Archive for September, 2013


PHISHING BIG GAME

By Limor S. Kessem, Cybercrime and Online Fraud Communications Specialist, RSA

Anyone aware of or involved in information security in this day and age would be quick to agree that the threats linked with using the Internet have changed drastically since the early to mid 1990s, when the use of this medium explosively impacted culture and commerce. Early threats had few ways of spreading, the number of users was tiny compared with today’s Internet traffic, and the biggest worry was viruses wreaking havoc on people’s personal computers.

Online threats have come a long way and are now responsible for a growing list of misdeeds and crimes. From petty financially driven theft, which actually causes the least collateral damage, to theft of priceless intellectual property, business espionage, the disruption of critical infrastructure and the penetration of secure systems that can amount to cyber-war, the demons of the digital world affect our finances, our identities and the world as we know it today.
Although threats are more diverse and more advanced than ever, almost all of them still share one rather benign-looking gateway. Surprisingly, that gateway is Phishing. How do most threats connect with Phishing? And why is this older and well-known threat still so prevalent today?

PHISH THE HUMANS – THE ART OF DECEPTION AND PERSUASION
Looking at the short historical timeline of online threats, Phishing can be considered an ‘old threat’. The term Phishing has been in use since at least 1996, which makes it over 16 years old, and yet the world has not been able to rid itself of the phenomenon. Phishing is still one of the top threats on the Internet today; its direct and indirect costs tax the global economy with billions of dollars in fraud damages every year.

RSA reports released early this year show that worldwide losses from Phishing attacks alone amounted to over $520 million during H1 2011; a 43% increase in attack numbers translated into $755 million through H2 2011. Total losses for the year came to Rs 5760 crore (about $1.28 billion USD globally), with India ranking among the top 5 most targeted countries for phishing attacks, having been robbed of a $38 million USD portion of that pie.

What makes Phishing such a successful threat? In one word: evolution. They say “the strongest survive”, and in that sense Phishing has what it takes: good DNA and the ability to evolve over time.

At the core of this threat lies a powerful magnet: human emotion. Although Phishing is a 21st-century crime, manipulation, deceit and persuasion are not. What makes Phishing successful is social engineering, which drives most of the schemes cybercriminals use today to manipulate online users into disclosing crucial information. Social engineering is deeply rooted in fundamental principles of social psychology, which explains its perpetual success.

There are several aspects of psychology we can draw on to understand how social engineering works, specifically the psychology of persuasion. In social psychology, two alternative routes of persuasion can be employed when attempting to elicit a response from another person: the central route, which relies on the recipient weighing the merits of the message, and the peripheral route, which relies on cues such as the apparent authority of the source, urgency or emotion rather than on the argument itself.

Again, neither is new; the peripheral route to persuasion has been, and still is, vastly used in confidence scams and telemarketing fraud.
Because persuasion is such a pervasive component of our lives, it is easy to overlook the external influences affecting us. When it comes to Phishing, cybercriminals rely on the peripheral route in order to get a victim to respond through an emotional reaction of anxiety or excitement.

Every Phishing attack of every type (broad-spectrum spam, Spear Phishing, Whaling) begins with a ploy and built-in emotional triggers. Regardless of how the Phishing URL or the e-mail carrying the message is delivered, the intended user has to be convinced that there is a reason valid enough to visit that page and then part with access credentials and personally identifying information: the sort of data the user already knows is a secret that should only be shared with the trusted source that issued it.

The better ploys add these common human motivators and emotions to the mix:

In terms of numbers and effectiveness of attack ploys, the most successful campaigns rely on trust. This explains a current and prominent trend of Phishing via social networks or purporting to come from a known source, which reliably yields more victims. By creating that rush of strong emotion in a potential victim, cybercriminals are repeatedly able to elicit an immediate response, since the victim’s ability to think logically is likely to be hindered.

Attack metrics show that the effect of trust abuse is further enhanced when people receive social engineering messages on their mobile phones, making them respond even faster and be among the first to reach newly launched Phishing pages.

Why the mobile phone? Because, once again, the user trusts that only those who know him or her have the number; moreover, the mobile phone is much more a personal device than, say, a PC that others also use at home or at the office.

A recent article about social engineering via social networks, which challenged readers with “Can I Get You in 5 Tries?”, showed how banking on trust can be so effective that it ends up convincing even the savviest. It appears that no one is exempt from the most human downfall: emotionally driven action.

