Posts tagged Social Engineering

3 min Penetration Testing

7 Funny and Punny Halloween Costume Ideas for Tech and Cybersecurity Pros

Stuck on what to be this year? Here are some of our favorite Halloween costume ideas for tech and cybersecurity professionals.

4 min Penetration Testing

Putting Pen (Tests) to Paper: Lessons and Learnings from Rapid7’s Annual Mega-Hackathon

Rapid7's Mega-Hackathon offers a unique chance to go beyond the data and get a feel for what pen testers are like in their natural habitat.

5 min Breach Preparedness

Phishing Attacks Duping Your Users? Here’s a Better Anti-Phishing Strategy.

You’ve hired the best of the best and put up the right defenses, but one thing keeps slipping in the door: phishing emails. Part of doing business today, unfortunately, is dealing with phishing attacks [https://www.rapid7.com/fundamentals/phishing-attacks/]. Few organizations are immune to phishing anymore; it’s on every security team’s mind and has become the number one threat to organizations [https://www.sans.org/reading-room/whitepapers/analyst/2017-threat-landscape-survey-users-front-line-3

1 min Whiteboard Wednesday

Whiteboard Wednesday: How to Implement A Phishing Awareness Training Plan in 5 Steps

There’s no silver bullet to protecting your organization from phishing attacks [https://www.rapid7.com/solutions/phishing-protection/] today. The only comprehensive approach leverages a combination of methods, many of which we’ve covered in parts 1 [https://www.rapid7.com/resources/wbw-anti-phishing/] and 2 [https://www.rapid7.com/resources/wbw-phishing-protection/] of our three-part phishing Whiteboard Wednesday series. Phishing is a human problem, and part of the solution is to prop

3 min InsightPhishing

Rapid7 InsightPhishing (Beta): Unified phishing simulation, investigation, and analysis

Starting March 1, 2019, Rapid7 will no longer offer or support InsightPhishing, and the beta program will end. Click here [https://kb.help.rapid7.com/docs/insightphishing-end-of-program-announcement] for more information. Phishing attacks remain one of the top challenges for SecOps teams. Yes, we all nod when we see the stats that get thrown around, like the ones below. But we also know this because we’ve heard it directly from our customers. Rapid7 has a long tradition of creating products an

2 min Metasploit

Federal Friday - 6.13.14 - New Group, Same Story

Happy Friday, Federal friends! It's another lovely Fall day here in Beantown but I hope each of you are enjoying your early Summer weather. Some exciting news as Rapid7 was named one of the Top Places to Work by the Boston Business Journal (#11 Mid-size company)! I'm going to keep it short and sweet today considering this is a topic I've covered before. Given the news stemming from a new CrowdStrike [http://www.crowdstrike.com/sites/all/themes/crowdstrike2/css/imgs/platform/CrowdStrike_Global_T

2 min Metasploit

Top 4 Takeaways from the "Live Bait: How to Prevent, Detect, and Respond to Phishing Emails" Webcast

In this week's webcast, Lital Asher-Dotan [https://community.rapid7.com/people/lasherdotan] and ckirsch [https://community.rapid7.com/people/ckirsch] tackled the hot topic, “Live Bait: How to Prevent, Detect, and Respond to Phishing Emails [https://information.rapid7.com/prevent-detect-and-respond-to-phishing-emails.html?CS=blog]”. Phishing has risen from #9 to #3 in the Verizon Data Breach Investigations Report on the most common attack vectors. Phishing attacks are often successful because i

1 min Metasploit

Federal Friday - 5.30.14 - Social Engineering from the Middle East

Happy Friday, Federal friends. You can tell it's almost Summah up here because it's been 50 and raining this week. So an interesting piece of news from an article on DarkReading [http://www.darkreading.com/attacks-breaches/iranian-cyberspies-pose-as-journalists-online-to-ensnare-their-targets/d/d-id/1269270] this week regarding an ongoing campaign targeting government officials and contractors of both the US and Israel. This is a mash-up of social engineering techniques from phishing to social

2 min Metasploit

Top 3 Takeaways from "7 Ways to Make Your Penetration Tests More Productive" Webcast

Earlier this week we heard from ckirsch [https://community.rapid7.com/people/ckirsch], Senior Product Marketing Manager for Metasploit at Rapid7, on the pressure penetration testers are facing. (Hint: it's a lot!). With the increase in high profile breaches and their costs, more and more emphasis is being put on the pen tester and security in general. Read on if you'd like to get the top takeaways from this week's webcast so that you aren't left in the dark about, "7 Ways to Make Your Penetratio

1 min Hacking

Rapid7: Coming to a city near you

We're taking this show on the road. Literally. This week our multi-city Rapid7 roadshow event, “Security at the Crossroads,” kicked off in New York and Minneapolis. Industry experts and fellow practitioners – including speakers from Forrester, Cardinal Innovations Healthcare Solutions, Vertex Pharmaceuticals, Porter Airlines, and TriNet – gathered to share security stories, strategies, and best practices. There isn't enough room to share all the takeaways from these two events, but here are

4 min Social Engineering

Social Engineering: Would You Fall For This Phone Call?

