Georgia Weidman - The Basics Of Security Awareness Aren’t Sinking In

What are your top 3 tips to help others avoid phishing scams?

I used to think that social engineering attacks were a myth. Then a client asked me to a phishing scenario. I cloned the client’s site, added a “Company Portal Login” to the page, and made a fake <client name>[email protected] address. This was not your most sophisticated attack, but surprisingly it worked pretty well. As I’ve done more and more social engineering, it’s become more and more clear to me that the basics of security awareness aren’t sinking in. Even though my phishing campaigns are generally not that sophisticated, I’ve still never gotten a 0% success rate in harvesting credentials from my clients. But even for the more security aware client’s there are sophisticated phishing schemes going around guaranteed to fool just about anyone, plane ticket receipts, Amazon order shipments, etc. that look just like the real thing to the untrained eye. If you didn’t order it and aren’t expecting it then you can be 99.9% sure it is a phishing attack. You can always contest any charges to your credit card if and when they show up. Ignore it. If you aren’t the type of person who can ignore it, go to the company’s website not by clicking a link but by typing in the web address you know and trust for that company.

But just for the sake of argument, let’s pretend we live in fantasy land where no employee will ever click on a link in a funny looking email, enter their credentials into a close but still misspelled URL that looks a lot like the real company site, etc. You are good to go as far as phishing is concerned, right? What if instead the link is in a text message? It’s text; how can text hurt you? Opening a link in your mobile browser can cause just as much harm as in your traditional computer’s browser. Mobile browsers are subject to the same sorts of bugs, and it’s possible to spoof a mobile website as well. If you get a text message that says you have won a $500 gift card to <store> and log in here to claim your prize with a link, chances are it’s not a good idea to log in with your legitimate <store> credentials, no matter how badly you need new phones for research. (Not that I’m speaking from experience here or anything). Always remember if it sounds too good to be true then it probably is.

Another interesting scenario involves being enticed to download apps to your mobile device. I once received a text message from a number like 1234 and it said as a “premium handset subscriber” I could download a security app, along with a link that sent me to a third party app store. While my cell carrier confirmed that this message was legitimate, it is symptomatic of a larger problem. Cell carriers are training users to accept messages like this and download the apps to their devices without considering the security implications. Once on my device, the app may have access to any sensitive data stored on the device directly depending on the permission model of the device, or it might run malicious code to get additional privileges. Start bringing QR codes and near field communication (NFC) into the mix, and the water gets even murkier. Just because there is a QR code on a store window, doesn’t mean the store put it there or that it goes to the store’s website. A while back a high traffic Twitter user changed his profile picture on the site to a QR code that when scanned attempted to attack mobile browsers and gain control of the device.

In closing, continue to be vigilant about traditional email based phishing schemes. They can look a lot like legitimate messages. In addition, be aware of newer forms of phishing such as through text messages on your mobile devices. Finally, be careful about the apps you download and the websites and documents you open in mobile browsers and other client side applications just as you would on your traditional computer. Review the permissions requested by that app, and rethink whether you really need that app.