November 08, 2011, 11:10 AM — It may be the IT industry's equivalent of "Employees Must Wash Hands Before Returning to Work," but "Don't Open Attachments You're not Expecting" is a lesson with far more dire consequences for failure than the possibility of making a few customers sick.
Of the long list of stratospherically successful hacks on governments and major corporations this year, nearly all began with a series of emails designed to sound like genuine requests from genuine employees but carrying attachments with malware that would give fraudsters free remote access to the secure network.
That's why corporate security is going crazy trying to retrain employees in precautions so basic they shouldn't need to be repeated.
Don't. Open. The. Attachment.
Just leaning on employees doesn't work, however, unless you also add additional processes that require the one making the request to prove his or her identity, according to Amit Klein, CTO of fraud-detection specialist service company Trusteer.
It's far simpler to do that in banking – where moving money from here to there requires a series of well-defined, enforceable processes that can be changed to respond to new threats.
In less structured industries, it's almost impossible to ferret out the fraud attempts or keep employees from ever opening the wrong attachment.
It doesn't work for the same reason their spam and phishing filters don't always work: If the emails are spoofed correctly, with all the right addresses, names of managers or other employees the victim should know, and a legitimate-sounding problem, there's no reason for the employee to assume that email is any different from 100 others containing the same kind of request.
If it doesn't sound fishy to the employee, content-analyzing filters aren't going to catch them, either. It's only after the attachments are open and the malware is loose that behavioral virus-pattern identifiers might catch the infection.
By then it's often too late.
Once you get the end user to do something reckless, you're home free.
For the spear phishers, however, it's hard to get to that point, and getting harder.
High-value target industries, especially banks and financial services companies, have been able to cut down the rate of infection using a combination of training and technology.
The biggest problem, at least for fraudsters targeting banks and financial institutions, is that malware such as Zeus and the recently discovered Ramnit is designed to map the flow of transactions through an organization to help hackers slip in their own fraudulent transactions without alerting anyone.