Endpoint

2/10/2016
05:25 PM
Sara Peters
Sara Peters
Slideshows
Connect Directly
Twitter
RSS
E-Mail
100%
0%

The Phishie Awards: (Dis)Honoring The Best Of The Worst Phishing Attacks

From the costly to the clever to the just plain creepy, here are the recent phishing campaigns that have earned our reluctant recognition.
Previous
1 of 11
Next

You invest in the slickest, smartest, security gear. The latest in threat intelligence, behavior analysis, and every other cutting-edge tech that widened your eyes on the trade show floor. It's excellent, exciting, expensive...and useless against a top-notch social engineer.

Okay, that might be a bit of an overstatement, but there are plenty of examples when social engineering bested the best security technology -- to sack Troy with a wooden horse or to steal diamonds with a charming smile.

These days, the social engineer's favorite tool isn't the smile; it's the humble phishing message.

It's a very adaptable piece of kit. It can deliver any manner of malicious payloads, as attachments, embedded objects, or links. It can be customized to lure in any kind of game -- from John Q. Public to John Q. White House Ambassador. It can be used as part of attacks to steal data, steal money, or steal secrets.

Adaptable and successful. Take a peak behind some of the biggest breaches and costliest attacks and you may see a phishing message at the root of it. 

So, with some help from experts at KnowBe4 and PhishLabs, we've decided to recognize some of the most intriguing examples of phishing in recent history. The clever, the costly, the just plain creepy.

Read on to see which attack campaigns and categories earn the dubious honor of winning one of the coveted Phishie Awards.

 

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Previous
1 of 11
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
sixscrews
50%
50%
sixscrews,
User Rank: Apprentice
2/17/2016 | 6:58:17 PM
Re: Greatest source of risk
Unfortunately, that has been true for more years that I can count (40+).

From fake 'demo' disks for 5 1/4" drives to downloads off websites, it's the employee that is the primary entry point for attacks.

How do you educate your employees?  How do you justify this kind of training to management?  Well, good luck.

Most managers are unaware of the vlunerability of thier groups/division/organization's staff to these attacks.  And you will be marked down as a Chicken Little if you push the problem in an open forum.

The best way is to include training and warnings for new hires - it's an 'inoculation' process.  

This leaves the 'old guard' to educate - and they are often the most vlunerable.  The person who deals with appointments for salespeople, the person who answers the phone (and, by the way, gets all the undeliverable emails....).

Filtering/deleting all the undeliverable emails is a good first line of defense - or you can divert these messages to someone who has more familarity with attacks.  But this drains your resources - better to just trash the undeliverables.

But many institutions have staff who have been there since before cell phones were invented - how do you deal with them?  I have tried many times and found the 'gaming' strategy works best - build up a collecton of attacks and make it into a game - tell them it's something to play with.  When they fall for an attack don't scold, explain.  Remember the old country doctor whose 'bedside manner' could settle most problems?  Take that approach - you are often the new person on the staff teaching the person with the longest tenure - be humble and explain, explain, explain.  If they don't understand it's not their fault - it's yours.  Try another approach - you CAN make it work.

And - best of luck.

wb
sixscrews
50%
50%
sixscrews,
User Rank: Apprentice
2/17/2016 | 6:40:45 PM
Re: Difficult to Differentiate
Only if they are seafood (you).

 

wb
AlanL907
50%
50%
AlanL907,
User Rank: Apprentice
2/16/2016 | 1:55:54 PM
Re: Difficult to Differentiate
I though all offers of free dinners from vendors were phishing.

It's 99.99% assured.
rjones2818
50%
50%
rjones2818,
User Rank: Strategist
2/11/2016 | 1:43:51 PM
Speaking of particularly
- "Unfortunately, a particularly message doesn't need to be the worst, sneakiest, or most clever in order to be successful," says Angela Knox, senior director of engineering and threat research at Cloudmark.-

A jarringly unfortunate use of the term particularly.

Sorry...it was jarring.
RyanSepe
100%
0%
RyanSepe,
User Rank: Ninja
2/11/2016 | 11:24:55 AM
Difficult to Differentiate
For me, phishing has made it nearly impossible to discern what offers are legimitate and which ones are not. My only saving grace is that I verify the sender before hand but even that has the potential to be spoofed.

I've probably turned down a bunch of genuine free dinners just because I thought they were phishing. :)
RyanSepe
100%
0%
RyanSepe,
User Rank: Ninja
2/11/2016 | 11:20:58 AM
Greatest source of risk
It all comes down to employees and end users being the greatest source of risk. No matter what walls you've set up, if someone opens the gate then it was all for naught.
6 Ways Greed Has a Negative Effect on Cybersecurity
Joshua Goldfarb, Co-founder & Chief Product Officer, IDRRA ,  6/11/2018
Weaponizing IPv6 to Bypass IPv4 Security
John Anderson, Principal Security Consultant, Trustwave Spiderlabs,  6/12/2018
'Shift Left' & the Connected Car
Rohit Sethi, COO of Security Compass,  6/12/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-12026
PUBLISHED: 2018-06-17
During the spawning of a malicious Passenger-managed application, SpawningKit in Phusion Passenger 5.3.x before 5.3.2 allows such applications to replace key files or directories in the spawning communication directory with symlinks. This then could result in arbitrary reads and writes, which in tur...
CVE-2018-12027
PUBLISHED: 2018-06-17
An Insecure Permissions vulnerability in SpawningKit in Phusion Passenger 5.3.x before 5.3.2 causes information disclosure in the following situation: given a Passenger-spawned application process that reports that it listens on a certain Unix domain socket, if any of the parent directories of said ...
CVE-2018-12028
PUBLISHED: 2018-06-17
An Incorrect Access Control vulnerability in SpawningKit in Phusion Passenger 5.3.x before 5.3.2 allows a Passenger-managed malicious application, upon spawning a child process, to report an arbitrary different PID back to Passenger's process manager. If the malicious application then generates an e...
CVE-2018-12029
PUBLISHED: 2018-06-17
A race condition in the nginx module in Phusion Passenger 3.x through 5.x before 5.3.2 allows local escalation of privileges when a non-standard passenger_instance_registry_dir with insufficiently strict permissions is configured. Replacing a file with a symlink after the file was created, but befor...
CVE-2018-12071
PUBLISHED: 2018-06-17
A Session Fixation issue exists in CodeIgniter before 3.1.9 because session.use_strict_mode in the Session Library was mishandled.