Author: Todd Becker, PCI QSA, ISO 27001 Auditor
Phishing is by no means a new topic in today’s news. But the increasing complexity and targeted nature of attacks have evolved to a level of sophistication that is even phooling knowledgeable members of the IT community. The end result could just be embarrassing, but it could also cost millions of dollars, or your professional reputation.
Gone are the days when simply hovering over a link in an e-mail would reveal the nefarious nature of the message you received. Spear phishing, an enhanced approach to phishing that sends a low volume of targeted, customized messages to specific individuals, has become so effective that it works on knowledgeable, cautious professionals whom you would expect to know better. Even more troubling is longlining, a phishing technique that uses previously compromised machines to combine the targeted stealth of spear phishing with the broad volume of standard phishing. Longlining sends multiple variations of customized messages from trusted (but compromised) domains and tens of thousands of unique IP addresses, making these campaigns virtually undetectable by reputation-based filtering alone.
In mid-May, the Financial Times was compromised as the result of a well-organized and targeted phishing attack aimed at, among others, members of its IT organization. In that case, the initial compromise led to additional exposure, as the attackers used the IT organization's own communications against it.
Also in May, arrests were made in connection with two separate cyber thefts totaling $45MM. These new-age bank heists are believed to have been initiated through spear phishing of bank employees.
Phishing is not the only risk you can help to manage. Using strong, unique passwords and multi-factor authentication helps to minimize your exposure when credentials are stolen or guessed. In August, a journalist from Wired.com was the victim of an attack that leveraged his interconnected online profiles and took advantage of security weaknesses in Amazon's and Apple's account-recovery processes, resulting in loss of control of multiple accounts and personal devices.
Security awareness training and incident response planning, including simulation exercises and specific response procedures, are crucial activities that reduce the risk of compromise and prepare you and your organization to respond if a threat does succeed in penetrating your systems.
Contact HALOCK and find out how we can help you phend off the phishers.