The cable TV channel H2 is running a mini-series on the human mind - Your Bleeped Up Brain. The series is truly fascinating. While we think our heads contain a highly precise computer, it turns out that the ball of matter inside our heads is good at navigating life, but not very good at discerning fine details out of a complex environment. For those us of in the cybersecurity world, the last episode - Deception - is particularly interesting. In Deception, the show presents several examples of how the brain takes incomplete or inaccurate information and completes the story to [...]
Eric Fiterman of Rogue Networks/Methodvue demonstrates how to construct a malicious email that effectively impersonates President Obama. Using malware delivered in an attachment, Fiterman takes control of the recipient’s computer. Watch as he steals passwords, searches for files and even takes a picture of his victim using the computer’s camera. What permits Fiterman to infiltrate this computer? The recipient can't distinguish a real email from the President from a fake email from the President. People need to know if an email is really from the President. They need to know if an email is really from a co-worker. SP Guard from Iconix [...]
The United States Patent and Trademark Office has issued Iconix's tenth patent titled "Authenticating and Confidence Marking E-Mail Messages." The abstract for U.S. Patent 10,110,530, dated October 23, 2018, states: "Methods and systems for authenticating and confidence marking e-mail messages are described. One embodiment describes a method of authenticating an e-mail message. This method involves extracting a plurality of e-mail headers associated with the e-mail message, and identifying a sending edge mail transfer agent (MTA). The method then calls for determining if the sending edge MTA is authorized to send the e-mail message."
In a new findings from the University of Maryland, Baltimore County (UMBC), researchers came to a startling conclusion: Contrary to our expectations, we observed greater user susceptibility with greater phishing knowledge and awareness. We have no convincing explanation for this finding, and we do not know if it is reproducible. Nevertheless, we consider two speculations. First, it is possible that the act of falling for the phishing scheme might have increased the user’s awareness about phishing. In hindsight, it might have been wiser to have asked in the post-event survey what was the level of phishing awareness the user had [...]
On October 30, 2018, the U.S. Justice Department announced the indictment of Chinese intelligence officers and their hackers for allegedly stealing U.S. aviation and technical data. For over five years the Chinese are alleged to have stolen important aviation technology by using unauthorized access to computer systems. How did they do it? An important tool of choice was spearphishing. In order to enhance the deceptive power of their evil emails, they used Doppelganger Domain Names. According to the indictment: Doppelganger Domain Names, the creation and use of domain names that closely resemble legitimate domain names to trick unwitting' recipients of [...]
What can a threat actor do with a compromised email account? They can steal a lot of money! Yahoo!News provides the details of a clever email scam involving real estate. The threat actors used their access to a compromised real estate settlement company email account to send fraudulent payment instructions to the buyers. Instead of wiring the money to the account of the settlement company, the recipients of the fraudulent email sent the money to the criminals. This is just one class of Business Email Compromise, a crime in which compromised email is used to steal money. The latest FBI Internet [...]
In a recent article entitled Phishing Is the Internet’s Most Successful Con, the Atlantic observes: Phishing doesn’t attack computers. It attacks the people using computers. The Sting - The Art of the Con Cormac Herley, a principal researcher at Microsoft Research, observes in the article: Many security-professional and media recommendations exhort eternal vigilance, paying attention to every detail. This is terrible advice. I’m a professional with years of experience in this space and I don’t bother to inspect my emails or carefully read all my URLs: I have things to do. As a strategy for the constant level of [...]
Prof. Arun Vishwanath, Iconix's Science Advisor, was recently published by CNN. In his article, Spear phishing has become even more dangerous, Prof. Vishwanath discusses how threat actors take advantage of several weaknesses of procedures on the Internet, and the vulnerabilities are growing worse. He highlights how tricking users is an important element of these evil plots.
Read about How Cyber Awareness Training Helps Threat Actors in an article we contributed to the Small Wars Journal. The authors discuss how threat actors combine their knowledge of cyber awareness training with the abuse of technology to create effective cyber attacks.
The United States Patent and Trademark Office has issued Iconix's ninth patent titled "Rapid Identification of Message Authentication." The abstract for U.S. Patent 10,063,545, dated August 28, 2018, states: "Techniques are presented for uniquely identifying authentication associated with messages. A message is inspected for sender or domain identifying information associated with a sender of the message or a sender's domain. The identifying information is authenticated, and if authentication, then distinctive metadata is associated with the message. The distinctive metadata is presented or played in connection with the message for purposes of readily identifying the authentication.” Prof. Arun Vishwanath, Iconix’s Science [...]
Recent press reports tell us that Google has solved the phishing problem. These stories trace their source back to a posting on KrebsonSecurity dated July 23, 2018, entitled Google: Security Keys Neutralized Employee Phishing. Krebs summarizes the solution: The basic idea behind two-factor authentication is that even if thieves manage to phish or steal your password, they still cannot log in to your account unless they also hack or possess that second factor. This is clearly an important protection against a particular subset of the phishing problem -- use of stolen credentials. But it hardly neutralizes phishing. The day after describing [...]
On July 13, 2018, the Special Counsel indicted 12 Russian GRU agents for interfering in the 2016 U.S. presidential election. The indictment provides a detailed description of how spearphishing works. For example, paragraph 21 of the indictment states, ANTONOV, BADIN, YERMAKOV, LUKASHEV, and their co-conspirators targeted victims using a technique known as spearphishing to steal victims’ passwords or otherwise gain access to their computers. Beginning by at least March 2016, the Conspirators targeted over 300 individuals affiliated with the Clinton Campaign, DCCC, and DNC. Spearphishing attacks systems by attacking the users. SP Guard provides users with defenses against these attacks.