Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

2/10/2016
05:25 PM
Sara Peters
Sara Peters
Slideshows
Connect Directly
Twitter
RSS
E-Mail
100%
0%

The Phishie Awards: (Dis)Honoring The Best Of The Worst Phishing Attacks

From the costly to the clever to the just plain creepy, here are the recent phishing campaigns that have earned our reluctant recognition.
Previous
1 of 11
Next

You invest in the slickest, smartest, security gear. The latest in threat intelligence, behavior analysis, and every other cutting-edge tech that widened your eyes on the trade show floor. It's excellent, exciting, expensive...and useless against a top-notch social engineer.

Okay, that might be a bit of an overstatement, but there are plenty of examples when social engineering bested the best security technology -- to sack Troy with a wooden horse or to steal diamonds with a charming smile.

These days, the social engineer's favorite tool isn't the smile; it's the humble phishing message.

It's a very adaptable piece of kit. It can deliver any manner of malicious payloads, as attachments, embedded objects, or links. It can be customized to lure in any kind of game -- from John Q. Public to John Q. White House Ambassador. It can be used as part of attacks to steal data, steal money, or steal secrets.

Adaptable and successful. Take a peak behind some of the biggest breaches and costliest attacks and you may see a phishing message at the root of it. 

So, with some help from experts at KnowBe4 and PhishLabs, we've decided to recognize some of the most intriguing examples of phishing in recent history. The clever, the costly, the just plain creepy.

Read on to see which attack campaigns and categories earn the dubious honor of winning one of the coveted Phishie Awards.

 

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio
 

Recommended Reading:

Previous
1 of 11
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
sixscrews
50%
50%
sixscrews,
User Rank: Apprentice
2/17/2016 | 6:58:17 PM
Re: Greatest source of risk
Unfortunately, that has been true for more years that I can count (40+).

From fake 'demo' disks for 5 1/4" drives to downloads off websites, it's the employee that is the primary entry point for attacks.

How do you educate your employees?  How do you justify this kind of training to management?  Well, good luck.

Most managers are unaware of the vlunerability of thier groups/division/organization's staff to these attacks.  And you will be marked down as a Chicken Little if you push the problem in an open forum.

The best way is to include training and warnings for new hires - it's an 'inoculation' process.  

This leaves the 'old guard' to educate - and they are often the most vlunerable.  The person who deals with appointments for salespeople, the person who answers the phone (and, by the way, gets all the undeliverable emails....).

Filtering/deleting all the undeliverable emails is a good first line of defense - or you can divert these messages to someone who has more familarity with attacks.  But this drains your resources - better to just trash the undeliverables.

But many institutions have staff who have been there since before cell phones were invented - how do you deal with them?  I have tried many times and found the 'gaming' strategy works best - build up a collecton of attacks and make it into a game - tell them it's something to play with.  When they fall for an attack don't scold, explain.  Remember the old country doctor whose 'bedside manner' could settle most problems?  Take that approach - you are often the new person on the staff teaching the person with the longest tenure - be humble and explain, explain, explain.  If they don't understand it's not their fault - it's yours.  Try another approach - you CAN make it work.

And - best of luck.

wb
sixscrews
50%
50%
sixscrews,
User Rank: Apprentice
2/17/2016 | 6:40:45 PM
Re: Difficult to Differentiate
Only if they are seafood (you).

 

wb
AlanL907
50%
50%
AlanL907,
User Rank: Apprentice
2/16/2016 | 1:55:54 PM
Re: Difficult to Differentiate
I though all offers of free dinners from vendors were phishing.

It's 99.99% assured.
rjones2818
50%
50%
rjones2818,
User Rank: Strategist
2/11/2016 | 1:43:51 PM
Speaking of particularly
- "Unfortunately, a particularly message doesn't need to be the worst, sneakiest, or most clever in order to be successful," says Angela Knox, senior director of engineering and threat research at Cloudmark.-

A jarringly unfortunate use of the term particularly.

Sorry...it was jarring.
RyanSepe
100%
0%
RyanSepe,
User Rank: Ninja
2/11/2016 | 11:24:55 AM
Difficult to Differentiate
For me, phishing has made it nearly impossible to discern what offers are legimitate and which ones are not. My only saving grace is that I verify the sender before hand but even that has the potential to be spoofed.

I've probably turned down a bunch of genuine free dinners just because I thought they were phishing. :)
RyanSepe
100%
0%
RyanSepe,
User Rank: Ninja
2/11/2016 | 11:20:58 AM
Greatest source of risk
It all comes down to employees and end users being the greatest source of risk. No matter what walls you've set up, if someone opens the gate then it was all for naught.
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Zero Trust doesn't have to break your budget!
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-23396
PUBLISHED: 2021-06-17
All versions of package lutils are vulnerable to Prototype Pollution via the main (merge) function.
CVE-2021-32681
PUBLISHED: 2021-06-17
Wagtail is an open source content management system built on Django. A cross-site scripting vulnerability exists in versions 2.13-2.13.1, versions 2.12-2.12.4, and versions prior to 2.11.8. When the `{% include_block %}` template tag is used to output the value of a plain-text StreamField block (`Ch...
CVE-2013-20002
PUBLISHED: 2021-06-17
Elemin allows remote attackers to upload and execute arbitrary PHP code via the Themify framework (before 1.2.2) wp-content/themes/elemin/themify/themify-ajax.php file.
CVE-2020-19202
PUBLISHED: 2021-06-17
An authenticated Stored XSS (Cross-site Scripting) exists in the "captive.cgi" Captive Portal via the "Title of Login Page" text box or "TITLE" parameter in IPFire 2.21 (x86_64) - Core Update 130. It allows an authenticated WebGUI user with privileges for the affected p...
CVE-2020-35373
PUBLISHED: 2021-06-17
In Fiyo CMS 2.0.6.1, the 'tag' parameter results in an unauthenticated XSS attack.