Reengineering Human Behavior Can Foil Phishing

Almost all cyberattacks these days require an element of social engineering. Spammers are always looking for that hot button to induce a click on a link or an attachment. Drive-by artists continually experiment with poisoned banner ads designed to steer the curious into an online dark alley. Spearphishers put together persuasive pitches pretending to be friends or a trusted institution.

What makes social engineering maddening to system defenders is there are no technology quick fixes to combat it. No matter how many spam mails or websites you block, some form of malicious enticement is bound to land in front of a pair of eyeballs unable to resist temptation.

While that may make some in the security industry throw up their hands in surrender, Rohyt Belani, CEO and cofounder of PhishMe, isn’t one of them.

PhishMe uses simulated phishing attacks to train employees to avoid the kind of social engineering pitfalls found in email. The first time an organization is hit with a simulated attack, an average of 58 percent of cubicle rats will click the cheese in a phishing email.

“By the time we’re through a program of 18 months and five or six more simulations, they’re down to 8 percent,” Belani told TechNewsWorld.

The key isn’t just simulations, he said, but following up the simulations with instant nuggets of education targeted at employees who showed they were susceptible to being fooled.

“We take advantage of a teachable moment with bite-sized instruction — 60 to 90 seconds — that we rinse and repeat over the course of time,” Belani observed. “After a while, you actually see people changing their behavior.”

WordPress Data Wave Attacks

For months, some security researchers have been warning of an epidemic of infections at sites hosting popular platforms like WordPress and Joomla. Last Friday, more evidence of that trend appeared as a botnet composed of more than 500 compromised WordPress blogs launched DDoS blizzard attacks on sites across the Web.

Among the sites reportedly in the botnet were blogs at Mercury Science and Policy at MIT, National Endowment for the Arts, Pennsylvania State University and Stevens Institute of Technology.

“WordPress servers have become just another easy target for nation-state supported hackers, electronic armies and technical extremists that happen to wake up on the wrong side of the bed on any given day,” Stephen Gates, chief security evangelist for Corero Network Security, told TechNewsWorld.

Hackers want to create botnets that are more powerful, have more reach, and can do more damage than in the past, he explained. WordPress or any other hosting platform gives them those capabilities.

For Gates, it’s a matter of simple math. To build a botnet that could generate 100 Gbps of attack traffic using older computers sitting behind DSL modems generating a modest 1 Mbps of attack traffic, you’d need 100,000 machines.

“That’s a rather sizable botnet that any hacker would be proud of,” he said.

However, if you infect a server sitting in a hosting environment, it could generate 1 Gbps of attack traffic, and you could generate 100 Gbps of attack traffic with just 100 machines.

“That’s a very small botnet with some serious horsepower,” Gates observed.

Breaking Into the Brokers

Cyberbloodhound Brian Krebs broke a shocking story last week (see Breach Diary below) about a black-market identity broker who appeared to have penetrated some of the largest information brokers in America and had access to all sorts of goodies — from credit and background reports to birth records.

The identity theft outfit apparently used a small but well-focused botnet to directly communicate with the internal systems of the likes of LexisNexis and Dun & Bradstreet.

“This is an astonishing example of a stepping stone attack,” Patrick Peterson, founder and CEO of Agari, told TechNewsWorld.

In a stepping stone attack, high-value targets, which usually have tight security, are assaulted from trusted systems that have less security but access to the high-value target — a supplier, for example.

“While we don’t yet know whose data has been compromised, with this stolen data, millions of Americans are now at risk as the criminals knit the stolen data together with their attacks to go after identity theft and bank accounts,” Peterson said.

“Expect to see more targeted attacks leveraged from their stolen personal email,” he predicted.

Breach Diary

  • Sept. 24. Lawrence Hincker, associate vice president for university relations at Virginia Tech, blames human error for data breach exposing sensitive information about 145,000 job applicants over the last 10 years. A server containing the data was placed in service without deploying the university’s normal security protocols and was subsequently accessed illegally.
  • Sept. 24. Executive director of Minnesota’s online healthcare marketplace authorized by the federal Affordable Health Care Act tells legislative oversight committee the exchange’s data is secure and privacy of its participants protected. The exchange is scheduled to go online Oct. 1. Earlier, it was reported that an employee of the agency accidentally released the Social Security numbers and other personal data of at least 1,500 brokers participating in the marketplace.
  • Sept. 24. Ferris State University in Michigan announces it is closing its investigation into data breach of server containing some 62,000 names and Social Security numbers, including nearly 4,000 patients affiliated with the Michigan College of Optometry. There is no evidence that any information was viewed or removed from the server, the university said.
  • Sept. 24. Holy Cross Hospital in Fort Lauderdale, Fla., sends letters to 9,900 former patients alerting them that their personal data was accessed by a former employee. Information includes patient names, dates of birth, addresses and Social Security numbers. The employee may have wanted the information to file false tax returns, according to the hospital.
  • Sept. 24. ICG America informs Maryland Attorney General that its credit card processing system was subject to a cyberattack that lasted from January to August. Malware was installed on the system capable of decrypting and capturing payment card information. It is not yet known if any information was viewed or removed from the system. Some 6,105 Maryland residents were affected by the breach.
  • Sept. 25. Kaspersky Lab reports “Icefog” hackers who breached the computers of Japan’s parliament in 2011 also conducted surgical data attacks against other organizations in South Korea and Japan. After penetrating their targets, the hackers carefully copied selected files and stealthily left the systems. “In the future, we predict the number of small, focused APT-to-hire groups to grow, specializing in hit-and-run operations, a kind of ‘cyber mercenaries’ of the modern world,” Kaspersky noted.
  • Sept. 25. Security blogger Brian Krebs reports underground identity theft service has infiltrated some of the largest information brokers in the United States and obtained Social Security numbers, birth records, credit and background reports on millions of Americans. Brokers cited by Krebs include LexisNexis, Dun & Bradstreet and Kroll Background America, now part of HireRight, a background-checking firm managed by another company, Altegrity.
  • Sept. 26. South Carolina announces Oct. 1 as the launch date of a new Identity Theft Unit in the state’s Department of Consumer Affairs. A data breach at the state’s tax department compromised personal information of some 6.3 million taxpayers, businesses and children in 2012. Those affected by the breach were offered free credit monitoring under a US$12 million contract with Experian, but that contract expired in September.

