Jan 25 2024

198% Surge In Browser Based Zero-Hour Phishing Attacks

Category: Phishingdisc7 @ 1:23 pm

The digital landscape is under siege. Surging browser-based phishing attacks, a 198% increase in just the second half of 2023, paint a chilling picture of cyber threats outsmarting traditional security. 

Menlo Security’s 2023 State of Browser Security Report unveils this alarming trend, sounding the alarm for organizations and individuals alike.

The Rise Of Evasive Attacks

Gone are the days of easily identifiable phishing scams. 

Cybercriminals are now armed with highly evasive techniques, bypassing conventional defenses like network filters and email scanners. 

These HEATs (Highly Evasive Adaptive Threats), making up 30% of all browser-based attacks, employ tactics like:

  • SMS Phishing (Smishing): Luring victims with seemingly legitimate text messages.
  • Adversary in the Middle (AITM): Intercepting and manipulating web traffic on the fly.
  • Image-Based Phishing: Embedding malicious code within seemingly harmless images.
  • Brand Impersonation: Mimicking trusted websites to steal login credentials.
  • Multi-Factor Authentication (MFA) Bypass: Finding ways to circumvent even two-factor security.

Traditional security, built for known threats, stumbles against the lightning speed of zero-hour attacks. 

These novel phishing campaigns, observed at over 11,000 in just 30 days, exploit the vast and vulnerable attack surface of modern browsers. 

Worryingly, 75% of these attacks hide on trusted websites, cloaked in a veneer of legitimacy.

Despite technological advancements, the human element remains the weakest link. 

Phishing preys on our inherent trust and cognitive biases, tricking us into divulging sensitive information. 

This makes browser security the ultimate line of defense, protecting users at the point of interaction with the web.

Menlo Security: Shining A Light On The Dark Web

The report paints a stark picture, but not a hopeless one. Menlo Security offers a beacon of hope with its advanced browser security solutions

Leveraging cutting-edge AI and machine learning, Menlo’s technology detects and thwarts even the most sophisticated evasive attacks.

Key Takeaways for a Safer Web:

  • Evasive threats demand a new approach: Traditional security falls short. Look to advanced browser security solutions powered by AI.
  • Zero-hour attacks lurk everywhere: Don’t let trusted websites lull you into a false sense of security. Remain vigilant and practice safe browsing habits.
  • Your browser is the frontline: Prioritize comprehensive browser security to shield yourself from evolving cyber threats

David Miller, Policy Advocate: “This report calls for increased collaboration between cybersecurity researchers, technology companies, and policymakers. We need to share threat intelligence, develop best practices, and create regulatory frameworks that incentivize stronger browser security measures.”

Organizations should adopt efficient incident response plans, regularly monitor email traffic for anomalies, and stay updated on emerging threats to stay ahead of the evolving email threat landscape with Trustifi AI-powered Email security solutions.

Phishing Attacks and Detection

Phishing for Phools: The Economics of Manipulation and Deception

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: phishing


Feb 09 2023

What is Social Engineering? How Does it Work?

Category: social engineeringDISC @ 12:09 am

Social Engineering is a technique that is performed by cybercriminals who indulge in exploiting human weaknesses. The act of Social Engineering involves various techniques all of which involve the manipulation of human psychology.

Threat actors rely especially on Social Engineering in order to easily gain sensitive information from victims. Social engineering attack depends on building trust with the victim so that he never suspects in giving out his/her personal information such as phone numbers, passwords, social security number, etc.,

This technique is proved to have been the most successful one when it comes to hacking into an organization’s network. Hackers can disguise themselves as an IT audit person or an external network administrator and easily gain access inside a building without suspicion. Once they are inside an organization, they follow various other social engineering techniques to compromise their network.

One of the greatest weaknesses, an organization can possess is the lack of information security knowledge with its employees. This lack of knowledge in cybersecurity gives a great advantage for hackers to perform attacks causing data breaches in the organization.

Social Engineering

Social Engineering attack Types

There are lots of social engineering attacks that can be used by threat actors. Some of them are,

1. Phishing
2. Vishing
3. Spoofing
4. Tailgating
5. Quid pro quo
6. Baiting

1. Phishing

Phishing is the most simple and effective attack a hacker can use to steal credentials like username, password, social security number, organization secrets, or credit card details. Sometimes phishing is also used to spread malware inside a network. In general,  Phishing involves Social engineering as well as Spoofing

2. Vishing

Vishing is similar to phishing, which involves calling the victim and pretending as a legitimate caller. Once the victim believes without suspicion, it will be easy for the hacker to gain sensitive information such as network structure, employee details, company account details etc., 

3. Spoofing

Spoofing is a type of attack where, “what we see will look like it, but it is not”.In terms of Cyber Security, Spoofing is nothing but disguising as a legitimate source in order to gain sensitive information or to gain access to something. An attacker can trick us into believing that he is from the original source by spoofing. 

4. Tailgating 

Tailgating or piggybacking is a technique followed by threat actors to enter an organization building. During this attack, the threat actors wait for an employee/ a person to enter inside a place where the access for outsiders is restricted and follow them inside the building once they use their access cards or access key to open the door.

