Phishers using Twitter and Facebook is nothing new, but the security community expects it is only a matter of time before social networks are used as a launch pad for phishing attacks against enterprises. Here are a few tips to keep in mind when talking to your employees about phishing.
Two of the Web's most popular social networks, Facebook and Twitter, made the news last week when they were hit with phishing scams. Despite the publicity, most phishers targeting enterprise data are not hooking victims via social networks, at least not yet.
"We've yet to respond to an incident where messaging from social networking sites like Facebook and LinkedIn was used to send the phish ... but it's coming," said Rohyt Belani, CEO of Intrepidus Group. "I think the reason why it's not a popular way to deliver phishing attacks against companies is because companies are still figuring out if they are going to embrace social networking or shun it. Companies are currently spending money on carefully monitoring their brand and trademarks, and they are wary to fully embrace social networking sites."
Still, with companies looking to Twitter to reach out to customers, spear phishers may soon have a fantastic weapon to target enterprises.
"Mostly because of all of these URL length reduction services like http://twitpic.com/ or tinyurl.com," Belani said, "the user has no idea where they are going to be redirected to when they click that link, and phishers are going to soon take advantage of that user behavior."
Earlier this year, the Intrepidus Group performed a study of 69,000 employees from companies around the world using 32 phishing scenarios. What they found was 23 percent were susceptible to the attacks. Sixty percent of those who responded to the phishing e-mails did so within 3 hours of receiving them, according to the study.
"The successful phishing attacks are very targeted these days," Belani said. "Attackers carefully plan their phishing e-mails and can extract valuable information from a variety of sources. Of course, business social network sites like LinkedIn are treasure troves of information for a phisher, but there are many other contact aggregators that are goldmines for social engineers [such as zoominfo.com and jigsaw.com]."
Over at Netragard, officials performed a penetration test using a bogus Facebook profile and tricked employees at an energy company into giving up credentials that could have been used to access the majority of the systems on the network, including the mainframe.
With that in mind, here are a few tips for training employees to avoid phishers:
1. Show, Don't Just Tell. It helps if employees see how what they are learning applies to them. Consider showing them a real phishing e-mail and explain to them the types of tactics spear phishers use to target people both in and out of the office.

"If they feel like they are learning security tips that will help them at home as well as work, they will be more receptive to training," Belani said. "Send them real mock phishing examples regularly to hone their skills. Make it fun."
2. Evaluate Your Communication Policies. Businesses should take a look at their own policies around corporate communication and gauge just how vulnerable to phishing they are, Belani said.

"Do they regularly send out links in e-mail? Consider altering that behavior and in place of URLs in e-mail direct employees to the link on the intranet page 'Intranet / Home / HR / New 401k.'"
3. It's Not Paranoia If They Are Really After You. Some suspicion is a good thing. Teach employees to question e-mail, especially from new senders. If you get an unusual or unexpected message, attachment or question, try confirming its validity offline.
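The second tip asks how often a company itself e-mails links to staff, and Belani's earlier point is that shortener links such as tinyurl.com or twitpic.com hide their destination. The script below is an added example, not code from the article or from Intrepidus Group: it audits a set of outbound messages, counts links per sender, separates intranet links from external ones, and flags any shortener link. The sample messages, the sender addresses, the `example.com` internal-domain suffix and the list of shortener hosts beyond the two named in the article are all constructed assumptions.

```python
"""Audit outbound e-mail for links that train employees to click.

Added example for the "Evaluate Your Communication Policies" tip. It counts how
often each sender puts URLs in e-mail, separates internal (intranet) links from
external ones, and flags URL-shortener links whose destination the reader cannot
see. The mailbox, senders, internal suffix and extra shortener hosts are
constructed assumptions, not data from the article.
"""
import re
from collections import Counter
from urllib.parse import urlparse

# Shortener/redirector hosts: the two named in the article plus a few common ones.
# Assumption: extend this with whatever your own mail logs show.
SHORTENER_HOSTS = {"tinyurl.com", "twitpic.com", "bit.ly", "t.co", "goo.gl", "is.gd"}

# Assumption: hosts under this suffix are the organisation's own infrastructure.
INTERNAL_SUFFIX = ".example.com"

URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""", re.IGNORECASE)


def extract_urls(body):
    """Return all http(s) URLs in a message body, trailing punctuation stripped."""
    return [u.rstrip(".,;:") for u in URL_RE.findall(body)]


def host_of(url):
    """Lower-cased hostname without a leading 'www.'; empty string if unparsable."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def classify_url(url):
    """'shortened', 'internal' or 'external', checked in that order."""
    host = host_of(url)
    if host in SHORTENER_HOSTS:
        return "shortened"
    if host.endswith(INTERNAL_SUFFIX) or host == INTERNAL_SUFFIX.lstrip("."):
        return "internal"
    return "external"


def audit_messages(messages):
    """Summarise link habits; each message is a (sender, body) pair."""
    summary = {
        "messages": len(messages),
        "messages_with_links": 0,
        "links": Counter(),            # totals per kind: shortened/internal/external
        "links_by_sender": Counter(),  # who habitually e-mails links
        "flagged": [],                 # (sender, url) for every shortener link
    }
    for sender, body in messages:
        urls = extract_urls(body)
        if urls:
            summary["messages_with_links"] += 1
        for url in urls:
            kind = classify_url(url)
            summary["links"][kind] += 1
            summary["links_by_sender"][sender] += 1
            if kind == "shortened":
                summary["flagged"].append((sender, url))
    return summary


# Constructed sample mailbox; none of these are real messages.
SAMPLE_MESSAGES = [
    ("hr@example.com",
     "New 401k enrollment opens Monday: http://intranet.example.com/hr/401k."),
    ("marketing@example.com",
     "We are now on Twitter! Follow us: http://tinyurl.com/xyz123 "
     "and read the press release at https://www.example.com/news/twitter"),
    ("it@example.com",
     "Password rotation is due Friday. Go to Intranet / Home / IT / Passwords."),
    ("sales@example.com",
     "Competitor teardown here http://twitpic.com/abc99 and the analyst report "
     "at https://research.example.org/reports/q2."),
]


def print_report(summary):
    """Human-readable view of audit_messages() output."""
    print(f"{summary['messages_with_links']} of {summary['messages']} messages contain links")
    for kind in ("internal", "external", "shortened"):
        print(f"  {kind:9s}: {summary['links'][kind]}")
    for sender, n in summary["links_by_sender"].most_common():
        print(f"  {sender}: {n} link(s)")
    for sender, url in summary["flagged"]:
        print(f"  FLAG shortened link from {sender}: {url}")


if __name__ == "__main__":
    print_report(audit_messages(SAMPLE_MESSAGES))
```

Run against a real mailbox export, the `links_by_sender` counter shows which departments are conditioning staff to click, and the `flagged` list is the concrete set of messages to rewrite as intranet-path references rather than URLs.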