PHISHING AS THE KEY TO PANDORA’S BOX
Phishing is the key to many other web-borne ailments. Although social engineering has always been a major tool in the arsenal of online fraud operators and scammers, it took organizations quite some time to realize that Phishing was a serious problem for everyone. Even if the first to feel the crunch was the financial industry, we know today that no entity is safe from the harm and indirect damage a successful Phish can inflict.

Phishing, and more precisely Spear Phishing, turns out to be the entry point for the worst threats to an organization’s systems. Because compromising the security of systems and networks invariably relies on the human factor, attackers planning malware infections or even APT schemes use the same methods to get their foot in the door. That ‘door’ may be easier to find than ever before: with the Consumerization trend rapidly and quite insidiously invading everything we do, the ease of Phishing the human is set to increase. Research firm KPMG’s e-Crime Report 2011 cautioned that “the future of targeted malware delivery is inextricably linked to social networking”.

When it comes to targeted attacks, the problem is magnified, since the recipients of Spear Phishing are not your average webmail users but individuals working in corporate environments with access to the organization’s resources. Here the threat crosses delivery vectors and simultaneously reaches targets on their mobile devices as well as at their corporate email address; criminals know this and rely on it to pave the way in.

How likely is it, then, that someone casually reading email on a work-issued Blackberry phone will recognize a message in which every step was calculated to lead to a perfect infiltration? How likely is it that, if the message contained an interesting file, the user would open it at that very moment? And how much later will the phone be synched with that user’s corporate PC?

Make no mistake: Spear Phishing malware campaigns are premeditated, planned and well organized; attackers use toolkits and advanced sending techniques to ensure the right amount of exposure to the intended recipients.

The correspondence used is not only well articulated but also makes use of modern filter-evasion techniques to bypass security mechanisms and land in the recipients’ inbox rather than their “Junk” folders, further increasing the chances that the message will be opened and its content unleashed on the target system.

Take financial fraud as an example: Phishers there have become extremely business-oriented, actively looking at methods and measures to ensure maximum profitability of each campaign. When they carry the same attitude over to malware in the enterprise, data breaches and the infiltration of organizations, the criminals are all the more focused, driven by precise goals and motivated by higher stakes and bottom-line profitability.

It is only logical that those who prepare the bait that will open the door take its crucial role very seriously and plan more carefully, making the lure harder to detect or dismiss.

Cybercrime is a big threat to India’s large online population, which loses billions to online fraud every year. At the end of the day, Phishing is only picking up speed: attacks are qualitatively better than ever and their numbers increase every year. At this level of sophistication and criminal intent, these threats need to be stopped. Organizations need to gear up to prevent the risks and learn how to mitigate them once an attacker is already in the system.

ABOUT RSA
RSA, The Security Division of EMC, is the premier provider of security, risk and compliance management solutions for business acceleration. RSA helps the world’s leading organizations succeed by solving their most complex and sensitive security challenges. These challenges include managing organizational risk, safeguarding mobile access and collaboration, proving compliance, and securing virtual and cloud environments.
Combining business-critical controls in identity assurance, encryption & key management, SIEM, Data Loss Prevention and Fraud Protection with industry leading eGRC capabilities and robust consulting services, RSA brings visibility and trust to millions of user identities, the transactions that they perform and the data that is generated. For more information, please visit www.RSA.com and www.EMC.com.


EC-Council empowers Students through a Seminar on Cyber Security

Over 300 students come together for a seminar on cybersecurity, specifically on Penetration Testing and Computer Forensics

Mumbai, August 28th 2013: EC-Council, the world’s leading provider of certifications and training in the information security domain, in association with Zen Technologies, organized an educational seminar on August 28th 2013 at St. Xavier’s College, Mumbai and Ramnarain Ruia College, Mumbai.

The seminar was organized to educate students on the scope of career opportunities and future prospects in the Cyber Security domain, an extremely critical sector that is only set to grow in the coming years. The seminar was conducted by Mr. Haja Mohideen, VP Technology and Co-Founder, EC-Council.

Regarding this initiative Mr. Akash Agarwal, Country Manager, EC-Council India said “The field of cyber security is growing by leaps and bounds but there is a lack of skilled professionals to meet the growing need. By training and educating the future cyber security professionals while adhering to global requirements and standards, we wish to create an army of cyber warriors to tackle the challenges of tomorrow. India is the software capital of the world and definitely has a vast talent pool which can be trained and educated on the nuances of the fast growing need of the highly skilled cyber security experts.”