Cyber criminals don't always need a keyboard to hack into your bank account or company network. In fact, a lot of attacks start with a simple phone call. Typically, the attackers are either trying to get information out of you or to make you do something. This is a technique they call social engineering. I've read a lot about social engineering over the years, since it's a personal area of interest. It can be used by a bunch of different occupations, such as FBI interrogators, con artists, sal

2 min Events

Social-Engineer CTF Report Released

For the last five years, the team at Social-Engineer have been bringing one of the most exciting events to DEF CON - the Social Engineering Capture the Flag. The contest was designed to help bring awareness to the world about how dangerous social engineering can be. In our 5th year, the competition was fierce and the report is the best we have ever released. This year a pool of 10 men and 10 women, from diverse backgrounds and experience levels, tested their social engineering abilities again

1 min Social Engineering

The Threat Within: RiskRater User Risk Report

Last week, we released the third of three reports from our RiskRater [https://riskrater.rapid7.com/] research. The first two reports focused on mobile devices [http://www.rapid7.com/docs/mobile_aug_2013.pdf] and endpoint devices [http://www.rapid7.com/docs/RiskRaterEndpointReport.pdf]. The latest report is centered around the risks posed by the one thing that no organization can operate without: Users. With the amount of protections in place at the perimeter, attackers have shifted much of the

2 min Social Engineering

Social Media: Vector for the New Economic Attack?

The big news in security this week has been the hijacking of the Associated Press' Twitter account [http://www.nbcnews.com/technology/technolog/ap-twitter-account-hacked-posts-false-white-house-scare-6C9560165]. The attackers leveraged the "bad news" atmosphere created by the events in Boston last week to gain some measure of credibility for a tweet about bombs exploding at the White House. This is not a particularly new approach: in 2007, the Storm Worm [http://en.wikipedia.org/wiki/Storm_Worm

4 min Metasploit

New Metasploit 4.5: Manage Your Organization's Phishing Exposure

You can now get a better handle on your organization's exposure to phishing attacks [http://www.rapid7.com/solutions/need/manage-phishing-exposure.jsp]: Metasploit Pro now gives you quick insight on risks and advice on how to reduce them. With today's new release version 4.5, Metasploit Pro's social engineering features are no longer just for penetration testers but add a lot of value for more generalist security professionals. A handful of our customers already tested these new capabilities i

1 min Metasploit

Webcast: Decrease Your Risk of a Data Breach - Effective Security Programs with Metasploit

Thanks to the many CISOs and security engineers who attended our recent webcast, in which I presented some practical advice on how to leverage Metasploit to conduct regular security reviews that address current attack vectors. While Metasploit is often used for penetration testing projects, this presentation focuses on leveraging Metasploit for ongoing security assessments that can be achieved with a small security team to reduce the risk of a data breach. This webcast is now available for on-

2 min Metasploit

Man on the SecurityStreet - Day 2 Continued.

It's your favorite reporter in the field, Patrick Hellen, reporting back with some more updates from our speaking tracks at the UNITED Summit. Dave Kennedy, the founder of TrustedSec, gave an entertaining presentation called Going on the Offensive - Proactive Measures in Security your Company. Just like HD's earlier presentation, we had our staff artist plot out the entire speech, which you can see attached below. When I say entertaining, the previous talk track was a debate session that Dave

1 min Exploits

Man on the SecurityStreet - UNITED Day 1.

