Aujas US

An IDG Ventures Company

Phishers Target Social Media, Are You the Victim?


Phishers are targeting social media. Your company and employees have to play their part to fight them.

Social media has been all the buzz recently. While I am writing this post, there are more than 500 million active users on Facebook, with 50% of them logging on at least once a day from their office, home, coffee-shop, school, or while mobile. Today many organizations have an active presence across LinkedIn, Facebook or Twitter. Social media has emerged as an effective marketing tool to engage with a mass audience. As Natalie Petouhoff, Senior Researcher with Forrester Research, Inc., said, “Social media isn’t a choice anymore – it is a business transformation tool”.

This new and growing means of communication opens new channels for scammers to conduct social engineering attacks. Scammers have started using social media in a big way to retrieve vital information from users, and they also spread social networking malware for financial gain. Messages or web links that arrive from immediate connections on Facebook or Twitter lead users to believe they are genuine and that there is nothing wrong with clicking them. Scammers leverage this fact and exploit human emotions such as greed, trust, fear, and curiosity to conduct phishing attacks. According to the latest Anti-Phishing Q2 2010 Report, there is a definite increase in social networking phishing attacks: while such attacks were almost negligible in Q1 2010, they accounted for nearly 3 percent of reported attacks in Q2.

Any currently hyped political situation, news story, video or mishap is enough to make a user click a link and be redirected to the (malicious) website the scammer wants. The message is crafted to pull on your curiosity, or made strong enough to create sympathy for people affected by a tragedy. It is very unlikely that you have not seen messages like these on your wall or in your Twitter feed:

“Did you see how will u look like in 20 years from now? lol: http://bit.ly/gbdhuD”

“They need your help, Pls donate http://ntbnking.lnkd.it/jpn/donation”

“Hey, I am your old college friend! Just joined your company; why not reconnect? – http://biz.ty/23424”

“I bumped into some of your old friends the other day; they wanted me to send you this – http://facebooklink”

The websites behind these links could be asking for your Internet-banking credentials (for a “donation” to the affected people), for sensitive information about your organization, or for any other personal information that is valuable to scammers. Alternatively, clicking the link downloads malware or a virus and your system is compromised.

Often scammers target one user account on a social networking site, compromise it using a script, and that script then propagates to the accounts of the user’s friends. This is called self-replicating malware; it uses application vulnerabilities such as unvalidated redirects, clickjacking, and cross-site request forgery to spread across multiple user accounts. For mobile users it is even worse, because it is not easy to verify the authenticity of a URL.

I am sure you will agree that it is not easy to stop usage of social media completely even though there are definite risks involved. Organizations need to look beyond traditional technology controls, and look to continuous education and awareness to fight phishing attacks.

Organizations can take the following steps to fight phishing attacks:

  1. Establish a social media strategy. Clearly document and enforce what employees may and may not discuss or disclose on social networking sites.
  2. Conduct social media awareness programs that cover both the rewards and the risks of social media. They should also cover how to identify phishing websites and how to tell an original website from a fraudulent one.

As an employee, these best practices can help you avoid becoming prey to phishing attacks:

  1. Never click a link or bookmark that is associated with financial transactions or asks for sensitive information; instead, make it a habit to type the URL into the address bar yourself.
  2. Do not click links that ask you to download ActiveX controls or other software onto your system: they could be Trojans or malware that later act as a control point for remotely controlling your system and other systems inside the network.
  3. Ensure that the site is authentic and uses HTTPS before providing any sensitive information about yourself or your organization.
  4. Report suspected links to your internal security team and to the social networking site, so that they can work with the hosting provider to take down the phishing website.

Both the organization and its employees have to play their part to fight against phishing risks over social media.

Aujas can help your company manage risk from phishing threats with its industry-leading Phishing Diagnostic Solution. Contact Karl Kispert, our Vice President of Sales, to learn more. He can be reached at karl.kispert@aujas.com or 201.633.4745.

April 27, 2011 | Posted in: Cyber Crime, Identity Theft, Phishing, Risk management, Social Engineering

5 Hot Topics in Information Security for 2011

According to the Aujas information security experts, these are the five crucial security topics that should be on the radar for business executives in 2011:

Data Governance and Data Leakage Prevention (DLP) – Some executives believe their employees know exactly what data should be protected and what data can be shared via website, conversation or social media.  These executives have a false sense of security. Many companies still do not have a strong data classification program or policy in place to educate employees on what is critical to an organization and what is not.  Some execs may also think that having a DLP tool and plugging it in is the answer. That’s like plugging in a power saw and saying you can build a house! Having a tool and knowing how to use it effectively are two different things.

Tip: Find a champion to drive your data governance and loss prevention initiative.  If your company has a CISO, this person is the most logical one to take on this role. If not, you can assemble a small team of stakeholders to work with guidance from a third party who specializes in information risk management.

Application Security – With so many applications being developed and used in companies of all sizes, some are being created without security in mind. Some technology companies feel a need to be first on the street with a new application and bypass the Security Development Lifecycle (SDL). They think about security only after the application is released and, sadly, find that they spend more money fixing the application.

Tip: First perform a penetration assessment on your company’s critical applications to identify vulnerabilities. Then be proactive!  Create a framework in which security is part of the SDL.

Social Media – The intentional and unintentional release of sensitive information via Facebook, Twitter, etc. can affect your company’s bottom line. Your intellectual property may wind up on an underground website or, if your secrets are shared with the world, you may not be first to market with your new product or service.

Tip: You don’t need to declare social media off limits to your employees. It is an important business tool that is not going away.  You do, however, need to understand the risks of social media, and make users aware.

Cyber Security – Over the past year, more organizations have come to understand that there is a very real cyber security threat in the US and that the US Government cannot take care of every threat-related issue. Your company needs to develop strong internal and external security programs to protect itself.

Tip: Putting in place a robust information risk management (IRM) program is essential so that your stakeholders understand the people, process and technology risks and how they can affect your access, availability, and agility to conduct business.

Phishing – Hackers continue to use phishing, a type of social engineering, to solicit information from individuals.  Though the incidents of phishing were down in the second half of 2010, the attacks continue to get more and more sophisticated. 

Tip: Perform a phishing diagnostic so that you are aware of the threat, and specifically of who in your organization is susceptible to this type of attack.

Aujas can help your company manage risk from these threats. Contact Karl Kispert, our Vice President of Sales, to learn more. He can be reached at karl.kispert@aujas.com or 201.633.4745.

January 24, 2011 | Posted in: Data Leak Prevention, IT security, Phishing, Risk management, SDL, Social Engineering

New Trends in Phishing Attacks

Quick Introduction to Phishing

The convenience of online commerce has been embraced by both consumers and criminals alike. Phishing involves stealing consumers’ personal identity data and financial account credentials. Social-engineering schemes use fake e-mails purporting to be from legitimate businesses to lead consumers to counterfeit websites designed to trick recipients into divulging financial data such as account and PIN numbers. Technical-subterfuge schemes plant crime-ware on PCs to steal credentials directly, often using systems to steal customers’ or organizations’ sensitive information.

Besides the obvious threats associated with phishing, other adverse effects include decreasing customer confidence in online commerce, and financial losses experienced by both businesses and consumers.

Although progress has been made in identifying threats and developing countermeasures, there has also been a simultaneous increase in attack diversity and technical sophistication in phishing and online financial fraud. Technical crime-ware resources are readily available and have been streamlined and automated, allowing for use by amateur criminals, making phishing economically viable for a larger population of less sophisticated criminals.

Latest Phishing Attacks

  • Tab Napping – Imagine you open the login page for your Intranet portal, then open a new tab to visit another website for a few minutes, leaving the first tab unattended. When you return to the Intranet portal, the login page looks exactly as you left it. What you have not realized is that a fake page has taken its place, so when you type in your credentials you have inadvertently handed the fraudster easy access to your account.
  • Spear Phishing – A rising phenomenon that uses official-looking e-mails to lure people to fake websites and trick them into revealing personal information. Unlike traditional phishing, spear phishers do not send thousands of e-mails at random; they target select groups with something in common—they work at the same company, bank at the same financial institution, attend the same college, order merchandise from the same website, and so on. The e-mails are ostensibly sent by organizations or individuals the potential victims would normally hear from, which makes them even more believable.
  • URL Obfuscation – As users learn to detect fake e-mails and websites, phishers use techniques such as URL obfuscation to make phishing e-mails and sites appear more legitimate. The victim is misled into believing that the link or website shown in the browser or HTML-capable e-mail client belongs to a trusted site, but is in fact redirected to a phishing site. For example, if the legitimate URL is http://www.login.example.com, the phishing URL may be http://www.login-example.com; the easily overlooked substitution of a hyphen for a dot tricks the customer into trusting the site.
  • Filter Evasion – Another e-mail phishing technique: the attacker sends messages whose text is carried in images linked to malicious websites, leaving text-based filters little to inspect; the linked sites then harvest personal details.
  • SMishing – The attacker uses SMS to launch a phishing attack against cell phones and steal sensitive information. The scam message directs you to click a link to a malicious banking website or to call a phone number. If you visit the link, it downloads viruses onto your system; if you dial the number, you will be asked for personal information.
  • Specialized Malware – Over the last couple of years, malware has been increasingly used for criminal activity against users of online banking and commerce sites. Specialized malware available today can easily be reconfigured to target information from a number of different websites. Malware also provides several mechanisms for stealing data that is then used for identity theft or for stealing money from a victim’s account.
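The URL Obfuscation entry above (the hyphen-for-dot substitution of login-example.com for login.example.com) and the sample wall messages quoted in the social media post earlier on this page both come down to the same defensive question: can a link be screened before anyone clicks it? The following Python is an added example, not code from Aujas or from any of the posts. It assumes a constructed allowlist of trusted domains (`example.com`), a small set of well-known link shorteners (bit.ly is the one the page quotes), and a constructed sample post; the `registrable_domain` helper deliberately uses the last two host labels only, which is a simplification (a production check would consult the public suffix list).

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Constructed allowlist: domains this hypothetical organisation tells staff to trust.
TRUSTED_DOMAINS = {"example.com"}

# Link shorteners: bit.ly is quoted on the page; t.co and tinyurl.com are other
# well-known ones. A shortened link hides its destination until the redirect happens.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def registrable_domain(host: str) -> str:
    """Last two labels of a host name. Simplification: multi-label public
    suffixes such as co.uk are not handled; a production check would consult
    the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def lookalike_of(host: str, trusted) -> Optional[str]:
    """Detect the substitution described in the post: a hyphen standing in for
    the dot between labels, so 'login-example.com' reads like 'login.example.com'.
    Turning each hyphen back into a dot and testing for a trusted suffix exposes it."""
    candidate = host.lower().replace("-", ".")
    for domain in sorted(trusted):
        if candidate == domain or candidate.endswith("." + domain):
            return domain
    return None


def check_link(url: str, trusted=TRUSTED_DOMAINS) -> dict:
    """Classify one link before it is clicked: host, verdict and the reasons."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    findings = []

    if registrable_domain(host) in trusted:
        # Known-good domain: only complain if credentials would travel in the clear.
        if parts.scheme != "https":
            findings.append("trusted domain but not https")
        verdict = "trusted" if not findings else "suspicious"
        return {"host": host, "verdict": verdict, "findings": findings}

    if registrable_domain(host) in SHORTENERS:
        findings.append("shortened link hides the destination")
    target = lookalike_of(host, trusted)
    if target:
        findings.append(f"lookalike of {target}")
    if not findings:
        findings.append("domain not on the trusted list")
    if parts.scheme != "https":
        findings.append("not https")
    return {"host": host, "verdict": "suspicious", "findings": findings}


def scan_message(text: str, trusted=TRUSTED_DOMAINS) -> list:
    """Pull every http(s) link out of a wall post or e-mail body and check each one."""
    return [check_link(url, trusted) for url in URL_RE.findall(text)]


# Constructed sample post in the style of the messages quoted on the page.
SAMPLE_POST = (
    "Did you see how you will look in 20 years? lol: http://bit.ly/abc123 "
    "They need your help, please donate: http://donate-example.com/help "
    "Reset your password here: http://www.login-example.com/verify "
    "Official portal: https://www.login.example.com/"
)

if __name__ == "__main__":
    for result in scan_message(SAMPLE_POST):
        print(result["verdict"].upper(), result["host"], "; ".join(result["findings"]))
```

Only the last link in the sample post is rated trusted; the three others are flagged for a hidden destination, a hyphen lookalike of the trusted domain, and plain http respectively. The allowlist approach matches the employee advice given earlier on the page: a link that does not resolve to a domain you already trust is typed by hand, not clicked.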

Conclusion

Though people today are more aware of phishing, countermeasures need to be designed in order to deal with the increasing technical sophistication of criminals conducting phishing scams exploiting human vulnerabilities.

Phishing awareness needs to grow to include law enforcement and employees of targeted businesses so that they are able to accurately recognize scams targeting them. It is also important to remain vigilant by developing and enforcing countermeasures, making the resources for phishing both scarce and expensive with increased policing and thereby making phishing less profitable.

The message is clear – the key to protecting oneself starts with continuous education and awareness.

The Aujas Phishing Diagnostic Assessment can help your company assess and remediate phishing risks. For more information about the Diagnostic, or other Aujas services, contact Karl Kispert, VP of Business Development at 201 633 4745 or karl.kispert@aujas.com.

November 29, 2010 | Posted in: Cyber Crime, Phishing, Social Engineering

How I Hacked My Car Manufacturer

There are very few articles that I would consider “rerunning” in Risky Business; however, this is one that is worth repeating.

When I read there was going to be a social engineering competition at this year’s Defcon (the annual hacker gathering held every summer in Las Vegas) I knew I had to enter. It was the perfect chance to hone my sweet talking skills in a judged and neutral setting, and also to test my hypothesis that not only is social engineering a risk to regular end users in an enterprise, but that even corporate InfoSec teams are not immune from the threat.

Social engineering is essentially “pretexting” yourself into getting people either to divulge sensitive information or getting into areas you otherwise shouldn’t be in. You’re a sprinkler inspector who shows up unannounced at the front desk or the harried internal auditor racing to meet a deadline who calls an employee seeking information about their computer system. Given most people’s inherently trusting and helpful nature, social engineering attacks are surprisingly successful, which is why most corporate information security training programs address the threat. One would assume this would mean the InfoSec groups should be aware of any such attempt. As Gershwin would say, “it ain’t necessarily so.”

For the Defcon contest, each entrant was randomly assigned a major corporation as a target. Mine just so happened to be the manufacturer of my car. Sweet revenge. The first task was to create a dossier on the target company, solely from information gleaned from the Internet and public sources. There were to be no pre-contest calls, visits to the company’s headquarters, or contact with the company in any way whatsoever.

After crawling various search engines for email addresses, phone numbers, addresses, press releases, and other valuable information, I moved on to social networking sites like LinkedIn and Facebook. Soon I had accumulated almost 1,000 email addresses, hundreds of recent press releases, and a couple of employee handbooks as a good starting point. Next, any email addresses not correlated to a name were cut, as were any that couldn’t be verified as current or recent employees. The remaining email addresses were then fed into the various search engines to pick out only employees that worked in my target’s information security group. These were in turn fed back into the search engines to see if anything interesting fell out; information like hobbies, school affiliation, etc.

Soon the file was whittled down to approximately 75 people that I had gathered at least two points of information with which I could engage them during my pretexting in order to gain an elevated level of trust. If the target person had an interest in flying, I’d be sure to work a local air show into the conversation. Building any sense of familiarity or commonality with a target boosts the success rate of a social engineering attack exponentially.

Next I had to develop the attack vector I would use. Since I was targeting the InfoSec group, I knew I couldn’t use the old standby of posing as an auditor for the company. That is such a commonly used ploy that most if not all InfoSec employees should be able to sniff that attack out a mile away. Instead, I settled on posing as a survey taker for CSO Magazine. That would give me cover for calling the security group and asking questions about their security environment.

Three weeks later I was in the soundproof booth at Defcon, dialing through my list of numbers in front of a live audience as I perused the list of “flags” the judges had given me to collect; essentially pieces of information useful for a hacker attack. The first number to answer gave me hope that my hypothesis might be wrong. The security engineer at the other end of the line was very hesitant to speak with me, and very quickly shut me down, refusing to answer any questions that would reveal any technical information about the company. That was a promising sign – perhaps training of InfoSec personnel was starting to become effective.

Not so much. My next target was another security engineer, who, although initially having misgivings about speaking with me, was quickly convinced to participate through both my pleading that I only needed 10 minutes of his time and that I was risking losing my job if I didn’t meet my daily target, but more importantly, that there was a $25 iTunes gift card waiting for him upon completion of the “survey”. Greed is always a good motivator. Within 15 minutes I had sweet talked the guy into revealing everything from the OS version and service packs installed, browser type and version, to his anti-virus engine and signature version. Basically anything needed to launch a successful targeted attack.

So much for training

In the end I had proven my point; InfoSec people are no different from other end users. While they may have more security awareness training than others, they are still susceptible to the same weaknesses of others; greed, a desire to assist, and a fear of getting in trouble or creating delays in “mission critical” tasks. More important is that they suffer from the same weakness that everyone seems to suffer from – the belief that they would know if they were ever being “snookered.”

So what can be done to protect against social engineering attacks? To prevent on-site attacks make this the golden rule that is *never* broken – “unannounced visitors aren’t let in if their corporate sponsor isn’t reachable to validate the visit.” To prevent general social engineering attacks focus your efforts on ongoing awareness training (once a year is not enough), routine testing of personnel to see how effective the training is, and most important of all, reducing information leakage. The amount of information that companies allow employees to post about their jobs and corporate environment is shocking (not to mention the information the companies themselves leak). Take an hour and peruse the various social networking sites like LinkedIn and Plaxo and see what information you can glean about your employees, the projects they are working on, and what software they are using. Regularly run your company’s name through the various search engines to look for information coming from unlikely sources (it’s not unusual for contractors or suppliers to post information about dealings with other companies which inadvertently leaks helpful information to an attacker). Doing this exercise from the point of view of an attacker or competitor who knows nothing about your company will allow you to quickly see how many pieces of seemingly disparate information can eventually form a cookbook for a successful attack.

Train and monitor your staff, plug the leaks, monitor the web. Take these three steps and you will be on your way towards reducing (but never eliminating) the threat of social engineering attacks.

Shane MacDougall is a principal partner in Strategic Intelligence, a Canadian-based corporate intelligence gathering firm. He has been a professional white hat hacker, security consultant, and speaker since 1989.

November 8, 2010 | Posted in: Risk management, Social Engineering, White Hat Hacking