Two of the Web’s most popular social networks, Facebook and Twitter, made the news last week when they were hit with phishing scams. Despite the publicity, most phishers targeting enterprise data are not hooking victims via social networks-at least not yet.
“We’ve yet to respond to an incident where messaging from social networking sites like Facebook and LinkedIn was used to send the phish … but it’s coming,” said Rohyt Belani, CEO of Intrepidus Group. “I think the reason why it’s not a popular way to deliver phishing attacks against companies is because companies are still figuring out if they are going to embrace social networking or shun it. Companies are currently spending money on carefully monitoring their brand and trademarks, and they are wary to fully embrace social networking sites.”
Still, with companies looking to Twitter to reach out to customers, spear phishers may soon have a fantastic weapon to target enterprises.
“Mostly because of all of these URL length reduction services like http://twitpic.com/ or tinyurl.com,” Belani said, “the user has no idea where they are going to be redirected to when they click that link, and phishers are going to soon take advantage of that user behavior.”
Earlier this year, the Intrepidus Group performed a study of 69,000 employees from companies around the world using 32 phishing scenarios. What they found was 23 percent were susceptible to the attacks. Sixty percent of those who responded to the phishing e-mails did so within 3 hours of receiving them, according to the study.
“The successful phishing attacks are very targeted these days,” Belani said. “Attackers carefully plan their phising e-mails and can extract valuable information from a variety of sources. Of course, business social network sites like LinkedIn are treasure troves of information for a phisher, but there are many other contact aggregators that are goldmines for social engineers [such as zoominfo.com and jigsaw.com].”
Over at Netragard, officials performed a penetration test using a bogus Facebook profile and tricked employees at an energy company into giving up credentials that could have been used to access the majority of the systems on the network, including the mainframe.
With that in mind, here are a few tips for training employees to avoid phishers:
1. Show, Don’t Just Tell. It helps if employees see how what they are learning applies to them. Consider showing them a real phishing e-mail and explain to them the types of tactics spear phishers use to target people both in and out of the office.
“If they feel like they are learning security tips that will help them at home as well as work, they will be more receptive to training,” Belani said. “Send them real mock phishing examples regularly to hone their skills. Make it fun.”
2. Evaluate Your Communication Policies. Businesses should take a look at their own policies around corporate communication and gauge just how vulnerable to phishing they are, Belani said.
“Do they regularly send out links in e-mail? Consider altering that behavior and in place of URLs in e-mail direct employees to the link on the intranet page ‘Intranet / Home / HR / New 401k.'”
3. It’s Not Paranoia If They Are Really After You. Some suspicion is a good thing. Teach employees to question e-mail, especially from new senders. If you get an unusual or unexpected message, attachment or question, try confirming its validity offline.