Anti-Spam filters not catching any phish

Email, Risk Management, Security

A recent ethical phishing experiment showed a surprising 100% success rate in bypassing anti-spam filters. The experiment highlights how simple, small-scale spear-phishing campaigns easily get past corporate security filters, and that users continue to take the bait.

The scenario was a LinkedIn invitation, posing as a request from Bill Gates to join his network. LinkedIn was selected because it was readily available and is a social network recognized by most executives. It was also chosen because LinkedIn email is likely already recognized by most existing email systems, which may have helped the message get delivered to the mailbox.


Check the rules before you tweet from work

Best Practices, Risk Management, Security, Twitter

The Wired blog ‘Epicenter’ reports on a study commissioned by the IT staffing company Robert Half, which found that 54% of US companies have banned the use of social networking sites such as Twitter, Facebook, MySpace and LinkedIn at work. Apparently, the primary concern is loss of worker productivity, but fears over unknown legal and brand exposure may also play a role.

“Using social networking sites may divert employees’ attention away from more pressing priorities, so it’s understandable that some companies limit access,” said Dave Willmer, executive director of Robert Half Technology, in a statement.

Another study, conducted by Nucleus Research, indicated that employees who use social networking sites at work do so for up to 2 hours a day. 87% of those employees admitted they weren’t using the sites for business, but for personal purposes instead.

Does your company have a social networking use policy in place? Perhaps a good time to check before HR comes knocking.

Update: I just found this short presentation on slideshare…

Thousands of Hotmail passwords leaked

Email, Risk Management, Security

Neowin reports that the passwords of 20,000 Hotmail, Live and MSN accounts have been compromised. It is unclear whether the passwords were obtained through a hack or a phishing scheme. A list containing the account credentials was posted by an anonymous user on a public forum at pastebin.com.

It appears that currently only accounts starting with the letters A-B are affected, but other lists could exist.

I suggest that you change your password on your MSN, Hotmail or Live account just to be safe.

Operation Phish Phry

Email, Risk Management, Security

Even if you have not fallen victim to a phishing scam yourself, it is good to know that the FBI is taking the threat seriously. Last Wednesday, the Federal Bureau of Investigation pulled in the net on the largest cyber fraud phishing case to date, aptly named “Operation Phish Phry”. The FBI case started back in 2007 and resulted in a multinational sting with almost 100 people being charged.

“The FBI said it uncovered a sophisticated phishing operation that was designed to swipe personal information and then use the data to defraud banks. On Wednesday, authorities arrested 33 of the 53 defendants named in an indictment. Egyptian authorities charged another 47 alleged cybercrooks.”

Each of the defendants indicted in the US is charged with conspiracy to commit bank and wire fraud, which carries a statutory maximum penalty of 20 years in federal prison. Hopefully this case will result in convictions with stiff sentences, sending a strong signal to other aspiring cyber crooks.

State Department issues stern warning sans reply option

Best Practices, Email, Email Cost, Information Overload, Security

Only a few months after the reply-to-all tidal wave that brought down the email infrastructure at the Department of Homeland Security, the US State Department experienced a massive self-inflicted assault on its mail servers last week as well.


Phishing, Spear-Phishing, and now Whaling

Email, Risk Management, Security

Most of us know about phishing by now: those annoying emails coming from a bank you don’t even do business with, telling you in poor grammar and spelling to update your account settings by visiting a website with a strange-looking URL. The more clever ones, such as the genuine-looking messages posing as eBay or PayPal customer support, have lured many people into exposing their account credentials and still pose a significant threat to the uninformed.
