Hmmm, Phishing Works

Specifically spear-phishing, where the target is deliberately selected, as opposed to a random untargeted attack.

An article at Dark Reading.com discusses the entirely unsurprising results of a test that concluded that the iPhone, BlackBerry, and Palm have essentially no protection against spear-phishing attacks. http://www.darkreading.com/insiderthreat/security/app-security/showArticle.jhtml?articleID=221100150&cid=nl_DR_WEEKLY_T

LinkedIn was used as the service to send a fake invitation from. LinkedIn users are completely ripe for spear-phishing attacks as LinkedIn supports and embraces anti-phishing worst practices with incredible gusto. Of course, MySpace, FaceBook, Twitter, and a myriad of other social networking site also do all in their power to assure the success of phishing and spear-phishing attacks.

There’s no problem with getting an email inviting you to add a contact, a follower, etc., but including a link in the email is simply ignorant. Yes, it is very convenient, but even more so for cyber criminals to exploit. If you knew that a legitimate social networking email never contained a link then the phishing attacks would be much more ineffective.

If you don’t want to be the victim of a phishing attack, then don’t click on the links in the emails for any sites you must log on to. If you click on a link and it leads to a log on page, close your browser, delete yout temporary internet files, and then open your browser and type in the Url for the service (not using the email you received as a reference. Log into your account and then make decisions knowing that you logged into your real account.

The researcher is right that technology provides little protection against social engineering attacks, but missed the fact it is the abuse of technology by social engineering sites, banks, credit unions, credit card companies, and others that make phishing so effective!

Randy Abrams
Director of Technical Education