"Quick sounding board for steps taken,
-Created an alert on the companies web site regarding the phishing attempt.
-Made a post on social media (Facebook, twitter) that the Credit Union
would never ask for Username/Password etc and should also contact us
directly if you have an concerns.
- The site "harvesting" the credentials appears to have been hacked,
emailed the owners of the site (using the email in the "contact us"
section) to let them know.
- Used the abuse email address in the domain registry to also report that
the site has been hacked.
(Does gmail have a place I can submit for email abuse? its about 48 hours+
after the attack so most likely a moot point but could help someone else if
they want to use the same account)"
All wise and proportional steps. Then, a real treat, Lance Spitzner steps in:
"First don't feel bad, you are facing a common problem shared by
most organizations. However to answer your question we have to first ask
you a question. Are you training your employees to report phishing
attacks, and if so how are you training them and how often? If you are not
teaching them the indicators of a phishing attack AND how you want them to
report it, then you can't expect them to be effective sensors."
This is an extremely important point. Until one of these phishing emails gets reported, the security folks can't get involved to take the actions the credit union took. Lance continues:
We see organizations that regularly phish their employees can get the number that
fall victim to less than 10% (sometimes less than 5%) and quite often those
that are falling victim are the new hires. Same thing with reporting. The
more you train people on reporting AND the easier you make reporting, the
greater your reporting %. Warning though, you have to be prepared for
success. We have seen organizations turn on their "Human Sensors" only to
have their SOC overwhelmed with reports. That is why we see some
organizations tell their employees if they see an obvious phish, just
delete it. Its the trickier attacks they want reported. It all depends on
what you want reported and the resources you can dedicate to it.
Director, SANS Securing The Human
I am going to have to ponder this for a while. I can see how to train employees to either report everything they think is suspicious. I can see telling them if you think it is a phish, delete it and move on. But it is not immediately obvious to me how to tell them how to report the trickier attacks. I can do it, (and do), you can do it, but we are security people, we think about this stuff all the time. There are some security company phishing quizzes, opendns, and mcaffe for example. Perhaps they could be incorporated into an organization's security awareness program. Now in the specific case of the credit union:
Some good news, looks like Firefox was blocking the site when the attack
took place, and Chrome started blocking it within 24 hours (and i think
that's awesome, thanks to anyone who works on those applications).
It probably makes sense for organizations to be sure their browsers are taking advantage of the protections available.
The capability is built into most browsers, for example on an El Capitan Mac:
In Safari, Preferences, Security, Warn when visiting fraudulent sites.
In Firefox, Preferences, Security, Block reported attack sites
In Chrome, Preferences, Advanced Settings, Privacy, Protect you and your device from dangerous sites
Phishing will always be with us. We have technology solutions, we have security awareness solutions, we need both and we need to adjust and remind from time to time to lower, not eliminate, the risk.