Targeted Spear Phishing Attacks and ‘watering holes’

Targeted spear-phishing attacks are going after not just individuals but entire websites that function as “watering holes” for groups of people with focused interests, according to security company Websense.

“Spear-phishing is most associated with targeted attacks, typically via malware-loaded email, intended to take over an individual’s computer to spy or steal something important from the victim. But a more recent trend in spear-phishing is the targeting of entire websites in order to have a crack at a community of individuals whose computers you’d like to compromise”, says Chris Astacio, security research manager at Websense.

Websense research found that the majority of phishing attacks are sent on Mondays and Fridays.

Top phishing days of the week (percentage, based on July-August 2012 research):

Friday: 38.5%
Monday: 30%
Sunday: 10.9%
Thursday: 6.5%
Tuesday: 5.8%
Wednesday: 5.2%
Saturday: 3.2%

In an interview with PC Magazine Carl Leonard, senior security research manager, EMEA at Websense, said that spear phishing is not about sending 500,000 malicious emails in the hope that ten per cent of recipients will click on it, but it is targeted and dependent on timing.

Leonard went on to say: “The attacker doesn’t do any emails at all; they are waiting like an alligator to jump out. We see this being used in the last six months and it is efficient to me, as people can be targeted with spear phishing messages and social engineering techniques are used in these ‘watering hole’ attacks. The user sees something and thinks it is for them and clicks on it.”

New phishing attacks are more targeted and contain information that makes the recipient believe the information is legitimate. There is invariably a specific intention in mind.

In this “watering hole” attack, the goal is to compromise a website to understand who visits it and why, and to place malware on it to try and target those visitors, Astacio says. For the attackers, “the idea is that they lie in wait,” he says, watching what individuals do in order to target them.


Cyber Attacks – How Seriously Do We Treat Them?

I was reading an article in an online PC Magazine about companies that stage mock phishing attacks in order to monitor how their staff react. It appears that no matter how many security systems companies have in place, such as PCs and mobile devices securely locked down with a strong, complex password when not in use, or a cross-device security tool that blocks unwanted traffic on both PC and mobile device and protects sensitive data, there is still one weak link, irrespective of how good all the security measures are. Unfortunately, that Achilles heel is YOU.

We go to great lengths to physically protect our homes with security gates and burglar bars that are strong and sturdy and, once installed, are almost guaranteed to keep burglars OUT and our property securely protected. Additional security can be added, such as electronic beams and alarm systems, which are set off whenever an unwanted intruder tries to enter our home without our approval.

In both situations the potential intruders will try different methods to gain your trust, with the aim of obtaining your approval so they can gain access to either your property or your PC and mobile systems. These criminals are continuously looking for different ways to illegally obtain your possessions, whether physical or personal. In both situations we need to be aware that this can and does happen, and that we need to be more diligent about who and what we trust.

We need to remember that we are, in general, the weakest link when it comes to digital security. The tools that we and our companies have in place can guard against known threats and can even identify and block suspicious activity from many unknown threats. But if we click on a malicious link in a phishing email, our security tools are more likely to view the activity as legitimate because we were the ones who initiated it. If you open an attachment from an email that claims to be from the bank or any other trusted source, and fill in sensitive personal information as requested, there is little these security tools can do to protect you.


Protecting Yourself From Phishing Attacks

Phishing attacks — online trolling for personal information in order to raid your financial accounts — are soaring. According to cyber-security experts at RSA, phishing attacks jumped 37 percent last year and have proven to be exceptionally costly, with the average attack resulting in $4,500 in stolen funds.

There are still 5 simple ways to catch a phishing attempt before it catches you (source: Kathy Kristof). Specifically:

Don’t click. If your bank or credit card company sends a warning message saying that your account has been compromised and you need to click through an emailed link to “verify your account information,” don’t. Banks and credit card companies don’t communicate that way. Neither does the IRS. If there’s a problem with a bank or credit card account, they’ll call you.

Go direct. If you get one of these emails and are worried that there may be a real problem with your account, open up a new browser window, go directly to your bank site and sign in there. Chances are, you’ll see something along the lines of: “(Your bank) DOES NOT send emails instructing you to click on a link to enter your personal information.” When you sign on without trouble and there’s no other message from your bank saying that your account is compromised, you know that it’s not. Delete the email that caused you to worry, but remember it — and the fact that it was a scam — for next time.

Don’t try to “win” anything. Phishing is done with more than emails. Contests are big: “Win a free iPad!” or “Get a $500 Target Gift Card!” The come-ons are all over the web. All you have to do supposedly to get this awesome swag is click on a link that is likely to take you to a toxic site. Increasingly, these toxic sites embed a virus into your computer that allows the crook to capture your every keystroke. That means it gets all your passwords and user IDs for your bank and brokerage accounts. You know you’re really not going to get something for nothing, right? So don’t pretend you will. When you see the word “free,” think “danger.” Don’t go there.

Don’t panic. The other brilliant scam that can pull you into the vortex of a toxic site is the pop-up warning: “Your computer has been compromised! Click here to download a security fix!” When you click, you open the gates of your computer to all sorts of nasty viruses. If you don’t panic, you won’t click and you won’t regret it later.

Get security. If you don’t have security software on your computer, now is the time to invest in it. Good services like SentryBay will set you back about $30 a year for 3 licences. If you compare that to the $4,500 you could lose in a phishing attack, it’s a bargain.


Phishing – what does this mean?

Phishing! Do you know what Phishing is? Have you heard this term before? Do you know how a “Phishing Attack” can affect you?

Phishing is commonly acknowledged as one of the greatest threats to PC and Internet security.

Phishing is an attempt to fraudulently obtain sensitive data such as login details, credit card details, etc. by masquerading as a trusted entity. Typically, the phisher entices the victim via email to enter their details at a malicious web site. The malicious web site masquerades as a legitimate, known site.

One way of protecting against a phishing attack is to install PhishLock. The basic premise behind PhishLock is that although humans find it difficult, and often impossible, to identify a malicious phishing site, software is able to make extremely accurate identifications simply and quickly. This is particularly the case for PhishLock because it is focused on protecting a specific website and its users. When PhishLock identifies a phishing site, it automatically prevents the user from submitting data. In addition, the software notifies the organization of the existence of the phishing site so that steps to close it down can commence immediately.
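To illustrate the kind of brand-focused check described above, here is an added example (not PhishLock’s code or algorithm, and not from the original article) that decides whether a link a user is about to submit data to really belongs to one protected site. The protected hostname and brand name are assumed placeholders, and the registered-domain rule is deliberately naive.

```python
from urllib.parse import urlparse

# Assumed, hypothetical protected site: the single brand this checker defends.
PROTECTED_HOST = "www.examplebank.test"
BRAND = "examplebank"


def registered_domain(host):
    # Naive "last two labels" rule; a real deployment would use the public suffix list.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a, b):
    # Classic Levenshtein distance, used to spot one-character typo-squats of the brand.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url, protected_host=PROTECTED_HOST, brand=BRAND):
    """Return ('allow' | 'block' | 'unknown', reason) for a form-submission target."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if not host:
        return "block", "link has no hostname"
    # Anything on the protected site's own registered domain is legitimate.
    if registered_domain(host) == registered_domain(protected_host):
        return "allow", "link stays on the protected domain"
    # A bare IPv4 address can never be the protected site.
    if host.replace(".", "").isdigit():
        return "block", "bare IP address is never the protected site"
    # Brand name smuggled into a foreign hostname, e.g. examplebank-verify.test
    if brand in host:
        return "block", "brand name used inside a foreign hostname"
    # Brand name smuggled into the path of a foreign site, e.g. evil.test/examplebank/
    if brand in parsed.path.lower():
        return "block", "brand name used in the path of a foreign site"
    # One-character typo-squat of the brand's own label, e.g. examp1ebank.test
    second_level = registered_domain(host).split(".")[0]
    if edit_distance(second_level, brand) <= 1:
        return "block", "hostname is one edit away from the brand (typo-squat)"
    return "unknown", "not related to the protected brand"
```

A link that comes back as "block" is exactly the case where the user should be stopped from submitting credentials and the organisation alerted; "unknown" means the checker has no opinion because the link does not impersonate the protected brand at all.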

Focussed Phishing Attacks

Dave Waterson, CEO at data security provider SentryBay, said in a statement: “We have noticed an increase in the number and sophistication of phishing attacks over the last few months. The Xbox Live is a good example of a focussed phishing attack, by targeting an exact user type and using elements of social engineering, the attacks are more tailored and thus more believable. By pretending to offer an incentive (Microsoft gaming points), hackers were having a higher hit-rate. Subsequently further social engineering techniques are used to extend the amount of information gained (including getting credit card information) via communications from what appears to be a trusted source.

Conventional anti-phishing approaches are not geared to protect against this attack (especially when the web pages can easily disappear and resurface), what you need is an approach that specifically protects targeted attacks on brands.”

If you are an Xbox user and are part of the Xbox community, don’t be tempted by an email that tells you to go to a website and buy tokens for games, extra levels and all that gamey stuff.

Earlier this year Sony found its information had been attacked and hundreds of thousands had their accounts and security compromised. This is different. The Xbox network has not been breached; people are receiving emails and uploading their details voluntarily.