5. Quid pro quo 

Quid pro quo in Latin means “a favor for a favor”. In this case, the hacker communicates with an employee of a company and offer them a deal. Either money in exchange for information or anything the employee would wish.

In most cases, money is the main motto. Hackers communicate with a present employee or an ex-employee and ask to give away sensitive information such as administrator privilege, administrator password, network structure, or any other data they require in exchange of the employee’s wish.

Hackers convince the employees to give away the information by making a personal deal with them. This is considered one of the serious threats in an organization because the information is given away intentionally by an employee.

 6. Baiting 

As the word describes, hackers create baits such as USB flash drives, CD-ROM’s, Floppy disk or Card readers.

They create folders inside the devices such as Projects, revised Payrolls of the organization and drop them in sensitive areas(Elevators, Rest Rooms, Cafeterias or Parking lots) where employees would keep it usually.

Once an employee picks up and inserts the USB in their computer, the script inside the device runs and gives full control to the hackers. This method of Social Engineering is called as Baiting.

InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Tags: Baiting, phishing, Quid pro quo, spoofing, tailgating, vishing


Dec 16 2022

Facebook Infrastructure Used by Hackers in Phishing Attack Chain

Category: Hacking,PhishingDISC @ 9:39 am

This recent phishing campaign tricks victims by using Facebook posts in its chain of attacks. The emails that were sent to the targets made it appear as though one of the recipients’ Facebook posts violated copyright, and they threatened to remove their accounts if no appeal was made within 48 hours.

https://www.trustwave.com/media/19406/picture1yu.png?v=0.0.1
Phishing email message

“The content of this Facebook post appears legitimate because it uses a dummy ‘Page Support’ profile with the Facebook logo as its display picture. At first glance, the page looks legitimate, but the link provided in this post leads to an external domain”, according to Trustwave.

Here the Facebook post pretends to be “Page Support,” using a Facebook logo to appear as if the company manages it.

https://www.trustwave.com/media/19407/picture2yu.png?v=0.0.1
Facebook post masqueraded as a support page

The main phishing URL, hxxps:/meta[.]forbusinessuser[.]xyz/main[.]php, which resembles Facebook’s copyright appeal page, is reached by clicking the link in the post.

https://www.trustwave.com/media/19408/picture3yu.png?v=0.0.1

Particularly, any data that victims enter into the form after hitting the send button, along with the victim’s client IP and geolocation data will be forwarded to hackers.

Also, threat actors may gather more data to get through fingerprinting protections or security questions while gaining access to the victim’s Facebook account.

The victim is then redirected to the next phishing website, where a false 6-digit one-time password (OTP) request with a timer is displayed.

https://www.trustwave.com/media/19395/picture10yu.png?v=0.0.1
Phishing page with OTP request

Any code entered by the victim will fail, and if the “Need another way to authenticate?” button is pressed, the site will redirect to the real Facebook site.

According to Trustwave, multiple Facebook profiles have fake messages that look to be support pages and direct users to phishing websites.

Various Facebook accounts promoting the same fake alerts
Various Facebook accounts promoting the same fake alerts 

Therefore, these fake Facebook ‘Violation’ notifications use real Facebook pages to redirect to external phishing sites. Users are urged to take extreme caution when receiving false violation alerts and to not fall for the initial links’ seeming legitimacy.

The Totally Awesome Phish Trivia Book: Uncover The History & Facts Every Phish Head Should Know! 

InfoSecBooks | Tools | Services

Tags: facebook, Facebook Infrastructure, phishing


Apr 26 2022

Phishing goes KISS: Don’t let plain and simple messages catch you out!

Category: PhishingDISC @ 9:02 am

We’re sure you’ve heard of the KISS principle: Keep It Simple and Straightforward.

In cybersecurity, KISS cuts two ways.

KISS improves security when your IT team avoids jargon and makes complex-but-important tasks easier to understand, but it reduces security when crooks steer clear of mistakes that would otherwise give their game away.

For example, most of the phishing scams we receive are easy to spot because they contain at least one, and often several, very obvious mistakes.

Incorrect logos, incomprehensible grammar, outright ignorance about our online identity, weird spelling errors, absurd punctuation!!!!, or bizarre scenarios (no, your surveillance spyware definitely did not capture live video through the black electrical tape we stuck over our webcam)



all these lead us instantly and unerringly to the [Delete] button.

If you don’t know our name, don’t know our bank, don’t know which languages we speak, don’t know our operating system, don’t know how to spell “respond immediately”, heck, if you don’t realise that Riyadh is not a city in Austria, you’re not going to get us to click.

That’s not so much because you’d stand out as a scammer, but simply that your email would advertise itself as “clearly does not belong here”, or as “obviously sent to the wrong person”, and we’d ignore it even if you were a legitimate business. (After that, we’d probably blocklist all your emails anyway, given your attitude to accuracy, but that’s an issue for another day.)