According to a recent survey conducted by the International Data Corp, there is a requirement for close to 5 lakh cybersecurity professionals in India. This number is only set to grow, and the best way to tackle the issue is to train the professionals of tomorrow and ensure they are qualified to tap the opportunities and tackle the challenges that await them. Jobs in the market range from penetration testers and network security specialists to website administrators and security analysts.

According to Mr. Abhay Thakkar, CEO, Zen Technologies, “Not only does IT Security offer great career opportunities, but it is also necessary for everyone to learn because of the constant threats emerging on the internet every day.”

To provide cyber security training and fill the gap, EC-Council recently initiated Code Uncode, a nationwide competition for students, professionals, colleges and corporates. The competition aims to bring together existing and aspiring security enthusiasts from all fields of the infosec world, from corporate and government bodies to academic institutions. The preliminary round was completed successfully a few weeks ago.

EC-Council, backed by its vast experience in global competitions and conferences like Hacker Halted, TakeDownCon and Global Cyberlympics, is bringing the global movement to India through Code Uncode.

About EC-Council 
EC-Council (International Council of E-Commerce Consultants) is one of the world’s largest certification bodies for Information Security professionals. EC-Council is a member-based organization that certifies individuals in various information security and e-business skills. It has been certified by the American National Standards Institute to meet its ANSI 17024 standard. It is the owner and creator of the world famous Certified Ethical Hacker (CEH), Computer Hacking Forensics Investigator (CHFI) and EC-Council Certified Security Analyst (ECSA)/Licensed Penetration Tester (LPT) programs, as well as many other programs. These programs are offered in over 92 countries and have trained over 120,000 and certified more than 60,000 security professionals through a training network of over 500 training partners globally.

Individuals who have achieved EC-Council certifications include those from some of the finest organizations around the world such as the US Army, the FBI, Microsoft, IBM and the United Nations.

About Zen Technologies
Zen Technologies was established in 2009. The company trains students and professionals in IT Security and offers niche courses in algorithmic trading.


EC-Council Building the Cyber Army; Organizes Seminar on Ethical Hacking at Thapar University

Over 200 students from Thapar University attend a two day seminar on ‘Ethical Hacking and its Essentials’

Mumbai, August 29th 2013: EC-Council, the world’s leading provider of certifications and training in the information security domain, organized a two-day educational seminar on Aug 30th and 31st at Thapar University to educate and engage students on Ethical Hacking and its essentials in the cyber security domain, a sector that is set to grow exponentially and offer lucrative job opportunities.

The Government of India (GOI) recently released the ‘National Cyber Security Policy 2013’, highlighting that the security of cyber space is not an optional issue but an imperative need. The policy lays emphasis on creating a workforce of 5,00,000 professionals skilled in cyber security over the next five years through capacity building, skill development and training.

Mr. Akash Agarwal, Country Manager, EC-Council India said, “By training and educating the future cyber security professionals while adhering to global requirements and standards, we wish to create an army of cyber warriors to tackle the challenges of tomorrow. India is the software capital of the world and definitely has a vast talent pool which can be trained and educated on the nuances of the fast growing need for the highly skilled cyber security experts.”

EC-Council recently organized another seminar in Mumbai on “How to Build a successful career in Cybersecurity using Penetration Testing and Computer Forensics”, which was attended by over 300 students from St. Xavier’s College and Ramnarain Ruia College. This series of seminars will not only educate the youth on the importance of cybersecurity but also provide them with solutions and opportunities to improve their existing skills.

It is essential to train the professionals of tomorrow and ensure that they are qualified to tap the opportunities and tackle the challenges that await them. Job opportunities in the market range from penetration testers and network security specialists to website administrators and security analysts.

To provide cyber security training and fill the gap for professionals working in this field, EC-Council has initiated Code Uncode, a nationwide competition for students, professionals, colleges and corporates. The competition aims to bring together existing and aspiring security enthusiasts across all fields of the infosec world, from corporate and government bodies to academic institutions. The preliminary round was completed successfully a few weeks ago.

EC-Council, backed by its vast experience in global competitions and conferences like Hacker Halted, TakeDownCon and Global Cyberlympics, is bringing the global trend to India through Code Uncode.
