1. Re:Locked down computers by firewrought · · Score: 2

      That's the way it should be, and that's definitely the way it is at my job.... If you are allowing common users to install their own software, you are doing it wrong.

      Security groups tend to define "the way it should be" by whatever makes life most convenient for them. In their ideal environment, no software can run, no hardware can be introduced, no websites can be visited, and no emails can be received. Or at least, they'd like to get as close as possible to that environment as they can without management figuring out that they're responsible for organizational deadlock. Many of the promises of computing are lost to this mindset, and the bureaucratic "no" takes significant time, energy, and political influence to overturn or circumvent.

      Ideally, however, "the way it should be" is defined by whatever makes the organization most capable for the least amount of risk. There's a balance to be struck, and we haven't figured out how to organize IT departments so that security policymakers have an intrinsic interest in finding that balance.

      --
      -1, Too Many Layers Of Abstraction