Could you say no to these adorable kittens? Apparently, you’re not alone. Nearly half of all people who receive an email containing an image of a cute cat will automatically open it, according to security training firm PhishMe. But behind those feline fakes lies danger – or at least, the potential for it.
The Wall Street Journal’s Geoffrey A. Fowler has a fascinating story today about how companies are using faux phishing attacks – including links to bogus cat videos – to teach employees how to handle real ones. Per Fowler:
Many big network breaches begin not with brainy hacker code but with workers who are tricked by so-called social engineering, which manipulates people into revealing sensitive information. So companies are trying to get workers to act badly before the bad guys do.
Interestingly, last week I interviewed the CEO of a company that does just that. Stu Sjouwerman is CEO of KnowBe4, which trains employees at mostly small and medium-sized businesses to detect cyber attacks before they do any damage. Sjouwerman knows whereof he speaks; he’s the founder of security software firm Sunbelt Software (now called ThreatTrack Security).
For months, Sjouwerman worked with famed hacker-turned-journalist Kevin Mitnick to devise phishing tricks that would fool all but the savviest users. He then sends these bogus emails to employees using a fake return address, and notes which ones take the bait.
Sjouwerman’s tests are tough. They’ll sometimes look like they came from the company’s HR department and contain information about employee benefits. But when employees click the link inside the message, they'll see something that looks like this:
Typically 20 to 30 percent of users automatically click on links and attachments in his test emails, says Sjouwerman. Those “phish prone” users are the ones companies need to focus on training. KnowBe4 charges $15 to $20 per user annually to teach them how not to become victims. He says that after a few weeks of training the rate of people who reflexively click on potential phishing links drops by 70 to 80 percent.
But the most fascinating part of our conversation concerned the role that social networks like Facebook and Twitter play in crafting attacks targeted to specific individuals – known as “spear phishing.” Cyber crooks will use information gleaned from social media to target important people in an organization, like a CFO or CEO.
“These guys are adept at penetrating C-level executives, who are actually the easiest to social engineer because they think the usual security rules don’t apply to them,” he says. “And if they get nailed they just blame IT for not protecting them.”
Attacks like this can be both sophisticated and subtle, Sjouwerman says. For example, using information gleaned from the Web, attackers can learn that a firm's CFO has lost a family member to cancer and is active in an anti-cancer foundation. They also learn what his favorite restaurant is. They then send him an email pretending to be from the charity, asking for his feedback on a new fundraising campaign and offering a free dinner at that restaurant as a reward. The “fundraising campaign” contained in a PDF attachment is, of course, infected with malware.
“Once an executive opens a file like this, the attackers own him,” Sjouwerman says. “They can install a remote access program onto his PC, or a keylogger that records his name and password the moment he logs onto his bank or the company network and sends it on to the attackers, who may not use that information until months later.”
If that doesn’t worry you, it should. Most of us have large digital footprints that are hard to suppress. If you’ve got a LinkedIn account, tweet about your life, or make parts or all of your Facebook profile public, an attacker can learn enough about you to make it seem like he knows you. And even if you’ve locked down all your social media accounts so that only people you know can see this stuff about you, you’re still at risk. All it takes is for an attacker to befriend one of your friends or connections, and then gain access to your information from them.
The best defense, says Sjouwerman, is for users to get a lot smarter about identifying and avoiding attacks. KnowBe4 publishes a list of 22 red flags that indicate whether an email that looks legit really isn’t. My advice would be to memorize that list, and to never click a link in an email or open an attachment unless you’re truly sure it is what it appears to be – and not a backdoor into your network or your life.
Got a question about social media or privacy? TY4NS blogger Dan Tynan may have the answer (and if not, he’ll make something up). Visit his snarky, occasionally NSFW blog eSarcasm or follow him on Twitter: @tynanwrites. For the latest IT news, analysis and how-to’s, follow ITworld on Twitter and Facebook.