Endpoint

2/10/2016
05:25 PM
Sara Peters
Sara Peters
Slideshows
Connect Directly
Twitter
RSS
E-Mail
100%
0%

The Phishie Awards: (Dis)Honoring The Best Of The Worst Phishing Attacks

From the costly to the clever to the just plain creepy, here are the recent phishing campaigns that have earned our reluctant recognition.
Previous
1 of 11
Next

You invest in the slickest, smartest, security gear. The latest in threat intelligence, behavior analysis, and every other cutting-edge tech that widened your eyes on the trade show floor. It's excellent, exciting, expensive...and useless against a top-notch social engineer.

Okay, that might be a bit of an overstatement, but there are plenty of examples when social engineering bested the best security technology -- to sack Troy with a wooden horse or to steal diamonds with a charming smile.

These days, the social engineer's favorite tool isn't the smile; it's the humble phishing message.

It's a very adaptable piece of kit. It can deliver any manner of malicious payloads, as attachments, embedded objects, or links. It can be customized to lure in any kind of game -- from John Q. Public to John Q. White House Ambassador. It can be used as part of attacks to steal data, steal money, or steal secrets.

Adaptable and successful. Take a peak behind some of the biggest breaches and costliest attacks and you may see a phishing message at the root of it. 

So, with some help from experts at KnowBe4 and PhishLabs, we've decided to recognize some of the most intriguing examples of phishing in recent history. The clever, the costly, the just plain creepy.

Read on to see which attack campaigns and categories earn the dubious honor of winning one of the coveted Phishie Awards.

 

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Previous
1 of 11
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
sixscrews
50%
50%
sixscrews,
User Rank: Apprentice
2/17/2016 | 6:58:17 PM
Re: Greatest source of risk
Unfortunately, that has been true for more years that I can count (40+).

From fake 'demo' disks for 5 1/4" drives to downloads off websites, it's the employee that is the primary entry point for attacks.

How do you educate your employees?  How do you justify this kind of training to management?  Well, good luck.

Most managers are unaware of the vlunerability of thier groups/division/organization's staff to these attacks.  And you will be marked down as a Chicken Little if you push the problem in an open forum.

The best way is to include training and warnings for new hires - it's an 'inoculation' process.  

This leaves the 'old guard' to educate - and they are often the most vlunerable.  The person who deals with appointments for salespeople, the person who answers the phone (and, by the way, gets all the undeliverable emails....).

Filtering/deleting all the undeliverable emails is a good first line of defense - or you can divert these messages to someone who has more familarity with attacks.  But this drains your resources - better to just trash the undeliverables.

But many institutions have staff who have been there since before cell phones were invented - how do you deal with them?  I have tried many times and found the 'gaming' strategy works best - build up a collecton of attacks and make it into a game - tell them it's something to play with.  When they fall for an attack don't scold, explain.  Remember the old country doctor whose 'bedside manner' could settle most problems?  Take that approach - you are often the new person on the staff teaching the person with the longest tenure - be humble and explain, explain, explain.  If they don't understand it's not their fault - it's yours.  Try another approach - you CAN make it work.

And - best of luck.

wb
sixscrews
50%
50%
sixscrews,
User Rank: Apprentice
2/17/2016 | 6:40:45 PM
Re: Difficult to Differentiate
Only if they are seafood (you).

 

wb
AlanL907
50%
50%
AlanL907,
User Rank: Apprentice
2/16/2016 | 1:55:54 PM
Re: Difficult to Differentiate
I though all offers of free dinners from vendors were phishing.

It's 99.99% assured.
rjones2818
50%
50%
rjones2818,
User Rank: Strategist
2/11/2016 | 1:43:51 PM
Speaking of particularly
- "Unfortunately, a particularly message doesn't need to be the worst, sneakiest, or most clever in order to be successful," says Angela Knox, senior director of engineering and threat research at Cloudmark.-

A jarringly unfortunate use of the term particularly.

Sorry...it was jarring.
RyanSepe
100%
0%
RyanSepe,
User Rank: Ninja
2/11/2016 | 11:24:55 AM
Difficult to Differentiate
For me, phishing has made it nearly impossible to discern what offers are legimitate and which ones are not. My only saving grace is that I verify the sender before hand but even that has the potential to be spoofed.

I've probably turned down a bunch of genuine free dinners just because I thought they were phishing. :)
RyanSepe
100%
0%
RyanSepe,
User Rank: Ninja
2/11/2016 | 11:20:58 AM
Greatest source of risk
It all comes down to employees and end users being the greatest source of risk. No matter what walls you've set up, if someone opens the gate then it was all for naught.
Higher Education: 15 Books to Help Cybersecurity Pros Be Better
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Worst Password Blunders of 2018 Hit Organizations East and West
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
2019 Attacker Playbook
Ericka Chickowski, Contributing Writer, Dark Reading,  12/14/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
[Sponsored Content] The State of Encryption and How to Improve It
[Sponsored Content] The State of Encryption and How to Improve It
Encryption and access controls are considered to be the ultimate safeguards to ensure the security and confidentiality of data, which is why they're mandated in so many compliance and regulatory standards. While the cybersecurity market boasts a wide variety of encryption technologies, many data breaches reveal that sensitive and personal data has often been left unencrypted and, therefore, vulnerable.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-19790
PUBLISHED: 2018-12-18
An open redirect was discovered in Symfony 2.7.x before 2.7.50, 2.8.x before 2.8.49, 3.x before 3.4.20, 4.0.x before 4.0.15, 4.1.x before 4.1.9 and 4.2.x before 4.2.1. By using backslashes in the `_failure_path` input field of login forms, an attacker can work around the redirection target restricti...
CVE-2018-19829
PUBLISHED: 2018-12-18
Artica Integria IMS 5.0.83 has CSRF in godmode/usuarios/lista_usuarios, resulting in the ability to delete an arbitrary user when the ID number is known.
CVE-2018-16884
PUBLISHED: 2018-12-18
A flaw was found in the Linux kernel in the NFS41+ subsystem. NFS41+ shares mounted in different network namespaces at the same time can make bc_svc_process() use wrong back-channel id and cause a use-after-free. Thus a malicious container user can cause a host kernel memory corruption and a system ...
CVE-2018-17777
PUBLISHED: 2018-12-18
An issue was discovered on D-Link DVA-5592 A1_WI_20180823 devices. If the PIN of the page "/ui/cbpc/login" is the default Parental Control PIN (0000), it is possible to bypass the login form by editing the path of the cookie "sid" generated by the page. The attacker will have acc...
CVE-2018-18921
PUBLISHED: 2018-12-18
PHP Server Monitor before 3.3.2 has CSRF, as demonstrated by a Delete action.