Forgot your password?
typodupeerror
Security IT

Phishers Hone Skills, Craft More Impressive Attacks 63

Posted by Soulskill
from the practice-makes-perfect dept.
CWmike writes "Recent break-ins at high-profile targets like the International Monetary Fund demonstrate just how proficient hackers have become at so-called spear phishing, researchers said on Tuesday. 'Today's spear phishing is not only more prevalent but also much more technically proficient,' said Dave Jevans, chairman of the Anti-Phishing Working Group. 'They're not going for a password, anymore; they're getting people to install crimeware on their computers.' The trend highlights the need for defenses against such targeted threats, requiring companies to look beyond security strategies focused purely on dealing with traditional network threats, analysts said. Increasingly, companies also need to focus on approaches such as continuous monitoring of networks, databases, applications and users, outbound traffic filtering and whitelisting."
This discussion has been archived. No new comments can be posted.

Phishers Hone Skills, Craft More Impressive Attacks

Comments Filter:
  • by Anonymous Coward

    I have had the Indian MS helpdesk ring a few times about the viruses of my Windows PC, surely there has to be a way of "honey potting" them to shut them down?

    • by Billlagr (931034)
      Really??? So have I!! And friends and relatives. All you need to do is provide some credit card details, and bam! your machine is instantly remotely cleaned up. It's good to see MS taking such a proactive stance.
    • by syousef (465911)

      I have had the Indian MS helpdesk ring a few times about the viruses of my Windows PC, surely there has to be a way of "honey potting" them to shut them down?

      If I have time, I like to play with them. i use to put the phone down while they were talking and walk away but I worry they'll take silence as consent to switch my phone or do something else. So you egg them on. Keep saying "Sorry I don't understand" and "Could you explain a bit more?". Then agree to nothing. If you don't have time you just hang up.

      • Absolutely, I tell al the people I support to keep them on the phone as long as possible, when they ask, tell them your computer is on (But DONT switch it on) then give them false answers to thier questions. Some of the users have kept them on the phone for more than 1/2 hour (Getting right into the spirit of it). Whilst their time is wasted they cant rip off some other poor sucker.

        • by tehcyder (746570)

          Whilst their time is wasted they cant rip off some other poor sucker.

          As long as you don't mind wasting your own time too. Although presumably most people would do this on work time rather than their own.

      • by Anonymous Coward

        These scammers have been calling me weekly for about a year so a couple of months ago I fired up a freshly installed Windows 2000 VM and played along.

        I installed logmein at their request and they took control. The "engineer" showed me event viewer ("look, infections!"), opened a command-prompt, typed a few irrelevant commands (ping, nslookup and tree) and then typed the word "expired". The salesman assured me that this meant my "core security system" had expired.

        The engineer then took me to their website wh

        • by tehcyder (746570)
          Con men are con men. All the stuff people talk about elite hacking skills is irrelevant compared to the age-old techniques of social engineering..
  • The Art of Deception (Score:4, Informative)

    by DigiShaman (671371) on Wednesday June 15, 2011 @12:18AM (#36445996) Homepage

    The Art of Deception. By Kevin D. Mitnick. It's worth reading.

    • Re: (Score:3, Funny)

      by DeusExMach (1319255)

      It takes a thief...

      • Re: (Score:2, Funny)

        by Anonymous Coward

        The phrase “Set a thief to catch a thief had by this time (after strong representations from the Thieves’ Guild) replaced a much older and quintessentially Ankh-Morporkian proverb, which was “Set a deep hole with spring-loaded sides, tripwires, whirling knife blades driven by water power, broken glass and scorpions, to catch a thief.”

        • I wonder if thatd be legal to have. Like in your own home.

          • by trum4n (982031)
            Nope. No Deadly Scorpions without a license where i live. And you'd need a permit for the hydro power setup. And the water source. And the hole.
          • by tehcyder (746570)

            I wonder if thatd be legal to have. Like in your own home.

            Yes, because obviously that would just be using reasonable force to protect yourself. You fucking moron.

            • I wonder if thatd be legal to have. Like in your own home.

              Yes, because obviously that would just be using reasonable force to protect yourself. You fucking moron.

              Should it also be large enough to handle the entire SWAT team that might attempt to break into his home on a warrantless raid? Reasonable force for protecting yourself, it would seem, but perhaps not a reason a court might accept.

  • Maybe it's time... (Score:5, Insightful)

    by __Paul__ (1570) on Wednesday June 15, 2011 @12:53AM (#36446130) Homepage

    ...to stop employing people who are so clueless when it comes to IT. Personal computers have been commonplace for more than twenty years now, it's time people started learning how to use them correctly.