Indeed, as we’ve often urged on Naked Security, if spammers, scammers, phishers or other cybercriminals do make the sort of blunder that gives the game away, make sure you spot their mistakes, and make them pay for their blunder by deleting their message at once.

KISS, plain and simple

Phishing Dark Waters: The Offensive and Defensive Sides of Malicious E-mails

Tags: phishing


Apr 21 2022

Cybercriminals Deliver IRS Tax Scams & Phishing Campaigns By Mimicking Government Vendors

Category: Cyber Threats,Cybercrime,PhishingDISC @ 8:28 am

Threat intelligence firm Resecurity details how crooks are delivering IRS tax scams and phishing attacks posing as government vendors.

Cybercriminals are leveraging advanced tactics in their phishing-kits granting them a high delivery success rate of spoofed e-mails which contain malicious attachments right before the end of the 2021 IRS income tax return deadline in the U.S. April 18th, 2022 – there was a notable campaign detected which leveraged phishing e-mails impersonating the IRS, and in particular one of the industry vendors who provide solutions to government agencies which including e-mailing, digital communications management, and the content delivery system which informs citizens about various updates.

Cybercriminals purposely choose specific times when all of us are busy with taxes, and preparing for holidays (e.g., Easter), that’s why you need to be especially careful during these times.

The IT services vendor actors impersonated is widely used by major federal agencies, including the DHS, and other such WEB-sites of States and Cities in the U.S. The identified phishing e-mail warned the victims about overdue payments to the IRS, which should then be paid via PayPal, the e-mail contained an HTML attachment imitating an electronic invoice.

Cybercriminals Deliver IRS Tax Scams & Phishing Campaigns by Mimicking Government Vendors

Notably, the e-mail doesn’t contain any URLs, and has been successfully delivered to the victim’s inbox without getting flagged as potential spam. Based on the inspected headers, the e-mail has been sent through multiple “hops” leveraging primarily network hosts and domains registered in the U.S.:

Cybercriminals Deliver IRS Tax Scams & Phishing Campaigns by Mimicking Government Vendors

It’s worth noting, on the date of detection none of the involved hosts have previously been ‘blacklisted’ nor have they had any signs of negative IP or abnormal domain reputation:

Cybercriminals Deliver IRS Tax Scams & Phishing Campaigns by Mimicking Government Vendors

The HTML attachment with the fake IRS invoice contains JS-based obfuscated code.

IRS Internal Revenue Service

Scam Me If You Can: Simple Strategies to Outsmart Today’s Rip-off Artists

Tags: IRS Tax Scams, phishing, phishing countermeasures


Oct 21 2021

Problems with Multifactor Authentication

Category: 2FADISC @ 9:04 am

Tags: authentication, MFA, phishing, Problems with Multifactor Authentication, ransomware, social engineering, Two-factor authentication


Oct 13 2021

Cybersecurity awareness month: Fight the phish!

Category: Information Security,PhishingDISC @ 8:44 am

It’s the second week of Cybersecurity Awareness Month 2021, and this week’s theme is an alliterative reminder: Fight the Phish!

Unfortunately, anti-phishing advice often seems to fall on deaf ears, because phishing is an old cybercrime trick, and lots of people seem to think it’s what computer scientists or mathematical analysts call a solved game.

Tic-tac-toe (noughts and crosses outside North America), for example, is a solved game, because it’s easy to create a list of every possible play, and figure out the best possible move from every game position on the list. (If neither player makes a mistake then the game will always be a draw.)

Even games that are enormously more complex have been “solved” in this way too, such as checkers (draughts)



and in comparison to playing checkers, spotting phishing scams feels like an easy contest that the recipient of the message should always win.

And if phishing is a “solved game”, surely it’s not worth worrying about any more?

How hard can it be?

Phishing Dark Waters: The Offensive and Defensive Sides of Malicious Emails

Don’t Get Caught

Tags: Cybersecurity Awareness Month 2021, Fight the phish, phishing, phishing countermeasures, Phishing Dark Waters


Sep 16 2021

Phishing Staff Awareness Training

Category: PhishingDISC @ 10:08 am

Microsoft has been warning of a “widespread” phishing campaign in which fraudsters use open redirect links to lure users to malicious websites to harvest Office 365 and other credentials.

ITG Phishing Staff Awareness Training Program educates your staff on how to respond to these types phishing attacks 📧

Phishing Staff Awareness E-Learning Course

Phishing Staff Awareness E-Learning Course

Tags: phishing, phishing training


Oct 24 2017

10 most clicked phishing email subject lines

Category: PhishingDISC @ 10:13 am

10 most clicked phishing email subject lines

Ironically, the most successful phishing emails of Q3 2017 told recipients that they had been victims of a data breach.

This finding comes from a report from KnowBe4 that investigated the most effective phishing email subject lines. The report looked at tens of thousands of emails from simulated and custom phishing tests, and discovered that the most clicked subject line was ‘Official Data Breach Notification’.

