RSA: Phish Me If You Can (Video)
Tim: Aaron, could you introduce yourself please?
Aaron: Hi, my name is Aaron Higbee. I'm Co-Founder and CTO of PhishMe
Tim: Okay. Now explain PhishMe. It is a funny name.
Aaron: So every organization is worried about getting spear phished. So we provide a software-as-a-service that allows organizations to send real mock spear phishing emails to their employees and as soon as they may fall victim to one of our emails, they are immediately funneled to training about why you need to be worried about this, why people are targeting you at work, and why a spear phishing email at work is a little different than the phishing email you get at home.
Tim: So walk me through this a little bit. They are at their desk, they open their corporate Gmail or their corporate email account, and what happens?
Aaron: Well, there is a variety of things. An attacker might be motivated just to send them a malicious link and hope to take them to a website that is booby-trapped with malware. They might put together a lookalike website that is trying to solicit credentials to get them to log into a fake website. Or they might be including a malicious attachment where the payload is embedded in the attachment and trying to get them to do that.
Tim: How far do you let people go before you let them in on the game?
Aaron: We do it right away. The value in this is the experience, and the person realizing that, hey, if they are not vigilant, if they are just mindlessly clicking through emails as fast as they can, they can be victimized by this. And that there really are people out there. So we want to funnel them into the training and awareness portion of it right away, to close out the example, to let them know that this wasn't to make fun of them, to make them feel bad.
Tim: It sounds like it could be embarrassing.
Aaron: Right. We just were trying to empathize and let them know that this was designed to help you get good practice on identifying and spotting this.
Tim: Now you have it for spear phishing specifically over email.
Aaron: That’s right.
Tim: There are a lot of threats, though, over various social media, over Facebook; they can get their account hacked and send messages through that. Are you addressing things like that yet?
Aaron: Yeah, we are still focused. I mean, this is the number one attack vector; if you read the recent APT1 report by Mandiant, they said spear phishing is the most prevalent, aggressive way that people are trying to get in. But I do keep up on those trends. Google was compromised via an instant messaging vector, and so that's interesting to me and I try to keep on top of that.
Tim: The malicious messages that people get have evolved over the years. I know the ones I get certainly have changed, and now they sound a lot more competent than they used to.
Aaron: Sure, sure. They might have researched you, they might know your interests, but there are certain emotional triggers that are going to be in all of these emails. And it is up to us as humans to figure that out. They are either going to be baiting you with curiosity, with fear, with a reward, one of those triggers. And if you look at it, and you see the sense of urgency in the email, you should have some spidey senses that tingle that say, wait a minute, I need to spend a little bit more time, this might not be legitimate.
Tim: Now do employees know in advance that the system is even in place within their company?
Aaron: Sometimes they do, sometimes they don't. Because we are a software-as-a-service, organizations choose to run their PhishMe program any way they like. We encourage that. We tell people that they should be upfront with their staff to let them know that the purpose behind this isn't to make fun of, or belittle, anyone. And that we are going to be doing this for the next 12 months to give people experience in spotting and identifying these.
Tim: Now how long has PhishMe been around? Where did it come from? Is this academic research or?
Aaron: So where PhishMe came from was, I used to be a pentester, and I did a lot of pentesting work, and I noticed in about 2005, the way that attackers were getting into organizations was starting to shift towards spear phishing instead of your traditional vulnerability scanning and finding some vulnerable service to compromise. So I started offering this as a pentesting service, and in about 2006 and 2007 that light bulb went off where I realized I am actually damaging a valuable teaching opportunity, that the way to correct this is through user awareness education. That the attackers are always going to come up with some new technical tactic, and so we really need to focus in on the social and the human aspect to go after this problem.
Tim: Speaking of the way the stuff has changed, what have you observed about that? What are the trends you see in how have the spear phishing things have changed?
Aaron: Well, one of the things that we’ve noticed is when an attacker is going on a spear phishing campaign, two to three years ago, they would lob in one or two emails to certain employees inside the organization, and they would wait to see if they would respond. What’s happening now is they are sending batches of 10, 20, 30, or 50, because they know those emails are getting analyzed and they know that the command and control infrastructure that the malware connects to is going to be burnt. It is not going to be _____4:59. So they are being a little more tenacious about the volume that they are sending in, which is good; that means some of our preventative technology is working, and also that means user initiative reports are valuable, because now they are going to be sending more of these emails into the organization.
Tim: It gives you a bigger corpus to write your own too.
Aaron: Sure, sure. We are building our human sensors to help fight this problem.
Tim: And who are your customers?
Aaron: Anyone that has been in the news, that has a spear phishing breach, it is likely that they are one of our customers. Our customers are people that have bought all of the technological solutions. They have good information security practices. Yet people are still getting in. And they are frustrated by this. And they want to change. And so if you look at who are the big targets of spear phishing, it is the people that you would imagine, the financial, the government contractors, the oil and gas industry, manufacturing, anyone that has got intellectual property to protect.
Tim: And you are based in Northern Virginia, so that gives you a pretty good access to the various hackable governmental offices there?
Aaron: Yeah, absolutely. I have some interesting lunches with my colleagues in Northern Virginia, and there is always some spear phishing incident that we are talking about that has come up.
Tim: Now Aaron, have you ever personally been tempted or actually clicked on a spear phishing link?
Aaron: You know I might have. Given the nature of our business, we know that we are targets. It would be good bragging rights to be able to phish someone here. And it has changed the way that we do business. Email is not really a very useful tool to us. We have to use a lot of other collaborative software and other internal tools in order to get work done and anytime something comes in to email, we have this very strict process on what we do before we interact with it. I don’t think anyone in my company would say, we are impervious to this. We know that this is a human condition. People can make mistakes. And that is one of our training messages, is even if you did something, and you have that uneasy feeling afterwards, that this might not have been legitimate, it is still something that you need to report to your IT department. Maybe it was benign, maybe it was okay, but it still should be reported as soon as you have that uneasy feeling.
Tim: Anything else you want to tell us about? You mentioned something to me earlier about your Slashdot effect.
Aaron: Oh okay. So we try to offer PhishMe as a true-to-life example. So we send spear phishing emails from the internet, our spear phishing websites are hosted on the internet, and our customers want to make it accurate, but they also want it to be contained. So they don’t want a situation where an employee receives one of our training emails and then forwards it to Slashdot, hey look what my employer is doing to me. So we actually designed our phishing pages to self-destruct. So that we don’t get on the cover of Slashdot.
LOL (Score:5, Insightful)
Your daily Slashvertisement brought to you by Dice Holdings, Inc.
It's not the slashvertisement (Score:5, Insightful)
It's the fact that they treat us like eager morons, who won't recognize it. I mean the signs are dead simple.
1. Mentions a particular company by name.
2. Includes at least one buzz-word.
3. Entirely positive language.
Regular Slashdot stories pretty clearly have signs of concern or raise questions about their subject matter. These bare-naked slashvertisements are insulting. If you're going to be blatant, please fucking acknowledge that it's sponsored in the summary.
Re:It's not the slashvertisement (Score:4, Insightful)
I mean the signs are dead simple.
1. Mentions a particular company by name.
2. Includes at least one buzz-word.
3. Entirely positive language.
4. Pushes a stupid and unnecessary product or service.
Instead of training your staff not to open phishy emails, just ban any email client that allows execute-on-open.
Re: (Score:2)
4. Pushes a stupid and unnecessary product or service.
Instead of training your staff not to open phishy emails, just ban any email client that allows execute-on-open.
Wow. You know how you can tell that the comments are being modded by people with a vested interest in the ad? Your comment was on-point and provided an alternative and is still getting modded down. Way to go, /. You bastards.
Re: (Score:3)
Instead of training your staff not to open phishy emails, just ban any email client that allows execute-on-open.
I'm not sure that's the main problem, actually. Where spear phishing is concerned, I mostly hear about emails that are crafted to look like legitimate messages from companies like banks, FedEx, etc. If you can convince someone to click through to a website, it's not hard to ship them malware -- particularly if they have the Java plugin enabled.
HOLY FUCK (Score:4)
I THINK THE EDITORS ARE MODERATING CRITICAL COMMENTS DOWN!!!
I got 5 troll mods in a matter of one minute, making a pretty reasonable post(I thought).
I thought it was bizarre the GP got modded down once, but I really think Dice is modding the fucking comments.
Re: (Score:2)
Similar thing happened to me on the last so called RSA conference posting by RobLimo-sine-o:
That was an article called RSA: From Apple Keys to Biometric Security Devices (Video) [slashdot.org], which at last I checked 30 seconds ago had:
score . . . . . number of comments
-1 . . . . . . . . . 19 comments
0 . . . . . .
Re: (Score:2)
And I don't think it was the people with mod points changing it. I had +4 about a couple minutes ago. That screams editor control. They don't even want the idea of it being a advertisement discussed.
Re: (Score:2)
Slashvertisement or not, I've noticed the past couple months a large decrease in the / stories I bother to read and post to; the ones that looked OK... weren't worth reading TFA for, and yet others had shitty discussions going on. It seems like I didn't post for a week and came back to a bunch of moronic posts & news stories that were biased, irrelevant, or just plain out boring. Oh well, I think this article is more or less about a technique you can implement yourselves presented as an advertisement m
Re: (Score:2)
Replying to my own post a lot, but it's nice to see it back up to +4 (and the parent back up too). I checked and the 5 troll mods are still there, so in spite of someone trying to bury it, slashdot moderators aren't that stupid. Thanks, you guys.
Re: (Score:2)
You're right. Education in a formal setting simply doesn't convert to practical knowledge. That's a method best left to theoretical subjects.
But you're going to have a tough time arguing that *training* doesn't work: which is what PhishMe is selling. Teach employees to recognize phishing emails by actually sending them inoculated phishing emails. When employees fall for it you let them in on the game immediately and seize that invaluable teachable moment.
Re:It's not the slashvertisement (Score:5, Insightful)
That's why ads written like a PR News story posted on Slashdot are insulting to us -- it's obviously an ad, but it's not labelled so. They no longer label the author as associated with Dice Holdings, so it can be passed off as legit news. It also can't be blocked by ad blocking software or the "disable ads" button that appears as a thank you for positive contributions.
On top of that, they are using the moderation system to mod down complaints about this unscrupulous practice.
This is part of the growing trend of stripping content that users want in favor of content that pays the most money to the site's publisher, the same thing folks like Facebook are doing in activity feeds. Monetizing the site at the expense of the experience of the user. How long can this trend continue before users have had enough?
Re:bare-naked slashvertisements (Score:3)
Yeah, and while we knew there were a bunch before, I think we're def. seeing Dice's hand in all this.
The other posters are right about the shift to video, and Roblimo, who really was off the radar until last month. Here is a Reuters article describing specifically how this company is a spinoff of some other one a couple years ago. So yes, it's absolutely a Slash-vertisement. http://www.reuters.com/article/2012/03/20/idUS120683+20-Mar-2012+BW20120320 [reuters.com]
Besides your heuristics, let's go even farther. It's these
Re:It's not the slashvertisement (Score:4, Interesting)
I'll acknowledge that I didn't even know slashdot had bans. I figured the built in moderation system was more than sufficient.
Re: (Score:2)
Actually the stripes problem is a DSLR problem often seen in Canon cameras and is a great example of a moire pattern at work. There are filters for that, but that would be too difficult for /. editors...
Open an email (Score:5, Informative)
Open an email? You mean text? Not really a problem. If you're not blocking images and JavaScript, you're headed for trouble, targeted or not.
It's not that simple. (Score:3, Informative)
Many corporate users use Outlook. When viewing (or previewing) HTML-formatted messages, it uses the same rendering as Internet Explorer, and is thus susceptible to the same vulnerabilities.
I can remember a happy time when I could tell people with confidence "you'll never infect your computer by merely viewing an e-mail". Or a JPG. Or a PDF. Or ...
Re: (Score:2)
Yes exactly! The sheer number of exploit hooks into even modern/patched operating systems is simply depressing.
Re: (Score:2)
Sandboxing? Works in the browser*, should work in the email client.
*proper browsers, not IE...
Re:Open an email (Score:4, Funny)
Text email is vulnerable too! I'm in the habit of: after reading every email, I save it to malware.sh, then I go to a shell, type "chmod +x malware.sh" and then either "./malware.sh" or "sudo ./malware.sh" depending on the flip of a coin. And in spite of my weird habit of doing this, I never check to see who sent me the email and whether or not it's PGP signed and if their signature checks out.
See? Spearphishing is a really hard problem to solve! Reading email is dangerous! DAAANGEROUSSS!!!!11
Re: (Score:3, Informative)
Several years ago, Outlook did something similar with Visual Basic scripts attached to a mail. Loading the email into the preview window was sufficient to trigger the script.
IMHO the greatest security fuckup in the history of Microsoft (and Autorun on CDs was the second biggest).
More stupid victim-blaming (Score:3, Insightful)
The problem is 100% technical. How could viewing an email ever result in malware being installed? Somebody failed -- they're called the IT department.
Re:More stupid victim-blaming (Score:4, Insightful)
Yeah, they failed when they let you have admin on your pc. They failed when they did not enforce updates. They failed when they let you run a vulnerable email client.
Yet, if they don't let anyone have admin, ban Outlook from the network and force the updates and reboots that come with them, you would be bitching up a storm.
Re: (Score:2)
Yup, it's never the management who insist on having outlook because "thunderbird doesn't work correctly".
Re: (Score:2)
If they insist on it AND your manager cannot shield you THEN it might be time to look for a different job.
In the meantime, make sure that those are fully patched AND monitor them (and firewall as much as possible) because they WILL be cracked, eventually. Although you should be doing this for all your systems any way.
And keep looking for a better job.
Re: (Score:2)
OK, I'll bite. Have you ever tried to embed a table pulled from Excel into an email under Thunderbird? Nothing fancy, just a 3x4 grid with some numbers on it.
Let me know when you succeed in sending it in a viewable format.
(probably the best way to never hear from someone again)
Re: (Score:3)
1. See the other reply, it works
2. DO NOT FUCKING DO THAT. Email is a text transfer mechanism. Attach documents to that, not attempt to put formatting in the email.
Re: (Score:2)
Tell "DO NOT FUCKING DO THAT" to that VP who wants that useless data in THAT format, in HIS inbox, NOW.
I love it when people just live in la-la land and try to adapt people to software instead of the other way around.
Re: (Score:2)
Those same VPs are the types that demand all sorts of stupid shit if they think it gets in the way of how they feel things should work.
They're the problem. They're the exact reason training never works, because even if you explain the problem to them, they demand that you work around their shortcomings, because fuck you, why should they change to solve your petty problems, asshole.
People who are receptive to any type of training like what's being blatantly advertised to us here or what the GP is talking abo
Re: (Score:2)
Um, no, while those VPs certainly have their share in the general stupidity, it's the clueless Average Joe who usually does that. For each "retarded" VP (in a true IT sense) there's a thousand "retarded" Average Joes (And Janes).
Re: (Score:2)
You show him a better way.
All he is going to do is end up with an email that can't be sent since it is 100MB and even if you change your mail server setting to allow it no other mail server will ever accept it.
Re: (Score:2)
What the hell are you talking about?
Re:More stupid victim-blaming (Score:4, Informative)
It's rarely about just opening an email. It's about opening attachments in that email, or opening links that lead to sites with malware. There have been enough vulnerabilities (OS, Adobe, Java, etc.) around which don't require any special privileges. Just a user to click through warning prompts.
It cannot be solely IT's responsibility - especially in this day of BYOD (Bring your own device). IT isn't always able to remove admin privileges from corporate/organization owned computers - much less the Sales guy's personal laptop.
Re: (Score:2)
It's rarely about just opening an email. It's about opening attachments in that email, or opening links that lead to sites with malware.
Why are you not stripping attachments from external email? Or are you arguing that stripping attachments isn't a technical measure?
Think about how phishing works. They are trying to get you to open an attachment, or visit a resource which is fake (could be a URL, phone number, etc.) So strip attachments and resource identifiers (URLs, phone numbers) from external email. Pro
Re: (Score:2)
I'm sure the Sales people will be very happy when they receive an e-mail saying "amended contract" with zero attachments. Oh yes.
Re: (Score:2)
I'm sure the Sales people will be very happy when they receive an e-mail saying "amended contract" with zero attachments. Oh yes.
Right. Because there's no sort of technology that could apply different policies to different people... We all know computers can't do shit like that.
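An added example, not code from any commenter above, of the two controls this sub-thread argues about: tagging mail from outside the organization and stripping its attachments, with a per-recipient exception so a group that really does receive "amended contract" PDFs from outside keeps them. It uses only Python's standard email library. The internal domain, the set of recipients allowed external attachments, and the sample message are constructed assumptions for the demonstration; a real gateway would take the recipient list from the SMTP envelope and the policy from a directory.

```python
import email
import email.utils
from email import policy
from email.message import EmailMessage

# Assumptions for the demonstration (not from any real deployment):
INTERNAL_DOMAINS = {"example.com"}           # mail from these domains is "internal"
ATTACHMENT_ALLOWED = {"sales@example.com"}   # recipients who may get external attachments


def sender_domain(msg):
    """Domain of the From address, lower-cased ('' if unparseable)."""
    _, addr = email.utils.parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def strip_attachments(msg):
    """Return (copy of msg carrying only its text body, names of removed attachments)."""
    removed = [a.get_filename() or "(unnamed)" for a in msg.iter_attachments()]
    body = msg.get_body(preferencelist=("plain", "html"))
    out = EmailMessage(policy=policy.default)
    for name, value in msg.items():
        # MIME structure headers are regenerated by set_content() below.
        if name.lower() not in ("content-type", "content-transfer-encoding", "mime-version"):
            out[name] = value
    out.set_content(body.get_content() if body is not None else "")
    del out["X-Stripped-Attachments"]        # never keep a tag supplied by the sender
    out["X-Stripped-Attachments"] = ", ".join(removed) if removed else "none"
    return out, removed


def apply_policy(raw, recipient):
    """Gateway step for one recipient: tag external mail, strip attachments unless allowed."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if sender_domain(msg) in INTERNAL_DOMAINS:
        return msg, []
    del msg["X-External-Sender"]             # drop any spoofed copy of our own tag
    msg["X-External-Sender"] = "yes"
    if recipient.lower() in ATTACHMENT_ALLOWED:
        return msg, []
    return strip_attachments(msg)


def sample_message(sender):
    """Constructed sample: an 'amended contract' mail with a fake PDF attached."""
    m = EmailMessage(policy=policy.default)
    m["From"] = sender
    m["To"] = "joe@example.com"
    m["Subject"] = "amended contract"
    m.set_content("Please review the attached contract.")
    m.add_attachment(b"%PDF-1.4 constructed sample, not a real document",
                     maintype="application", subtype="pdf", filename="contract.pdf")
    return m.as_bytes()


if __name__ == "__main__":
    for rcpt in ("joe@example.com", "sales@example.com"):
        out, removed = apply_policy(sample_message("partner@vendor.example.net"), rcpt)
        print(rcpt, "external:", out["X-External-Sender"], "removed:", removed)
```

The sender-domain check here deliberately trusts nothing but the From header, which is exactly what a forged mail controls, so in practice the "internal" decision belongs to the MTA (authenticated submission, SPF/DKIM results), and this code should only consume its verdict.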
Re: (Score:2)
You haven't worked with Sales people before, I presume. It's okay, you're one of the happy ones, good for you.
Re:More stupid victim-blaming (Score:5, Insightful)
This is what passes for +5 insightful these days?
The issue isn't opening an email: but clicking a link in that email or, worse, clicking a link that takes you to a legitimate looking site and entering data, or opening an attachment in a legitimate looking email.
There are all sorts of attack vectors present from an email message. To sweep it all up as "IT's Problem" is a very, very bad idea. It just takes one email fooling the right person to be a security problem.
PhishMe's philosophy is that at some point the technical protection will fail ... so you'd better ensure that your employees know what to look for. The best way to teach them what to look for is to let them actually experience safe emails using the same techniques that would be maliciously used against them.
Spear-phishing isn't an idle threat, it's a widely used attack method that has gotten data out of targets like the New York Times, Defense Department, Facebook, and Apple (http://www.theatlanticwire.com/technology/2013/02/spear-phishing-security-advice/62304/). I'm sure that each of those companies has a very robust and capable IT Department armed with email scanning and sanitizing software. You just can't catch everything with technology.
Re: (Score:2)
How could viewing an email ever result in malware being installed?
Tee hee.. You must not be old enough to remember Outlook or Excel Macros.
Re: (Score:2)
Tee hee.. You must not be old enough to remember Outlook or Excel Macros.
I'm old enough to remember the Stoned virus. Anyway, how are incorrectly implemented security models in crappy products the user's problem? Why don't you give the user software that isn't full of holes?
Re: (Score:2)
There don't have to be software "holes" or bad security models for malware to get through; users are always the lowest common denominator, and given they're cross-platform, it can be very advantageous for bad guys to target the user over specific technical systems.
And generally, effective user education is a great additional layer of security. Not sure why you're 100% blaming IT [slashdot.org].
Not new, still cool (Score:2)
Re: (Score:2)
The main proof that this is a slashvertisement seems to be that Roblimo didn't mention wombatsecurity or other ways to teach fellow employees how to avoid spearphishing attacks. How dare he not!
Except.... I did!
What does that tell you about the conspiracy yowlers?
They're kind of fun, aren't they? :)
- Robin
cracking? (Score:2)
I guess the years have accumulated and I'm now an old timer, but I don't see how that's cracking by anyone's definition.
Re: (Score:2)
Seeing if anyone mentioned that little bit of stupidity is the only reason I bothered to open this "story."
Re: (Score:2)
Back in the day we were trying to get any exploitative hacking to be called "cracking". Note Jurassic Park's "I prefer to be called a hacker." line.
It didn't take completely. We got "hacking" to be relatively accepted into the mainstream vernacular but "hacker" remains in a kind of grey area and "hacked" is entirely negative.
Re: (Score:2)
Only if you think that spearphishing is purely social engineering. Sure that's a critical aspect of it but phishing emails can also contain technical exploits...cracking.
Free Pizza in the Breakroom!1! (Score:3)
Lol, that one always works, and even though it is clear it doesn't need to be clicked, they click it anyways... I got to use that one when the Melissa virus was blocked based on the subject line "I have an attachment for your review", rather than on matching the payload of the email attachment. I made $5 on a bet with the Exchange admin, and got to watch hilarity ensue at the Exchange admin's desk when 40 hungry developers showed up, wondering why there was no free lunch and their Outlook clients were taking up all of their system resources.
Re: (Score:3)
That's just the boss, trying to round up some candidates for his Amway pitch.
I always delete all e-mail that claims to be from the boss. Now, thanks to PhishMe, I can claim to have been ahead of the curve fighting spearphishing all these years.
I deserve a raise.
So how about setting up fake spearphishing attempt (Score:2)
So how about not running software vulnerable to malware?
Re: So how about not running vulnerable software? (Score:2)
If only that were feasible. Unfortunately, we have created a septic environment and the only way to be sure of staying clean is to live in a bubble.
Not that I'm excusing the irresponsible decisions that are routinely made over security issues. That's how we got into this mess in the first place - one small, dumb step after another.
Re: (Score:2)
This may be off-topic, but by 'septic environment', I was also thinking of the fact that we have to live with the bad decisions of businesses and government agencies that we have to deal with.
Guide for Eliminating Background Noise (Score:3)
Three videos posted over the last couple of days - all of which purport to provide insight, at least in summary. I've not made it through more than a few seconds of each since there is excessive background noise.
Use a more targeted mic? Do some post-processing? Find a quieter room to interview your subject in? Provide a transcript?
Otherwise, it's just a waste of effort.
Remember to check your legitimate e-mails (Score:5, Insightful)
When setting up a test like this, first look at the legitimate e-mails sent around your company. If your business routinely circulates e-mails containing attachments employees are expected to open or links they're expected to click on, then ask yourself why you've got an overlap between what you expect employees to do and what you want them to not do. If you expect employees to check addresses but your e-mail client hides addresses, ask yourself why you're hiding what you want recipients to check. If you're having to ask those kinds of questions then the first problem you need to address isn't employees being vulnerable to spearphishing attacks, it's your internal e-mail culture and standards that make those vulnerabilities normal and expected.
Expect a lot of resistance to fixing these things. Not from your regular workers, from the upper layers of management who like these things because they make life easy and look "Oooh, shiny!".
It's a lot like physical security. You can emphasize it all you want, but when managers get angry at employees who closed the door in the manager's face forcing them to use their own key you will not get employees to stop letting people tailgate through doors.
This post = spearphished-slashvertisement? (Score:5, Informative)
Re:This post = spearphished-slashvertisement? (Score:5, Interesting)
I'm watching this thread to see if you get modded down. I think they've gone as far as telling editors to mod down those who point out it's a slashvertisement. Regular mods never mod down this far down in a discussion, so I'd like to see if my hypothesis is substantiated.
Re: (Score:3)
Since editors are paid employees, I can't imagine the others don't know what's going on. Whatever it is, they don't seem intent on telling anyone.
Re: (Score:2)
Here's the email exchange between admdrew and me:
From: Andy George
To: roblimo@yahoo.com
Sent: Wednesday, March 6, 2013 3:09 PM
Subject: Your Slashdot submissions
Hi,
Why are you the only Slashdot editor that submits your own content, instead of submissions from readers? It's like you're treating Slashdot as your marketing blog, which only serves to degrade the quality of the site. I'm a long-time reader and commenter who has never seen this level of consistent slashvertising before.
-----
I'm paid by the hour to
Re: (Score:2)
Why did you put that alter
Re: (Score:2)
Whoops!- Guess when I hit Ctrl-C I hadn't highlighted the entire email - was in a huge rush. Sorry.
I know it's always fun to imagine a conspiracy, but I was rushing to meet a friend and carpool to a LUG meeting. Back now. :)
Re: (Score:2)
http://it.slashdot.org/story/13/03/04/1721233/rsa-from-apple-keys-to-biometric-security-devices-video [slashdot.org] Especially the comments by RocketRabbit.
Re: (Score:2)
I have no idea. I did my editing & upload task and moved on to write a Cheap Computing [techtarget.com] column or something else not related to Slashdot.
I rarely if ever moderate, and it's obvious that I did not moderate any comments on this story because I'm posting comments on it.
It's entirely possible that other readers didn't like the false "it's an ad" accusations and moderated them down. Or it could have been one of the full-time editors. Got me. If I knew, I'd tell you.
The thing that always puzzles me on Slashdot
Re: (Score:2)
It's not unthinkable that real people would mod this down. It's fine to point out that it's an advertisement, but when the first thread just keeps going on and on about it, I could see how some people would consider that to be off topic.
Re: (Score:2)
The obvious "first post" shit is always at the bottom. It's boring stuff posted by bored people who refresh the front page too often. The same copy 'n paste answers to the same dupe story themes.
A few hours after the story is posted, the insightful comments start. Happy days.
Roblimo as an "editor" (Score:4, Interesting)
Re: (Score:2)
What's with all of the down-voting on comments on the "key caps" article that dared to ask if the article itself was a slashvertisement? There's something bizarre about 13 out of 19 comments being down-modded to (-1) scores so rapidly, particularly when some of them were obviously not troll postings but merely questioning the usefulness of the article itself.
http://it.slashdo [slashdot.org]
Lost fight (Score:2)
Re: (Score:2)
It IS hard to teach common sense, but it's not hard to demonstrate it. That's what PhishMe does. Shows employees how to recognize phishing emails by exposing them to safe phishing emails. Think of it as a vaccine.
Re: (Score:2)
If you aren't sending generic mails, but something tailored for the recipient (and in particular, the weakest link between the possible ones) t
PWNED! (Score:5, Funny)
Everyone who clicked on this link needs to now attend a phishing training class, you have all been suckered into clicking on this blatant advertisement!
Open that email (Score:2)
If merely opening an email can do anything more than let you see and hear its content (and stop the instant you close it), then there is something wrong with your computer. And even that much is risky.
Antiphishing (Score:3)
Re: (Score:2)
if you can't even recognize or take steps to recognize whats real
Simply call the company to ask, so I can blame the users in that case.
cracking/hacking (Score:2)
eh? cracking, to old timers, is the act of bypassing software locks. hacking is trick/cool repurposing/extension. spearphishing is plain old social engineering.
Well that's easy (Score:2)
Spearphishing. The deluxe (but easy) way to get unwary employees to put malware on your network.
Hey, if i want to put malware on my network it's even easier to just do it myself.
Microsoft Spearphishing © (Score:2)
We tried this in 2001 (Score:2)
We didn't get any kind of authorisation or even discuss it with anyone first and yes, we got in trouble with management for embarrassing staff (we did not name and shame, so we d
Re:This is stupid and useless. (Score:4, Insightful)
It's not about being dumb, it's about not being aware. If the first phishing email you come across is one that's technically advanced and well written enough to slip through the technological filter: then you as a corporate employee are probably going to fall for it. Especially if it's a true spear-phishing email that's targeting *you*. It'll look like an email from your boss with yet another emailed PDF or DOCX report to review. Bam.
The solution that PhishMe proposes is to safely expose employees to phishing emails on a regular basis and teach everyone to recognize actual phishing emails from those demonstrations. The human reading the email and about to click the link or open the attachment is your last line of defense and shouldn't be neglected as such.
Re: (Score:2, Funny)
While that's entirely true, lots of my co-workers have trouble even recognizing obviously fake stuff. If I need a colleague to speed up on a project, I send him a stern e-mail and CC "his b0ss" (and replace the "o" with "0" or "i" with "1" or something similar). They always fall for it, think I also told their boss, and double their efforts... from 30 minutes a day to 60, but still better than zero.
And you want THEM to be TRAINED on PHISHING? Ha!
Re: (Score:2)
Not quite true. Your company might rely on "software as a service" companies (ironically companies just like phishme,) which means you will get a lot of false positives!
Consider Joe Lowlypeon getting an email from Jane Q. Important, the Senior VP of HR, asking them to take an employee satisfaction survey, and it contains a link to surveymonkey.com. The survey has their company logo on the top, it's done up in the company colors, and it's filled with mundane questions such as if the coffee in the break roo
Re: (Score:2)
Not quite true. Your company might rely on "software as a service" companies (ironically companies just like phishme,) which means you will get a lot of false positives!
Consider Joe Lowlypeon getting an email from Jane Q. Important, the Senior VP of HR, asking them to take an employee satisfaction survey, and it contains a link to surveymonkey.com.
This.
At a previous employer, I got an email "from" the HR department that hit every "phish/scam" warning. There was nothing in the Received: header IP addresses or the actual domains in the links that had anything to do with the company. The HREFs in the email were of the classic "fraudulent link" form <a href="12horses.com/long-serial-number-path"> hr.companydomain.com </a>. I had never heard of, "12 Horses", which name (before I knew who they were) just screams "Fly-by-night randomly gener
Re: (Score:2)
It should be trivial, but it's not. When you create one of those surveys, if you pay enough money they allow you to import a list of contacts, and the survey company will send out the official invitations to take the survey. So when you're looking at it the link is to takeoursurvey.com, the email is from takeoursurvey.com, and nothing in the process authenticates that it originated from mycompany.com other than the pasted-in name of a VIP (which is readily available from most companies public SEC filings.
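An added example, not code from any commenter, of the two tells raised in this sub-thread: the "b0ss" look-alike sender domain a few comments up, and an HTML link whose visible text names the company's own host while the href points somewhere else. It uses only the Python standard library. The trusted-domain set, the homoglyph table and the sample survey invitation are constructed assumptions for the demonstration; the host names in it are reserved or made-up, not the real ones mentioned in the thread.

```python
import email
import email.utils
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for the demonstration: domains the recipient's organization really uses.
TRUSTED_DOMAINS = {"example.com", "surveymonkey.com"}

# Characters attackers swap in because they look alike at a glance (the "b0ss" trick).
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "|": "l"})


def normalize(domain):
    """Collapse common look-alike substitutions so 'examp1e.com' reads 'example.com'.
    Heuristic: 'rn'->'m' and 'vv'->'w' can also fold legitimate names, so treat a hit
    as a reason to look closer, not as proof."""
    return domain.lower().translate(_HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def lookalike_of(domain):
    """Trusted domain this one imitates, or None if it is trusted or simply unrelated."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None
    norm = normalize(domain)
    return next((t for t in TRUSTED_DOMAINS if normalize(t) == norm), None)


def registrable(host):
    """Last two labels: hr.example.com -> example.com (simplification: ignores co.uk-style suffixes)."""
    return ".".join(host.lower().split(".")[-2:])


class _LinkCollector(HTMLParser):
    """Collects (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Anchor text that itself looks like a URL or host name, e.g. "hr.example.com".
_HOST_TEXT = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#]\S*)?$", re.I)


def link_mismatches(html):
    """(shown host, real host) for every link whose visible text names a different site."""
    p = _LinkCollector()
    p.feed(html)
    found = []
    for href, text in p.links:
        m = _HOST_TEXT.match(text)
        if not m:
            continue          # "Click here" style text: nothing to compare against
        shown = m.group(1).lower()
        real = urlparse(href if "://" in href else "http://" + href).hostname or ""
        if registrable(shown) != registrable(real):
            found.append((shown, real))
    return found


def analyze(raw):
    """Run both checks over a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    _, addr = email.utils.parseaddr(msg.get("From", ""))
    sender = addr.rpartition("@")[2].lower()
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    return {"sender_domain": sender,
            "lookalike_of": lookalike_of(sender),
            "link_mismatches": link_mismatches(html)}


def sample_message():
    """Constructed sample in the shape described above: a 'VP of HR' survey invitation."""
    m = EmailMessage(policy=policy.default)
    m["From"] = "Jane Q. Important <jane.important@examp1e.com>"
    m["To"] = "joe@example.com"
    m["Subject"] = "Employee satisfaction survey"
    m.set_content(
        '<p>Please take our survey: '
        '<a href="http://mailer.invalid/long-serial-number-path">hr.example.com</a></p>',
        subtype="html")
    return m.as_bytes()


if __name__ == "__main__":
    print(analyze(sample_message()))
```

As the comment above notes, a survey service that mails from its own domain produces neither signal, so a real analyzer would still have to fall back on whether the company has told staff that the service is in use; these checks catch the impersonation cases, not the "legitimate but indistinguishable" ones.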
Re: (Score:2)
I especially like the bit where the guy dodges the "Who are your customers?" bit.