Phishers Hone Skills, Craft More Impressive Attacks
CWmike writes "Recent break-ins at high-profile targets like the International Monetary Fund demonstrate just how proficient hackers have become at so-called spear phishing, researchers said on Tuesday. 'Today's spear phishing is not only more prevalent but also much more technically proficient,' said Dave Jevans, chairman of the Anti-Phishing Working Group. 'They're not going for a password, anymore; they're getting people to install crimeware on their computers.' The trend highlights the need for defenses against such targeted threats, requiring companies to look beyond security strategies focused purely on dealing with traditional network threats, analysts said. Increasingly, companies also need to focus on approaches such as continuous monitoring of networks, databases, applications and users, outbound traffic filtering and whitelisting."
What about turning the tables on them? (Score:1)
I have had the Indian MS helpdesk ring a few times about the viruses of my Windows PC, surely there has to be a way of "honey potting" them to shut them down?
Re: (Score:3)
I have had the Indian MS helpdesk ring a few times about the viruses of my Windows PC, surely there has to be a way of "honey potting" them to shut them down?
If I have time, I like to play with them. I used to put the phone down while they were talking and walk away but I worry they'll take silence as consent to switch my phone or do something else. So you egg them on. Keep saying "Sorry I don't understand" and "Could you explain a bit more?". Then agree to nothing. If you don't have time you just hang up.
Re: (Score:2)
Absolutely, I tell all the people I support to keep them on the phone as long as possible, when they ask, tell them your computer is on (But DON'T switch it on) then give them false answers to their questions. Some of the users have kept them on the phone for more than 1/2 hour (Getting right into the spirit of it). Whilst their time is wasted they can't rip off some other poor sucker.
Re: (Score:2)
Whilst their time is wasted they can't rip off some other poor sucker.
As long as you don't mind wasting your own time too. Although presumably most people would do this on work time rather than their own.
Re: (Score:1)
These scammers have been calling me weekly for about a year so a couple of months ago I fired up a freshly installed Windows 2000 VM and played along.
I installed logmein at their request and they took control. The "engineer" showed me event viewer ("look, infections!"), opened a command-prompt, typed a few irrelevant commands (ping, nslookup and tree) and then typed the word "expired". The salesman assured me that this meant my "core security system" had expired.
The engineer then took me to their website wh
Re: (Score:2)
you are a goat fucking goat fucker, obviusl youy are also illiterate and obese and fat.
Wow, the ghost of Oscar Wilde is posting on slashdot.
Re: (Score:3, Funny)
It takes a thief...
Re: (Score:2, Funny)
The phrase “Set a thief to catch a thief” had by this time (after strong representations from the Thieves’ Guild) replaced a much older and quintessentially Ankh-Morporkian proverb, which was “Set a deep hole with spring-loaded sides, tripwires, whirling knife blades driven by water power, broken glass and scorpions, to catch a thief.”
Re: (Score:2)
I wonder if that'd be legal to have. Like in your own home.
Re: (Score:2)
I wonder if that'd be legal to have. Like in your own home.
Yes, because obviously that would just be using reasonable force to protect yourself. You fucking moron.
Re: (Score:2)
I wonder if that'd be legal to have. Like in your own home.
Yes, because obviously that would just be using reasonable force to protect yourself. You fucking moron.
Should it also be large enough to handle the entire SWAT team that might attempt to break into his home on a warrantless raid? Reasonable force for protecting yourself, it would seem, but perhaps not a reason a court might accept.
Re: (Score:2)
You could say it's a work of art
Re: (Score:1)
network security so closely resembles societal security
No, and you are dumb for posting this, and you made everyone who read this, a little bit dumber.
Re: (Score:2)
Is it any wonder, that network security so closely resembles societal security. And when religion finally dies, the only security we will have is an all pervasive police state. It is a paradox unimaginable.
WTF? What security has religion ever provided?
Re: (Score:1)
WTF you say? Considerable social cohesion for starters. But more specifically, the way individuals manage the chaos. That is, the framework for a brain to function in the world. You may say "that is simply opiate for _lame persons_", but the amazing Zizek can certainly help disabuse you of that naivety. I dish off to him bc to attempt to describe it is beyond the scope of a few paragraphs, (plus I'm never going to come close to doing it adequately anyway). Bu
Maybe it's time... (Score:5, Insightful)
...to stop employing people who are so clueless when it comes to IT. Personal computers have been commonplace for more than twenty years now, it's time people started learning how to use them correctly.
I'm still coming across businessmen of a certain vintage (typically 50+) for whom it's a matter of pride that they "don't know anything about computers". FFS, it's 2011. Get a grip or retire.
Special sandbox for 'em (Score:5, Interesting)
No, I think the best is to provide super-special sandboxing for them. One could even periodically send "test probes" to random people on one's network to better judge their level of acumen vs. current phishing techniques. Those who fail (or originally admit to being clueless) get:
Re: (Score:3)
I think the best is to provide super-special sandboxing for them.
Etch-a-Sketch
Re: (Score:1)
I've been studying phishing attacks and spear-phishing attacks for the past few years. And to be blunt, if you don't think that you are vulnerable, then you are truly the clueless one. You really don't understand the level of sophistication that these attackers have, in using the right kinds of email formatting, the right kind of language, the right kinds of events, and the right kinds of names of people in your organization.
Are you good enough to avoid PDF exploits? What if you got an email in your inbox a
Re: (Score:1)
Yeah, what do you do when that special someone is the ceo? Technically clueless, but needs access to sensitive data.