Phishing subject lines

The top ten most clicked subject lines were:

  1. Official Data Breach Notification
  2. UPS Label Delivery 1ZBE312TNY00015011
  3. IT Reminder: Your Password Expires in Less Than 24 Hours
  4. Change of Password Required Immediately
  5. Please Read Important from Human Resources
  6. All Employees: Update your Healthcare Info
  7. Revised Vacation & Sick Time Policy
  8. Quick company survey
  9. A Delivery Attempt was made
  10. Email Account Updates

KnowBe4 also evaluated phishing email subject lines specifically from social networks. The most clicked subject lines were messages ostensibly from LinkedIn. This is worrying for organisations, as many people link their work email address to their LinkedIn account, and a successful phishing attack could expose the company to a data breach or further phishing emails.

Other common social media phishing emails claimed that someone had attempted to log in to their accounts, that they’d been tagged in a photo or that they’d received free pizza.

“Nearly impossible” for technology to protect you

Commenting on the study, KnowBe4’s chief evangelist and strategy officer, Perry Carpenter, said: “The level of sophistication hackers are now using makes it nearly impossible for a piece of technology to keep an organization protected against social engineering threats. Phishing attacks are smart, personalized and timed to match topical news cycles. Businesses have a responsibility to their employees, their shareholders and their clients to prevent phishing schemes.”

You can take action against targeted phishing attacks by enrolling your staff on ITG Phishing Staff Awareness Course.

This online course shows your staff how phishing works, what to look out for and how to respond when they receive a malicious message. It’s ideal for all employees who use the Internet or email in their day-to-day duties and, as such, it’s delivered in simple terms that everyone in your organisation can understand.

Find out more about our Phishing Staff Awareness Course >>




Subscribe to DISC InfoSec blog by Email




Tags: phishing, phishing countermeasures, spear-phishing


Jun 29 2011

The weakest link in computer hacking?

Category: Security AwarenessDISC @ 10:30 am

Hack

Image by copyfighting via Flickr

The weakest link in computer hacking? Human error
By Cliff Edwards, Olga Kharif,Michael Riley, Bloomberg News

The U.S. Department of Homeland Security ran a test this year to see how hard it was for hackers to corrupt workers and gain access to computer systems. Not very, it turned out.

Staff secretly dropped computer discs and USB thumb drives in the parking lots of government buildings and private contractors. Of those who picked them up, 60 percent plugged the devices into office computers, curious to see what they contained. If the drive or CD case had an official logo, 90 percent were installed.

“There’s no device known to mankind that will prevent people from being idiots,” said Mark Rasch, director of network security and privacy consulting for Falls Church, Va.’s Computer Sciences Corp.

The test showed something computer security experts have long known: Humans are the weak link in the fight to secure networks against sophisticated hackers. The intruders’ ability to exploit people’s vulnerabilities has tilted the odds in their favor and led to a spurt in cybercrimes.

In real-life intrusions, executives of EMC Corp.’s RSA Security, Intel Corp. and Google Inc. were targeted with e-mails with traps set in the links. And employees unknowingly post vital information on Facebook or Twitter.

It’s part of a $1 trillion problem, based on the estimated cost of all forms of online theft, according to McAfee Inc., the Santa Clara computer security company.

Hundreds of incidents likely go unreported, said Rasch, who previously headed the Justice Department’s computer crime unit. Corporate firewalls costing millions to erect often succeed in blocking viruses and other forms of malware that infect computers and steal data such as credit card information and passwords. Human error can quickly negate those defenses.

“Rule No. 1 is, don’t open suspicious links,” Rasch said. “Rule No. 2 is, see Rule No. 1. Rule No. 3 is, see Rules 1 and 2.”

A full report on the Homeland Security study will be published this year, Sean McGurk, director of the department’s National Cybersecurity and Communications Integration Center, said at a June 16 conference in Washington.

Tactics such as spear-phishing – sending a limited number of rigged e-mails to a select group of recipients – rely on human weaknesses like trust, laziness or even hubris.

That’s what happened in March, when attackers used a clever ruse to exploit their discovery that RSA – the company that provides network-access tokens using random secondary passwords – was in a hiring campaign.

Two small groups of employees received e-mails with attached Excel spreadsheets titled “2011 Recruitment Plan,” the company said in April. The e-mails were caught by the junk-mail screen. Even so, one employee went into the folder, retrieved the file and opened it.

The spreadsheet contained an embedded Adobe Systems Inc. Flash file that exploited a bug, then unknown to San Jose’s Adobe, that allowed hackers to commandeer the employee’s PC. RSA said information related to its two-factor SecurID authentication process was taken.

Banks may be forced to pay $50 million to $100 million to distribute new RSA SecurID devices, according to Avivah Litan, a Gartner Inc. research analyst.

“The team that hacked us is very organized and had a lot of practice,” Uri Rivner, head of new technologies at RSA Security, said at a June 17 conference in Spain. “I can compare them to the Navy Seals Team Six, which hit Osama bin Laden.”

The FBI began warning in early 2009 about a rise in spear-phishing attacks. To succeed, they require the target to open a link presumably sent by someone they know or trust.

