Wow, I've been away from the blog for one week and look at all the fun I missed. Phishing is all over the news right now. In case you have not heard, RSA blogged about how their organization was compromised: spear phishing. As most of you know, these are phishing emails crafted for a specific organization and often for specific individuals within that organization. As we learned in the Mandiant 2010 report from last year, most targeted attacks leverage spear phishing. What made the RSA attack somewhat unusual is that the spear phishing emails did not target senior management but staff. In addition, the staff member who fell victim had to manually retrieve the email from their junk folder before clicking on the infected attachment. Also in the news: the email marketing company Epsilon was compromised. Major corporations outsource their customer communications to Epsilon, companies such as JP Morgan Chase, Marriott and Capital One. The risk here is that cyber criminals now know specifically who is a customer of which organization and what their contact information is. This makes it much simpler for them to socially engineer people, as they know exactly which organizations to impersonate and which victims to target.
The human is the weakest link. While technology plays an important part, at some point the security community is going to have to understand that we also have to address the Human OS. Here is a great post by Brian Krebs on how to protect the Human OS from phishing and spear phishing.