Slashdot Mirror

← Back to Stories (view on slashdot.org)

RSA: Phish Me If You Can (Video)

Posted by Roblimo on from the hooks-often-lurk-inside-the-tastiest-bait dept.

Spearphishing. The deluxe (but easy) way to get unwary employees to put malware on your network. It's basically the same as phishing, except more targeted. That is, a plain phishing scam might offer an unwary web-browsing employee a chance to see a famous starlet naked, while a spearphishing attack might purport to be an urgent request from your Bizzaro County office for 200 Kg of Unobtainium Oxide. Open that email, and... ZAP! So this is social hacking (cracking for the old-timers), and cannot necessarily be fought entirely by technical means. So how about setting up fake spearphishing attempts and immediately sending employees who fall for them to an IT security class with an emphasis on how to avoid phishing scams? You can do this yourself, possibly with help from a bright person or two from a nearby University. Or you can contact PhishMe or another anti-phish training company and have them help you teach spearphishing awareness to your people. Either way, every computer-using person in your company should know about phishing -- and should know how to avoid getting hooked by phishers.

5 of 171 comments (clear)

  1. Open an email by Nerdfest · · Score: 4, Informative

    Open an email? You mean text? Not really a problem. if you're not blocking images and JavaScript, you're headed for trouble, targeted or not.

    1. Re:Open an email by Lonewolf666 · · Score: 3, Informative

      Several years ago, Outlook did something similar with Visual Basic scripts attached to a mail. Loading the email into the preview window was sufficient to trigger the script.
      IMHO the greatest security fuckup in the history of Microsoft (and Autorun on CDs was the second biggest).

      --
      C - the footgun of programming languages
  2. Re:More stupid victim-blaming by DarkFencer · · Score: 3, Informative

    Its rarely about just opening an email. Its about opening attachments in that email, or opening links that lead to sites with malware. There have been enough vulnerabilities (OS, Adobe, Java, etc.) that have been around which don't require any special privileges. Just a user to click through warning prompts.

    It cannot be solely IT's responsibility - especially in this day of BYOD (Bring your own device). IT isn't always able to remove admin privileges from corporate/organization owned computers - much less the Sales guy's personal laptop.

  3. This post = spearphished-slashvertisement? by DontBlameCanada · · Score: 5, Informative

    I got duped into clicking the story thinking it was a legitimate article. Instead I got a slashvertisement... ./suckered

  4. It's not that simple. by nuckfuts · · Score: 2, Informative

    Many corporate users use Outlook. When viewing (or previewing) HTML-formatted messages, it uses the same rendering as Internet Explorer, and is thus susceptible to the same vulnerabilities.

    I can remember a happy time when I could tell people with confidence "you'll never infect your computer by merely viewing an e-mail". Or a JPG. Or a PDF. Or ...