    I'm still coming across businessmen of a certain vintage (typically 50+) for whom it's a matter of pride that they "don't know anything about computers". FFS, it's 2011. Get a grip or retire.

    • by Mathinker (909784) on Wednesday June 15, 2011 @01:04AM (#36446162) Journal

      No, I think the best is to provide super-special sandboxing for them. One could even periodically send "test probes" to random people on one's network to better judge their level of acumen vs. current phishing techniques. Those who fail (or originally admit to being clueless) get:

      • all email which isn't a direct reply to something they originated "held up for review" by some luckless soul in IT
      • extra lockdown of their computer, perhaps including physically disabling USB ports and DVD drives
      • extra automatic monitoring of their computer for unusual behavior
      • segregating them into a special segment of the LAN which is only connected to the rest of the company via a special filtering/monitoring gateway
      • by AmiMoJo (196126)

        I think the best is to provide super-special sandboxing for them.

        Etch-a-Sketch

      • by Anonymous Coward

        I've been studying phishing attacks and spear-phishing attacks for the past few years. And to be blunt, if you don't think that you are vulnerable, then you are truly the clueless one. You really don't understand the level of sophistication that these attackers have, in using the right kinds of email formatting, the right kind of language, the right kinds of events, and the right kinds of names of people in your organization.

        Are you good enough to avoid PDF exploits? What if you got an email in your inbox a

        • by kmoser (1469707)
          But how do we know that article you pointed us to isn't itself a spear phishing attack?
      • by Anonymous Coward

        Yeah, what do you do when that special someone is the ceo? Technically clueless, but needs access to sensitive data.

      • by tehcyder (746570)
        The thing is, this policy would probably have to be applied to 90% of users.
    • In my organization, it's not the old dinosaurs that create security problems, it's the idiot 20 something that bypasses Sonic Firewall (the dipshit product that it is) to get to Facebook by using HTTPS and then proceeds to play Farmville for hours. Unless you can employ security experts in every slot in your organization you have these problems. Remember this is about SOCIAL engineering, not technical issues.
      • it sounds like you work for my old employer...

        the had an SonicWall in every location (~300 stores) that they relied on for everything security related, and as soon as some of the younger kids realized they could just https to whatever they wanted, it was game over and the PC's stopped working.

        what was even better, was when the kiddies figured out they could unplug the ethernet cable from the laptops we had as our POS systems, and plug in their iPhone and tether that way, completely bypassing everythin
    • by badzilla (50355)

      It originates from a time when anyone with aspirations to status in an organisation also had a secretary to perform manual tasks involving keyboards and typing. Admitting to doing one's own typing was a bit of a career depressant. These days I can't believe that anyone of whatever age in business can make serious claim to non-use of computers.

      • by tehcyder (746570)

        It originates from a time when anyone with aspirations to status in an organisation also had a secretary to perform manual tasks involving keyboards and typing. Admitting to doing one's own typing was a bit of a career depressant. These days I can't believe that anyone of whatever age in business can make serious claim to non-use of computers.

        Meanwhile, in the real world, there are still plenty of secretaries, admin assistants and directors' PAs. If you're a successful business person, time spent reading non-essential emails or typing letters is still wasted time.

    • ...to stop employing people who are so clueless when it comes to IT. Personal computers have been commonplace for more than twenty years now, it's time people started learning how to use them correctly.

      I'm still coming across businessmen of a certain vintage (typically 50+) for whom it's a matter of pride that they "don't know anything about computers". FFS, it's 2011. Get a grip or retire.

      No, for most people they have not developed any more technical competence for the computer than they have for the toaster. Once you could buy a computer from Wal-Mart at the same time as getting a loaf of bread and a gallon of milk, while having your oil changed, computers have become commodities. Why would you expect people to develop such deep understanding of using and securing their toasters?

      Who is to blame? Start with Apple, then Dell. Gateway. The early "computer in a box, use color coded wires and

    • Re: (Score:2, Flamebait)

      by AmiMoJo (196126)

      To be fair to some of these guys I think people of older generations were not taught to solve problems like we were, instead they learned by committing a series of steps to memory. There was a great XKCD about this, but basically they are stuck if the sequence they learnt doesn't work for some reason. Even something as simple as their USB flash drive being drive X instead of drive Y is enough if your brain works that way.

      You can see this effect at work in IQ tests. Since the 50s they have been getting stead

      • by tehcyder (746570)

        To be fair to some of these guys I think people of older generations were not taught to solve problems like we were, instead they learned by committing a series of steps to memory.

