Wednesday, February 6, 2008

Phishing attacks and user awareness

Like many organizations, we get our fair share of spam and phishing emails. Last week, the Internet Storm Center reported on a phishing attack that seemed to concentrate (mostly) on institutes for higher education in the United States. The same topic was discussed on mailing lists, such as the EDUCAUSE security mailing list and the SANS University Security Operations Group (UNISOG) list.

The fact that .edu's were targeted was confirmed by many schools throughout the USA that had received the phishing emails.

Although raising and maintaining information security awareness is a continuous process, we felt it appropriate to send out a message to our entire community as a warning. We have not received much targeted phishing mail yet, and our users are not used to it.

Fortunately, it seems we have been able to dodge the bullet so far.

Yesterday, we started to see another wave of phishing coming our way. This time it was an email notifying the recipient that he (or she) had received an e-card from "A Friend". When the user clicks on the link provided in the message, a download of an executable file starts, and when the user runs it, the file will (presumably) install some sort of malware on their computer.

We have chosen not to send out another alert. When too many notices are sent out, we quickly risk being labeled as the group that cries wolf, and our constituency will start disregarding what we have to say. However, we did post a notice to our web pages. Users who take the effort to look at our pages will see a warning about this particular message, which can be summarized as: if someone sends you a message without revealing their (claimed) identity, the sender is probably up to no good. Don't fall for scams like this.

However, with Valentine's Day coming up, many more (anonymous) e-cards might be sent out by "Secret Valentines". It will be interesting to see if our user base is intelligent enough to NOT mindlessly run programs that they download from the Internet.

Despite the fact that I work in Information Security, I am a positive person, and I will give just about anyone the benefit of the doubt. Therefore, I am looking forward to next week.
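As an added illustration (not part of the original post), here is a small mail-triage heuristic in Python that flags the lure pattern described above: an anonymous sender display name ("A Friend", "Secret Valentine"), e-card wording, and a link that downloads an executable. The sample messages, the `.invalid` domains and the two-signal threshold are constructed for this example.

```python
import re
from urllib.parse import urlparse

# Constructed sample messages modelled on the e-card and Valentine waves
# described in the post; domains use the reserved .invalid TLD.
SAMPLE_MESSAGES = [
    {"from": '"A Friend" <ecard@example.invalid>',
     "subject": "You have received an e-card from A Friend",
     "body": "A friend sent you an e-card! Open it here: http://ecards.example.invalid/card.exe"},
    {"from": '"Secret Valentine" <valentine@example.invalid>',
     "subject": "Someone has a Valentine e-card for you",
     "body": "Pick up your card: http://cards.example.invalid/pickup.php?id=123"},
    {"from": '"Jane Doe" <jane.doe@example.invalid>',
     "subject": "Lunch on Thursday?",
     "body": "Menu is at http://cafe.example.invalid/menu.html"},
]

# Display names that hide who the sender is (the post's main warning sign).
ANON_SENDERS = re.compile(r"\b(a friend|secret (valentine|admirer)|anonymous)\b", re.I)
# Lure wording used by both waves.
ECARD_WORDS = re.compile(r"\b(e-?card|greeting card|postcard)\b", re.I)
# Link targets that would start an executable download in the browser.
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".zip")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def score_message(msg):
    """Return the list of suspicious signals found in one message."""
    reasons = []
    if ANON_SENDERS.search(msg["from"]):
        reasons.append("anonymous sender display name")
    if ECARD_WORDS.search(msg["subject"]) or ECARD_WORDS.search(msg["body"]):
        reasons.append("e-card lure wording")
    for url in URL_RE.findall(msg["body"]):
        # Compare the URL path only, so query strings cannot hide the extension.
        if urlparse(url).path.lower().endswith(EXEC_EXT):
            reasons.append(f"link to executable download: {url}")
    return reasons

def triage(messages, threshold=2):
    """Subjects of messages showing at least `threshold` signals (constructed cut-off)."""
    return [m["subject"] for m in messages if len(score_message(m)) >= threshold]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m["subject"], "->", score_message(m))
    print("Flagged:", triage(SAMPLE_MESSAGES))
```

The Valentine message is flagged on sender anonymity and lure wording alone, which is the case the post expects to see more of, while the ordinary lunch invitation passes untouched.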
