CyberheistNews Vol 1, #22
Editor's Corner
Warn Your Users: 4 Spear-Phishing Hooks For The Holidays
Expect some of the typical phishing lures to be cast this year, but more
targeted 'spear-phishing' twists raise the potential for damage. The CSO
website warned about this: "Cybercriminals are increasingly abandoning
the technique of casting a wide net by blasting thousands of email
accounts with a phishing scam. That's not nearly as lucrative as a
spear-phishing attack, which might take more work, but has the potential
for a much bigger payoff, according to Rohyt Belani, CEO of
phishing-awareness-training company PhishMe."
"The kind of phishing attacks that are working now involve targeting
specific employees at an organization," said Belani. "Every major breach
we have heard about this year has been initiated by a targeted phishing
attack, be it RSA, Epsilon, numerous defense contractors, Oak Ridge
National Laboratory and on and on."
Here are the highlights; the details are in their story:
1) "Kick off your holiday shopping with this 10% off coupon for any store
at [your local mall]"
2) "[Your company] thanks for your hard work this year and invites you
to enter our holiday raffle"
3) "A year-end inspection has turned up mold in offices in our building
at [your work address]"
4) "[Your company] is migrating its payroll system before the end of
the year. Please enter your updated information to avoid interruption
of your direct deposit."
More:
http://www.csoonline.com/article/693966/4-spear-phishing-hooks-for-the-holidays?
The State Of Phishing
This week, I have found three reports for you that all give much
deeper insight into the current state of phishing. Two of these are
very recent, and the third one took some digging to find, as I was
looking for the actual cost of a phishing attack to a company.
Luckily I was able to find a report that Cyveillance created a few
years ago that calculates the shocking cost if your company is on
the receiving end of a phishing attack. This is all great ammo if
you need to get budget approval for a security training program.
And then here are 5 tips to get approval for budget as well!
http://www.knowbe4.com/getting-approval/
Quotes of the Week
"You may delay, but time will not." - Benjamin Franklin
"A man cannot be comfortable without his own approval." - Mark Twain
"Diligence is the mother of good luck." - Benjamin Franklin
Please tell your friends about CyberheistNews! They can subscribe here:
http://www.knowbe4.com/about-us/cyberheist-news/
"We Discovered A Serious Human Vulnerability"
"I'm a system administrator and we regularly get users' workstations
infected with malware. Then Microsoft reported that 45% of the infections
are caused by the users being 'social engineered', so we decided to test it
out for ourselves."
"First we did the Email Exposure Check. Out of our 197 users, 87 email
addresses were found on the Internet. Then we did the Phishing Security
Test, and sent these 87 a relatively simple simulated phishing attack
that could have been sent by any bad guy."
"We were shocked to see that our spam filters and antivirus did not
catch the phishing email, and that 24 of these 87 clicked on the link.
We discovered a serious human vulnerability." -- P.H. System Admin
Find out for yourself how big this human security hole is in your
organization. Fill out this form and you will get the results for free:
http://www.knowbe4.com/eec/
Anti-Phishing Working Group Phishing 2011 First Half Report
The Anti-Phishing Working Group just released their first-half 2011 report.
The full report is available via the PDF below. They started out with:
"Phishers are an ingenious lot, and the successful ones develop their
own specialties and business plans. For example, in this report we
describe how Chinese phishers are using resources outside of their
country to attack users and companies inside of China. And elsewhere,
phishers have taken an old hacking trick and used it to great advantage,
multiplying the number of phish they can deploy against their favorite
targets. These and other tactics have significant implications for
phishing targets, service providers, and antiphishing responders." More:
http://www.antiphishing.org/reports/APWG_GlobalPhishingSurvey_1H2011.pdf
MarkMonitor Fraud Intelligence Report Third Quarter 2011
This is an interesting report, and it shows a host of detailed fraud
numbers. One section is on phishing attacks by industry: "The Financial
sector continued to be the most phished industry, accounting for 44%
of phish attacks, while the Payment Services sector accounted for 20%.
The Retail/Service sector increased again to include over 14% of
total phish last quarter. Auctions, Online Gaming and Social Networking
remained important sectors attracting 4 - 5% of total phish attacks."
Here is the whole report:
https://www.markmonitor.com/download/report/Fraud_Report-Q3_2011.pdf
Cyveillance Report On True Cost Of Phishing
Cyveillance is one of the leading companies in cyber intelligence. A few
years ago they published a report that still holds water and provides
value, as it shows you how much phishing attacks really cost. That price
tag has not changed much, but the number of attacks has.
"How much do phishing attacks really cost organizations? This question
has intrigued and frustrated the security industry since attacks began
to appear. According to a Gartner study released in December 2007, phishing
attacks represent a staggering amount of fraud, costing organizations
more than 3 billion dollars annually. Even more shocking than this cost
is the fact that phishing is a steadily growing problem with no end in
sight.
This increase in phishing is hardly a surprise, as this form of online
fraud has grown into one of the most common and most profitable scams
for criminals. The schemes vary, but they typically involve using some
combination of spoofed junk email (spam), malicious software (malware),
and fake Web pages to harvest personal information from unwitting
consumers.
Customers of both well-known brands and lesser-known companies alike
have fallen victim to this pervasive form of online fraud. In fact,
over the past three years, Cyveillance, the world leader in cyber
intelligence, has detected phishing attacks against more than 2,000
brands across 30 countries.
Organizations often have a difficult time assessing how phishing affects
their finances, as there are numerous factors to take into account when
trying to measure the cost as well as the impact phishing has on
customers, productivity and reputation. In this document, Cyveillance's
phishing experts explain the costs of phishing attacks, in a manner that
can be easily adjusted to any organization's specific business model
or support process." More:
http://www.antiphishing.org/sponsors_technical_papers/WP_CostofPhishing_Cyveillance.pdf
Cyberheist 'FAVE' LINKS:
* This Week's Links We Like. Tips, Hints And Fun Stuff.
Surfer rides a 90 foot wave and sets a new World Record:
http://www.flixxy.com/surfer-rides-90-foot-wave-world-record.htm
Dance breaks out at Dubai International Airport:
http://www.flixxy.com/dubai-airport-flash-mob.htm
Robin Williams has a tickle fight with a Gorilla:
http://www.flixxy.com/robin-williams-has-a-tickle-fight-with-a-gorilla.htm
National Geographic presents some amazing pictures and facts about our
planet in "Visions of Earth":
http://www.flixxy.com/visions-of-earth.htm
Modern Samurai Isao Machii shows his amazing skill with a Samurai sword:
http://www.flixxy.com/modern-samurai-isao-machii.htm
In 1995, during the making of his TV series "Triumph of the Nerds" about
the birth of the PC, Bob Cringely did a memorable hour-long interview with
Steve Jobs. Only a small portion of that interview was used and the rest
was lost, until just a few days ago when a copy was found in the director's
garage:
http://www.flixxy.com/steve-jobs-the-lost-interview.htm