How an attacker can target phishing attacks

This is Susan Bradley for CSO Online. Today I'm going to talk about some information and ways that you can understand how attackers come after you. And first I'm going to tell you about the Open Source Intelligence Framework. This is a Web site that kind of gathers all sorts of information in ways that you can understand how people get information, and especially how they get information about e-mail addresses and user names.

And of course one of the key ways that they do it is to go through social media. I'm sure everyone listening has an account on LinkedIn. Think about all of the information that you see up there that might be used and might be harvested, and that therefore gives information on how to get information about users, and possibly even email addresses, in an organization. And keep in mind these days with Office 365, email addresses are often the user name into that organization. So there are tools such as LinkedInt, which is a tool that scrapes the information out of LinkedIn. There's also ScrapedIn, which obviously scrapes the information out using their API. And there's also InSpy. Now all three of these obviously go against the terms of service of LinkedIn. But when do attackers read end user license agreements and abide by such things?

So think of how an attacker can use this information to go after you. First off, they can figure out who's in a high position and possibly target that person. Or they can find out who's in an underlying position: let's go after the secretary of the key muckety-muck person. They can also harvest email addresses, and as I said, oftentimes email addresses are the user name for an organization. So now that they have names and user names, what else do they have? Well, we can use a tool called Office 365 User Enumeration. It scrapes and validates user names from Office 365 using ActiveSync. The ability to get this information from ActiveSync is not new.
It's been around for quite a while and was quite often used in Exchange Server. Now they can use it online with Outlook Web App, Exchange Web Services, or Lync servers. Microsoft does not consider this to be a vulnerability. Obviously we need ActiveSync, and the system, how it responds back and says whether or not an account does exist or does not exist, they do not consider to be a vulnerability. This attack also allows the attacker to understand, or to know, which users are using multi-factor and which ones are not. So therefore they can target their phishing attacks against those accounts that do not have multi-factor. So they'll know which ones are the weak links in your organization. You may want to consider evaluating your alerting to see if you can set up alerts such that if a user has failed logins in a short timeframe, you're alerted of that situation. Also be aware if you have a consultant that helps you in your Office 365 implementation. Ensure that they are aware of the mandate that starting August 1st they have to have multi-factor authentication set up.

Needless to say, Office 365 attacks are in the news. In fact there's even a presentation coming up at Black Hat talking about attacks in the cloud such as account compromise, password spraying techniques and other topics; we'll have to keep an eye out for that one. Password spraying techniques are so often used that even the US-CERT organization put out a recommendation about how you can take action against that. You want to make sure that you set up your password policies so that there's a much stronger password review, and make sure that you're not allowing people to use easy-to-guess passwords, that you're going longer than eight characters, and that you're ensuring that they're passphrases rather than passwords. And just review the CERT settings and make sure that you're following their recommendations as best as you can.
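The alerting suggested above, as an added example that is not part of the original talk: a small Python detector run over constructed sample sign-in lines. It flags a user with repeated failed logins in a short timeframe and, going one step beyond the text, a single source failing against many different accounts, which is the password-spray pattern a per-user rule alone misses. The log format, field order, thresholds and windows are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample sign-in events, not real logs: "<timestamp> <user> <source_ip> <result>"
SAMPLE_LOG = """\
2019-07-10T09:00:05 alice@example.com 203.0.113.9 FAILURE
2019-07-10T09:00:07 bob@example.com 203.0.113.9 FAILURE
2019-07-10T09:00:09 carol@example.com 203.0.113.9 FAILURE
2019-07-10T09:00:11 dave@example.com 203.0.113.9 FAILURE
2019-07-10T09:15:00 frank@example.com 198.51.100.4 FAILURE
2019-07-10T09:15:20 frank@example.com 198.51.100.4 FAILURE
2019-07-10T09:15:40 frank@example.com 198.51.100.4 FAILURE
2019-07-10T09:16:00 frank@example.com 198.51.100.4 SUCCESS
2019-07-10T11:00:00 alice@example.com 192.0.2.77 FAILURE
"""

def parse_events(text):
    """Parse the assumed four-field format into time-sorted (time, user, ip, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, result))
    return sorted(events)

def bursts(events, key_index, window, threshold, count_index=None):
    """Sliding-window check over FAILURE events grouped by tuple field key_index (1 = user,
    2 = source IP); counts raw failures, or distinct values of field count_index when given."""
    by_key = defaultdict(list)
    for ev in events:
        if ev[3] == "FAILURE":
            by_key[ev[key_index]].append(ev)
    alerts = {}  # key -> time at which the threshold was first reached
    for key, evs in by_key.items():
        start = 0
        for end, ev in enumerate(evs):
            while ev[0] - evs[start][0] > window:  # slide past events older than the window
                start += 1
            recent = evs[start:end + 1]
            n = len(recent) if count_index is None else len({e[count_index] for e in recent})
            if n >= threshold:
                alerts[key] = ev[0]
                break
    return alerts

def failed_login_bursts(events, window=timedelta(minutes=5), threshold=3):
    """One account failing repeatedly in a short timeframe: the alert the talk suggests."""
    return bursts(events, 1, window, threshold)

def password_spray_sources(events, window=timedelta(minutes=10), threshold=4):
    """One source failing against many different accounts: the spray pattern a per-user rule misses."""
    return bursts(events, 2, window, threshold, count_index=1)
```

Feeding the same functions real sign-in exports only requires adapting parse_events to the actual column layout.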
As the white paper points out, multi-factor goes a long way toward helping you out to keep you safe.
Microsoft has a four-page paper talking about ways to defend from password spray attacks.

Bottom line: take the time to review your organization and make sure you're not a weak link, and that your users aren't weak links as well. And then take time out to check out the IDG Tech Talk over on YouTube.