Hello from San Francisco, home of the 2012 UNITED Summit. It's been an incredibly full day. I'm writing this quick update from an excellent presentation that nex [https://community.rapid7.com/people/nex] of Cuckoo Sandbox fame is giving about threat modelling. According to Claudio's research, only 103 of the almost 50,000 odd vulnerabilities in NVD's vulnerability database are actually being exploited in crimeware kits like BlackHole. Claudio identified MS Office as the most exploited piece of

3 min Metasploit

SOC Monkey - Week in Review - 8.20.12

Monkeynauts, Welcome back to your weekly round up of the best bits from my App [http://itunes.apple.com/us/app/soc-monkey/id500480953?mt=8] that you should be downloading from the Apple App Store [http://itunes.apple.com/us/app/soc-monkey/id500480953?mt=8]. This week, let's dive right into the most clicked story from last week with an update on how Mat Honan is dealing with life post hack: How I Got My Digital Life Back Again After An Epic Hacking. [http://www.wired.com/gadgetlab/2012/08/mat-h

4 min Networking

SOC Monkey - Week in Review - 8.13.12

Welcome back Monkeynauts, It's Monday, so that means I'm going to tell you to download my App [http://itunes.apple.com/us/app/soc-monkey/id500480953?mt=8], from the Apple App Store [http://itunes.apple.com/us/app/soc-monkey/id500480953?mt=8], before launching into the top stories the Pips found interesting last week. Let's take a look, shall we? Let's start this week with something that might hit close to home for several of you, including your favorite Monkey twitter aggregate: Blizzard's B

4 min Networking

SOC Monkey - Week in Review - 8.6.12

Monkeynauts, It's good to have you back. If this is your first time here, feel free to check out where I'm getting all my stories by downloading my App [http://itunes.apple.com/us/app/soc-monkey/id500480953?mt=8] from the Apple App Store [http://itunes.apple.com/us/app/soc-monkey/id500480953?mt=8]. Let's take a quick trip back to some of the big news from earlier this summer, and discuss LinkedIn again: LinkedIn: Breach Cost Up to $1M, Says $2-3 Million in Security Upgrades Coming. [http://w

3 min Compliance

SOC Monkey Week In Review - 7.23.12

Hello my Monkeyreaders - and welcome back to another edition of the ongoing misadventures of the InfoSec world, as told through my Free App [http://itunes.apple.com/us/app/soc-monkey/id500480953?mt=8], available as always in the Apple App Store [http://itunes.apple.com/us/app/soc-monkey/id500480953?mt=8]. I figured I'd start off the week with a story that reminds me of all the Breach stories from my last Review: Eight Million Email Addresses And Passwords Spilled From Gaming Site Gamigo Months A

2 min Penetration Testing

SOC Monkey Week in Review - 6.1.12

Dearest Monkeynauts, As always, I'm back on Friday to give you the biggest news items the Pips have sent out this week via my free app [http://itunes.apple.com/us/app/soc-monkey/id500480953?mt=8], available in the Apple App store [http://itunes.apple.com/us/app/soc-monkey/id500480953?mt=8]. Download now! I'm sure none of you are surprised to see that our biggest topic is currently Flame [http://www.wired.com/threatlevel/2012/05/flame/]. My feeds started to explode earlier this week when Wire

2 min Compliance

SOC Monkey - Week in Review 5.25.12

It's SOC Monkey, coming to you on May 25th, otherwise known as Geek Pride Day [http://en.wikipedia.org/wiki/Geek_Pride_Day]. Unrelated, sure, but not something my Monkeynauts should be unaware of. Also, they should be aware of my iPhone App [http://itunes.apple.com/us/app/soc-monkey/id500480953?mt=8], still free to download from the Apple App Store [http://itunes.apple.com/us/app/soc-monkey/id500480953?mt=8]. First, let's start with a big company from the beginning of the Internet: Yahoo Axis

3 min Networking

SOC Monkey Week In Review 5.11.12

Monkeynauts! I have returned, and I bring free gifts from the Apple App Store [http://itunes.apple.com/us/app/soc-monkey/id500480953?mt=8] - my SOC Monkey App [http://itunes.apple.com/us/app/soc-monkey/id500480953?mt=8] that you should be downloading as I type. First up, I've got a great story from the always wonderful Wired [http://www.wired.com/], about just how ubiquitous being attacked really is these days: Everyone Has Been Hacked. Now What? [http://www.wired.com/threatlevel/2012/05/every

2 min Patch Tuesday

Microsoft Security Bulletin Summary for February 2012

In the Microsoft Security Bulletin Summary for February 2012, Microsoft released nine bulletins to address 20 vulnerabilities. Instead of love on Valentine's day, organizations may have fear pumping through their hearts when you couple the recent news of several high profile breaches with Patch Tuesday. There are four bulletins rated “critical” and they will likely affect all organizations. The critical bulletins are MS12-008, MS12-010, MS12-013, and MS12-016 which are all related to browsers a

