Surely everyone changed their LinkedIn credentials in 2012, when the LinkedIn hack was made public, right?
Furthermore, most users would have doubled down on their credential security - changing their passwords to something complex and perhaps using a secure service like LastPass to manage those credentials securely, right?
So when LinkedIn confirmed last week that more than 100 million members' email and password combinations stemming from a 2012 data breach have been posted online, the natural question is 'why bother'?
As I pointed out to CNET this week, it's no longer the credentials themselves which have value (although there might be a few laggards who still haven't changed their passwords). It's the fact that cybercriminals now home in on a target by building very accurate pictures of companies and employees ripe for targeting. Also, as I discussed with Computing in March, LinkedIn is now the principal supermarket for enterprise hacking intelligence - a front door for hackers.
Once the overall picture of an organization is complete, the email account of the target, be it personal or professional, becomes the Holy Grail for the attackers. Suddenly the penny drops… Peace, who according to a story from Vice's Motherboard is trying to sell the credentials for about $2,200 in bitcoin, is actually selling the email addresses.
And I'm sure he or she will sell the information in no time at all - because who thought it was important to change their password and email address in 2012? Not many.
Aside from the immediate damage of social engineering-based attacks, the damage will really be felt by organizations who've been hacked over the last few years and are high-value targets in general. What this action has done is highlight the long-tail value of hacking - inspiring cybercriminals to re-harvest old hack data and inspire more audacious attacks in future as the financial incentive has been boosted further still.
It’s no secret that social engineering attacks, like phishing, spear-phishing and domain spoofing, have grown from being a nuisance to a colossal problem. But perhaps the most colossal problem of the moment is Business Email Compromise, otherwise called CEO fraud or whaling.
Whaling attacks can cost companies millions in financial losses. In fact, according to the U.S. Federal Bureau of Investigation, whaling attacks led to more than $2.3 billion in losses over the last three years. Cybercriminals are able to pull off these deceptive scams by posing as a CEO, or other executive, sending an email asking the unsuspecting target to initiate a wire transfer or send payroll and other sensitive data.
It’s time to protect your organization from whaling attacks. This means you must get to know the ‘5 Phases of a Whaling Assault’ so you can both educate your employees and increase your technology defenses. They are:
- In the Crosshairs: In the first stage of an assault, fraudsters use social media networks to gather intel on their target.
- The Domain Game: Next, armed with just enough detail, they register a domain similar to the actual domain for the target company.
- Gone Phishing: An employee receives the phishing email, but doesn’t notice the subtle warning signs that it’s fraudulent.
- Victim’s Assistance: The target follows the call-to-action in what appears to be an authentic email from someone familiar.
- On the Money: But, it’s not authentic. The attacker now moves the funds from the fraudulent bank account or has sensitive employee information like W-2 forms and social security numbers that are used in a larger scam.
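A mail-gateway check aimed at the "Domain Game" and "Gone Phishing" phases, as an added example that is not part of the original post: it classifies a `From` header as internal, a lookalike of the protected domain, or an executive's display name arriving from an outside domain. The domain `northwind.example`, the executive names, the confusable-character table and the edit-distance threshold of 2 are all assumptions constructed for illustration.

```python
from email.utils import parseaddr

# Constructed values for this example (not from the original post).
PROTECTED_DOMAIN = "northwind.example"
EXECUTIVES = {"jane doe", "sam lee"}

# Visual substitutions commonly seen in lookalike registrations.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))


def skeleton(domain: str) -> str:
    """Collapse confusable sequences so 'n0rthvvind' and 'northwind' compare equal."""
    d = domain.lower()
    for src, dst in CONFUSABLES:
        d = d.replace(src, dst)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using two rows of the dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(from_header: str) -> str:
    """Return 'internal', 'lookalike-domain', 'exec-name-external' or 'external'."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if domain == PROTECTED_DOMAIN:
        return "internal"
    # Near-miss spelling or a confusable-character variant of our own domain.
    if (skeleton(domain) == skeleton(PROTECTED_DOMAIN)
            or edit_distance(domain, PROTECTED_DOMAIN) <= 2):
        return "lookalike-domain"
    # Executive display name paired with an unrelated outside address.
    if " ".join(name.lower().split()) in EXECUTIVES:
        return "exec-name-external"
    return "external"
```

Messages classified as `lookalike-domain` or `exec-name-external` are the ones to quarantine or banner before a wire-transfer or payroll request reaches the recipient.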
Are you ready to take action against whaling? Download: “Whaling: Anatomy of an Attack” to learn more, including why whaling works, examples of recent high-profile attacks, and ways to defend against whaling fraudsters.
Stop me if you’ve heard this one: my first week at Mimecast went so well that my manager sent me to Indianapolis for the state’s presidential primary.
Full disclosure: Indiana’s presidential primary happened to coincide with the 2016 Midsize Enterprise Summit (MES) East. MES East is The Channel Company’s largest-ever independent gathering of midmarket CIOs and senior executives, and a great opportunity to catch up on new market developments, services, and products.
We’re big fans of MES events (we’ll be at MES West in Austin this September), both as a vehicle to learn what IT executives are focusing on, and to share our updates with them. So while there was plenty of side chatter about the race for the White House, at no point did it distract from the urgent business matters at hand.
This year’s theme, “The Big Shift,” was well suited to the discussions Julian Martin, Mimecast’s VP of Product Marketing, led in our Boardroom Sessions. Why? Because companies are now faced with an unprecedented mix of reward and risk as they migrate to the cloud. And, we seem to have reached a critical inflection point in that migration.
The vast majority of execs we met are committed to their cloud transformations. We heard the same goals over and over again: to streamline operations, shift from capex to opex, and improve scale and agility. But, they tell us, it’s no cakewalk. Our Boardroom and expo booth guests shared plenty of war stories, many related to email.
Email is usually the first platform organizations move into the cloud. It’s the business application that IT departments are most comfortable relegating to a third party to maintain. Yet it’s also the ultimate Killer App, a vital conduit – and repository – for business-critical and strategic information. Whether cloud-based or on premises, email data is crucial for closing sales, negotiating, and brainstorming.
It’s no wonder that email has also emerged as the single biggest threat vector for attacks on corporate information.
This was the central message of Julian’s Boardroom Sessions: it’s just as important to deploy a layered security solution for cloud-based email as it is when your email servers are in your data center. Cybercriminals have demonstrated boundless creativity in their efforts to exploit technology and human nature to breach corporate firewalls, access sensitive data, and steal billions of dollars. Even as email attacks appear with alarming frequency in news headlines, these exploits continue to grow bolder and more numerous over time.
The good news is that our guests were completely on board with Julian’s message. Several IT execs recounted their own personal experiences of phishing, whaling, and impersonation attacks. If you were among them, we thank you for validating our observations. And, special thanks to Mimecast’s customers who were willing to share your ideas, your views on how our services have helped secure your operations, and what you’d like to see on our roadmap over the coming months.
Finally, a huge note of thanks for nominating Mimecast in the Vendor Best in Show and Best Solution categories! We were blown away by your recognition, and grateful for all of the feedback you provided. We’re excited that Donald Trump and Bernie Sanders weren’t the only winning candidates in Indiana last week.
We hope you can join us this coming Fall in Austin for MES West. Until then, if you want to stay abreast of email security happenings, please visit our Security Center and sign up to receive our Security Advisories.
Mimecast’s U.S. Partner Program has been recognized by CRN in a few different areas for outstanding performance and growth. First, it has given Mimecast a 5-Star rating in its 2016 Partner Program Guide. The guide is the definitive listing of technology vendors servicing solution providers or providing products through the IT channel – and 5-Star ratings recognize an elite subset of companies that offer solution providers the best partnering elements in their channel programs.
To determine the 2016 5-Star ratings, The Channel Company’s research team assessed each vendor’s application based on investments in program offerings, partner profitability, partner training, education and support, marketing programs and resources, sales support and communication.
CRN has also recognized a couple of stand-out individuals on the Channel team. For the third time in four years, our Director of Channel for North America, Sean Broderick, has been named a Channel Chief for his achievements in developing a robust partner program and his focus on nurturing partner relationships. Over the last five years, Sean has helped increase the size of Mimecast’s U.S. partner base by 500 percent and fostered a dedication to the channel that has attracted and grown large partners like Windstream, SHI and Softchoice.
In addition, MSP Sales Manager, Eileen MacIsaac, has been named a 2016 CRN Woman of the Channel. Eileen helped grow the MSP Channel Business 132 percent year-over-year and recruit 43 percent more MSP partners in FY16 than FY15.
We all look forward to another successful year as the U.S. Channel team continues to innovate in finding ways to help our current partner base – as well as new ones to come.