• 		Enterprise Infrastructure
  Data Centre Servers and Mainframes Storage and Storage Sub-Systems Operating Systems Systems Management Peripherals Virtualization

• 		Communications Infrastructure
  Network and Management Planning Performance Management and Monitoring Network Devices Unified messaging Carriers and Cellular Wireless LAN

• 		Information Architecture
  Service Oriented Architectures Messaging and Collaboration Databases Data Warehousing Identity Management

• 		Integrating IT
  Development Environments Tools and Languages Project Management Middleware / Utilities Outsourcing and Application Service Providers (ASP)

• 		Departmental and End User Computing
  Personal Systems and Peripherals Personal and Portable Devices Personal and Office Productivity Applications Small-Area Networking (SAN) Help Desk and End-User Support Mobile Applications Future Technology

• 		Enterprise Business Applications
  Enterprise Resource Planning (ERP) Business Intelligence and Data Mining Enterprise Portals Open Source and Linux Online Retailing and Ecommerce Customer Relationship Management (CRM) and Customer Self-Service Supply Chain Management (SCM)

• 		Security
  Security Products, Practices and Infrastructure Disaster Recovery / Business Continuity Hacking and Viruses Alerts, Patches and Fixes Privacy Issues

• 		Voice Data and IP
  Carriers and Service Providers Protocols and Standards Hardware, Software and Emerging Applications Regulatory Issues

• 		IT Workplace
  Human Resources Issues Hiring and Retention Careers and the Job Market Salaries and Benefits Education and Training Consulting and Contracting Knowledge Management Knowledge Worker Tools

• 		Leadership
  Issues for CIOs Budgeting / IT Alignment Value Management and ROI Human Capital Management Best Practices Industry News IT Executive Development

• 		E-Government
  Case Studies and Best Practices From Canada and Internationally Legal and Government Policy Issues Management Issues Privacy and Security

• 		The good the bad and the ugly
  The good The bad and the ugly Useful and fun tips

• 		Green IT
  E-Waste and Recycling Hardware lifecycle management Power and cooling Paper and printers Green thinking

• 		News Briefs
  Breaking News

• 		IT Women
  Training and development Profiles Opinions and commentary Global perspectives

• Blogs

• Salary Calculator

• IT Executive Development Series

• Video Library

• IT World Canada Technology News Daily ITwire Global Newswatch

• Slide Show Library

• White Papers

• Product Reviews

• Careers

• ITWorld Canada RSS Feeds

Fear, greed and lust: Phishing's sure-fire lures

Advertisement

IT professionals may want to give their staff a refresher course on phishing attacks.

In a recent study, McAfee outlined the increasingly persuasive nature of phish attacks and the psychological “mind games” that cyber criminals use to trick their prey. The study said scammers play up to users’ emotions, using fear, greed and lust to ultimately steal personal and proprietary financial information. McAfee found the most important key to an Internet scammers’ success is creating the illusion of legitimacy and familiarity.

“The technique we’ve seen the most is mimicking another organization’s e-mail,” Jean Pascal Hebert, an account manager at McAfee, said. “Typically these are the most successful types of attack and can entice an individual to release information they should not be releasing.”

Hebert said that more education is needed to combat these sophisticated attacks, but some security experts say this will take a major change in the training process to succeed.

Rohit Sethi, manager of Security Compass, said that most IT managers have failed to provide interactive training to their staff in order to help them understand the fundamentals of phish attacks.

“A lot of times what you’ll have in an organization is an IT professional who understands the subject matter expertly, but they don’t have an understanding of how to train properly,” Sethi said. “So they’ll stand in front of their users and say – ‘don’t do this and don’t do that’ – and a lot of times users won’t pick up on it.”

Sethi said that traditional training strategies neglect to demonstrate how a user’s computer can be compromised and why the data leak occurs. He said that taking the time to develop this base understanding will allow users to apply their knowledge and adapt to future phishing attempts.

“A lot of companies will use a checklist approach, where you have somebody trained and, therefore, they can sign off and say that they’re trained,” Sethi said. “It follows policy, but they don’t really end up measuring the effectiveness of the training, so we’ll see a lot of [IT managers] frustrated with the effectiveness of their training and user awareness.”

Advertisement

Sahba Kazerooni, security consultant at Security Compass, sees most training policies as a substitute for competence, and in turn, makes users increasingly ineffective to changing phishing attacks.

“A SANS Institute top 20 list of vulnerabilities that effect Internet security, now has users listed as a threat for the first time,” Kazerooni said. “This has kind of led to the whole idea of phishing, all of a sudden, being a much bigger threat than it has been in previous years and users becoming a much bigger threat to IT security.”

Hebert agreed, saying that IT managers should take the time to develop internal campaigns to teach their users. He also said that implantation McAfee’s free SiteAdvisor tool, which flags potential danger sites, is one of the first steps that companies should take to help “lock the front door.”

And while Hebert said users are not falling for e-mail spam as often as they used to, phishing sites which emulate corporate Web sites are often successful in tricking them.

“The first [phishing sites] we saw a few years ago were full of typos and bad art,” Hebert said. “But nowadays you see a complete mimic of corporate identities and the language it utilizes is often flawless.” Even more advanced, according to Sehti, is cross-site scripting techniques, which exploit holes in Web applications. This means that a user can see a link that appears to be from a legitimate Web site, however, because of a code vunerbility in the site, users can be exposed to a phishing attack if they follow the link.

For example, if this was done at an online bank, users could have their username, password, and account information logged without suspicion. “This is the kind of area that is lacking in general user awareness training, so a lot of times people even general security people don’t know about cross-site scripting,” Sethi said.

Until better tools exist to defend against this type of attack, security experts say users should be cautious of long URLs because of they may include a harmful script tag. This is something that could go unnoticed by even the most computer-savvy users.

“If you want to click on the link, copy and paste the link into your web browser and look at it,” Sehti said. “This may be verging on paranoia, but to be really sure you may want to try to go to the main site in question and get to the particular desired area manually.”