Aujas US

An IDG Ventures Company

Phishers Target Social Media, Are You the Victim?

Phishers target social media

Phishers are targeting social media. Your company and employees have to play their part to fight them.

Social media has been all the buzz recently. While I am writing this post, there are more than 500 million active users on Facebook, with 50% of them logging on at least once a day from their office, home, coffee-shop, school, or while mobile. Today many organizations have an active presence across LinkedIn, Facebook or Twitter. Social media has emerged as an effective marketing tool to engage with a mass audience. As Natalie Petouhoff, Senior Researcher with Forrester Research, Inc., said, “Social media isn’t a choice anymore – it is a business transformation tool”.

This new and growing means of communication opens new channels for scammers to conduct social engineering attacks. Scammers have started using social media in a big way to retrieve vital information from users. They also use social networking malware for financial gains. Message or web links coming from immediate connections over Facebook or Twitter lead users to believe that they are genuine and there’s nothing wrong with clicking them. Scammers leverage on this fact and exploit human emotions such as greed, trust, fear, and curiosity to conduct phishing attacks. According to the latest Anti-Phishing Q2 2010 Report, there is a definite increase in social networking phishing attacks. While attacks were almost negligible in Q1 of 2010, they accounted for nearly 3 percent of reported attacks in Q2.

Any current hyped political situation, news stories, videos or mishaps are good enough to make the user click on the link and redirect to the desired (malicious) website.  The message is defined to pull your curiosity or it is made strong enough to create sympathy towards people affected by tragedy. It is very unlikely that you have not seen these kinds of messages on your wall or twitter box-

“Did you see how will u look like in 20 years from now? lol: http://bit.ly/gbdhuD 

“They need your help, Pls donate http://ntbnking.lnkd.it/jpn/donation 

“Hey, I am your old college friend! Just joined your company; why not reconnect? – http://biz.ty/23424 

“I bumped into some of your old friends the other day; they wanted me to send you this – http://facebooklink

The above websites could be asking for your Internet-banking credentials for donation to affected people, sensitive information about your organization or any other personal information which is valuable to scammers. By clicking on this link, the malware or virus gets downloaded your system is compromised.

Often scammers target one social networking site user account, compromise it using script, and this script gets propagated to the user’s friends’ accounts. This is called self-replicating malware, and uses application vulnerabilities such as invalidated redirects, click jacking, and cross-site request forgery to spread across multiple user accounts. For mobile users, it becomes even worse because it is not easy to verify authenticity of URLs.

I am sure you will agree that it is not easy to stop usage of social media completely even though there are definite risks involved. Organizations need to look beyond traditional technology controls, and look to continuous education and awareness to fight phishing attacks.

Organizations can take following steps to fight against phishing attacks:

  1. Establish a social media strategy. Clearly document and enforce what is allowed and not allowed to discuss and disclose in social networking sites.
  2. Conduct social media awareness programs which should include the rewards and risk of social media. It should also cover how to identify phish websites and differentiate between original and fraudulent websites.

As an employee, these best practices can help you avoid becoming prey of phishing attacks:

  1. Never click on a link or a bookmark which is associated with financial transactions or asks for any sensitive information; instead always have a practice to manually type URL in the address bar.
  2. Do not click on links which ask to download ActiveX or software on your system as they could be Trojan / malware which later becomes the control center to remotely control your and other systems inside the network.
  3. Ensure that the site is authentic and using secure layer (https) before providing any sensitive information about yourself or your organization.
  4. Report suspected links to your internal security team and the social networking site so that they can work with the hosting provider to bring down the phish website.

Both the organization and its employees have to play their part to fight against phishing risks over social media.

Aujas can help your company manage risk from phishing threats with its industry-leading Phishing Diagnostic Solution. Contact Karl Kispert, our Vice President of Sales, to learn more. He can be reached at karl.kispert@aujas.com or 201.633.4745.

Advertisements

April 27, 2011 Posted by | Cyber Crime, Identity Theft, Phishing, Risk management, Social Engineering | , , | Comments Off on Phishers Target Social Media, Are You the Victim?

Security Breaches Continue to Grow

Identity TheftWhat do Tulane University, South Carolina State Employee Insurance Program, National Guard Headquarters – Santa Fe NM, BlueCross/BlueShield –Michigan, Seacoast Radiology, and University of Connecticut -HuskyDirect.com have in common?  They were just a few of the companies that reported security breaches in January 2011.

Information management is critically important to all of us – as employees and consumers. For that reason, the Identity Theft Resource Center has been tracking security breaches since 2005, looking for patterns, new trends and any information that may better help us protect data and assist companies in their activities.

In prior issues of Risky Business, I posted this brief article and supporting statistics about security breaches.  I was curious to see how the data changed.  You can see for yourself below in the last line.

The following data was collected from Identity Theft Resource Center® website idtheftcenter.org and refers to the number of total data breaches that were reported with an estimate of how many records were exposed:

2005 Breach List: Breaches: 157 Exposed: 66,853,201
2006 Breach List: Breaches: 321 Exposed: 19,137,844
2007 Breach List: Breaches: 446 Exposed: 127,717,024
2008 Breach List: Breaches: 656 Exposed: 35,691,255
2009 Breach List: Breaches: 498 Exposed: 222,477,043

2010 Breach List: Breaches: 662 Exposed: 16,167,542

You must understand that the majority of the reported breaches do not reveal the actual number of exposed records so therefore the number is MUCH larger than what is listed here.