Total phishing attacks increased by 6.7 percent from June 2010 to May 2011, according to Symantec Corp.’s State of Spam & Phishing monthly report. The number of non-English phishing sites increased 18 percent month over month.

Spear-phishing is evolving into what Rasch calls whale phishing: Targeting senior-level executives whose computers may have access to far more sensitive information that rank-and-file workers.

Technology executives are attractive targets because their positions give them access to a trove of information, and they tend to believe they’re better protected from computer hackers than their employees, Rasch said.

Hackers research decision makers by browsing social networks, reading up on news about the company, and creating e-mails and links that appear to be genuine and come from people that the targets know.

“Phishing is on a different trajectory than it’s been in the past,” said Malcolm Harkins, Intel’s chief information-security officer.

This article appeared on page D – 2 of the San Francisco Chronicle on June 28, 2011

Hacking: The Art of Exploitation




Tags: hackers, International Monetary Fund, McAfee, phishing, RSA SecurID, RSA Security, RSA The Security Division of EMC, SecurID


Apr 25 2011

Phishing emerges as major corporate security threat

Category: Email SecurityDISC @ 9:11 pm

A picture of the EVEREST visualization facilit...

Image via Wikipedia

Source: Computer World

The successful use of phishing emails to breach secure organizations like Oak Ridge National Laboratory and RSA are stark reminders of the serious threat posed by what some experts have dismissed as as a low-tech method of attack.

Oak Ridge, a U.S. Department of Energy-run research lab, this week disclosed it had shut down all Internet access and email services after discovering a sophisticated data stealing malware program on its networks.

According to the lab, the breach originated in a phishing email that was sent to about 570 employees. The emails were disguised to appear as notes about benefits changes written by the lab’s HR department. When a handful of employees clicked on the embedded link in the email, a malware program was downloaded onto their computers.

In terms of internal security, people are the weakest link – which makes phishing the emerging threat to any organization. Regular awareness training is one of the key control to countermeasure Phishing.

Latest titles on Phishing and countermeasures




Tags: Internet access, Malware, Oak Ridge National Laboratory, phishing, RSA, U.S. Department of Energy, United States, United States Department of Energy


Feb 10 2011

China-based hackers targeted oil, energy companies in ‘Night Dragon’ cyber attacks

Category: cyber securityDISC @ 8:34 pm

Utility

Image by lisbokt via Flickr

From the LA Times

China-based hackers may have been stealing sensitive information from several international oil and energy companies for as long as four years, cyber-security firm McAfee Inc. said in a report Thursday.

The company said it traced the “coordinated covert and targeted cyberattacks” back to at least November 2009 and that victims included companies in the U.S., Taiwan, Greece and Kazakhstan. McAfee has dubbed the security breach “Night Dragon.”

McAfee said the hackers, using techniques and tools originating in China and often found on Chinese hacking forums, grabbed details about company operations, project financing and bidding that “can make or break multibillion dollar deals.”

Operating through servers in the U.S. and the Netherlands, the company said, the hackers exploited vulnerabilities in the Microsoft Windows operating system. Techniques included social engineering, spear-phishing, Active Directory compromises and remote administration tools, or RATs.

Although elaborate, Santa Clara-based McAfee said the hacking method was “relatively unsophisticated.” And because most of the Night Dragon attacks originated between 9 a.m. and 5 p.m. Beijing time on weekdays, the cyber-security firm said it suspects that the hacking was not the work of freelancers.




Tags: Active Directory, china, Greece, Kazakhstan, McAfee, Microsoft Windows, phishing, Taiwan


Mar 24 2010

8 tips for safer online shopping

Category: Information SecurityDISC @ 6:14 pm

By Microsoft.com
Online threats today come in the form of attacks on you and attacks on your computer. Here are eight (8) ways for you to have a safer online shopping experience:

1. Keep your computer software up to date.
Keep all software (including your web browser) current with automatic updates. If you are not already running Internet Explorer 8, the latest version of our web browser, click the button to the right to get it.

2. Defend your computer.
Use firewall, antivirus, antispam, and antispyware software. For an added layer of protection on your PC, you can download Microsoft Security Essentials for free or find other antivirus solutions.

3. Avoid phishing scams and malware.
By default Internet Explorer 8 runs SmartScreen Filter to help block and warn you of malicious software or phishing threats. SmartScreen Filter alerts you if a site you are trying to open has been reported as unsafe and allows you to report any unsafe sites you find.

4. Protect yourself from emerging threats
Cross-site scripting attacks are one of the increasingly sophisticated methods online criminals use to get your personal information. By default Internet Explorer 8 helps protect you against these attacks with a built-in Cross Site Scripting (XSS) Filter that is always on.

5. Identify fake Web addresses.
Internet Explorer 8 helps you avoid deceptive websites that can trick you with misleading addresses. The domain name in the address bar is highlighted in black to make it easier to identify a site’s true identity.

6. Browse more privately.
When you’re using a public computer to check e-mail or you’re shopping for a “surprise” gift on a family PC, it’s a good idea to use InPrivate Browsing—a feature that helps prevent your browsing history, cookies, and other information from being retained on your computer.

