24 January 2012

Bait Your Users with the Simple Phishing Toolkit

By now, most folks have heard of phishing scams, and know to be on the lookout for fake PayPal and bank sign-ons. But what happens when your co-workers get a link to a site that looks just like the corporate intranet? Using the Simple Phishing Toolkit (SPT) you can find out.
The concept behind SPT is pretty simple: Most companies spend a fair amount of money on trying to secure their environment. How much do they spend on educating users? Very little, and in many cases nothing at all. As the saying goes, an ounce of prevention is much better than a pound of cure.

Working with SPT

Basically, SPT is a PHP/MySQL package that is designed to create and run phishing campaigns. It should install on any current LAMP or WAMP stack in just a few minutes. If you've installed Drupal or WordPress or any other PHP/MySQL package, it shouldn't take more than a coffee break to set up. (Creating the database and MySQL user is the longest part of the process.)
From there, you can create campaigns to try to "hook" users and see if they're gullible enough to hand out credentials to a phishing site. You supply templates to SPT for the target site, and the list of users and the body of the email. It will send out the phishing emails and collect data when users respond.
Note that there are two ways to provide a template to SPT – provide a template that you've created, or scrape another site. In my tests of SPT, the scraping didn't work. You can find a Microsoft Outlook Web template on the SPT site, though. This might get you started right away if your organization uses Outlook.

You can also provide an "education package" so that users get schooled as soon as they fall for the phishing link. This can be triggered as soon as users click on the link, or after they provide data.

Could be Used for Good or Evil

The project is open source, available under the GPLv3. It's also extensible, so if it doesn't do everything you want there is the option of writing modules for it. The project is still relatively young; I tested the 0.4 release. Now might be a good time for IT departments to talk to their users about phishing, then plan an SPT campaign for later in the year.

It's worth noting that SPT could be used to run actual phishing campaigns, but those are going on already anyway. Yes, SPT promises to be a really easy way to set up a phishing attack, but that's all the more reason to start educating users.
Does SPT look like something you'd use in your business? Are you doing anything to educate users about phishing already? Would love to hear more ideas in the comments about educating users rather than just spending money on security measures.

Source Article: http://goo.gl/YxAvn

23 January 2012

Beware of fake Megaupload “comeback” phishing scams

Megaupload is supposedly back, albeit without any functionality. A site at a bare IP address, dressed up to look like Megaupload, is being promoted, but the evidence points to it being 100% bogus. If this were legitimate, Megaupload would be one resilient company. The problem is that this is almost certainly a phishing scam, which you’ll want to avoid like the plague.
Yesterday Megaupload’s domain and assets were seized by the Feds, with the company’s executives being placed under arrest.
As of now, nothing on this site claiming to be the “new Megaupload” works. Every link greets you with the same message, telling you that “this is the new Megaupload site.” The message (probably from a phisher) promises that the company is working to get back up again.
The site’s appearance looks legitimate enough. The familiar Megaupload logo, customary orange and white colors, fonts, and tabs are all there. These could all be easily faked, though — phishers do this with other sites every day. There is also a glaring typo (“beware to the pishing sites”).
Perhaps the biggest evidence against this site is that its IP address was recently directing to another company — which was already flagged as a phishing scammer. We’ll update if we get more information, but we’d advise you to stay far away from this. As long as Megaupload’s employees are in prison with their equipment under Federal control, we don’t expect to see any comebacks.

Source Article: http://goo.gl/2cQTz

20 January 2012

Ensuring Online Banking Security

Phishing Attacks Target Chase and Barclays Accounts
By Tracy Kitten, January 15, 2012.

Accountholders at Chase in the United States and Barclays in Britain have been the targets of a rash of targeted phishing schemes.

Researchers at security firm GFI Software last month discovered customers at Chase had been targeted by phishing e-mails that provided links to spoofed Web pages that requested users submit sensitive online banking details.

The firm also discovered phishing hits aimed at Barclays, though the nature of the attacks differed a bit. In Barclays' case, GFI reported that fraudulent warning e-mails about account suspensions had been sent to Barclays' users. The e-mails, feigning to be security alerts from the bank, claimed that attempts to access online accounts had exceeded limits set by the bank, suggesting hackers had been attempting to break in. Attachments contained in the e-mails asked recipients to provide confidential data to reactivate their online accounts.

The attacks against Chase and Barclays were not rare. Targeted schemes, better known as spear phishing, are common. Similar attacks have been waged against NACHA - The Electronic Payments Association and the Federal Deposit Insurance Corp., just to name two. [See FBI Warns of New Fraud Scam.]

Banks: Cyberfraudsters' Aim
Targeted attacks aimed directly at banks and banking accounts are becoming more standard as well. Last month, the Federal Bureau of Investigation and the U.S. Attorney for the District of Connecticut indicted 14 Romanians for their involvement in an identity-theft scheme that relied on phishing attacks to steal online banking credentials from customers at Connecticut-based People's Bank. Customers at Citibank, Capital One, Bank of America, JPMorgan Chase, Comerica Bank, Regions Bank, LaSalle Bank, U.S. Bank, Wells Fargo, eBay and PayPal also were targeted. [See 14 Indicted in Phishing Scheme.]

Recommendations and the Need for Layered Security
Fraudsters have proven they can get around basic authentication techniques, including two-factor authentication. [See Ramnit Worm Threatens Online Accounts.]

The need for enhanced user authentication served as the catalyst for updated online authentication guidance from the Federal Financial Institutions Examination Council, which took effect this month. Federal banking regulators say banks and credit unions need to ensure they layer security measures, meaning user authentication must go beyond mere logins and passwords.

But a greater concern is online user behavior, since most consumers use the same login names and passwords for multiple accounts, including bank accounts. [See The Real Source of Fraud.]

That universal use of logins and passwords allows cybercriminals to piece together information that can later be used to compromise online credentials. "User names for social websites are often searchable using typical search engines and often the corresponding e-mail addresses are in plain view for casual Internet users and thieves alike to see," says John Buzzard, who monitors phishing attacks and skimming trends for FICO's Card Alert Service.

Fortunately, most phishing schemes are relatively easy to thwart, if practical precautions are taken. "It's rather surprising to keep reading stories about phishing vulnerabilities since phishing varietals have been around since at least 2005," Buzzard says.

Banking institutions can mitigate risks associated with phishing schemes by implementing tried and true best practices that limit exposure to a variety of Internet fraud types. Buzzard recommends institutions:

Provide timestamps for online-banking sessions. Accountholders can look at timestamps to see when the last, and potentially unauthorized, log-in occurred.

Deliver daily account alerts. "Consumers love the ability to establish their own rules so that they can be alerted to ATM withdrawals and daily balances," Buzzard says.

Leverage online banking websites for the delivery of important consumer messages. "A simple email alerting the accountholder that a critical communication is waiting for them inside of their online banking account really is an effective means to ensure that the consumer can not only view but trust the communication's content," he says.

Avoid e-mailing links. Financial institutions want to discourage consumers from clicking links. When e-mailing correspondence, simply ask them to visit the official online-banking site. "Your customer knows how to find their online banking website and they already know how to reach you by phone," Buzzard says.

Source Article: Banking Info Security http://goo.gl/PH0vD