Security Detail and More
Phishing: An Interesting Twist On A Common Scam

After Two Security Assessments I Must Be Secure, Right?
---------------------------------------
Imagine you are the CIO of a national financial institution and you've recently deployed a state of the art online transaction service for your customers. To make sure your company's network perimeter is secure, you executed two external security assessments and penetration tests. When the final report came in, your company was given a clean bill of health. At first, you felt relieved, and confident in your security measures. Shortly thereafter, your relief turned to concern. "Is it really possible that we are completely secure?" Given your skepticism, you decide to get one more opinion.

The day of the penetration test report delivery is now at hand. Based on the previous assessments, you expect to receive nothing but positive information...

The Results Were Less Than Pleasing
-----------------------------------
During this security assessment, there were several interesting findings, but we are going to focus on one that would knock the wind out of anyone responsible for the security of online systems. Particularly if you are in the business of money.

Most folks are familiar with the term "Phishing". Dictionary.com defines the word Phishing as "the practice of luring unsuspecting Internet users to a fake Web site by using authentic-looking email with the real organization's logo, in an attempt to steal passwords, financial or personal information, or introduce a virus attack; the creation of a Web site replica for fooling unsuspecting Internet users into submitting personal or financial information or passwords". Although SPAM / unsolicited e-mail and direct web server compromise are the most common methods of Phishing, there are other ways to accomplish this fraudulent activity.

Internet Router Compromise Makes For A Bad Day
----------------------------------------------
In this case, the Internet router was compromised by using a well known CISCO vulnerability. Once this was accomplished, the sky was the limit as far as what could be done to impact the organization. Even though the company's web server was secure, and the Firewall that was protecting the web server was configured adequately, what took place next made these defense systems irrelevant.

Instead of the usual approach of setting up a fake login page on an external system and then sending out SPAM to entice a customer into giving up their user ID, password, and account numbers, a much more malicious approach was taken.

Phishing For Personal Or Financial Information
----------------------------------------------
You remember that router that was compromised? For proof of concept purposes, the router configuration was altered to forward all Internet traffic bound for the real web server to another web server, where user ID, password, and account data could be collected. The first time this information was entered, the customer would receive an ambiguous error. The second time the page loaded, the fake web server redirected the customer to the real site. When the user re-entered the requested information, everything worked just fine.
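Because the real web server and firewall never see anything abnormal in this scenario, the place to catch it is the router itself: a periodic diff of its running configuration against a known-good baseline that flags any new route or static NAT pointing traffic at a host outside the trusted set. The following is an added example (not code from the article or its author) using constructed Cisco-IOS-style config snippets; 203.0.113.10 is the assumed real web server, 203.0.113.1 the legitimate next hop, and 198.51.100.7 the assumed rogue collection server.

```python
"""Router config-drift check for the traffic-redirection case above (added example)."""
from __future__ import annotations
import re

# Static routes and static NAT translations are the two forwarding knobs an
# attacker would most likely touch to divert traffic bound for one host.
ROUTE_RE = re.compile(r"^ip route (\S+) (\S+) (\S+)")
NAT_RE = re.compile(r"^ip nat inside source static (\S+) (\S+)")

# Constructed sample configs (not real devices). The "current" config adds a
# host route that sends traffic for the web server to an untrusted next hop.
BASELINE_CONFIG = "hostname edge\nip route 0.0.0.0 0.0.0.0 203.0.113.1\n"
CURRENT_CONFIG = BASELINE_CONFIG + "ip route 203.0.113.10 255.255.255.255 198.51.100.7\n"
TRUSTED_NEXT_HOPS = {"203.0.113.1"}


def parse_forwarding(config: str) -> set[tuple]:
    """Extract forwarding decisions (routes and static NATs) as hashable tuples."""
    found = set()
    for raw in config.splitlines():
        line = raw.strip()
        m = ROUTE_RE.match(line)
        if m:
            found.add(("route", m.group(1), m.group(2), m.group(3)))
            continue
        m = NAT_RE.match(line)
        if m:
            found.add(("nat", m.group(1), m.group(2)))
    return found


def check_drift(baseline: str, current: str, trusted_next_hops: set[str]) -> list[str]:
    """Report forwarding entries added or removed since baseline.

    An added entry whose target (last tuple element) is not a trusted host is
    CRITICAL: traffic is being steered somewhere the baseline never sent it.
    """
    base, cur = parse_forwarding(baseline), parse_forwarding(current)
    alerts = []
    for entry in sorted(cur - base):
        severity = "CRITICAL" if entry[-1] not in trusted_next_hops else "INFO"
        alerts.append(f"{severity}: added {entry}")
    for entry in sorted(base - cur):
        alerts.append(f"WARN: removed {entry}")
    return alerts


if __name__ == "__main__":
    for alert in check_drift(BASELINE_CONFIG, CURRENT_CONFIG, TRUSTED_NEXT_HOPS):
        print(alert)
```

In practice the baseline would be the archived config and the current one pulled over SSH on a schedule, so that a change like this is noticed within minutes rather than after the harvested credentials are used.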

No one, not the customer, nor the company had any idea that something malicious was going on. No bells or whistles went off, no one questioned the error. Why would they? They could have put the wrong password in, or it was just a common glitch on a web page that everyone deals with from time to time.

At this point, you can let your mind run wild. The attacker may not act quickly and use the information collected right away. It could be days or weeks before it is used. Any record of what actually took place to collect the information would most likely be history.

What Do You Really Get Out Of Security Assessments
--------------------------------------------------
I can't tell you how many times I've been presented with security assessment reports that are little more than the output of an off-the-shelf or open source automated security analyzer. Although an attacker may use the same or similar tools during an attack, they do not rely solely on this information to reach their goal. An effective penetration test or security assessment must be performed by someone who understands more than just "security vulnerabilities" and how to run off-the-shelf tools. The person executing the assessment must do so armed with tools and experience that meet or exceed those a potential attacker would have.

Conclusion
----------
Whether you are a small, medium, or large company, you must be very careful about who you decide is most qualified to perform a review of your company's security defense systems, or security profile. Just because an organization presents you with credentials, such as consultants with their CISSP..., it does not mean these people have any real-world experience. All the certifications in the world cannot assure you that the results you receive from engaging in a security assessment are accurate / complete. Getting a second opinion is appropriate given what may be at stake. If you were not feeling well, and knew that something was wrong with you, would you settle for just one Doctor's opinion?

Quite frankly, I've never met a hacker (I know I will get slammed for using this term, I always do) that has a certification stating that they know what they are doing. They know what they are doing because they've done it, over and over again, and have a complete understanding of network systems and software. On top of that, the one thing they have that no training or certification can give you is imagination.

About The Author
----------------
Darren Miller is an Information Security Consultant with over sixteen years of experience. He has written many technology & security articles, some of which have been published in nationally circulated magazines & periodicals. If you would like to contact Darren you can e-mail him (the address is hidden by a spam-protection script on the original page). If you would like to know more about computer security please visit us at http://www.defendingthenet.com.