Upcoming Security Events

  • Sept. 30-Oct. 4. INTEROP 2013. Javits Center, New York City. Registration: all access pass, $3,099 (Mon.-Fri.); conference pass, $2,199 (Wed.-Fri.); Mac & iOS IT, $1,899 (Mon.-Tue.).
  • Oct. 1-3. McAfee Focus 13 Security Conference. The Venetian / The Palazzo Resort-Hotel-Casino, 3325-3355 Las Vegas Blvd., South Las Vegas. Registration: Early Bird to July 31, $875/$775 government; Standard to Oct. 3, $995/$875 government.
  • Oct. 1-3. Governmentware 2013. Suntec Singapore International Convention & Exhibition Center. Registration: Government, $588.50; Others, $900, plus tax.
  • Oct. 2-4. 23rd Virus Bulletin International Conference. Maritim Hotel, Stauffenbergstrasse 26, Berlin, Germany. Registration: Standard, $1,895; Education, $947.50.
  • Oct. 2. Visa Global Security Summit — Responsible Innovation: Building Trust in a Connected World. Ronald Reagan Building and International Trade Center, Washington, D.C. Free with registration.
  • Oct. 2. Information Security Conference. Charleston Civic Center. Sponsored by West Virginia Office of Technology. Free.
  • Oct. 5. Suits and Spooks. SOHO House, New York City. Registration: Early Bird, $395 (July 5-Aug. 31); $625 (Sept. 1 and after).
  • Oct. 8-9. Cyber Maryland 2013. Baltimore Convention Center, Baltimore, Md. Registration: $495; government, free; academic faculty, $295; student, $55.
  • Oct. 9. Induction Ceremonies at Cyber Security Hall of Fame for James Bidzos, David Bell, Eugene Spafford, James Anderson and Willis H. Ware. 6 p.m.-10 p.m. Hilton Baltimore, 401 W. Pratt Street, Baltimore. Dinner Admission (Black Tie Optional): $250.
  • Oct. 17-18. 2013 Cryptologic History Symposium. Johns Hopkins Applied Physics Laboratory’s Kossiakoff Conference Center, Laurel, Md. Registration information to be announced.
  • Oct. 29-31. RSA Conference Europe. Amsterdam RAI. Registration: Early Bird to July 26, 895 euros + VAT delegate / 495 euros + VAT one-day pass; Discount from July 27 – Sept. 27, 995 euros + VAT delegate / 595 euros + VAT one-day pass; Standard from Sept. 27-Oct. 27, 1,095 euros + VAT delegate / 695 euros + VAT one-day pass; On site from Oct. 28-31, 1,295 euros + VAT.
  • Nov. 6. Government-Industry Security Summit. Crystal Gateway Marriott, 1700 Jefferson Davis Highway, Arlington, Va. Registration: government, free; academic, $100; industry, $599.
  • Nov. 18-20. Gartner Identity & Access Management Summit. JW Marriott at L.A. Live, 900 West Olympic Boulevard, Los Angeles, Calif. Registration: Early Bird to Sept. 27, $2,075; Standard, $2,375; Public Sector, $1,975.
  • Dec. 4-5. MENA Business Infrastructure Protection 2013 Summit (Risk Management and Security Intelligence for companies in the Middle East and North Africa). Dubai.
  • Dec. 9-13. Annual Computer Security Applications Conference (ACSAC). Hyatt French Quarter, New Orleans.
  • Jan. 20-21, 2014. Suits and Spooks. Waterview Conference Center, Washington, D.C. Registration: Sept. 20-Oct. 20, $415; Oct. 21-Dec. 1, $575; After Dec. 1, $725.

John Mello is a freelance technology writer and former special correspondent for Government Security News.

1 Comment

  • Phishing training is now essential, and training programs need to be ongoing, not just once-a-year, checkbox-type training.

    Employees will only get better at identifying phishing emails with practice, and phishing simulations are essential in this regard. Any failures can be turned into learning opportunities.

    Employees may be the weakest link in security, but that can be changed.

    BTW, you refer to PhishMe in the article. Just to let you know the company has rebranded and is now called Cofense.