Your call to action is to ensure your Information Risk Management Program is as secure as you think it is and as secure as your stakeholders, customers, Board of Director’s believe it to be.  Aujas is helping organizations manage risk and enhance information value with practical, innovative solutions!

January 31, 2011 Posted by | Data Losss Prevention, Identity Theft, IT security | , , | Leave a comment

HIMSS Survey of Security Pros Is Food for Thought

HIMSS security surveyThe Healthcare Information and Management Systems Society (HIMSS) in November published results of a survey that focused on key issues surrounding the tools and policies in place to secure electronic patient data at healthcare organizations. Though your company may not be in the healthcare industry, read the results discussed below, and think about how they might compare to your organization.

The 2010 HIMSS Security Survey included feedback from information technology and security professionals from healthcare provider organizations across the U.S. Here’s an overview of respondents’ input:

Maturity of Environment: Respondents characterized their environment at a middle rate of maturity.

Security Budget: Approximately half of respondents reported that their organization spends three percent or less of their organization’s IT budget on information security.

Formal Security Position: Slightly more than half (53%) of respondents reported they have either a CSO/CISO or full-time staff in place to handle their organizations’ security functions.

Risk Analysis: Slightly more than half of respondents (59 %) who said that their organization conducts a formal risk analysis reported that this analysis is conducted annually.

Patient Data Access: Surveyed organizations most widely employ user-based and role-based controls to secure electronic patient information.

Management of Security Environment: Nearly all respondents reported that their organization actively works to determine the cause/origin of security breaches. Two thirds reported having a plan in place for responding to threats or incidents related to a security breach.

Security in a Networked Environment: Approximately 85% of respondents reported that their organization shares patient data in an electronic format.

Future Use of Security Technologies: Mobile device encryption, e-mail encryption and single sign-on and were most frequently identified by respondents as technologies that were not presently installed at their organization but were planned for future installation.

Patient Identity: Half of respondents indicated that they validate patient identity by both requiring a government/facility-issued ID and checking the ID against information in the master patient index.

Medical Identity Theft: One-third of respondents reported that their organization has had at least one known case of medical identity theft at their organization.

December 7, 2010 Posted by | Identity Theft, IT security | , , , | Leave a comment

Identity and Access Management – This must be your project, not your partners’!

Lessons Learned

Identity and Access RiskHaving been through numerous Identity and Access Management (IAM) implementations, we see two common denominators in terms of customer expectations that rear their ugly heads rather frequently:

  1. Let’s integrate everything that we have, and
  2. Let’s do it all at once

One can understand the excitement we all go through when we contemplate having a solution that allows us link so many applications, streamline processes with workflow automation and synchronize attributes across the board. While that excitement is infectious and contagious, the sound voice of reason must be heard and listened to.

It is natural for you to want to do as much as you can with a product, and it is human to want all of it done yesterday. Hence, the onus lies on the domain experts to work closely with customers (as partners, not vendors) and plan out a deployment that gives the customers the most results as soon as possible and additional benefits over subsequent phases.

The “good” partner helps the customer prioritize their needs and requirements, and establish plans to achieve those objectives over phases. Strong project management and planning are the keys to a successful IAM program. The products from various vendors are unlike those of 5 years ago, they are now mature, stable and scale exceptionally well, unless hacked to death to fulfil a few exotic requirements.

We cannot lose sight of the top benefits of having a robust IAM program toa company:

  1. IT systems and applications are constantly compliant with a variety of regulations, there are few gaps in access recertification
  2. Processes and access governance have been streamlined – business demands, business approves, and business gets – with minimal or no IT intervention
  3. Password reset is automated and secure, and helpdesk costs are under control
  4. Peace of mind

 

So next time you want to know whose side the “partner” is on, throw a plan too ambitious at them. While most will try to give you what you demand, you will know during the course of their approach whose interests they have in mind, yours or their own.  After all, it is your project and responsibility.

November 22, 2010 Posted by | identity and access management, Identity Theft, IT security, Risk management | , , , | Leave a comment

Number of Breaches Going Up and Up!

Identity TheftInformation management is critically important to all of us – as employees and consumers. For that reason, the Identity Theft Resource Center has been tracking security breaches since 2005, looking for patterns, new trends and any information that may better help us protect data and assist companies in their activities.

In issue 17 of Risky Business, I posted this brief article and supporting statistics for you to read.  I was curious to see in one month how the data changed, I assumed it would go up, but by how much.  You can see for yourself below in the last line.

The following data was collected from Identity Theft Resource Center® website idtheftcenter.org

2005 Breach List: Breaches: 157 Exposed: 66,853,201
2006 Breach List: Breaches: 321 Exposed: 19,137,844
2007 Breach List: Breaches: 446 Exposed: 127,717,024
2008 Breach List: Breaches: 656 Exposed: 35,691,255
2009 Breach List: Breaches: 498 Exposed: 222,477,043
2010 Breach List (as of 10-5-10): Breaches: 533 Exposed: 13,517,866

2010 Breach List (as of 11-2-10): Breaches: 571 Exposed: 14,000,609

November 8, 2010 Posted by | Cyber Crime, identity and access management, Identity Theft, Risk management | , | Leave a comment