7. Make sure payment websites use encryption.
To confirm that a website uses encryption when processing credit card information, look for:

■ An “s” after http in the Web address—it should read https:

■ A tiny closed padlock in the address bar, or at the lower-right corner of the window.

■ A green address bar—Internet Explorer 8 uses this to indicate a trustworthy site.

8. Never respond to unsolicited requests to update your account information.
These e-mail messages might be scams for stealing your identity. Most legitimate companies never send unsolicited e-mail or instant message requests for your passwords or other personal information. And remember, if it sounds too good to be true, it probably is.




Tags: cross site scripting, Internet Explorer, Internet Explorer 8, Malware, Microsoft Security Essentials, phishing, Web browser


Feb 16 2010

Security risk assessment process and countermeasures

Category: Security Risk AssessmentDISC @ 4:01 pm

The Security Risk Assessment Handbook: A Complete Guide for Performing Security Risk Assessments

The following are the common steps that should be taken to perform a security risk assessment. These are just basic common steps which should not be followed as is but modified based on organization assessment scope and business requirements.

‱ Identify the business needs of the assessment and align your requirements with business needs.
‱ Assess the existing security policies, standards, guidelines and procedures for adequacy and completeness.
‱ Review and analyze the existing assets threats and vulnerabilities
‱ Analyze the impacts and likelihood of threats and vulnerabilities on assets
‱ Assess physical controls to network and security infrastructure
‱ Assess the procedural configuration review of network and security infrastructure based on existing policies and procedures
‱ Review logical access and physical access and other authentication mechanism
‱ Review the level of security awareness based on current policies and procedures
‱ Review the security controls in service level agreement from vendors and contractors
‱ At the end of review develop a practical recommendations to address the identified gaps in security controls

To address the existing gaps in infrastructure we have to select the appropriate countermeasures to address the vulnerability or thwart a threat of attack. Four types of techniques are used by countermeasures:

‱ Deterrent controls reduce the likelihood of an attack. Blocking phishing sites at ISP is an example of deterrent control
‱ Preventive controls reduce exposure. Firewall is an example of preventive control
‱ Corrective controls reduce the impact of successful attacks. Antivirus is an example of corrective control
‱ Detective controls discover attacks and trigger preventive or corrective controls. IDSs and SIEM systems are example of detective control.




Tags: authentication, countermeasure, Firewall, phishing, Risk Assessment, security controls, Security policy, security review, Security Risk Assessment, security risk assessment process


Dec 16 2009

Internet security breach found at UCSF

Category: hipaa,Security BreachDISC @ 2:38 pm

University of California, San Francisco
Image via Wikipedia

By Erin Allday, SF Chronicle

Hackers may have had access to personal information for about 600 UCSF patients as a result of an Internet “phishing” scam, campus officials said Tuesday.

The security breach occurred in September when a faculty physician in the UCSF School of Medicine provided a user name and password in response to a scam e-mail message. The e-mail had been sent by hackers and made to look as though it came from UCSF workers who are responsible for upgrading security on internal computer servers.

The university is not identifying the physician.

A UCSF audit in October found that e-mails in the physician’s account included personal information about patients, including demographic and clinical data, and the Social Security numbers of four patients. It is unknown whether hackers actually accessed the e-mails.

The patients have all been notified of the security breach.

Phishing scams are designed to get people to reveal private information – such as Social Security numbers, credit card information and passwords – when they reply to e-mails that pretend to come from legitimate organizations.

For years, financial institutions and other corporations have been educating people to be cautious of such scams and wary of revealing private information on the Internet.

In response to the latest scam, UCSF officials said the university has been re-educating employees about protecting their user names and passwords.


Here we have another unnecessary healthcare data breach in a university due to phishing which resulted in a loss of private data demonstrating poor baseline security and lack of security awareness training. Healthcare organizations are not ready for HIPAA (ARRA and HITECH provision) compliance. Checkout why Healthcare Organizations May Not Be Prepared for HITECH and Other Security Challenges
Review my threats page and evaluate your current business and system risks to make sure this does not happen to you.


Considering healthcare standard electronic transaction (compliance date, Jan 1, 2012) and HITECH provision (compliance date, Feb 17, 2010) are in the pipeline for healthcare organizations. Do you think it’s about time for them to get their house in order?

Reblog this post [with Zemanta]




Tags: arra and hitech, arra hitech provisions, Computer security, Credit card, Health Insurance Portability and Accountability Act, hipaa, Identity Theft, phishing, social security, Social Security number


Nov 10 2009

Facebook, MySpace users hit by cyber attacks

Category: CybercrimeDISC @ 1:27 am

facebook
Image by sitmonkeysupreme via Flickr

NZ HERALD reported that Facebook users – already being targeted in a malware campaign – are now under threat from a phishing scam.

Security specialists Symantec report that the company’s systems have picked up fake messages that appear to be sent by the social networking service.

Users will receive an email that looks like an official Facebook invite or a password reset confirmation.

If a duped user clicks on the ‘update’ button they will be redirected a fake Facebook site. They will then be asked to enter a password to complete the updating process.

