Anti-Phishing Blog


Thursday, June 22, 2006

Phishing with a Social Engineering Hook

Here is the method: the phisher sends an email to the bank's Security Officer, reporting a malicious web site that the bank may need to have shut down. The enthusiastic Security Officer digs in, eager to see what he can accomplish today, but the site turns out to be a bust.

A month later the Security Officer discovers that the email carried malware, and that it infected his computer the moment he opened the message to follow the link to the web site.

Not only do financial institutions need to keep software up to date to protect against viruses, Trojans and other malware, but users must be educated to avoid the pitfalls of social engineering. All users need training and regular reminding, and that includes the security staff, who are just as much a target as anyone else. Experts are seeing more targeted attacks in place of the mass phishing expeditions of the past. In this real-life example one PC was compromised, and you have to ask: what other systems, and what data, could be exposed as a result of this first open door?


Tuesday, June 13, 2006

Could Instant Messaging Be a Vulnerability?

There is a new Instant Messaging worm which targets users on MySpace. There may not be many bankers using MySpace at work, but some may, and there is still a lesson to be learned here.

In this case the AOL IM user gets the worm first. Then the phishing expedition begins: the user is notified that someone on their Contact list has pictures for them to view, and is given a false URL. The page behind it captures their MySpace logon information.

The message here is that you may be using IM for work purposes, but have you got adequate security and procedures in place to thwart an attack like this one before it compromises the integrity of your own network? Could such an attack be used to capture a network logon and password, or be used for social engineering to gain other confidential corporate information?

Information Security, Technology and Training need to work together to keep your staff on point about data security and alert to anything out of the ordinary.