Re: (Score:1)
They had a SonicWall in every location (~300 stores) that they relied on for everything security related, and as soon as some of the younger kids realized they could just https to whatever they wanted, it was game over and the PCs stopped working.
what was even better, was when the kiddies figured out they could unplug the ethernet cable from the laptops we had as our POS systems, and plug in their iPhone and tether that way, completely bypassing everythin
Re: (Score:2)
It originates from a time when anyone with aspirations to status in an organisation also had a secretary to perform manual tasks involving keyboards and typing. Admitting to doing one's own typing was a bit of a career depressant. These days I can't believe that anyone of whatever age in business can make serious claim to non-use of computers.
Re: (Score:2)
It originates from a time when anyone with aspirations to status in an organisation also had a secretary to perform manual tasks involving keyboards and typing. Admitting to doing one's own typing was a bit of a career depressant. These days I can't believe that anyone of whatever age in business can make serious claim to non-use of computers.
Meanwhile, in the real world, there are still plenty of secretaries, admin assistants and directors' PAs. If you're a successful business person, time spent reading non-essential emails or typing letters is still wasted time.
Re: (Score:3)
...to stop employing people who are so clueless when it comes to IT. Personal computers have been commonplace for more than twenty years now, it's time people started learning how to use them correctly.
I'm still coming across businessmen of a certain vintage (typically 50+) for whom it's a matter of pride that they "don't know anything about computers". FFS, it's 2011. Get a grip or retire.
No, for most people they have not developed any more technical competence for the computer than they have for the toaster. Once you could buy a computer from Wal-Mart at the same time as getting a loaf of bread and a gallon of milk, while having your oil changed, computers have become commodities. Why would you expect people to develop such deep understanding of using and securing their toasters?
Who is to blame? Start with Apple, then Dell. Gateway. The early "computer in a box, use color coded wires and
Re: (Score:2, Flamebait)
To be fair to some of these guys I think people of older generations were not taught to solve problems like we were, instead they learned by committing a series of steps to memory. There was a great XKCD about this, but basically they are stuck if the sequence they learnt doesn't work for some reason. Even something as simple as their USB flash drive being drive X instead of drive Y is enough if your brain works that way.
You can see this effect at work in IQ tests. Since the 50s they have been getting stead
Re: (Score:2)
To be fair to some of these guys I think people of older generations were not taught to solve problems like we were, instead they learned by committing a series of steps to memory.
As someone of an "older generation" can I just say please fuck off you patronising, ignorant little shit?
Hopefully with your 1337 problem solving skills you can find an amusing way to kill yourself for our amusement.
Re: (Score:2)
As someone who is just trying to be helpful and promote a bit of understanding can I just say please try not to be a twat and take it personally. Obviously my statement does not apply to everyone, I am just making a general point about school level education back then.
It is also the reason arse holes like you like to make out the youth of today are all dumb as shit and couldn't pass the exams you did. Yeah, they couldn't, because these days they don't teach the same way. I wish someone would do it the other
Re: (Score:2)
I'm still coming across businessmen of a certain vintage (typically 50+) for whom it's a matter of pride that they "don't know anything about computers". FFS, it's 2011. Get a grip or retire.
What makes me grumpy is that there are qualified applicants for many of these jobs who DO have computer skills, but they hire based on something other than the ability to actually do the job. Pretty much every college job requires familiarity with Office. Pretty much nobody knows WTF they are doing. Then they have to hire additional IT staff to destink their computers because they're always trying to find ways to screw them up by doing something both unauthorized and stupid.
Re: (Score:2)
I'm still coming across businessmen of a certain vintage (typically 50+) for whom it's a matter of pride that they "don't know anything about computers". FFS, it's 2011. Get a grip or retire.
Hey, I'm a businessman in my 50s, you insensitive clod!
Re: (Score:2)
I'm still coming across businessmen of a certain vintage (typically 50+) for whom it's a matter of pride that they "don't know anything about computers". FFS, it's 2011. Get a grip or retire.
Well, if you can't produce compelling arguments to these businessmen for why they should know about computers, why would they bother?
Re: (Score:1)
typically 50+
Hmmmm, I am 56 and work in an office full of clueless keyboard bangers who I scare away by threatening them with the "Linux Virus"
There is no age band for clueless people, maybe you might oughta' try that age thing on a few others, like RMS say, or Steve Wozniak, both of whom have more creds than you will probably get in a life of tech work.
Last week I was chief invigilator for an exam that included a listening component. I created a set of USB pendrives with portable apps and VLC player loaded
English is our only hope (Score:1)
I don't think we have to worry too much until they learn English.
Not phishing (Score:3, Informative)
Locked down computers (Score:3)
Fact of the matter is, the less companies, governments, organizations, etc trust their employees the less control they will give them. Every time a phisher is successful more control over the PC is taken away by security (in general).
I've seen this happen in my organization. The flexibility of having a computer you can install software that helps you do your job without permission is vanishing very quickly. Before long I expect that you will not be able to download any executable (even archived in zip) or run them. Of course this is not saying they will not
Basically people's desktops at work are going to become less "personal computer" and more "web/document processing workstation".
Re: (Score:2)
If you are allowing common users to install their own software, you are doing it wrong.
Re: (Score:2)
Security groups tend to define "the way it should be" by whatever makes life most convenient for them. In their ideal environment, no software can run, no hardware can be introduced, no websites can be visited, and no emails can be received. Or at least, they'd like to get as close as possible to that environment as they can without managemen
For the first time I've seen in years . . . (Score:2)
Someone used the word hone correctly, and without appending "in" to it. I am going to go weep for joy.
A major contributor (Score:2)
And the malware that they're installing continues to evade antivirus software
Support: Hello this is anti-virus/malware company XYZ how can I help you.
Caller: Yes I have this software called Anti-something 2010 that just popped up on my screen. I have your software installed and it still came up.
Support: You can call our 1-900-BLAH number and they can assist you for $39.95 a minute to remove the software.
Caller: So why did I buy your software in the first place?