As soon as the unwitting Facebook user does this, their password is in the hands of cybercriminals.

Dodgy subject lines for the phishing emails are: ‘Facebook account update,’ New login system’ or ‘Facebook update tool’.

The malware campaign that is still targeting Facebook is also propagated via email. This time, the message looks like a Facebook notification that the recipient’s password has been reset.

It includes a zip file that, if opened, launches an .exe file, which Symantec’s Security Response centre says is a net nasty called Trojan.Bredolab.

Once a users’ machine is infected by this malware, it secretly dials back to a Russian domain and, Symantec says, “is most likely becoming part of a Bredolab botnet.”

But it isn’t just Facebook that is being lined up by cybercriminals, News Corp’s MySpace is also under attack.

Potentially dangerous email subject lines to look out for are: ‘Myspace Password Reset Confirmation,’ ‘Myspace office on fire’ and ‘Myspace was ruined’.

Symantec believes their will be another attack on MySpace in the next day or two. “We also think that social networking sites with huge user bases are currently being targeted to infect maximum machines or gather passwords for more malicious activities in future,” the security team said in a statement.

It advised users to be extra-careful of suspicious attachments, especially those including password reset requests. Legitimate websites will not send an attachment for resetting a password, it said.

– NZ HERALD STAFF

Reblog this post [with Zemanta]




Tags: botnet, facebook, Malware, MySpace, News Corporation, phishing, Social network, Social network service, trojan, Website


Oct 01 2009

Sophisticated phishing attack and countermeasures

Category: Cybercrime,Email Security,Identity TheftDISC @ 12:36 am

phishing

Phishing and Countermeasures: Understanding the Increasing Problem of Electronic Identity Theft

Phishing is a practice of luring unsuspecting Internet users to a fake Web site by using authentic-looking email with the real organization’s logo, in an attempt to steal passwords, financial or personal information. In daily life people advise to retrace your steps when you lose something. The question is how you retrace your steps on cyberspace where some uber hackers know how to erase their footsteps to avoid detection. It is difficult to find phishers in cyberspace, and jurisdictional issues make it even harder to prosecute them. Then there is an issue of trust that phishers dupe people to believe that their web site is not fraudulent to collect personal/financial information.

Below is an example of sophisticated phishing attack
Link to phishing email

It looks very legit, with all the correct data, logos, graphics and signatures.

One giveaway: the TSA rule change has nothing to do with rental cars. It only affects your airline ticket vs your photo ID (drivers license, passport, whatever.)

To verify that this is bad stuff, right click on the links. You get “http://click.avis.com/r/GDYHH9/16HY8/6V5I29/M93XX4/YCCJP/A5/h”, which looks OK on first glance, since it says “avis.com”. But myAvis should not send me to “click.avis.com”. I also noticed that all the other links send you to the same location.

The clincher (here comes the geeky stuff:)

To open a terminal window, press the “Windows key” and the letter “R”.

You will see the “Run Dialog Box”. Type “cmd”, and press “OK

Open a terminal window and run nslookup:

C:\> nslookup
> www.avis.com <<< check IP address of the real AVIS web site Server: 4.2.2.3 Address: 4.2.2.3#53 Non-authoritative answer: www.avis.com canonical name = www.avis.com.edgekey.net. www.avis.com.edgekey.net canonical name = e2088.c.akamaiedge.net. Name: e2088.c.akamaiedge.net Address: 96.6.248.168 <<< get IP address of the real AVIS web site > click.avis.com <<< now check IP address of the bogus AVIS web site Server: 4.2.2.3 Address: 4.2.2.3#53 Non-authoritative answer: click.avis.com canonical name = avis.ed10.net. Name: avis.ed10.net <<< not the same domain as the real AVIS domain Address: 208.94.20.19 <<< note IP address is in a totally different sub net > 208.94.20.19 <<< now do a reverse lookup of the fake AVIS web site Server: 4.2.2.3 Address: 4.2.2.3#53 ** server can't find 19.20.94.208.in-addr.arpa.: NXDOMAIN <<< it should give you the web site name > avis.ed10.net <<< bogus AVIS web site name Server: 4.2.2.3 Address: 4.2.2.3#53 Non-authoritative answer: Name: avis.ed10.net Address: 208.94.20.19 > 208.94.20.19

Moral of the story: be very careful with links in emails and web pages. To check the authenticity of the link, right click on the link, copy that to a text file and take a good look.
Don’t click on the phisher’s email. Type URL into web browser yourself

——————————————————————————————————————————–
In the table below are the 12 threats to your online identity which can be manipulated in phishing scams, and possible countermeasures to protect your personal and financial information. Some threats are inadequate or no security controls in place. The last row of the table is a monitoring control to identify the warning signs of identity theft.
——————————————————————————————————————————–
[TABLE=7]



Download a free guide for the following cloud computing solutions

Hosted email solution
Hosted email archiving
Hosted web monitoring
Hosted online backup




Tags: email archiving, Email Security, Identity Theft, online backup, phishing, phishing countermeasures, phishing threats, web security