3 min Metasploit

How to Fly Under the Radar of AV and IPS with Metasploit's Stealth Features

When conducting a penetration testing assignment, one objective may be to get into the network without tripping any of the alarms, such as IDS/IPS or anti-virus. Enterprises typically add this to the requirements to test if their defenses are good enough to detect an advanced attacker. Here's how you can make sure you can sneak in and out without "getting caught". Scan speed First of all, bear in mind that you'll want to slow down your initial network scan so you don't raise suspicion by crea

1 min Metasploit

Bait the hook: How to write good phishing emails for social engineering

What are the baits that make people click on a link or attachment in a social engineering email? I've looked at some common examples and tried to categorize them. Maybe this list will trigger some ideas next time you're writing social engineering emails. Habits: Think of this as exploiting the brain's auto-pilot - standard email triggers standard response of opening attachment or clicking on link:
* LinkedIn connection requests
* GoToMeeting invitations
* Daily reports from a CRM/ERP sys

1 min Penetration Testing

Using the <base> tag to clone a web page for social engineering attacks

Social engineering campaigns can be a lot more effective if you can impersonate a well-known website that users trust. However, when you simply clone a website by cutting-and-pasting the page source and putting it on your own server, your links will stop working. Copying all links and images from the other site can be cumbersome, but there's an alternative: the HTML <base> tag. It specifies a default address/target for all links on a page; it is inserted into the head element. Let's say you've

2 min Networking

Is Cyber Espionage Cheating?

There is a great quote attributed many times to baseball legend Mark Grace: "If you aren't cheating, then you aren't trying hard enough." This resonates well with me in the current global market where everyone is playing by new rules. It seems like even though many Americans value concepts such as intellectual property, trade secrets, and competitive advantages, they don't consider the value other countries place on them too, and they don't take the necessary steps to protect their valuable

2 min Microsoft

Microsoft Patch Tuesday - November 2011

November's Microsoft Patch Tuesday contains four bulletins: one “critical”, two “importants”, and one “moderate”. The majority of these bulletins relate to Microsoft's later versions of the OS, implying that the flaws they address were possibly introduced with Windows Vista. Generally more vulnerabilities are found in earlier versions of the OS, so this month is unusual. The critical bulletin – MS11-083 – is a TCP/IP based, specifically UDP, vulnerability which affects Vista, Windows 7, Server

2 min Microsoft

Zero-Day Attacks: Don't Believe the Hype

Microsoft Security Intelligence Report Volume 11 [http://www.microsoft.com/security/sir/default.aspx] for the first half of 2011 offers solid evidence to support what security researchers have been shouting feverishly for the last year. This is just more data to confirm that zero-day attacks – while they can certainly cause damage – aren't needed for over 99% of actual attacks. The numbers also show that the top two attacks are user related. The top attack vector was attacks requiring user in

2 min Networking

A Security Lesson from Benjamin Franklin

"Believe none of what you hear and half of what you see." is my favorite Benjamin Franklin quote. Being an information security practitioner for over half of my 36 years has taught me that this saying is true time and time again. I dropped my wife and daughter off at a store this past weekend, while I stayed in the car trying to keep up with the football scores on a Sunday afternoon. I watched as a man walked out of the store and was interrupted by a male driver in a frantic state who was stopp

2 min Networking

Chinese agencies double cyber attacks on Germany

"Prost Neujahr!" That's what we say for "Happy New Year" in Germany, where I just spent a few days with my family to relax and get away from work. A futile attempt, since the Bundesamt für Verfassungsschutz (Federal Office for the Protection of the Constitution, or BfV for short) decided to publish new statistics about cyber attacks. (And, yes, Germans love long words.) According to the BfV's department for counter-espionage [http://www.verfassungsschutz.de/de/arbeitsfelder/af_spionageabwehr_

1 min Metasploit

Rapid7 scam busters: Using social engineering to train your users about phishing attacks

With the holidays approaching, many people are looking for gift ideas and deals. Holiday season is also hunting season for malicious hackers who send out gift idea and deal phishing emails. How do you protect your employees from divulging their personal and even corporate passwords to an attacker? It's hard to combat phishing with technology. Training employees to spot phishing scams is the most effective, but training is time intensive and may impact productivity. What if you could find a w

2 min Exploits

Sesame open: Auditing password security with Metasploit 3.5.1

Secret passwords don't only get you into Aladdin's cave or the tree house, but also into corporate networks and bank accounts. Yet, they are one of the weakest ways to protect access. Sure, there are better ways to secure access, such as smart cards or one-time password tokens, but these are still far from being deployed everywhere although the technology has matured considerably over the past years. Passwords are still the easiest way into a network. The new Metasploit version 3.5.1 adds a l