“People really had their pitchforks out for Twitter yesterday, and I thought it was a little undeserved,” Aaron Higbee, CTO of PhishMe, said. “This wasn’t Twitter’s problem. This was AP employees getting phished.”
When a hacked Twitter account spreads false news of an explosion at the White House and causes hysteria that spurs a 140 point drop in the stock market, it should encourage calls for Twitter to bolster its security measures, so it’s no surprise that many are clamoring for Twitter to offer 2-factor authentication. One problem with this – news outlets are reporting that hackers gained access to the AP’s account through a phishing attack. While 2-factor authentication makes it more difficult to phish an account, it will not prevent this type of attack from being successful (nor will a more complex or longer password for that matter).
A report from ProofPoint released at the RSA conference discussed what is supposedly a new phishing technique dubbed “longline” phishing. The report touts “longlining” as the newest way criminals are sending phishing emails in efforts to bypass technical controls. Mass customization of emails allows criminals to fly under the radar of most email filters and successfully deliver spear-phishing emails to a larger number of email users at a single organization. This tactic combines the best of both worlds from the criminal’s standpoint, but it doesn’t really change the game in terms of defending against phishing attacks, as your users still provide the most effective line of defense against the phishing threat.
Whether “longline” phishing is actually a new type of attack or not, Security Officers should focus on the fact that adversaries will continue to modify their attack strategies to circumvent or evade technical controls in an attempt to directly exploit humans. This is why it’s increasingly critical for organizations to invest in proven and effective behavioral change programs that educate users about the attacks that target them.