IT Security Expert Stu Sjouwerman Explains How Cybercriminals Use Spear-Phishing to Create Phony Articles and Lure Victims to Malicious Websites
CLEARWATER, Fla., September 12, 2011 – Cybercriminals have added a new weapon to their arsenal: spear-phishing using Google Alerts. Internet Security Awareness Training (ISAT) firm KnowBe4 is warning small and medium enterprises (SMEs) to proceed with caution before clicking any links in alert results, as cyber thieves are now creating bogus articles to lure their victims to infected websites.
Many companies use Google Alerts to track online mentions of their company name, executive names and product names. The user specifies a topic, and Google will send an email or update an online feed with the latest news stories pertaining to that subject. The results are gathered from all over the Web; and while most come from legitimate sources, cybercriminals have realized that they can use this valuable tool for their own illicit purposes.
According to KnowBe4 founder and CEO Stu Sjouwerman (pronounced “shower-man”), cybercriminals begin by creating a website that is designed to deliver a “drive-by” malware download when a user arrives at the site. Next, they publish a phony article featuring the name of the company, product or person they are targeting. This is considered “spear-phishing” because the attack is aimed at a specific organization or individual, and the perpetrator often uses prior knowledge of the target to make the message more believable. When recipients see this planted story in a Google Alert and click to read the article in its entirety, they arrive at the infected website – which then delivers its malicious payload and immediately compromises the user’s PC. Once the cybercriminals have gained control of a single computer, they can leverage that access to penetrate the entire network.
“I’ve been using Google Alerts for years to track stories about my business, so once again I’m amazed at how creative and enterprising the bad guys are proving to be,” said Sjouwerman. “This spear-phishing tactic is an advanced persistent threat that can sneak in under the radar, hidden among other valid news stories. Most people are so familiar and comfortable with Google Alerts that they don’t think twice before clicking a link to view an article – and that’s what cybercriminals are banking on.”
Sjouwerman notes that this type of attack can be especially hard to prevent because it’s so targeted: “Basic anti-virus software is no match for these emerging threats, which play to the human element and use social engineering to convince people to click. All layers of your IT security defense must be deployed and effective for this latest spear-phishing tactic to be caught. Make sure you address each level of security, including your policies, procedures and end-user awareness, as well as your perimeter, internal network, host, application and data security measures.”
KnowBe4 provides more detail on these security levels in its “Defense-in-Depth” overview at http://www.knowbe4.com/resources/defense-in-depth. Through its Internet security training programs, the company helps SMEs address the first-level defense of end-user awareness by educating employees on how to recognize and avoid common cybercrime tactics. KnowBe4 offers a free phishing security test to help business owners and managers find out what percentage of their staff is Phish-prone™, or susceptible to phishing attacks.
“After completing our phishing security test, some of our clients found that nearly half of their employees were Phish-prone – which gives you an idea of the severity of this issue,” remarked Sjouwerman. “However, the good news is that implementation of Internet Security Awareness Training can immediately reduce that Phish-prone percentage by 75% or more. After four weeks of subsequent testing and retraining, all of our clients achieved a Phish-prone percentage that was at or close to zero.”
In the short-term, Sjouwerman advises Google Alerts users to preview the URL before clicking any link. “By hovering a mouse over the link, readers can see the URL it is directing to. If it’s an unknown website, do not click! It’s best to only view stories posted on familiar news and syndication websites. While it’s not always safe to travel the Web, security awareness training can help users stay abreast of cybercriminals’ latest tricks and techniques.”
For additional tips on thwarting cybercriminals, SMEs can refer to KnowBe4’s free cybercrime education resources or read Sjouwerman’s latest book, Cyberheist: The Biggest Financial Threat Facing American Businesses Since the Meltdown of 2008. Cyberheist provides insights into the business of cybercrime, presents a variety of case studies and offers valuable cybercrime prevention advice.
To access KnowBe4’s free phishing security test and other cybercrime prevention tools, visit http://www.knowbe4.com. For details on Cyberheist, or to order the paperback or e-book edition, visit http://www.cyberheist.com.
About Stu Sjouwerman and KnowBe4
Stu Sjouwerman is the founder and CEO of KnowBe4, LLC, which provides web-based Internet Security Awareness Training (ISAT) to small and medium enterprises. A data security expert with more than 30 years in the IT industry, Sjouwerman was the co-founder of Sunbelt Software, an award-winning anti-malware software company that he and his partner sold to GFI Software in 2010. Realizing that the human element of security was being seriously neglected, Sjouwerman decided to help entrepreneurs tackle cybercrime tactics through advanced Internet security awareness training. He is the author of four books, including Cyberheist: The Biggest Financial Threat Facing American Businesses Since the Meltdown of 2008.