Education vs. Technology
April 14, 2011 by Cofense in Internet Security AwarenessTrusteer recently released a study containing the results of a spear phishing test against 100 LinkedIn users. Their findings had a 68% failure rate. While a 68% failure rate seems high, it is not an unusual number for a group that has received no prior education or training in how to spot phishing – or at least training that is meant to be effective. We know this based on having sent well over a million spear phishing emails to employees of corporations across multiple industry verticals. Trusteer, a company that specializes in the creation of information security software products, stated...
Rebirth
April 12, 2011 by Cofense in Internet Security AwarenessThis is the official rebirth of our blog. For a while now, this blog lay dormant, while the team at PhishMe was anything but. Sales and Marketing has been trying to keep up with the interest while Dev, Operations, and support have consistently delivered the most cutting edge phishing awareness services on the market. It’s a pity the blog hasn’t kept up because we have a lot of interesting thoughts and statistics to share, better late than never. Stay tuned for the latest on phishing news, our lessons learnt from successfully training people to thwart targeted phishing, and anything else we feel like rambling...
RSA Conference: Circus of Vendors
April 16, 2008 by Rohyt Belani in PhishingIn past years I never attended the RSA conference; it always came across as too much of a vendor show to me. This year I didn’t think I would go, until rsnake convinced me otherwise. So I bought myself an Expo Only pass. I had a lot of fun, meeting old time buddies from Foundstone and Mandiant, a bunch of clients, and partners. But I had the most fun just watching the show on the Expo floor. Must have been 300 booths and a gazillion sales people swarming them with those annoying mics trying to outspeak each other like barkers outside...
SCADA hacking? What if they used cofense.wpengine.com?
April 10, 2008 by Cofense in Internet Security AwarenessAt this year’s RSA conference Ira Winkler went on to tell the audience about hacking into an energy company (via an authorized penetration test) using a targeted phishing email. Details are in this networkwold article: http://www.networkworld.com/news/2008/040908-rsa-hack-power-grid.html “The penetration team started by tapping into distribution lists for SCADA user groups, where they harvested the e-mail addresses of people who worked for the target power company. They sent the workers an e-mail about a plan to cut their benefits and included a link to a Web site where they could find out more.” Are we surprised they were successful? Absolutely not. We’ve...
Whitepaper: The State of Information Security 2008
February 8, 2008 by Aaron Higbee in Internet Security AwarenessI just got back from The Credit Union Information Security Professionals Association 3rd annual National event in Austin Texas where Rohyt and I were talking to the folks about www.PhishMe.com. I have never attended a CUISPA event before and welcomed the opportunity. It was refreshing to see this industry work together. Credit unions don’t have the budgets larger institutions do and many of their technologists wear multiple hats. Security is a group effort. (as it should be) Two major takeaways I had from the conference: 1.) Credit Union security professionals have a can-do attitude and value networking with their peers...
Phishing with Encoded IP Addresses
January 5, 2008 by Cofense in PhishingI was adding a little special sauce to Phishme.com this past week and thought this might be fun to share. We have a few different ways a user can craft their phishing links. If he/she chooses the IP address option, then there is also the choice of encoding options. This lets you mask the IP address in an attempt to trick the user into thinking part of the sub directory is perhaps the host name. Or as in the case with my mom… she thinks it is just the phone number so the computer knows where to call. And it’s...
If I was a hacker…err cracker…
December 31, 2007 by Cofense in Internet Security AwarenessI would be very busy the week of Christmas, while IT security staff is probably operating at 20% normal strength. Not only is it the weakness in numbers, but also the holiday mood. How many of you are actually working full days? IDS logs – thats probably the last thing on your mind now that you have Guitar Hero III in the breakroom. I would get busy if I heard that a company was being acquired. From my experience, most companies put a freeze on all discretionary spending from the time a deal is announced untill it closes. Unfortunately, security...
Baiting the Hook, Sneak Peek at PhishMe.com
October 10, 2007 by Cofense in PhishingIf you’ve been noticing a little silence on the blog recently, it’s been because a lot of the ranting has been going into developing what we think is a great anti-phishing user awareness tool. Take a peek at our main site at www.PhishMe.com Conducting ethical phishing attacks has never been easier. User awareness will be improved, enforced, and for the first time for many users, easy to measure and trend over time. You can sign up for the mailing list right now that will let you know when the full blown service is launched. We will be offering free trial...
Time to Phish your Customers?
September 19, 2007 by Cofense in PhishingBuilding employee awareness to social engineering attacks, like Phishing, is clawing its way up the CISO’s priority ladder; and rightly so. But, what good are aware employees if your customers can be directly targeted by such attacks? A month ago, monster.com had to deal with a phishing attack that targeted their clients and did so with some success. Security experts commented in this USAtoday article urging job seekers to expose minimal data and blaming monster.com for not enforcing strong passwords. I don’t want to undermine the soundness of those suggestions. However, I don’t believe they will solve the issue at...
Phishing for User Awareness
September 10, 2007 by Cofense in Internet Security AwarenessPhishingA recent survey of over 279 IT Executives indicated that the greatest security challenge they faced was building an effective security awareness program and encouraging their employees to embrace it. Employees, albeit unaware, oblivious or unconcerned, continue to fall prey to conniving social engineers compromising sensitive data protected by millions of dollars worth of technology. The return on investment on building user awareness is apparent and no longer a hard sell for IT security staff. The real problem lies in building an effective program that actually changes the mindset of the employees. In a society where 90% of recovering coronary...