KnowBe4 Alerts Businesses to Latest Cybercrime Trends: Spear-Phishing Lawsuit Threats and “Whaling”
IT Security Expert Stu Sjouwerman Warns That Cybercriminals Are Using Publicly Available Email Addresses to Target Employees and Executives’ Spouses
CLEARWATER, Fla., November 7, 2011 – As cybercriminals continue to expand their arsenal of phishing tactics, Internet Security Awareness Training (ISAT) firm KnowBe4 remains committed to educating small and medium enterprises (SMEs) about emerging threats. IT security expert Stu Sjouwerman, founder and CEO of KnowBe4, is warning clients and the public of two new scams that have been making the rounds – spear-phishing lawsuit threats and “whaling.”
“One of cybercriminals’ favorite tricks is to create emails that purport to be sent by a government agency, bank or other well-known entity, accusing the recipient of some illicit activity and threatening legal action,” explained Sjouwerman (pronounced “shower-man”). “Some of the more cunning crooks use spear-phishing. For example, they might target employees of a specific organization by sending emails that appear to be sent by a legitimate customer, partner or vendor. The urgency of the message and a desire to preserve the business relationship may lead the recipient to click without thinking.”
Sjouwerman cites a recent spear-phishing campaign detected by the Websense® ThreatSeeker® Network, in which cybercriminals sent emails threatening to sue the recipient for sending spam.(1) The emails were spoofed to make it seem as if they had been sent by established companies, and they claimed to have documented evidence of the spam messages in an attached ZIP file. However, the file actually contained an executable programmed to download malware to the user’s system.
“These types of scare tactics often prove particularly effective in highly regulated industries, such as insurance, finance and healthcare,” said Sjouwerman. “In these cases, the spear-phishing emails appear to be sent by a regulatory agency. The recipients’ fear of non-compliance often overrules their caution, leading well-meaning employees to take the bait.”
While employees are generally the primary mark for spear-phishing attacks, some cybercriminals have started going after executives – an approach referred to as “whaling” – by targeting family members who may be less tech-savvy. A recent Network World article featured insights from two security specialists: Chris Larsen of Blue Coat Systems and Paul Wood of Symantec.cloud.(2) Larsen suggested that cybercriminals are banking on at least one executive having a poorly secured personal computer or home network shared by a spouse who may be vulnerable to spear-phishing. When cybercrooks compromise an executive’s home PC, they can often leverage it to gain access to corporate systems. Wood reported that these types of whaling incidents are on the rise: “Just a couple years ago, we saw one or two of these sorts of attacks per day. Today, we catch as many as 80 daily.”
Sjouwerman asserts that easy access to corporate email addresses is enabling the latest spate of spear-phishing attacks. “Cybercriminals will conduct a ‘deep search’ to locate email addresses for as many employees as possible within a specific organization. They’ll then use that information to develop a highly targeted spear-phishing email, and send it to individuals throughout the company,” he noted. “If you haven’t implemented formal Internet Security Awareness Training, chances are that at least one person will click on the email – thereby giving intruders open access to your network.”
To help SMEs determine their “attack footprint” in terms of publicly available email addresses, KnowBe4 offers a free email exposure check (EEC). The firm sends regular EEC updates to customers, and will provide a complimentary one-time EEC service to any company that requests it. In addition, KnowBe4 offers a free phishing security test that enables SMEs to determine what percentage of their workforce is Phish-prone™, or susceptible to phishing tactics.
KnowBe4’s clients have reported great success with their ISAT implementation. For example, one customer’s database/network administrator stated, “The training has helped a lot, although we still have a handful of people that just can’t seem to resist clicking on links. When we started the training in March, the phishing security test found about 20% of the folks clicked on the phishing link. After training, the next phishing campaign went down to 3%.”
The administrator ran a series of subsequent tests between July and September to determine which simulated phishing emails were most likely to elicit clicks. He found that banking emails netted fluctuating response rates – from 0% in July, to 7% in August, then back to 0% in September after retraining. Social networking messages garnered a 7% response in July, while August and September emails only lured 3% to click. The highest response rate was for a current events mailing in August (the email claimed to provide a link to the bin Laden kill video), with 15% of recipients taking the bait. These results helped the administrator and his employer determine where to focus the company’s retraining efforts, and which tactics they needed to teach employees to avoid – thereby minimizing the potential for cybercriminals to gain access to the network.
To learn more about KnowBe4’s Internet Security Awareness Training (ISAT) programs – or to take advantage of the free email exposure check (EEC), phishing security test and other cybercrime prevention resources – visit http://www.knowbe4.com.
About Stu Sjouwerman and KnowBe4
Stu Sjouwerman is the founder and CEO of KnowBe4, LLC, which provides web-based Internet Security Awareness Training (ISAT) to small and medium enterprises. A data security expert with more than 30 years in the IT industry, Sjouwerman was the co-founder of Sunbelt Software, an award-winning anti-malware software company that he and his partner sold to GFI Software in 2010. Realizing that the human element of security was being seriously neglected, Sjouwerman decided to help entrepreneurs tackle cybercrime tactics through advanced Internet security awareness training. He and his colleagues work with companies in many different industries, including highly regulated fields such as healthcare, finance and insurance. Sjouwerman is the author of four books; his latest is Cyberheist: The Biggest Financial Threat Facing American Businesses Since the Meltdown of 2008.
(1) “‘We are going to sue you’ scare tactic used in malicious emails.” Websense® Security Labs Blog; September 20, 2011.
(2) Vance, Jeff. “The future of malware.” Network World; October 3, 2011.