Top Phishing Concerns of DNS Providers

Twitter and the New York Times were hacked this week, which means that they have officially joined the ranks of other major news organizations, including the Financial Times and Washington Post who have been targeted by hackers over the past few months.

So, how’d it happen?

Three things: hacker groups, DNS providers and spear phishing.

The Syrian Electronic Army (SEA) appears to be taking credit for this attack, as their logo was prominently displayed at NYTimes.com when the site was compromised. The SEA, a hacker group protesting Syrian President Bashar Al-Assad, launched the attack in order to generate high-profile awareness of its political agenda.

Why DNS Providers Are Targeted by Cybercriminals

The nature of this attack is consistent with several other cyberattacks that have recently taken place, in that the DNS Provider was targeted in order to carry out the attack. Melbourne IT, the New York Times’ registrar, was the victim of a spear phishing attack that successfully provided members of the SEA with access to the Times’ DNS Manager. DNS providers are among the most targeted businesses by cybercriminals, ranking alongside large financial institutions and major retailers as lucrative targets. There are two primary reasons for this:

  1. By gaining access to a customer account, DNS records can be changed to whatever the cybercriminal wants them to be.
  2. Gaining access to the DNS Provider’s employee accounts gives the cybercriminal access to several different domains, creating an opportunity to launch a large-scale attack.

Top Phishing Concerns of DNS Providers

  • Spear Phishing is increasing in frequency. A spear phishing attack happens when cybercriminals launch a targeted attack against specific individuals whom they believe can give them access to the information, credentials or infrastructure they need to carry out their attack. In the instance of the New York Times attack this week, a spear phishing attack was launched against employees of a reseller of Melbourne IT.
  • Hacktivism is becoming part of the “new normal” when it comes to the cybersecurity landscape. In attacks such as this, the goal is not to obtain customer credentials and access account information to procure funds. Instead, the goal is exposure. As Sun Tzu states, know your enemy.
  • Brand Loyalty/Customer Relationships suffer even if just one attack is successful. If a DNS provider fails to protect customer accounts from being accessed by cybercriminals, customer loyalty will be damaged and brand integrity will suffer long-term consequences.

What DNS Providers Can Do

The most important thing that DNS providers can do is focus on email.

When it comes to launching these attacks, cybercriminals almost always launch a phishing attack via email. That’s why email-based threat intelligence is so important. If you are using security intelligence appropriately, you can identify the source of a threat and even stop an attack before it happens.

Additionally, it’s important to take a look at which players in your organization have access to information that could be appealing to cybercriminals. There is another word for these employees: targets. Adjust the security level for these folks to provide additional protection against these kinds of attacks.

Share your thoughts. How can DNS providers protect themselves against phishing?

To make training stick, immerse employees

When aspiring pilots go through flight school, they learn both in a conventional ground setting and using a flight simulator. On the simulator, new pilots are immersed in the experience of flying, and receive real-time feedback about their decision making. Not surprisingly, the simulator is seen as a more effective training tool than conventional classroom training.

One of the greatest challenges facing security awareness initiatives is providing employees with an experience they will actually remember and retain. Training users to avoid risky security behavior is not nearly as complicated as teaching someone to fly a plane, but just like with pilots, immersive training that simulates the kind of attack methods employees face is a more effective way to conduct security awareness.

Syrian Electronic Army continues to carry out successful data-entry phishing attacks

When the Syrian Electronic Army nailed a number of prominent media outlets earlier this year, we were pleased to see a number of open and honest responses from those that were breached, notably from The Onion and The Financial Times.

Last week, the SEA was at it again, successfully hacking content recommendation service Outbrain, an attack which provided a foothold to compromise media behemoths The Washington Post, Time, and CNN. The SEA attacked Outbrain with largely the same tactics it has used so successfully in the past few months, by eliciting log-in credentials through a phishing email, the same tactics PhishMe simulates in our data entry scenarios.

To improve security awareness, think marketing

Security awareness is a term that often makes IT security pros cringe. It brings to mind images of mind-numbing training or of ineffectual posters and stress balls urging employees to change their passwords frequently.

Based on years of experience working with enterprises and other large organizations, we are launching a new blog series, “7 Principles Critical to Security Awareness Programs”, that will offer some insight into concepts we have incorporated in our solution to demonstrably improve security awareness for our customers.

The first topic we will address is marketing.

Changing behavior is one of the greatest challenges security officers face when implementing security awareness programs. Convincing people to change is hard in any arena, but when it comes to security – an area which most users neither know nor care much about – it’s especially difficult. We can learn a lot about changing behavior from a source security pros are often wary of: marketers.

Double Barrel Throwdown Results

The winner of our inaugural Double Barrel Throwdown is @_tdudley. Her scenario leveraged curiosity: posing as a recruiter, the email entices the recipient to click a link to find out about a lucrative job opportunity. This original idea was persuasive (who isn’t curious about an exciting job opportunity?) and realistic (recruiters send out emails like this all the time to corporate email addresses). Overall, the decision was not easy, but her entry stood above the rest when judged against our criteria: originality, persuasiveness, and realism.

PhishMe Unveils Phish Reporter at Black Hat USA 2013

CHANTILLY, Va., July 31, 2013 — PhishMe, the leading provider of security behavior management services that improve employees’ resilience towards spear phishing, malware, and drive-by attacks, today announced the availability of its patent-pending Phish Reporter™, the first technology available to enterprises that aggregates and normalizes user-provided reports of suspicious emails. Phish Reporter is an Outlook Add-in that installs a button on the user’s toolbar, allowing them to report suspected phishing emails with the push of a button, and improve organizational detection and response time to threats.