ERE Information Security Auditors

Posts Tagged ‘Phishing’

What’s your Pain Threshold for Mobile Phone Identity Theft?

Tuesday, November 30th, 2010

The FBI’s Internet Crime Complaint Center (IC3) recently published a warning about smishing and vishing. Both are variations of phishing aimed at mobile phones: smishing uses SMS text messages to initiate the scam, while vishing uses automated voice calls.

These threats are new variations on an old and costly method of identity theft. The problem is that mobile users who are novices with regard to computer security threats are simply unaware that they are in jeopardy when they respond to text or voice phishing on their mobiles.

Sophisticated corporate IT users, who should know better, are similarly compromised via their mobile phones.

Just to back up a step, SMS stands for short message service. SMS is also often referred to as texting, sending text messages or text messaging. The service allows short text messages to be sent from one cell phone to another, or from the Web to a cell phone. Just because the SMS service runs on a phone does not make it impervious to phishing.

The particularly nasty form of SMS spam called smishing is the act of phishing by SMS for private information, often to be used for identity theft. These smishing attempts take the form of text messages and voice messages, which arrive on your phone saying things like “We’re confirming your parcel delivery,” “Your account status has been changed,” or “ABC credit card is confirming your purchase.”

The user is given a phone number to call or a web site to log onto to provide account credentials to remedy the issue. Alternatively, the victim is directed to a spoofed web site: a fake site that misleads the victim into providing personal information, which is in turn routed to the scammer’s computer.

If a victim attempts to telephone back to the inbound number of a phishing call, they will most probably encounter no voice mail or a constantly busy signal. This is because attackers call from throw-away phones, rendering these calls virtually untraceable.

The FBI report said a recent smishing scam was used to steal money from customers of a credit union. After receiving a text about an account problem, victims called the number provided and gave out their personal information. Within 10 minutes money was withdrawn from their bank accounts. The same technique was also recently used to attack banking customers, who were told via text that they needed to reactivate their ATM cards at a bogus web site.

What to do. What not to do.

Once again, here are old and trusted simple steps to avoid being a victim of identity theft and fraud:
• Do not respond to text messages or automated voice messages from unknown or blocked numbers.
• Do not respond to unsolicited (spam) email.
• Do not click on links contained within an unsolicited email.
• Be cautious of email claiming to contain pictures in attached files, as the files may contain viruses. Only open attachments from known senders. Avoid filling out forms contained in email messages that ask for personal information.
• Do compare the link in the email with the link to which you are directed. Look and see for yourself if it is the legitimate URL address. Better still, just log directly onto the official web site for the business identified in the email. If the email appears to be from your bank, credit card issuer, or other company you deal with frequently, your statements or official correspondence from the business will provide the proper contact information.
• Do contact the actual business that supposedly sent the email to verify if the email is genuine.
• Do verify any requests for personal information from any business or financial institution by contacting them using the main contact information.

Have a secure week. Ron Lepofsky CISSP, CISM www.ere-security.ca

YOUNG PEOPLE SUSCEPTIBLE TO PHISHING

Wednesday, May 19th, 2010


A recent study at Carnegie Mellon University found the 18 – 25 year old population is most susceptible to spear phishing attacks and fraud. This sounds counterintuitive, as this group is assumed to be particularly computer literate. More to the point, the test group was made up of university students and staff members. For more information please see the article in the RSS feed at www.ere-security.ca entitled “Younger Users Reveal Risky Details”, May 4, 2010.

So what can we learn from this study?

Everybody needs to be trained about phishing by “experience”. The article discusses a tool to simulate attacks; the target web site then explains how the simulated attack could have resulted in fraud and how to guard against phishing.

I believe this sort of solution could be effective if sponsored and paid for by an institution that has a vested interest in the cyber security of its user base. Corporations, educational institutions including grade schools, and government agencies could all benefit from this type of cyber education by experience, particularly if the web site kept statistics about those entrapped and measured the success of the service over time.

However, spear phishing can still be effective in situations involving coincidence of timing, where the victim is expecting a transaction to occur and coincidentally receives a fraudulent email about that subject. For instance, someone expecting a delivery, an email receipt or a confirmation of a transaction may have an irresistible urge to open a phishing email that seems relevant to their transaction.

In these situations it is important to:

  1. Ensure that an anti-virus and anti-malware program screens these announcement emails first.
  2. Verify that any attached URL is bona fide, by first searching for the legitimate URL and then comparing it with the URL in the announcement email.
  3. Never supply any additional personal information requested by an announcement email.
  4. Do not open unexpected or unknown attachments in email.

Have a secure week.

Regards, Ron Lepofsky, B.A.Sc. (Mech Eng), CISSP, ERE Information Security and Privacy Compliance Auditors. www.ere-security.ca

