RSA: Phish Me If You Can (Video)

Spearphishing. The deluxe (but easy) way to get unwary employees to put malware on your network. It's basically the same as phishing, except more targeted. That is, a plain phishing scam might offer an unwary web-browsing employee a chance to see a famous starlet naked, while a spearphishing attack might purport to be an urgent request from your Bizzaro County office for 200 Kg of Unobtainium Oxide. Open that email, and... ZAP! So this is social hacking (cracking for the old-timers), and cannot necessarily be fought entirely by technical means. So how about setting up fake spearphishing attempts and immediately sending employees who fall for them to an IT security class with an emphasis on how to avoid phishing scams? You can do this yourself, possibly with help from a bright person or two from a nearby University. Or you can contact PhishMe or another anti-phish training company and have them help you teach spearphishing awareness to your people. Either way, every computer-using person in your company should know about phishing -- and should know how to avoid getting hooked by phishers.


  1. LOL by Anonymous Coward · · Score: 5, Insightful

    Your daily Slashvertisement brought to you by Dice Holdings, Inc.

  2. Open an email by Nerdfest · · Score: 4, Informative

    Open an email? You mean text? Not really a problem. If you're not blocking images and JavaScript, you're headed for trouble, targeted or not.

    1. Re:Open an email by cusco · · Score: 4, Insightful

      In network security, just the same as physical security, the main problem is not the hardware or the software, it's the wetware.

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin

  3. It's not the slashvertisement by i+kan+reed · · Score: 5, Insightful

    It's the fact that they treat us like eager morons, who won't recognize it. I mean the signs are dead simple.
    1. Mentions a particular company by name.
    2. Includes at least one buzz-word.
    3. Entirely positive language.
    Regular Slashdot stories pretty clearly have signs of concern or raise questions about their subject matter. These bare-naked slashvertisements are insulting. If you're going to be blatant, please fucking acknowledge that it's sponsored in the summary.

    1. Re:It's not the slashvertisement by ShanghaiBill · · Score: 4, Insightful

      I mean the signs are dead simple.
      1. Mentions a particular company by name.
      2. Includes at least one buzz-word.
      3. Entirely positive language.

      4. Pushes a stupid and unnecessary product or service.

      Instead of training your staff not to open phishy emails, just ban any email client that allows execute-on-open.

    2. Re:It's not the slashvertisement by Peristaltic · · Score: 4, Insightful

      Same old shit. Disconnected suits, demanding more revenue, institute this kind of crap and gradually push away the users whose participation made /. a valuable site in the first place. If it gets worse, a site will eventually pop up that fills the niche left behind by /. Once the -new- one becomes valuable...... Around and around we go, ad nauseam. In the meantime, before the new site has enough users / inertia, we're stuck with more and more "articles" like this one, which really should not have been put in front of this readership.

    3. Re:It's not the slashvertisement by Midnight_Falcon · · Score: 4, Insightful

      Amen to this. IT professionals get enough cold calls, account managers doing "account reviews" (sales calls), and the like already. They often are people who like advertisement the least and believe they are smart enough to make their own decisions on vendors without being swayed.

      That's why ads written like a PR News story posted on Slashdot are insulting to us -- it's obviously an ad, but it's not labelled so. They no longer label the author as associated with Dice Holdings, so it can be passed off as legit news. It also can't be blocked by ad blocking software or the "disable ads" button that appears as a thank you for positive contributions.

      On top of that, they are using the moderation system to mod down complaints about this unscrupulous practice.

      This is part of the growing trend of stripping content that users want in favor of content that pays the most money to the site's publisher, the same thing folks like Facebook are doing in activity feeds. Monetizing the site at the expense of the experience of the user. How long can this trend continue before users have had enough?

  4. Remember to check your legitimate e-mails by Todd+Knarr · · Score: 4, Insightful

    When setting up a test like this, first look at the legitimate e-mails sent around your company. If your business routinely circulates e-mails containing attachments employees are expected to open or links they're expected to click on, then ask yourself why you've got an overlap between what you expect employees to do and what you want them to not do. If you expect employees to check addresses but your e-mail client hides addresses, ask yourself why you're hiding what you want recipients to check. If you're having to ask those kinds of questions then the first problem you need to address isn't employees being vulnerable to spearphishing attacks, it's your internal e-mail culture and standards that make those vulnerabilities normal and expected.

    Expect a lot of resistance to fixing these things. Not from your regular workers, from the upper layers of management who like these things because they make life easy and look "Oooh, shiny!".

    It's a lot like physical security. You can emphasize it all you want, but when managers get angry at employees who closed the door in the manager's face forcing them to use their own key you will not get employees to stop letting people tailgate through doors.

  5. This post = spearphished-slashvertisement? by DontBlameCanada · · Score: 5, Informative

    I got duped into clicking the story thinking it was a legitimate article. Instead I got a slashvertisement... ./suckered

    1. Re:This post = spearphished-slashvertisement? by i+kan+reed · · Score: 4, Interesting

      I'm watching this thread to see if you get modded down. I think they've gone as far as telling editors to mod down those who point out it's a slashvertisement. Regular mods never mod down this far down in a discussion, so I'd like to see if my hypothesis is substantiated.

  6. Re:More stupid victim-blaming by Gulthek · · Score: 4, Insightful

    This is what passes for +5 insightful these days?

    The issue isn't opening an email, but clicking a link in that email or, worse, clicking a link that takes you to a legitimate looking site and entering data, or opening an attachment in a legitimate looking email.

    There are all sorts of attack vectors present from an email message. To sweep it all up as "IT's Problem" is a very, very bad idea. It just takes one email fooling the right person to be a security problem.

    PhishMe's philosophy is that at some point the technical protection will fail ... so you'd better ensure that your employees know what to look for. The best way to teach them what to look for is to let them actually experience safe emails using the same techniques that would be maliciously used against them.

    Spear-phishing isn't an idle threat, it's a widely used attack method that has gotten data out of targets like the New York Times, Defense Department, Facebook, and Apple (http://www.theatlanticwire.com/technology/2013/02/spear-phishing-security-advice/62304/). I'm sure that each of those companies has a very robust and capable IT Department armed with email scanning and sanitizing software. You just can't catch everything with technology.
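The story summary and the comment above both describe the same loop: send a simulated lure, see who falls for it, and send those people to the awareness class. The script below is an added example (not PhishMe's code or anything from the original thread) of the bookkeeping side of such a campaign: it reads a constructed event log in an assumed "timestamp,user,event" format, works out each recipient's worst outcome, builds the training list, and computes click rate, report rate and time to first click, which are the numbers a campaign is normally judged by.

```python
from datetime import datetime

# Constructed sample from one simulated spear-phishing campaign, in a
# hypothetical "timestamp,user,event" format; "reported" is an assumed event
# for a recipient who forwarded the lure to the security team instead.
SAMPLE_EVENTS = """\
2013-03-01T09:00:00,alice,sent
2013-03-01T09:00:00,bob,sent
2013-03-01T09:00:00,carol,sent
2013-03-01T09:00:00,dave,sent
2013-03-01T09:04:12,bob,opened
2013-03-01T09:05:30,bob,clicked
2013-03-01T09:06:01,bob,submitted
2013-03-01T09:11:02,carol,reported
2013-03-01T10:20:00,dave,clicked
"""

# The worst outcome per recipient decides the follow-up: clicking the lure or
# submitting data on the landing page is what earns the awareness class.
SEVERITY = {"sent": 0, "opened": 1, "reported": 1, "clicked": 2, "submitted": 3}


def parse_events(text):
    """Parse CSV lines into (timestamp, user, event) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, event = line.strip().split(",")
            events.append((datetime.fromisoformat(ts), user, event))
    return events


def summarize(events):
    """Per-recipient worst outcome, the training list and campaign metrics."""
    worst, sent_at, reported, first_click = {}, {}, set(), None
    for ts, user, event in sorted(events):  # chronological order
        if event == "sent":
            sent_at[user] = ts
        elif event == "reported":
            reported.add(user)
        elif event == "clicked" and first_click is None:
            first_click = ts
        if user not in worst or SEVERITY[event] > SEVERITY[worst[user]]:
            worst[user] = event
    n = len(sent_at)
    training = sorted(u for u, e in worst.items() if SEVERITY[e] >= SEVERITY["clicked"])
    ttfc = (first_click - min(sent_at.values())).total_seconds() if first_click else None
    return {"worst": worst, "training": training,
            "click_rate": len(training) / n if n else 0.0,
            "report_rate": len(reported) / n if n else 0.0,
            "seconds_to_first_click": ttfc}
```

Run `summarize(parse_events(SAMPLE_EVENTS))` to get the training list and the metrics; a rising report rate and a falling click rate across campaigns is the trend the training is supposed to produce.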

  7. PWNED! by Kookus · · Score: 4, Funny

    Everyone who clicked on this link needs to now attend a phishing training class, you have all been suckered into clicking on this blatant advertisement!