Menlo Security Blog | phishing prevention

From a bad actor perspective, phishing is the cheapest and easiest way to infiltrate organizations and personal information
to make a profit. By nature, humans are curious and are oft en overconfident when it comes to security. Phishing is an even greater threat for mobile users, too. Without key visual cues, like the ability to hover over a link to determine its destination, it is much easier for a user to make the simple mistake of clicking a bad link and falling victim to a phishing attempt. The popularity of social media has also made it much easier for hackers to find valid email addresses and research users’
life activities to create sophisticated, tailored phishing attacks. From a security perspective, there are typically three approaches to solving the phishing problem – email security gateways, web proxies and security training awareness – but each has its own limitations.

The financial services industry is consistently among the most highly targeted industries for cyberattacks. Financial services institutions (FSIs) are a popular and frequent focus of attackers because, to quote famed bank robber Willie Sutton, when asked why he robbed banks: “That’s where the money’s at.”

Over 350,000 of the world’s top 1 million web sites may be running vulnerable software -- which the recent WannaCry cyber attack has shown can spell considerable risk of hacker exploitation. According to the Menlo Security State of The Web report, software on some web sites dates back to over a decade ago, as far back as the year 2000. The cyber security research reveals that nearly half (46%) of the Internet’s top 1 million web sites, as ranked by Alexa, are risky, and that 1 in 5 domains run vulnerable software.

A picture of a London newsstand on Saturday, May 13, 2017, the day after the WannaCry ransomware cyberattack struck. (Picture by Jason Steer, Menlo Security, Inc.)

The day started out as normally as any Friday in May around the world could.

By now, after years of ransomware in the news, one would think that the problem would begin to ebb, given nearly every security vendors’ claims to prevent it. Obviously this has not proven true, particularly in healthcare.

In the past, an attacker looking to steal credentials would craft a convincing email and landing page that did not trigger any red flags to the user. Attackers could be certain that at least 11% of people, even those who’d had phishing awareness training, would click malicious email links. Looking to up this percentage, attackers have evolved phishing exploits to use novel techniques, and OAuth is an important part of this evolution. This new approach is making it more challenging than ever for users to know when it is safe to click.

Another week, another web security story where organisations need to consider how to defend against another phishing attack.

There were many hot topics and cybersecurity themes at this year’s RSA Conference in San Francisco, from ransomware, to Sec Ops, to post breach mitigation.

This is intended to be a little tongue in cheek for readers, however it’s been written to provoke discussion on how organizations continue to do the same things they have done for the last 15 years without thinking.

blog

How to Mitigate Phishing Threats inYour Organization

Why Financial Institutions Are Phishing’s “Big Catch”

Is Your Web Viewing Dangerous? Over 350k Web Sites Run Vulnerable Software

It Ain’t Over Til It’s Over

WCry Ransomware: The End of the World as We Know It?

Ransomware in Healthcare…Still?

Increasingly Clever Phishing Attacks like OAuth Are The New Normal

Detecting the Undetectable - The Punycode Homograph Attack

RSA 2017 is a Wrap – Were Credential Theft and Phishing on Your Radar?

10 Reasons Why You Shouldn’t Consider Isolation!

Connect with us

Lists by Topic

Posts by Topic

Recent Posts

Isolation works