Unfortunately, in the hacker “sport” of phishing, it only takes one lapse for an entire organization to be on the hook.
New York, NY (PRWEB) August 14, 2012
In the realm of cyber security, summertime creates an excellent opening for one of the most effective delivery systems for worms, Trojans and other devious malware to “breach the walls” of any organization simply by crafting a lure (a phishing email) convincing enough to get a “mark” to either open a malicious attachment, or innocently click a link that leads to a malicious site, not to mention introducing a perfect gateway for identity theft when it is done convincingly enough to entice the input of personal information on a bogus hacker-created site.
There are vacation bills, airfare notifications, restaurant bills and other unusual purchases from unusual places clogging millions of inboxes this time of year. But with vacations now in the near past, or even still in progress, unusual emails tend to get a closer look, sometimes even posing as a security alert about suspicious account activity, which really hits home as a possibility and strikes the right chord during the vacation months.
Thankfully, most people have learned to avoid basic spam, like winning a foreign lottery or the never ending string of wealthy, long lost relatives and dying altruists that seem have chosen YOU as the beneficiary of their grand estate. All with a fee and some hoops to jump through before the promised mega-riches can be collected of course. Hoops like account information, social security numbers, family history and other gems a hacker would love to mine.
Phishing is the next step in the evolution of spam and it’s all about deception. It is also based on a “mass-blast” concept, but uses the ploy of masquerading as a familiar and/or popular site, like eBay, PayPal, Facebook or any one of hundreds of other sites familiar to large swaths of the population. A phishing email will, for instance, inform the recipient they need to update their account information and directs the victim to a bogus site which looks a lot like the real thing. A good phishing attack will also “spoof” the header information to make it look like it comes from a trusted source, but mousing over some of the internal links (without clicking) can tell a very different tale.
Then there are hackers that like more of an extreme version of phishing, one which requires a lot more effort, but offers chances for enormous rewards – spear phishing. Spear phishing is all about personal touches, touches which better connect with the marked individual or organization. A successful spear phishing email will be built around three important criteria. First, a spear phishing email has to look like it comes from a trusted source, usually someone familiar to an individual or organization, or even from within the organization itself. Second, there has to be some kind of information in the email which reinforces its validity, and third, it has to make enough sense that it seems reasonable to follow a link or open an attachment. The more research a hacker puts into it, the craftier and harder to distinguish from the real thing it becomes.
Joe Caruso, founder and CEO/CTO of Global Digital Forensics, has seen these delivery methods ravage organizations, having responded to breaches for Fortune 100 companies and small to medium sized businesses alike. “If there is one way hackers gain access to organizations and their networks that dwarfs all others, it’s phishing type of emails. But without a doubt, spear phishing is the hardest to avoid. Social networking has made mining for information to use in successful spear phishing attacks more effective than ever. A hacker just has to find a list of personnel on a company website, match that up to an individual or individuals on a social networking site and do some good old-fashioned intelligence. Tom, the “IT guy” for the Acme Widget Factory can’t wait for his vacation to Cancun next week, so who would be suspicious about an email that comes from Betty in the IT department at the Acme Widget Factory that says, so sorry to bother you, Tom usually takes care of this kind of thing but he is on vacation in Cancun this week and we have a problem to fix on the network, could you verify your account information so we can straighten it out?” And that’s it, simple and surprisingly effective.”
“Right now is a perfect opportunity for penetration testing on an organizational network, which is letting the good guys try to infiltrate a system just like the bad guys would. Things are typically a little slower in August and penetration testing with an additional focus on social engineering is less disruptive, yet just as revealing and beneficial. When we do penetration testing for a client, we orchestrate attacks from our GDF Attack Center in Florida and let’s just say our success rate is often eye-opening. With the free consultation we are currently offering, we eliminate a lot guesswork for the client and can get right to the heart of what’s needed, because our experts are trained to know what to ask and what’s needed to achieve the most beneficial results.”
For your free two hour consultation with a Global Digital Forensics cyber security expert, call 1-800-868-8189 and let them help customize a plan specifically suited for your unique needs. For more information you can also visit http://www.evestigate.com