Police: Hotel death post-mortem is inconclusive » Following the death of a man at the Dorchester Hotel in central London, a post-mortem examination he... Billion Electric improves the efficiency of cros... » Billion Electric Corp. has launched the world's first 3G/4G LTE router designed to maximize producti... Social registration tool increases networking valu... » The Emergency Services Show is using the GleanIn social registration tool to harness the power of so... A10 Networks promotes world wide technology (WW... » SAN JOSE, Calif.: A10 Networks has announced that World Wide Technology (WWT), a market-leading syst... Linux and BSD web servers at risk of sophisticat... » ESET has published its in-depth technical research paper, entitled ‘Unboxing Linux/Mumblehard - Mutt... The O2 arena awards five-year event control contra... » Integrated Security Consultants (ISC) Ltd, has been awarded a five-year contract to supply CCTV and ... Tripwire Now discovers more than 100,000 condition... » LONDON, UK:  Tripwire, Inc., has announced that Tripwire® IP360 TM now discovers more than 100,000 c... Octavian launch new training giveaway on World Hea... » Octavian Security has unveiled a competition to coincide with the launch of the newly accredited Oct... Nigeriaghanistan: A nation's backward march to neo... » 23"Take away from Me the noise of your songs; I will not even listen to the sound of your harps. 24"... Lord's to host inter services T20 Cricket Competit... » Vigilance can report that the Combined Services Cricket Association can confirm that the Inter Servi...

CLICK HERE TO

Advertise with Vigilance

Got News?

Got news for Vigilance?

Have you got news/articles for us? We welcome news stories and articles from security experts, intelligence analysts, industry players, security correspondents in the main stream media and our numerous readers across the globe.

READ MORE

Subscribe to Vigilance Weekly

Information Security Header

Just about everyone with an interest in IT security knows that phishing is the practice of impersonating an official website in order to trick a user out of personal information, usually its username and password.

 

But we’ve found ourselves wondering – when do people learn about phishing?

The question was triggered by a recent spam run that turned up in the Barracuda Labs honeypots. While specifically targeting Trinity College in Connecticut, this spam is representative of email account phishing in general.

Like many organisations, Trinity College requires its computer users to change their account passwords periodically – every 120 days in this case. Email reminders are sent out and are expected. Indeed, ignoring one of these reminders can result in deactivation of your account.

We don’t have one of these reminder emails but we certainly hope that they don’t contain a clickable hyperlink. Barracuda Labs always recommends that you do not follow links in emails, regardless of how convincing they may appear. Instead, and as the college recommends, you should browse to the website of the institution and update your password there.

Ignoring our advice and clicking on the emailed link sends the browser to the phishing site, cleverly crafted to look like the college’s real login page.

A cursory examination of both the phishing site and email shows that the login page is not actually hosted on a domain owned by the college. Instead it is served by a possibly compromised website in Russia. Careful email users delete this sort of spam.

But what about 18-year old freshers who might never have been told what phishing is and how it works? For many young people, university is their first time living away from home, and although many have good, even exceptional computer skills, not all do. It’s a good bet that many college freshers know more about safe sex than safe email.

At Trinity College, a username and password gives students and faculty access to all of the computing resources that the college offers. Once such credentials are harvested by a phisher the entire network is at risk. The same is true for almost any enterprise network. Safe email has never been more important.

Account security, especially for inexperienced users, has to be something more than “choose a hard to guess password and keep it safe” buried in some employee handbook. Phishing techniques and how to spot them need to be communicated right away, ideally on the same page that includes a username and initial password. You may not run a college full of recent highschool graduates, but new users in any organisation need that sort of security training supplied prominently and pro-actively.

When do people learn about phishing? That’s hard to say, but when people should learn about phishing is every time they receive an email account.