by Iain Wilson
This week I attended another talk on Cyber Security organised by Scottish Informatics and Computer Science Alliance (SICSA).
This one was on the dark practice of 'phishing' and was presented excellently by Shaun Jones of NCC Group. Shaun's group provides security compliance testing consultancy to companies who want to find out how secure their IT infrastructure really is.
Wikipedia defines phishing as
"the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication"
This normally takes the form of an email that appears to be from a company you know well, like your bank, PayPal, Amazon, Microsoft etc. The email usually asks you to go to a web address where you are requested to enter your username and password to confirm your identity or to make some 'necessary' change to your account. Here's a good example.
The webpage is bogus of course, and as soon as you enter your information it is whizzed off to shady characters in the internet ether who use it for whatever nefarious deeds they get up to.
Shaun gave us some examples where his group had undertaken a phishing program to test the effectiveness of their client's security. Even companies with good security in place were susceptible, because it just takes one person to give up their credentials and the phisher is 'in'.
You can protect yourself in the obvious ways, like security training, website whitelists, closing unneeded ports etc., but the phishing emails are often very professional, as are the web pages they direct you to.
So if you suspect an email is directing you somewhere for phishing reasons, what can you do?
The answer is to take your phish to the PhishTank. PhishTank is an online service where you can check whether a web address is a known phishing site.
You simply paste in the address and click on "Is it a phish?"
If that address has been reported as a phishing site, PhishTank will tell you straightaway. You can also register and report sites that you come across.
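Here is a small added example (my code, not Iain's or PhishTank's) of doing the same lookup from a script rather than the web form, and, more importantly, of reading the answer correctly: PhishTank saying "not in database" is not the same as "safe". It assumes PhishTank's checkurl endpoint (https://checkurl.phishtank.com/checkurl/) accepts a POST with form fields `url` and `format=json` and returns JSON whose `results` object carries `in_database`, `verified` and `valid` fields; the sample responses embedded below are constructed for illustration, not real PhishTank output.

```python
"""Interpret a PhishTank "Is it a phish?" lookup programmatically.

Added example, not part of the original post. Assumes the PhishTank checkurl
API shape described in the lead-in; the SAMPLE_* responses are constructed.
"""
import json
import urllib.parse
import urllib.request

# Assumed endpoint; check PhishTank's developer docs before relying on it.
CHECKURL_ENDPOINT = "https://checkurl.phishtank.com/checkurl/"


def classify_response(data):
    """Turn a PhishTank-style JSON response into a verdict string.

    Verdicts:
      "known_phish" - listed, community-verified, and still considered live
      "unverified"  - listed by a reporter but not yet verified
      "retired"     - listed and verified, but no longer marked valid
      "not_listed"  - no record; NOT proof the address is safe, only that
                      nobody has reported it (yet)
    """
    results = data.get("results", {})
    if not results.get("in_database"):
        return "not_listed"
    if results.get("verified") != "y":
        return "unverified"
    if results.get("valid") != "y":
        return "retired"
    return "known_phish"


def check_url(url, app_key=None, timeout=10):
    """Query PhishTank for `url` and return (verdict, raw results dict).

    Network call; not exercised by the offline demonstration below.
    """
    fields = {"url": url, "format": "json"}
    if app_key:  # optional PhishTank application key
        fields["app_key"] = app_key
    body = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(
        CHECKURL_ENDPOINT,
        data=body,
        headers={"User-Agent": "phishtank/example-check"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        data = json.load(resp)
    return classify_response(data), data.get("results", {})


# Constructed sample responses (not real PhishTank data) so the logic can be
# checked offline.
SAMPLE_KNOWN_PHISH = {
    "results": {
        "url": "http://example.invalid/login",  # placeholder, not a real phish
        "in_database": True,
        "phish_id": 0,
        "verified": "y",
        "valid": "y",
    }
}
SAMPLE_UNVERIFIED = {
    "results": {"in_database": True, "verified": "n", "valid": "y"}
}
SAMPLE_RETIRED = {
    "results": {"in_database": True, "verified": "y", "valid": "n"}
}
SAMPLE_NOT_LISTED = {
    "results": {"url": "http://example.invalid/", "in_database": False}
}


if __name__ == "__main__":
    for name, sample in [
        ("known phish", SAMPLE_KNOWN_PHISH),
        ("unverified", SAMPLE_UNVERIFIED),
        ("retired", SAMPLE_RETIRED),
        ("not listed", SAMPLE_NOT_LISTED),
    ]:
        print(f"{name:12s} -> {classify_response(sample)}")
```

The point of the four-way verdict is the last case: treat "not_listed" as "no evidence either way" and fall back on the other checks in the post (training, whitelists), rather than reading it as an all-clear.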
And finally, if you know of something better than the PhishTank, let minnow!