Socially Engineered Phishing & Data Leakage Affect Enterprise Users
According to Eugene H. Spafford, Executive Director of CERIAS (Center for Education and Research in Information Assurance and Security), Purdue University, no class of computer users, from home users to company or government users, is protected from cyber crime, as reported by The PAPER on August 27, 2008.
Spafford said that attackers have evolved their social engineering practices, commonly known as phishing, to send spear phishing e-mails that appear to arrive from trusted senders within the employee's organization. The attackers send these e-mails with the objective of stealing confidential data/intellectual property from the organization.
The CERIAS study also found that data leakage, another serious problem connected with phishing, occurs when employees transmit important data via e-mail.
Reports further suggested that users who are not supposed to do so, or who are not aware that the data is confidential, might forward important documents, passwords, or account information outside the company network to entities that should not be getting them, which, according to Spafford, results in a much wider phishing attack.
Apart from this, security analysts at CERIAS stated that employees who plan to work outside the office might send e-mails from the company network to unsecured BlackBerrys or e-mail accounts on the Web like Gmail, where they could be compromised.
Furthermore, Web-based corporate mail is a weak area in e-mail security that can encourage phishing scams. According to the analysts, SMEs (Small and Medium Enterprises) providing remote access to Web-based e-mail for users mostly require just usernames and passwords for access. Thus, the users can easily access such accounts using laptops, home computers or public PCs at hotels/cyber cafes, but in the process they expose their account details, including usernames and passwords, to strangers, who could be phishers/e-mail scammers.
However, the security experts said that self-audit could be an effective way for SMEs to find out their weaknesses or vulnerabilities that might subject them to phishing/hacking by malware authors/distributors. Besides, audit policies should cover rules to ensnare any e-mail vulnerability; if the rules and the means to enforce them do not exist, then the enterprise is vulnerable.
» SPAMfighter News - 05-09-2008