Oct 21 2008

12 Phishing Threats and Identity Theft

Category: Email Security,Identity TheftDISC @ 7:22 pm

Have you ever thought of losing something and you cannot live without it? Yes, that something can be your identity. Phishing is a practice of luring unsuspecting Internet users to a fake Web site by using authentic-looking email with the real organization’s logo, in an attempt to steal passwords, financial or personal information. In daily life people advise to retrace your steps when you lose something. The question is how you retrace your steps on cyberspace where some uber hackers know how to erase their footsteps to avoid detection. It is difficult to find phishers in cyberspace, and jurisdictional issues make it even harder to prosecute them. Then there is an issue of trust that phishers dupe people to believe that their web site is not fraudulent to collect personal/financial information.

Amongst the financial crisis, phishing might be on the rise because for many organizations information protection might be the last thing on their mind. The FDIC has created a webpage to inform and warn consumers about “phishing.” These days phishers have targeted social network organizations LinkedIn and Facebook where their members have been duped into revealing their sensitive data.

Mainly phishing attacks are targeted to steal the identity. Now the question is, how easy it is to steal somebody’s identity? Let’s say a phisher has your name and address, and then he/she can get your Social Security number with the search on AccurInt or other personal database website. A Social Security number is not the only bounty a fraudster can find on these websites, other personal/private information is available as well at minimal cost.

In the table below are the 12 threats to your online identity which can be manipulated in phishing scams, and possible countermeasures to protect your personal and financial information. Some threats are inadequate or no security controls in place. The last row of the table is a monitoring control to identify the warning signs of identity theft.

[Table=7]

Organizations should take necessary steps to protect against identity fraud and apply whatever state and federal legislation applies to your business. Organizations which are serious about their information security should consider implementing the ISO 27001 (ISMS) standard as a best practice, which provides reasonable due diligence to protect and safeguard your information.

US Bank phishing attack exposed
httpv://www.youtube.com/watch?v=n2QKQkuSB4Q


(Free Two-Day Shipping from Amazon Prime). Great books




Tags: accurint, countermeasure, cyberspace, due diligence, equifax, experian, facebook, fdic, financial crisis, fraudster, identity fraud, information protection, isms, iso 27001, jurisdictional, legislation, linkedin, phishing, prosecute, safeguard, social security, threats, transunion, uber hacker


Sep 04 2008

Web 2.0 and more data

Category: Information Security,Web 2.0DISC @ 5:52 pm

According to the Identity Theft Resource Center of San Diego, “the data breaches are on the rise in 2008” and with more data breaches so are the impact and amount of losses. Web 2.0 is next phase of internet creation, where huge social networks are built and citizens of the network enjoy the interactive and conversational approach of the new web frontier. Does the web 2.0 introduce new threats which can be exploited by cyber criminals?

To aid a social communication, users are required to input personal profile including birth date and residence addresses into these social networks to participate, which happens to provide a target rich environment for cyber criminals. These days new attacks are already taking advantage of personal information, some of which is retrieved from social network sites. If the account is hacked/breached from one of these social network sites, the impersonator can damage the (personal and professional) reputation by modifying the profile or changing/inserting the contents or comments.

Cross site scripting is one of the major threat facing Web 2.0, below is an example of XSS.

“In an incident reported in early December 2006 by Websense, hackers compromised the MySpace social networking site and infected hundreds of user profiles with a worm. This malicious code exploited a known vulnerability to replace the legitimate links on the user profiles with links to a phishing site, where victims were asked to submit their username and password. In addition, according to Websense, the worm embedded infected video in victims’ user profiles.”

AJAX is one of the main programming languages used to develop Web 2.0.

“A traditional Web site is like a house with no windows and just a front door. An AJAX Web site is like a house with a ton of windows and a sliding door. You can put the biggest locks on your front and back doors, but I can still get in through a window.”

What if you happen to be a peace activist or a whistle blower in your company? Then perhaps Uncle Sam or your employer wants to settle scores with you for some reason. The question is who is monitoring them or for that matter stopping them from getting into your account to steal or modify data to damage your reputation or career? The point is, besides all the functional benefits, web 2.0 comes with new threats which we need to be aware of. Without knowing these risks we can’t manage or mitigate them to a point which is acceptable to the society at large.

Web 2.0 contents are mostly interactive or dynamic in nature. The tools which were used to defend static contents might not be feasible for dynamic web 2.0 contents. Non-repudiation, validating the source and real time verification of the contents might be necessary to stay on top of the dynamic nature of web 2.0 threats.

Web 2.0 – Opportunity 2.0 or Threat 2.0?

How freely available online infomation on Web 2.0 was utilized to break into online banking account

Web 2.0 … The Machine is Us/ing Us

httpv://www.youtube.com/watch?v=6gmP4nk0EOE


(Free Two-Day Shipping from Amazon Prime). Great books




Tags: ajax, cross site scripting, cyber criminals, data breaches, identity theaft, mitigate, non-repudiation, phishing, Web 2.0, web 2.0 threats, websense, xss