The Honeynet Project has just released a paper about phishing:
Phishing is the practice of sending out fake emails, or spam, written to appear as if they have been sent by banks or other reputable organisations, with the intent of luring the recipient into revealing sensitive information such as usernames, passwords, account IDs, ATM PINs or credit card details. Typically, phishing attacks will direct the recipient to a web page designed to mimic a target organisation's own visual identity and to harvest the user's personal information, often leaving the victim unaware of the attack. Obtaining this type of personal data is attractive to blackhats because it allows an attacker to impersonate their victims and make fraudulent financial transactions. Victims often suffer significant financial losses or have their entire identity stolen, usually for criminal purposes. This KYE white paper aims to provide practical information on the practice of phishing and draws on data collected by the German Honeynet Project and UK Honeynet Project. This paper focuses on real world incidents that the Honeynet Project has observed in the wild, but does not cover all possible phishing methods or techniques. Attackers are constantly innovating and advancing, and there are likely to be new phishing techniques already under development or in use today.
Most companies assume that user awareness and education are sufficient to raise the awareness level on phishing attacks. However, education and awareness alone are not enough. Being proactive is one of the most effective ways to prevent phishing, and it increases the awareness level tenfold. How? If you can afford to pay for consultants, get your money's worth by asking them to include phishing as part of the security audit. If you can't, get your system administrator to do it.
I did this recently, and had a success rate of almost 30% (which means that out of 100 staff, 30 fell for my phishing trick). Besides phishing, I also did a spamming exercise for the same company. The result was a 20% success rate.
This is an amazing result, considering that the said company values its privacy. It also shows that no amount of control, policy and technology can prevent spammers and phishers from reaching your staff's mailboxes. Companies have to be proactive in fighting spam and phishing.