To Keep Them Safe Online, Teach Them to Phish
Security experts in Hamilton, Bermuda, yesterday hosted a live hacking demonstration showing event attendees the ease with which attackers are able to gain access to a corporate network through a phishing email campaign.
The event, hosted by the (ISC)2 Bermuda Chartering Chapter, revealed the tricks that hackers use to get email recipients to click on malicious links and share their personal information. Dionach senior technical consultant Mark Phillips and business development manager Mathew Sofiyani simulated the phishing attacks.
According to the Royal Gazette, the demonstration warned that "having gained controlled of a compromised computer, an attacker is in a position to monitor everything that goes on, operate inbuilt microphones, webcams, and record key strokes to capture username and password details. If it is a company workstation that is compromised that could lead to serious and costly damage to an internal network, and the loss of valuable corporate data."
These events are an effort to raise awareness and share technical expertise, with good reason. Symantec's 2018 Internet Security Threat Report found that "spearphishing is the number one infection vector, employed by 71 percent of organized groups in 2017."
A classic example is the tech support scam, and since the GDPR has prompted many organizations to make customers aware of changes to their privacy policies, attackers have leveraged that communication as another avenue for scams.
Penetration testers and ethical hackers are increasing their efforts to help organizations educate their employees on not only the inherent dangers of phishing campaigns but also how to spot a malicious email.
On 29 May, The Wall Street Journal broke down the anatomy of a phishing attack as explained by Shawn Moyer, a founding partner at Atredis Partners.
Attackers look for a way into the company and use social engineering tactics to hack the trust of unsuspecting users. Then comes the attack. Yet there are several ways to avoid falling victim to an attack.
Phillips showed yesterday's event attendees that hovering over links reveals the actual URL destination and pointed out the distinctions between "http" and "https".
End users were also advised to read carefully in order to spot spelling errors. While phishing is far more problematic, brazen attackers also use "vishing" and engage with their targets over the phone. The goal is always to get the victim to reveal personal information, which Phillips said is very easy for attackers to do.
Source: Information Security Magazine