Double Barrel Throwdown Contest Terms and Conditions

Please read before entering, as entry in this contest constitutes acceptance of these rules.

No purchase is necessary to participate. The contest is open to all entrants who submit a valid entry form using a qualified email address.

ENTRY IN THIS CONTEST CONSTITUTES YOUR ACCEPTANCE OF THESE OFFICIAL RULES

The Double Barrel Throwdown (the “Contest”) is a competition to produce the most original, persuasive, and realistic Double Barrel phishing scenarios. PhishMe’s panel – composed of PhishMe employees – will select the best entry according to those criteria, with the winner receiving a Google Nexus tablet. To submit a valid entry into the contest, an individual must complete and submit the web form available on PhishMe’s website, completing all required fields.

Submission Guidelines:

All submissions become the property of PhishMe, Inc. and we reserve the right to use any and all submission content in future PhishMe products, services, or marketing efforts.

All submissions must come from a qualified email address (such as corporate, government, or other recognized organizational emails).

All submissions must be received no later than 12 AM EDT on Thursday, July 25, 2013.

A valid entry must comply with the following content limitations:

  • Entries may not use trademarked material, logos, domains, images, or any other content that does not belong to the entrant. Any use of unauthorized content will automatically disqualify the entry.
  • Entries that are lewd, obscene, pornographic, or otherwise contain objectionable material will be disqualified at PhishMe’s discretion.

Prize

The contest winner will be announced on July 31, 2013 at PhishMe’s booth at the Black Hat Expo and simultaneously via PhishMe’s Twitter and LinkedIn accounts. The contest winner must reply to our Twitter or LinkedIn accounts to be eligible to claim the prize, a Google Nexus tablet.

The Phish Chain: Phishing Attack from Start to Finish

A few years ago, computer security intelligence analyst Mike Cloppert described the Cyber Kill Chain, the sequence of stages an attacker moves through to compromise a victim. In a recent webinar titled “How to Use Email-based Threat Intelligence To Catch a Phish,” Securosis’ Mike Rothman applied Cloppert’s methodology to how cyberattacks work in the case of a phishing attack.

In Rothman’s version, the chain begins with reconnaissance and ends with exfiltration, the monetization point at which stolen credentials are turned into money. In this post, we’ll dig into the Phish Chain as explained by Mike Rothman and discuss how cybercriminals use this process to attack your brand. Let’s take a closer look at how Rothman took Cloppert’s work with the kill chain and applied it to phishing.

Leverage

Step 1: Reconnaissance

Reconnaissance is all about leverage. Phishers seek out large consumer brands with a broad base of customers they can target. Think about it: why go after 100 people when you can go after 100 million people? These are the kind of attacks where you see the big brands targeted – the companies with the broadest array of customers.

Phishing Kits

Step 2: Weaponization

Weaponization takes the form of phishing kits. A phishing kit is a pre-packaged set of attack materials that impersonates a specific brand: the web pages, images, scripts, malware and other files a phisher needs to launch an attack against that brand. As soon as the phisher uses these materials to stand up a phishing website, they are officially “in business” (and on their way to putting you out of business).

Spam Filter Evasion

Step 3: Delivery

Delivery is the point at which the phishing email reaches its target. The phisher’s goal at this stage is to get past spam filters so that the message lands in the inbox.

Advanced Malware Attacks

Step 4: Exploitation / Step 5: C2 (Command & Control)

Exploitation and command and control are where advanced malware comes in. The phisher’s payload takes advantage of a vulnerability on the victim’s device to gain a presence there, and that malware then calls back to attacker-controlled infrastructure for instructions.

Monetize

Step 6: Exfiltration

This is where the monetization takes place. Phishers acquire credentials that allow them to access the resources that they are seeking in the phishing attack.

What is MTTK and Why is it Important to Cybersecurity?

There has been much talk recently about MTTK, but what is MTTK and why is it so important? This post explores the term and explains why MTTK is such an important concept in cybersecurity terms.

When your organization is attacked, how long does it take you to know that the attack is taking place? Of course, we’d all like to be able to answer “right away.” However, for many companies that isn’t the case. Examples of phishing attacks launched against major brands who don’t discover that they are being phished until months later have become commonplace.

When a phishing attack happens, time is not on your side. The faster you react to mitigate the attack and take down the phisher, the less damage you incur as a result of the attack. Of course, you can’t react if you do not realize that the attack is happening. It is therefore critical, in this era of cyber security, that we take every measure to identify attacks when (or before) they happen.

What is MTTK?

Mean time to know (MTTK) is the average time it takes a company to discover that its security has been compromised. According to a recent article published by Dark Reading, the term became popular after this year’s RSA conference, although the concept has been around for a while. The point is that we need to know what’s happening in our environment, and the sooner we know, the better we are able to prevent damage and lasting impact to our company. We can quantify this by measuring the average time between the initiation of an attack and the discovery of the breach by the security team. The lower your MTTK, the more effective you are at identifying when your internal environment has been compromised.

Why is it important to lower your MTTK?

  • The longer it takes for you to realize that an attack is happening, the more successful the phishing attack. In the case of a phishing attack, there isn’t much time to react. Most of the damage is done within the first two hours of a phishing attack.
  • The more successful the phishing attack, the more damage to your brand. This can be the most costly consequence of a successful phishing attack. Losing customers’ trust can stop them from doing business with your company for years, if they come back at all.
  • A high MTTK suggests that you don’t have a handle on what’s happening within your internal security environment.
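The definition above is a metric, so here is how it is computed in practice. This is an added example and not PhishMe’s code or data: the incident records are constructed, the timestamps are assumed to be UTC, and the two-hour damage window is taken from the bullet above. Incidents the team has not yet learned of have no detection time; they are counted but not averaged, because a mean over only the incidents you happened to notice understates the real exposure.

```python
"""Added example, not PhishMe's code: computing mean time to know (MTTK) from a
constructed incident list. Each record carries the best estimate of when the
attack started and when the security team first knew of it."""
from datetime import datetime
from statistics import mean, median

# Constructed sample incidents; ISO 8601 timestamps, UTC assumed.
INCIDENTS = [
    {"id": "INC-1", "kind": "phishing", "started_at": "2013-06-03T09:00:00", "known_at": "2013-06-03T10:30:00"},
    {"id": "INC-2", "kind": "phishing", "started_at": "2013-06-10T14:00:00", "known_at": "2013-06-12T08:00:00"},
    {"id": "INC-3", "kind": "malware",  "started_at": "2013-05-01T00:00:00", "known_at": "2013-06-15T00:00:00"},
    {"id": "INC-4", "kind": "phishing", "started_at": "2013-06-20T11:00:00", "known_at": None},  # still unknown
]

# Rule of thumb from the post: most of a phishing attack's damage is done within two hours.
DAMAGE_WINDOW_HOURS = 2.0


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def hours_to_know(incident):
    """Hours from attack start to detection, or None while the incident is still unknown."""
    if incident["known_at"] is None:
        return None
    delta = _parse(incident["known_at"]) - _parse(incident["started_at"])
    if delta.total_seconds() < 0:
        raise ValueError(f"{incident['id']}: known_at precedes started_at")
    return delta.total_seconds() / 3600.0


def mttk(incidents, kind=None):
    """MTTK in hours (the mean), plus the median, which one months-old breach cannot drag upward.
    'unknown' counts incidents with no detection time yet; they are excluded from both averages."""
    selected = [i for i in incidents if kind is None or i["kind"] == kind]
    durations = [h for h in map(hours_to_know, selected) if h is not None]
    result = {"measured": len(durations), "unknown": len(selected) - len(durations),
              "mean_hours": None, "median_hours": None}
    if durations:
        result["mean_hours"] = mean(durations)
        result["median_hours"] = median(durations)
    return result


def missed_damage_window(incidents, window=DAMAGE_WINDOW_HOURS):
    """IDs of detected incidents the team learned about only after the damage window had passed."""
    late = []
    for i in incidents:
        h = hours_to_know(i)
        if h is not None and h > window:
            late.append(i["id"])
    return late


if __name__ == "__main__":
    print("all incidents:", mttk(INCIDENTS))
    print("phishing only:", mttk(INCIDENTS, kind="phishing"))
    print("detected after the damage window:", missed_damage_window(INCIDENTS))
```

Reporting MTTK per attack kind and alongside the median matters: on the constructed data, a single malware incident that sat undiscovered for six weeks pulls the overall mean to several hundred hours while the phishing incidents alone average under a day.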

PhishMe surpasses 200 customers and 4 million users trained

CHANTILLY, Va., May 28, 2013 — PhishMe, the leading enterprise provider of immersive phishing awareness training, has now trained over 4 million unique users at 200 different organizations. PhishMe’s customer base includes a number of the Fortune 500, and leaders in the financial, energy, insurance, healthcare, and government sectors. This milestone demonstrates how enterprises globally are working to counter the most common attack methodology used to compromise networks through managing employee behavior.

Build Phishing Countermeasures to Protect Your Brand

Corporations fight phishing each and every day. Large and recognizable financial institutions, retail companies, and internet service providers/telecommunication companies are among the most heavily targeted victims of phishing.

The aftermath of a phishing attack is costly and has long-term consequences, yet keeping up with cybercriminals is difficult. It’s shockingly easy for a cybercriminal to create a phishing site targeting your brand: he simply needs to unpack and upload a pre-built “phishing kit” in order to stand up a new phishing website. Just one phishing kit can produce hundreds of phishing URLs.

With just a few clicks of the mouse, the cybercriminal attacks your brand, sending you scrambling to “take down the site.” One-by-one you take down each individual website, costing your brand time, money and reputation. As you take down, he creates. It’s a never-ending battle. In our data, we’ve found that it is often the case that the same attacker is using this method to attack several institutions or companies within the same industry over a period of several months or years.

While the term “big data” is both ambiguous and overused, it defines the new frontier in the fight against phishing. Data sourced from hundreds of phishing sites targeting hundreds of brands is analyzed to identify trends, which allow us to build more effective strategies to fight cybercrime and prevent future phishing attacks.

Below we’ll discuss how to use phishing intelligence to build more effective countermeasures to protect your brand from attackers:

  1. Isolate a single attacker. Instead of taking down each phishing site one-by-one, what if you could go directly to the source and stop the criminal in his tracks? Analyzing phishing data allows us to gain clues as to how the criminal operates. For example, in a recent analysis of phishing attacks targeting large financial institutions, we found one particular criminal who had created 604 phishing sites with a single phishing kit, 390 of which were hosted on a single IP address. We call this a “clue.” Using this data, we’re able to identify several details about the criminal, often including email addresses and social media profiles. If you could identify an attacker that’s behind multiple attacks against your brand, how would that change the way that you approach phishing in your organization?
  2. Identify the monetization path. Another important component of building effective countermeasures against cyber attackers is to take a close look at the monetization path. It’s critical to understand the motives behind the attack (is the attacker money-motivated in the first place?) and how he has constructed his scheme to put your money in his pocket. Understanding the process is a key step in building future strategies and barriers to stop cybercriminals in their tracks.
  3. Build barriers. Using the intelligence and patterns you’ve identified, build barriers that protect your brand against future cyber attacks, so that you identify threats early and stop criminals from stealing from your customers.
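Step 1 above describes pivoting across phishing-site data (same kit, same hosting IP, same contact details) to attribute many sites to one operator. The following is an added example of that analysis and is not PhishMe’s code or data: every record is constructed, the IPs come from documentation ranges, the domains are example.* names, “kit” stands for an assumed fingerprint of the unpacked kit (for instance a hash of its stable files), and “drop” stands for the mailbox a kit posts harvested credentials to. The pivot walks kit and drop-mailbox links transitively, which goes slightly beyond the single-kit case in the text.

```python
"""Added example, not PhishMe's analysis: grouping phishing-site records by kit
fingerprint and hosting IP, then pivoting from one site to every related one."""
from collections import Counter, defaultdict

# Constructed records. 'kit' = assumed fingerprint of the unpacked phishing kit,
# 'drop' = mailbox the kit exfiltrates credentials to. IPs are documentation ranges.
SITES = [
    {"url": "http://203.0.113.10/~bank/secure/login.php", "ip": "203.0.113.10", "kit": "kit-a1", "brand": "BankA", "drop": "collector@example.net"},
    {"url": "http://203.0.113.10/~bankb/online/",         "ip": "203.0.113.10", "kit": "kit-a1", "brand": "BankB", "drop": "collector@example.net"},
    {"url": "http://203.0.113.10/images/update/",         "ip": "203.0.113.10", "kit": "kit-a1", "brand": "BankA", "drop": "collector@example.net"},
    {"url": "http://198.51.100.7/banka/",                 "ip": "198.51.100.7", "kit": "kit-a1", "brand": "BankA", "drop": "collector@example.net"},
    {"url": "http://198.51.100.22/verify/",               "ip": "198.51.100.22", "kit": "kit-a1", "brand": "BankB", "drop": "backup@example.org"},
    {"url": "http://198.51.100.9/retail/signin/",         "ip": "198.51.100.9", "kit": "kit-b7", "brand": "RetailCo", "drop": "other@example.com"},
    {"url": "http://203.0.113.55/retail/",                "ip": "203.0.113.55", "kit": "kit-b7", "brand": "RetailCo", "drop": "other@example.com"},
    {"url": "http://203.0.113.80/isp/webmail/",           "ip": "203.0.113.80", "kit": "kit-c2", "brand": "TelcoX", "drop": "backup@example.org"},
]


def cluster_by_kit(sites):
    """Summarise each kit: site count, distinct hosts, busiest host and its share,
    brands targeted and drop mailboxes seen. Many sites on few hosts with one drop
    mailbox is the 'one criminal, hundreds of URLs' pattern described in the post."""
    by_kit = defaultdict(list)
    for s in sites:
        by_kit[s["kit"]].append(s)
    summary = {}
    for kit, group in by_kit.items():
        ips = Counter(s["ip"] for s in group)
        top_ip, top_count = ips.most_common(1)[0]
        summary[kit] = {
            "sites": len(group),
            "hosts": len(ips),
            "top_ip": top_ip,
            "top_ip_share": top_count / len(group),
            "brands": sorted({s["brand"] for s in group}),
            "drops": sorted({s["drop"] for s in group}),
        }
    return summary


def pivot(sites, url):
    """From one takedown target, return every other site that shares its kit
    fingerprint or drop mailbox, following those links transitively. This is the
    set a single takedown or abuse request should cover instead of one URL."""
    seed = next(s for s in sites if s["url"] == url)
    kits, drops, related = {seed["kit"]}, {seed["drop"]}, {seed["url"]}
    changed = True
    while changed:  # keep walking until no new site links in
        changed = False
        for s in sites:
            if s["url"] in related:
                continue
            if s["kit"] in kits or s["drop"] in drops:
                related.add(s["url"])
                kits.add(s["kit"])
                drops.add(s["drop"])
                changed = True
    related.discard(url)
    return sorted(related)


if __name__ == "__main__":
    for kit, info in cluster_by_kit(SITES).items():
        print(kit, info)
    print("related to one BankA site:", pivot(SITES, "http://198.51.100.7/banka/"))
```

On the constructed data, kit-a1 accounts for five of eight sites with three of them on one IP, and its second drop mailbox ties it to a kit targeting a different industry, which is the kind of cross-brand link the post says turns up over months of data.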

Have you used phishing intelligence to build effective countermeasures against cybercriminals? Share your insight in the comments below.

DMARC Failed to Protect Against Walmart Spam

Think that DMARC is all you need to protect your company from email spam? Think again.

Last week, there was a spam campaign that imitated a Walmart.com receipt. An email was sent to Walmart customers falsely confirming the purchase of a large flat screen TV costing approximately $1,000. The cinematic home experience was to be enjoyed by someone else, since the receipt showed the item was being shipped to an address that would be unfamiliar to the customer.

Upon receiving this email, the natural reaction would be to click on the link in the email to find out more about the fraudulent transaction. Doing so, however, led to a malicious web page that downloaded malware, which would then send the victim’s credit card information and banking credentials to the scammers.

We’ve been hearing about DMARC as the solution to exactly this kind of email scam. In this particular spam campaign, the emails didn’t actually come from Walmart’s domain name.

Walmart.com (spelled with one “l”) is the real domain name. The company also owns Wal-mart.com. Both of those domains have a DMARC record published. DMARC builds on SPF and DKIM: mail that genuinely comes from Walmart carries a DKIM signature, or arrives from a sender that Walmart’s SPF record authorizes, and the domain that passes either check aligns with the domain in the From header. The DMARC record then tells the receiver what to do with mail that puts walmart.com in the From header but fails both checks, for example to reject it outright. That’s the whole point of a DMARC record.

DMARC lets a receiver verify that the domain shown in an email’s From header was actually authorized by that domain’s owner. If an email claiming to be from walmart.com carries no valid signature and comes from an unauthorized sender, Walmart’s published policy tells the receiver to reject it, because it was not sent from an official source. In this case, though, the domain used to send the email wasn’t Walmart’s at all; it just appeared that way. If you were not careful, it would have been easy to be fooled: the email came from a domain that looked very similar to the one used by Walmart.

In fact, there are over 140 misspelled variations of the Walmart domain name in use, such as “Wallmart.org” and “wallmart.net.” As a customer receiving the email, you might not even have noticed that Walmart was spelled incorrectly. None of those domain names belong to Walmart, so there is no Walmart DMARC record published for any of them. From the victim’s perspective, “Walmart” appears spelled correctly in the From name, but the domain portion of the actual email address was not a DMARC-protected domain. Combined with high-resolution graphics and a professional look and feel, this makes for a convincing email that effectively mimics a real online purchase confirmation from Walmart. The emails were not rejected, but not because they passed a DMARC test: the receiver looks up the DMARC policy for the domain in the From header, finds none for wallmart.net, and so never performs a DMARC evaluation at all.

We believe that DMARC is a good thing. We’re happy that people are using DMARC. We believe that some spam campaigns will be blocked because they fail DMARC, but in this case DMARC wouldn’t have helped at all. That’s why it’s important to use DMARC as one tool in the fight against phishing, rather than as the single method to stop phishing. It is far from an all-encompassing solution.
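The lookup a receiver actually performs, and the lookalike check a brand owner has to run for itself, are easy to show in code. The following is an added example and not PhishMe’s code: the DMARC records are a constructed stand-in for DNS (the policies shown for walmart.com and wal-mart.com are assumed, not looked up), the organizational-domain rule is simplified to “last two labels” instead of the Public Suffix List, and the edit-distance threshold of 2 is an assumed tuning value.

```python
"""Added example, not PhishMe's code: why a DMARC record for walmart.com says
nothing about mail from wallmart.net. (1) parse the From: header into display
name and address domain, (2) look up the DMARC policy the way a receiver would,
against a constructed DNS table, (3) flag lookalikes of a protected brand domain
with an edit-distance check, which is the step DMARC does not do for you."""
from email.utils import parseaddr

# Constructed stand-in for _dmarc.<domain> TXT records. Policies are assumed.
# Only the brand's own domains publish one; the lookalikes are not in the table.
DMARC_RECORDS = {
    "walmart.com": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com",
    "wal-mart.com": "v=DMARC1; p=reject",
}
PROTECTED_DOMAINS = ["walmart.com", "wal-mart.com"]


def from_domain(from_header):
    """Split a From: header into (display name, address domain). The display name is
    what the victim sees; the domain is what DMARC is keyed on."""
    name, addr = parseaddr(from_header)
    return name, addr.rpartition("@")[2].lower()


def dmarc_policy(domain, records=DMARC_RECORDS):
    """Return the 'p=' policy tag for the domain, falling back to the organizational
    domain (simplified here to the last two labels), or None if no record exists.
    No record means the receiver performs no DMARC evaluation at all."""
    org = ".".join(domain.split(".")[-2:])
    for candidate in (domain, org):
        record = records.get(candidate)
        if record:
            tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
            return tags.get("p")
    return None


def edit_distance(a, b):
    """Levenshtein distance, used to catch 'wallmart' vs 'walmart'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _label(domain):
    """Second-level label with hyphens removed, so wal-mart and walmart compare equal."""
    parts = domain.split(".")
    return (parts[-2] if len(parts) >= 2 else domain).replace("-", "")


def lookalike_of(domain, protected=PROTECTED_DOMAINS, max_distance=2):
    """Return the protected domain this one imitates (TLD swap, doubled or dropped
    letters, hyphenation), or None. Threshold of 2 is an assumed tuning value."""
    if domain in protected:
        return None
    for p in protected:
        if edit_distance(_label(domain), _label(p)) <= max_distance:
            return p
    return None


def classify(from_header):
    """'dmarc-applies' means the receiver will evaluate SPF/DKIM alignment and act on
    the published policy; the other two verdicts mean DMARC never enters the picture."""
    name, domain = from_domain(from_header)
    policy = dmarc_policy(domain)
    if policy is not None:
        verdict = "dmarc-applies"
    elif lookalike_of(domain):
        verdict = "lookalike-no-dmarc"
    else:
        verdict = "no-dmarc"
    return {"display_name": name, "domain": domain, "policy": policy, "verdict": verdict}


if __name__ == "__main__":
    for header in ('"Walmart" <orders@wallmart.net>', "Walmart <receipts@walmart.com>",
                   "Walmart <receipts@mail.walmart.com>", "Shop <news@example.org>"):
        print(classify(header))
```

The point of the third verdict is the post’s lesson: a lookalike domain is invisible to DMARC, so monitoring for registrations and mail from such domains is work the brand owner has to do in addition to publishing its own record.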
Similar instances of phishing attacks are lodged against major brands each day. What are some of the other lessons we can learn? Please feel free to share your comments below.