Sunday, March 26, 2017

Online version of my 2016 SANS Security Awareness Summit Presentation

Seeing is Believing: Making the Cyber Hype Real with Hacking Demos

Our users hear all the time about computer hacks, financial compromises, and stolen information. But have you ever wondered about different ways to motivate end users to take these subjects more seriously? In this presentation you will learn how we use real-world hacking demonstrations to help us cultivate a more engaged and equipped end user community. You will be shown a video of one of these hacking demonstrations, and learn how we arm the users with ideas, tools and techniques to protect themselves against what they have witnessed. You will also learn some tools and techniques for creating these demonstrations, and discover resources for learning hacker tools and techniques for security awareness. Afterward you will be able to leverage the ideas presented to create your own real-world demonstrations for your user community.

https://www.youtube.com/watch?v=FuezEZtevwg

Saturday, January 21, 2017

W-2 and Tax Fraud Scams Are Back...

A heads-up that it’s that season again, and the bad guys like to take advantage of it.  Last year 41 major organizations were compromised by phishing attacks targeting employee tax records.

These attacks are essentially a more focused variant of phishing called “spear phishing”, and the goal is tax information that can be used to file fraudulent returns.


These types of attacks go after the trust relationships that exist within an organization.  Some of them spoof the email address of the CEO or another person with authority.  This tricks people into sharing personal data.  For example, at Snapchat, a phishing email spoofed to look as if it came from the company CEO compromised payroll information (W-2) for both current and former employees.

Here is some example content from these e-mails (1):
  • “Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all of our company staff for a quick review.”
  • “Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary).”
  • “I want you to send me copies of W-2 employees wage and tax statements for last year. I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.”
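As an added example (not part of the original post), the Python below shows how a mail filter could flag the pattern described above: an executive's display name on an outside address, or a Reply-To pointing elsewhere, combined with a request for W-2 or personal data. The executive directory, domains and both sample messages are constructed; the request wording is taken from the IRS examples quoted above.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: directory of executive display names -> the domain they send from
EXECUTIVES = {"jane doe": "example.com"}
# Phrases taken from the IRS sample requests quoted in the post
SENSITIVE = [re.compile(p, re.IGNORECASE) for p in (
    r"\bw-?2s?\b", r"social security number", r"wage and tax statements?",
    r"earnings summary", r"date of birth", r"\bsalary\b")]

def domain(addr):
    return addr.rpartition("@")[2].lower()

def classify(raw):
    # Returns (verdict, reasons, hits) for one RFC 5322 message string
    msg = message_from_string(raw)
    display, sender = parseaddr(msg.get("From", ""))
    reasons = []
    # Display-name spoofing: a known executive's name on an outside address
    expected = EXECUTIVES.get(display.strip().lower())
    if expected and domain(sender) != expected:
        reasons.append("executive display name on external domain")
    # Reply-To steering answers to a domain other than the sender's
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and domain(reply_to) != domain(sender):
        reasons.append("Reply-To domain differs from From domain")
    body = "" if msg.is_multipart() else msg.get_payload()
    text = msg.get("Subject", "") + "\n" + body
    hits = [p.pattern for p in SENSITIVE if p.search(text)]
    if reasons and hits:
        return "block", reasons, hits    # spoofed authority asking for tax data
    if reasons or len(hits) >= 2:
        return "review", reasons, hits   # human check before anything is sent
    return "pass", reasons, hits

# Constructed samples: a spoofed CEO request, and a genuine note from the
# same executive's real company address.
SPOOFED = """From: Jane Doe <jane.doe@example-mail.net>
Reply-To: ceo.office@mailbox-example.org
Subject: Quick review

Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all
of our company staff for a quick review.
"""
GENUINE = """From: Jane Doe <jane.doe@example.com>
Subject: Staff meeting

Can we move the all-hands to 2pm?
"""
```

Running `classify(SPOOFED)` returns "block" with both header reasons and two sensitive-phrase hits, while `classify(GENUINE)` returns "pass".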

We never want to disrupt trust between co-workers. But we can question requests for sensitive data no matter the source, and alert key members of our organizations if something feels suspicious.

Stay vigilant!


(1) Example content from https://www.irs.gov/uac/newsroom/irs-alerts-payroll-and-hr-professionals-to-phishing-scheme-involving-w2s