        As someone of an "older generation" can I just say please fuck off you patronising, ignorant little shit?
        Hopefully with your 1337 problem solving skills you can find an amusing way to kill yourself for our amusement.

        • by AmiMoJo (196126)

          As someone who is just trying to be helpful and promote a bit of understanding can I just say please try not to be a twat and take it personally. Obviously my statement does not apply to everyone, I am just making a general point about school level education back then.

          It is also the reason arse holes like you like to make out the youth of today are all dumb as shit and couldn't pass the exams you did. Yeah, they couldn't, because these days they don't teach the same way. I wish someone would do it the other

    • by drinkypoo (153816)

      I'm still coming across businessmen of a certain vintage (typically 50+) for whom it's a matter of pride that they "don't know anything about computers". FFS, it's 2011. Get a grip or retire.

      What makes me grumpy is that there are qualified applicants for many of these jobs who DO have computer skills, but they hire based on something other than the ability to actually do the job. Pretty much every college job requires familiarity with Office. Pretty much nobody knows WTF they are doing. Then they have to hire additional IT staff to destink their computers because they're always trying to find ways to screw them up by doing something both unauthorized and stupid.

    • by Kittenman (971447)

      I'm still coming across businessmen of a certain vintage (typically 50+) for whom it's a matter of pride that they "don't know anything about computers". FFS, it's 2011. Get a grip or retire.

      Hey, I'm a businessman in my 50s, you insensitive clod!

    • by tehcyder (746570)

      I'm still coming across businessmen of a certain vintage (typically 50+) for whom it's a matter of pride that they "don't know anything about computers". FFS, it's 2011. Get a grip or retire.

      Well, if you can't produce compelling arguments to these businessmen for why they should know about computers, why would they bother?.

    • by nobodie (1555367)

      typically 50+
      Hmmmm, I am 56 and work in an office full of clueless keyboard bangers who I scare away by threatening them with the "Linux Virus"
      There is no age band for clueless people, maybe you might oughta' try that age thing on a few others, like RMS say, or Steve Wozniak, both of whom have more creds than you will probably get in a life of tech work.

      Last week I was chief invigilator for an exam that included a listening component. I created a set of USB pendrives with portable apps and VLC player loaded

  • by Anonymous Coward
    "Ass a security measure we hat to temporarily suspend your account. To restore your account Please download the form and fallow the instructions on your screen."

    I don't think we have to worry too much until they learn English.
  • Not phishing (Score:3, Informative)

    by lavagolemking (1352431) on Wednesday June 15, 2011 @01:51AM (#36446336)
    Phishing [wikipedia.org] means tricking users into divulging sensitive data, usually a password. It is just one type of social engineering [wikipedia.org]. What is being described here is another form of social engineering, where users are told instead to install malware or something like that. It is not phishing, or even spear phishing. When you get a lot of information together to plan out an effective attack on human psyche, it's called pretexting.
  • by Danathar (267989) on Wednesday June 15, 2011 @07:54AM (#36448304) Journal

    Fact of the matter is, the less companies, governments, organizations, etc trust their employees the less control they will give them. Every time a phisher is successful more control over the PC is taken away by security (in general).

    I've seen this happen in my organization. The flexibility of having a computer you can install software that helps you do your job without permission is vanishing very quickly. Before long I expect that you will not be able to download any executable (even archived in zip) or run them. Of course this not saying they will not

    Basically people's desktops at work are going to become less "personal computer" and more "web/document processing workstation".

    • That's the way it should be, and that's definitely the way it is at my job. Every good sysadmin knows that the biggest idiot in the whole system is the user.

      If you are allowing common users to install their own software, you are doing it wrong.
      • That's the way it should be, and that's definitely the way it is at my job.... If you are allowing common users to install their own software, you are doing it wrong.

        Security groups tend to define "the way it should be" by whatever makes life most convenient for them. In their ideal environment, no software can run, no hardware can be introduced, no websites can be visited, and no emails can be received. Or at least, they'd like to get as close as possible to that environment as they can without managemen

  • Someone used the word hone correctly, and without appending "in" to it. I am going to go weep for joy.

  • And the malware that they're installing continues to evade antivirus software

    Support: Hello this is anti-virus/malware company XYZ how can I help you.
    Caller: Yes I have this software called Anti-something 2010 that just popped up on my screen. I have your software installed and it still came up.
    Support: You can call our 1-900-BLAH number and they can assist you for $39.95 a minute to remove the software.
    Caller: So why did I buy your software in the first place?

Never put off till run-time what you can do at compile-time. -- D. Gries

Working...