As you are aware, phishing is certainly not a new cyber threat, yet it continues to be one of the most pervasive and costly to businesses and consumers. With nearly endless examples, we have decided to develop a new series that not only highlights some of these attacks, but also sharing helpful tips along the way for spotting them.
On Friday, March 23, nine Iranian threat actors were indicted for stealing massive quantities of data from universities, businesses, and governments all over the world.
If you’ve been following our blog (or the news), you already know the actors are associated with an organization called the Mabna Institute, and are responsible for stealing more than 31 terabytes of data over the past four and a half years. To put that number in context, you’d need to cut down more than 1.5 million trees to make enough paper to print out all of the stolen data.
Last week, news broke that an Iranian hacker network, Mabna Institute, had been systematically stealing data from universities across the US and abroad.
It’s unclear precisely how much data has been compromised, but it has been estimated to have cost US universities around $3.4 billion dollars to collect and maintain.
While the administration has announced sanctions and criminal indictments against the group, it’s highly unlikely any of the actors involved will receive punishment.
So if you happen to work for a university, or be responsible in some capacity for the data security of a university, you’d be forgiven for wondering “…What now?”
A newly observed variant of BankBot has been discovered masquerading as Adobe Flash Player, Avito, and an HD Video Player. This variant, now detected by PhishLabs as BankBot Anubis, was first identified on March 5, 2018.
Making the move from the typical security awareness training approach to a powerful anti-phishing program isn’t an easy sell.
Executive boards are used to basic training programs with boring annual sessions, and (let’s be honest) minimal results… with correspondingly tiny budget approvals. So when they finally do agree to a more in-depth program, there’s a tendency to expect results overnight.
The trouble is, training users to spot and report phishing emails isn’t an overnight fix. And trying to realize dramatic results in a short timescale is a surefire way to hamstring your program.
During our webinar focused on the Qadars Banking Trojan there was a great deal of analysis provided on just how evasive the threat is. This begs the question, how does your team handle malware analysis?
It’s that time of year again.
A day of romance, crowded restaurants, overblown gestures of love, and…
Well. You get the idea.
For those of us in the security world there’s another, less enjoyable component to Valentine’s Day. Yes, even less enjoyable than trying to share a romantic meal while sitting less than a foot away from four other couples.
Yes, I’m talking about holiday themed phishing scams. We’ve written about this precise topic many times before (including last Valentine’s Day) but so far we’ve never tackled the specific scams that surround this romance-centric annual event.
So before you send those dutch-courage fueled love notes, just take a moment to consider…
In most organizations, a user who can identify and delete phishing emails is considered a huge asset.
And, let’s be honest, they’re certainly a big step in the right direction. Users who can't spot a simple phishing email can easily jeopardize the security of an entire organization, even with a comprehensive set of technical security controls in place.
But in our eyes, there’s still a long way for these users to go. Deleted phish are better than clicked phish, but they shouldn’t be the end goal.
You receive an email, you are unfamiliar with the sender’s name or email address, and they are offering you a new service or deal on something. Is it malicious? Not necessarily. Perhaps you forgot about signing up for a newsletter a while back.
If you’ve been following our blog for a while, you’ll already be aware of our stance on anti-phishing training.
Experience has taught us that the only way to reliably improve a user’s ability to spot and report phishing emails is to test them in the real world. To put it another way, they need to see realistic phishing emails in their inbox on a regular basis… and you need to put them there.
It’s tempting (oh so tempting…) to treat this as a gotcha exercise.