Wednesday, March 26, 2014

Phone Fraud Flavor of the Month: 2014's IRS Scam

Tags: pretexting, social engineering, fraud, scam

I spent a little time this morning reading about that new IRS scam that’s running rampant during the 2014 tax season. You know the one (you can read all about it here). It’s the one where social engineers claiming to be IRS officials bully people into handing over sensitive information through threatening phone calls.

Actually, that doesn’t sound so new, does it?

That’s because it’s not. It’s the same pretexting technique that scammers have been using for years. Even though each year (or each tax season or election or Olympic Games or world relief effort) brings a new wrinkle to the scam, there is nothing new here, folks. It’s just another example of how thieves try to steal sensitive information from regular people. Every. Single. Day.

The possibility of daily threats demands constant vigilance—and you are raising your awareness just by reading this. But maybe it’s time for a little refresher on the best ways to handle any social engineer who comes calling.

Thursday, March 20, 2014

Are Deceptive Pen Testing Methods Always the Wrong Way to Go?

Tags: phishing, pen testing, data security

It’s been interesting to watch all the articles and stories fly about the Army phishing attack carried out by an internal commander, which was finally shut down last week.

Words like “panic,” “disaster,” “terrible,” and “irresponsible” are being thrown around like confetti.

Do I agree with the commanding officer’s decision to take matters into his own hands? No. He was one man acting on his own intuition, rather than one part of a concerted effort with proper executive notification. In an organization as large as the US military, no test should be completed without a lot of feedback and forethought.

It was also unfair to include the Thrift Savings Plan in an attack they knew nothing about—and then leave them to clean up the messy backlash.

But let’s get down to brass tacks here: we can’t necessarily call the commander’s actions “irresponsible” just because some folks panicked or felt like guinea pigs.

Tuesday, March 11, 2014

It Could Happen to You: The Value of Small Biz to Attackers

Tags: social engineering, DDoS, identity theft, phishing

Read this little article yesterday and thought it might make a nice follow-up to last week’s interview with Naoki Hiroshima. Quick update on that story: @N has been restored to its rightful owner.

Unfortunately, though, that was not an isolated incident. In fact, according to this recent article on The Verge, small and mid-range companies should be especially alert to these kinds of attacks.

“Stories like Meetup's are less surprising to companies in the business of DDoS mitigation — like Cloudflare, which is currently helping the site recover. CEO Matthew Prince says they're most commonly launched against gambling sites or midrange e-commerce sites, as in this example from 2012. They're businesses with enough success to suffer from a few days of downtime, but often not enough foresight to invest in DDoS protection.”