Slashdot Mirror


RSA: Phish Me If You Can (Video)

Spearphishing. The deluxe (but easy) way to get unwary employees to put malware on your network. It's basically the same as phishing, except more targeted. That is, a plain phishing scam might offer an unwary web-browsing employee a chance to see a famous starlet naked, while a spearphishing attack might purport to be an urgent request from your Bizzaro County office for 200 Kg of Unobtainium Oxide. Open that email, and... ZAP! So this is social hacking (cracking for the old-timers), and cannot necessarily be fought entirely by technical means. So how about setting up fake spearphishing attempts and immediately sending employees who fall for them to an IT security class with an emphasis on how to avoid phishing scams? You can do this yourself, possibly with help from a bright person or two from a nearby University. Or you can contact PhishMe or another anti-phish training company and have them help you teach spearphishing awareness to your people. Either way, every computer-using person in your company should know about phishing -- and should know how to avoid getting hooked by phishers.

35 of 171 comments

  1. LOL by Anonymous Coward · · Score: 5, Insightful

    Your daily Slashvertisement brought to you by Dice Holdings, Inc.

  2. Open an email by Nerdfest · · Score: 4, Informative

    Open an email? You mean text? Not really a problem. If you're not blocking images and JavaScript, you're headed for trouble, targeted or not.

    1. Re:Open an email by cusco · · Score: 4, Insightful

      In network security, just the same as physical security, the main problem is not the hardware or the software, it's the wetware.

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
    2. Re:Open an email by smoothnorman · · Score: 3

      My thoughts nearly exactly! "Open that email, and... ZAP!" What sort of lame mis-managed system is that true of?

    3. Re:Open an email by Lonewolf666 · · Score: 3, Informative

      Several years ago, Outlook did something similar with Visual Basic scripts attached to a mail. Loading the email into the preview window was sufficient to trigger the script.
      IMHO the greatest security fuckup in the history of Microsoft (and Autorun on CDs was the second biggest).

      --
      C - the footgun of programming languages
    4. Re:Open an email by Sloppy · · Score: 3, Funny

      Text email is vulnerable too! I'm in the habit of: after reading every email, I save it to malware.sh, then I go to a shell, type "chmod +x malware.sh" and then either "./malware.sh" or "sudo ./malware.sh" depending on the flip of a coin. And in spite of my weird habit of doing this, I never check to see who sent me the email and whether or not it's PGP signed and if their signature checks out.

      See? Spearphishing is a really hard problem to solve! Reading email is dangerous! DAAANGEROUSSS!!!!11

      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  3. More stupid victim-blaming by pclminion · · Score: 3, Insightful

    The problem is 100% technical. How could viewing an email ever result in malware being installed? Somebody failed -- they're called the IT department.

    1. Re:More stupid victim-blaming by h4rr4r · · Score: 3, Insightful

      Yeah, they failed when they let you have admin on your pc. They failed when they did not enforce updates. They failed when they let you run a vulnerable email client.

      Yet, if they don't let anyone have admin, ban Outlook from the network and force updates and the reboots that come with them, you would be bitching up a storm.

    2. Re:More stupid victim-blaming by DarkFencer · · Score: 3, Informative

      It's rarely about just opening an email. It's about opening attachments in that email, or opening links that lead to sites with malware. There have been enough vulnerabilities (OS, Adobe, Java, etc.) that have been around which don't require any special privileges. Just a user to click through warning prompts.

      It cannot be solely IT's responsibility - especially in this day of BYOD (Bring your own device). IT isn't always able to remove admin privileges from corporate/organization owned computers - much less the Sales guy's personal laptop.

    3. Re:More stupid victim-blaming by Gulthek · · Score: 4, Insightful

      This is what passes for +5 insightful these days?

      The issue isn't opening an email: but clicking a link in that email or, worse, clicking a link that takes you to a legitimate looking site and entering data, or opening an attachment in a legitimate looking email.

      There are all sorts of attack vectors present from an email message. To sweep it all up as "IT's Problem" is a very, very bad idea. It just takes one email fooling the right person to be a security problem.

      PhishMe's philosophy is that at some point the technical protection will fail ... so you'd better ensure that your employees know what to look for. The best way to teach them what to look for is to let them actually experience safe emails using the same techniques that would be maliciously used against them.

      Spear-phishing isn't an idle threat, it's a widely used attack method that has gotten data out of targets like the New York Times, Defense Department, Facebook, and Apple (http://www.theatlanticwire.com/technology/2013/02/spear-phishing-security-advice/62304/). I'm sure that each of those companies has a very robust and capable IT Department armed with email scanning and sanitizing software. You just can't catch everything with technology.

    4. Re:More stupid victim-blaming by h4rr4r · · Score: 2

      1. See the other reply, it works
      2. DO NOT FUCKING DO THAT. Email is a text transfer mechanism. Attach documents to that, not attempt to put formatting in the email.

  4. It's not the slashvertisement by i+kan+reed · · Score: 5, Insightful

    It's the fact that they treat us like eager morons, who won't recognize it. I mean the signs are dead simple.
    1. Mentions a particular company by name.
    2. Includes at least one buzz-word.
    3. Entirely positive language.
    Regular Slashdot stories pretty clearly have signs of concern or raise questions about their subject matter. These bare-naked slashvertisements are insulting. If you're going to be blatant, please fucking acknowledge that it's sponsored in the summary.

    1. Re:It's not the slashvertisement by ShanghaiBill · · Score: 4, Insightful

      I mean the signs are dead simple.
      1. Mentions a particular company by name.
      2. Includes at least one buzz-word.
      3. Entirely positive language.

      4. Pushes a stupid and unnecessary product or service.

      Instead of training your staff not to open phishy emails, just ban any email client that allows execute-on-open.

    2. Re:It's not the slashvertisement by Peristaltic · · Score: 4, Insightful

      Same old shit. Disconnected suits, demanding more revenue, institute this kind of crap and gradually push away the users whose participation made /. a valuable site in the first place. If it gets worse, a site will eventually pop up that fills the niche left behind by /. Once the -new- one becomes valuable...... Around and around we go, ad nauseam. In the meantime, before the new site has enough users / inertia, we're stuck with more and more "articles" like this one, which really should not have been put in front of this readership.

    3. Re:It's not the slashvertisement by i+kan+reed · · Score: 3, Interesting

      I'll acknowledge that I didn't even know slashdot had bans. I figured the built in moderation system was more than sufficient.

    4. Re:It's not the slashvertisement by PCM2 · · Score: 2

      Instead of training your staff not to open phishy emails, just ban any email client that allows execute-on-open.

      I'm not sure that's the main problem, actually. Where spear phishing is concerned, I mostly hear about emails that are crafted to look like legitimate messages from companies like banks, FedEx, etc. If you can convince someone to click through to a website, it's not hard to ship them malware -- particularly if they have the Java plugin enabled.

      --
      Breakfast served all day!
    5. Re:It's not the slashvertisement by hairyfeet · · Score: 2

      Not to mention their entire company is based on a STUPID IDEA that has NEVER worked. I've been building and selling PCs to SMB and home users for 25+ fricking years and I can tell you that EDUCATION WILL NEVER WORK when it comes to stopping threats, why? Because like real life viruses they mutate and common sense is not teachable, either you have it or you don't.

      Here is a perfect example...smartphones. Think Android is well on its way to a million infections because Google didn't make a good OS? Nope, it's the simple fact that because it's a different medium you have to start from square one just like in Black Sept when we were drowning in noobs because people simply can't or won't equate a link between one medium and another. I've seen emails that have not worked IN YEARS that work like crazy on a smartphone because to Joe and Jane average the smartphone is NOT a general purpose computer, it's a toaster and they treat it as such. The thought that it can get viruses and spam never enters their minds, the phone is a magical device that hooks up to cell towers and that's totally different from the net, don't you see?

      Believe me, I know of which I speak. I've educated until I'm hoarse but the one thing you can't change is that for the education to actually work you have to have enough common sense to go "Well this is similar enough to what I was educated about so erring on the side of caution would probably be wise" and the simple fact is non geeks? They may as well be Martians, they just don't think like that for the most part. I'd love to see the unbiased results as five would get you ten that their "education" lasts only until new mutations arise and then the users go "Hey this isn't what we were told to watch out for, this prince is from Somalia so he must be legit!"

      You try to solve the problem of malware and spear phishing with education and you had better get used to looking like this because the users will make that your natural look.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    6. Re:It's not the slashvertisement by Midnight_Falcon · · Score: 4, Insightful

      Amen to this. IT professionals get enough cold calls, account managers doing "account reviews" (sales calls), and the like already. They often are people who like advertisement the least and believe they are smart enough to make their own decisions on vendors without being swayed.

      That's why ads written like a PR News story posted on Slashdot are insulting to us -- it's obviously an ad, but it's not labelled so. They no longer label the author as associated with Dice Holdings, so it can be passed off as legit news. It also can't be blocked by ad blocking software or the "disable ads" button that appears as a thank you for positive contributions.

      On top of that, they are using the moderation system to mod down complaints about this unscrupulous practice.

      This is part of the growing trend of stripping content that users want in favor of content that pays the most money to the site's publisher, the same thing folks like Facebook are doing in activity feeds. Monetizing the site at the expense of the experience of the user. How long can this trend continue before users have had enough?

    7. Re:It's not the slashvertisement by hairyfeet · · Score: 3, Insightful

      In case you haven't figured it out these corps have figured out how to game the hell out of the system.

      I USED to LMAO at all the people flinging "shill" around to basically say "You don't agree with me therefore you HAVE to have an agenda because I'm so fucking perfect in every way" but then a few months before Windows "Supergigantic Smartphone" 8 came out suddenly I started noticing all these posts that were EXACTLY alike, using the same buzzwords that normal folks don't use like "user experience" and "vertical integration"...I mean how many times in normal conversations with people who aren't marketing drones have those phrases come up? But not only that but suddenly there were a dozen "new users" who registered JUST to support the buzzword bingo and hammer home the same talking points, it's become pretty damned obvious this isn't merely fanboys coming to defend "their team", this is waaay too thought out and organized for that.

      So honestly it really wouldn't surprise me if the company who put out the ad pretending to be TFA aren't either sitting here themselves with a sock puppet brigade or even more likely hired one of the pro trolling groups to make sure their message was framed in a positive light.

      --
      ACs don't waste your time replying, your posts are never seen by me.
  5. Free Pizza in the Breakroom!1! by undeadbill · · Score: 2

    Lol, that one always works, and even though it is clear it doesn't need to be clicked, they click it anyways... I got to use that one when the Melissa virus was blocked based on the subject line "I have an attachment for your review", rather than on matching the payload of the email attachment. I made $5 on a bet with the Exchange admin, and got to watch hilarity ensue at the Exchange admin's desk when 40 hungry developers showed up, wondering why there was no free lunch and their Outlook clients were taking up all of their system resources.

    1. Re:Free Pizza in the Breakroom!1! by PPH · · Score: 2

      That's just the boss, trying to round up some candidates for his Amway pitch.

      I always delete all e-mail that claims to be from the boss. Now, thanks to PhishMe, I can claim to have been ahead of the curve fighting spearfishing all these years.

      I deserve a raise.

      --
      Have gnu, will travel.
  6. Guide for Eliminating Background Noise by mrbene · · Score: 2

    Three videos posted over the last couple of days - all of which purport to provide insight, at least in summary. I've not made it through more than a few seconds of each since there is excessive background noise.

    Use a more targeted mic? Do some post-processing? Find a quieter room to interview your subject in? Provide a transcript?

    Otherwise, it's just a waste of effort.

  7. Remember to check your legitimate e-mails by Todd+Knarr · · Score: 4, Insightful

    When setting up a test like this, first look at the legitimate e-mails sent around your company. If your business routinely circulates e-mails containing attachments employees are expected to open or links they're expected to click on, then ask yourself why you've got an overlap between what you expect employees to do and what you want them to not do. If you expect employees to check addresses but your e-mail client hides addresses, ask yourself why you're hiding what you want recipients to check. If you're having to ask those kinds of questions then the first problem you need to address isn't employees being vulnerable to spearphishing attacks, it's your internal e-mail culture and standards that make those vulnerabilities normal and expected.

    Expect a lot of resistance to fixing these things. Not from your regular workers, from the upper layers of management who like these things because they make life easy and look "Oooh, shiny!".

    It's a lot like physical security. You can emphasize it all you want, but when managers get angry at employees who closed the door in the manager's face forcing them to use their own key you will not get employees to stop letting people tailgate through doors.
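The two threads above that say something concrete about how a message is handled (comment 2 on not rendering remote images and JavaScript, and comment 7 on clients that hide the sender address while employees are expected to check it, plus the "legitimate-looking site" point in the replies to comment 4) can be turned into a small defender-side check. The following is an added example, not code from the article or from PhishMe; it uses only the Python standard library, and the sample messages, sender domains and file name are constructed placeholders for this illustration. It reports the indicators those comments describe rather than deciding anything on its own:

```python
"""Added example: report the phishing indicators discussed in the thread above.

Standard library only.  SAMPLE and CLEAN are constructed messages; the domains
and attachment name in them are placeholders, not real organisations.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse


class _HtmlIndicators(HTMLParser):
    """Collect remote images, <script> tags and (href, visible text) link pairs."""

    def __init__(self):
        super().__init__()
        self.remote_images, self.scripts, self.links = [], 0, []
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}          # attribute values may be None
        if tag == "img" and a.get("src", "").lower().startswith(("http://", "https://")):
            self.remote_images.append(a["src"])       # remote image = tracking/leak vector
        elif tag == "script":
            self.scripts += 1
        elif tag == "a":
            self._href, self._text = a.get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(s):
    """Hostname of a URL, or of bare text such as 'portal.example.com'."""
    s = s.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def _looks_like_host(text):
    return "://" in text or re.fullmatch(r"[A-Za-z0-9.-]+\.[A-Za-z]{2,}(/\S*)?", text) is not None


def analyse(raw):
    """Return a list of (indicator, detail) pairs for a raw RFC 5322 message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # 1. The address a client may hide: display name claims one domain, address is another.
    display, addr = parseaddr(str(msg.get("From", "")))
    real_domain = addr.rpartition("@")[2].lower()
    if "@" in display and display.rpartition("@")[2].lower() != real_domain:
        findings.append(("display_name_mismatch", f"{display!r} is shown, real address is {addr!r}"))
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_to and reply_to.rpartition("@")[2].lower() != real_domain:
        findings.append(("reply_to_mismatch", reply_to))

    # 2./3. HTML body: remote images, script, and links whose text names a different host.
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        p = _HtmlIndicators()
        p.feed(html_part.get_content())
        findings += [("remote_image", src) for src in p.remote_images]
        if p.scripts:
            findings.append(("script", f"{p.scripts} <script> tag(s)"))
        for href, text in p.links:
            if _looks_like_host(text) and _host(text) != _host(href):
                findings.append(("link_host_mismatch", f"text {text!r} -> href {href!r}"))

    # 4. Attachments the message asks the reader to open.
    for part in msg.iter_attachments():
        findings.append(("attachment", part.get_filename() or part.get_content_type()))
    return findings


# Constructed sample: lookalike sender, remote image, script, misleading link, attachment.
SAMPLE = b"""\
From: "accounts@example.com" <billing@example-invoices.test>
To: employee@example.com
Subject: Urgent: PO 4471 awaiting approval
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Please review the attached purchase order today.</p>
<p>Or open it at <a href="http://example-invoices.test/login">portal.example.com</a></p>
<img src="http://example-invoices.test/t.gif" width="1" height="1">
<script>document.title = "x";</script></body></html>
--b1
Content-Type: application/pdf; name="PO_4471.pdf"
Content-Disposition: attachment; filename="PO_4471.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQKJSBjb25zdHJ1Y3RlZCBzYW1wbGUK
--b1--
"""

# Constructed sample of an ordinary internal plain-text message.
CLEAN = b"""\
From: Pat Example <pat@example.com>
To: employee@example.com
Subject: Lunch
Content-Type: text/plain; charset="utf-8"

Lunch at noon?
"""

if __name__ == "__main__":
    for code, detail in analyse(SAMPLE):
        print(f"{code:22} {detail}")
```

Run as a script it lists five indicators for SAMPLE and none for CLEAN; the point of comment 7 is that a message like SAMPLE is only suspicious if routine internal mail does not already look like it, so the useful first run is over a week of legitimate traffic to see how often these indicators fire there.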

  8. HOLY FUCK by i+kan+reed · · Score: 3

    I THINK THE EDITORS ARE MODERATING CRITICAL COMMENTS DOWN!!!
    I got 5 troll mods in a matter of one minute, making a pretty reasonable post (I thought).

    I thought it was bizarre the GP got modded down once, but I really think Dice is modding the fucking comments.

  9. This post = spearphished-slashvertisement? by DontBlameCanada · · Score: 5, Informative

    I got duped into clicking the story thinking it was a legitimate article. Instead I got a slashvertisement... ./suckered

    1. Re:This post = spearphished-slashvertisement? by i+kan+reed · · Score: 4, Interesting

      I'm watching this thread to see if you get modded down. I think they've gone as far as telling editors to mod down those who point out it's a slashvertisement. Regular mods never mod this far down in a discussion, so I'd like to see if my hypothesis is substantiated.

    2. Re:This post = spearphished-slashvertisement? by i+kan+reed · · Score: 2

      Since editors are paid employees, I can't imagine the others don't know what's going on. Whatever it is, they don't seem intent on telling anyone.

    3. Re:This post = spearphished-slashvertisement? by admdrew · · Score: 2

      ...and my response below, since we're being so transparent today (although it feels in bad taste for you to have published my full From common name from my original email to you):

      Robin,

      Thanks for your response (I found your yahoo email just off of a whois of your main domain).

      Your posts aren't marked as paid ads, but they're consistently construed as such by /. commentators, which is certainly of note.

      The thing that many Slashdotters may be missing (I certainly did) is that you're not an official /. editor, per the FAQ, which could help explain how your posts differ so much from the actual editors. I certainly find the commentator confusion and frustration understandable.

      My apologies for any vitriol you felt from my original email to you, I really didn't intend on any! Penny Arcade sums it up best - http://www.penny-arcade.com/comic/2004/03/19

      Thanks

  10. It's not that simple. by nuckfuts · · Score: 2, Informative

    Many corporate users use Outlook. When viewing (or previewing) HTML-formatted messages, it uses the same rendering as Internet Explorer, and is thus susceptible to the same vulnerabilities.

    I can remember a happy time when I could tell people with confidence "you'll never infect your computer by merely viewing an e-mail". Or a JPG. Or a PDF. Or ...

  11. Roblimo as an "editor" by admdrew · · Score: 3, Interesting

    Can someone tell me why all of Roblimo's posts 1) are his own content, versus edited reader submissions, and 2) read exactly like advertisements?

  12. PWNED! by Kookus · · Score: 4, Funny

    Everyone who clicked on this link needs to now attend a phishing training class, you have all been suckered into clicking on this blatant advertisement!

  13. Re:This is stupid and useless. by Gulthek · · Score: 3, Insightful

    It's not about being dumb, it's about not being aware. If the first phishing email you come across is one that's technically advanced and well written enough to slip through the technological filter: then you as a corporate employee are probably going to fall for it. Especially if it's a true spear-phishing email that's targeting *you*. It'll look like an email from your boss with yet another emailed PDF or DOCX report to review. Bam.

    The solution that PhishMe proposes is to safely expose employees to phishing emails on a regular basis and teach everyone to recognize actual phishing emails from those demonstrations. The human reading the email and about to click the link or open the attachment is your last line of defense and shouldn't be neglected as such.

  14. Antiphishing by Murdoch5 · · Score: 2

    Does everyone remember a few weeks ago when a company sent out a real email asking for users to change passwords and some people thought incorrectly it was a phishing email..... Basically that single event proved that people don't understand how to read / detect phishing scams. If you can't even recognize or take steps to recognize what's real from what's fake then I don't know what to tell you, the issue isn't always the scammer or lack thereof, sometimes just blame the users.

    1. Re:Antiphishing by pclminion · · Score: 2

      Why are you blaming the users at all? They erred on the side of caution.

  15. Re:bare-naked slashvertisements by TaoPhoenix · · Score: 2

    Yeah, and while we knew there were a bunch before, I think we're def. seeing Dice's hand in all this.

    The other posters are right about the shift to video, and Roblimo, who really was off the radar until last month. Here is a Reuters article describing specifically how this company is a spinoff of some other one a couple years ago. So yes, it's absolutely a Slash-vertisement. http://www.reuters.com/article/2012/03/20/idUS120683+20-Mar-2012+BW20120320

    Besides your heuristics, let's go even farther. It's these companies that seem to specialize in "protecting/training", with unclear extra motives buried in there. To paraphrase xkcd: "My hobby: watching Anonymous bust open these companies purporting to specialize in providing privacy/security services." Because they're in a position where they can't have ANY incident on their record with the services they sell. Yeah, I sorta don't care if Walmart hoses their data records in some random location branch because that store manager was an idiot. It's Walmart. These security companies are in a different league. Remember HBGary?

    And these Slashverts are coming *fast*. No subtle sneak-in. Fast. The question is whether the rest of what used to be slashdot is worth reading anymore if these aggressive slashverts keep barreling at us. It's like a game of Ad-DonkeyKong. Jump over the barrels!

    --
    My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine