Phishing, Spear Phishing & Whaling: Attacks That Are on the Rise

With security breaches occurring constantly, some of the attacks to look out for are the ones arriving by email in your mailbox. Currently attacks such as phishing, spear phishing, and whaling are on the rise. To bring these attacks to light, it is key to understand what they are and how to prevent them.

Phishing: “In the field of computer security, phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT administrators are commonly used to lure the unsuspecting public.”

Spear Phishing: A far more targeted attack aimed at a specific person or group. Usually the targets are linked to vital information, such as checkbooks, SSN’s, and credit card numbers.

Whaling: These are possibly the worst. Executives and “big fish” in the company are targeted for their passwords and vital information.

According to a recent article, “Criminal Hackers Clean Out Bank Accounts Using Spear Phishing”, attacks like these are increasing by at least 50%. Phishing attacks are powerful and can damage bank accounts and identities in days. The article discusses a case where $440,000 was taken over the course of five days without the account owners even knowing.

These attacks usually arrive as emails, which can even look like company documents. Once the user clicks on any link that appears to come from the “important” source, a virus is usually downloaded that allows the attacker to see all of your user data. There are even instances where these viruses attach to the user’s web browser and allow the attacker to see all sites visited, including personal sites such as online banking.

So with this information it is key to also offer some solutions to these attacks:

  • Have anti-virus protection installed on your computer

  • Look into getting a credit freeze

  • Check your bank statements often and keep track of your financials

Finally, the obvious solution is to not open emails that you don’t trust, no matter what. Recently at PistolStar we addressed this exact issue with the U.S. Navy. The government, as an industry, relies on its information being secure. Recent regulations now require that all government emails contain a digital signature to verify the sender. Basically, if it is not signed, it is not trusted. We created an Email-Signature Plug-In that signs all outgoing unsigned emails, to make sure the receivers know who the email is from and that they are a trusted sender.

With the implementation of such plug-ins, regulations, and solutions the number of attacks will hopefully decrease. The key is to make sure that you and your company are secure and protected, and remember…

If it’s not signed, it is not trusted!

Bookmarklet-based Password Managers Exposed

Given the number of websites a user accesses per day, most of which require authentication, it is no wonder everyone is looking for a tool to remember their passwords. Websites now require techniques such as mixing capital letters, symbols, and spaces to increase the strength of a password and the difficulty of cracking or obtaining it.

One way that users keep track of these multiple credentials is with password management tools. These remember the password for the user, so forgetting it is no longer a concern. Unfortunately it has been found that these tools can also decrease security and open a window of opportunity for hackers.

In the article by Rachel Kremen, “Plugging a Password Leak: How a Simple Fix Made Password Managers More Secure”, the issues with password managers that use bookmarklets to automate the login process for the user’s websites were exposed. The researchers investigated six popular bookmarklet-based password managers: Verisign, MyVidoop, Clipperz, PassPack, and MashedLife. The findings were alarming.

These managers work by storing the user’s passwords for their favorite sites on a central server. When the user visits a site again, the bookmarklet is used to determine which site the user is on and to supply the credentials.

Researchers found this to be a red flag. The main question raised was: how does the manager know for sure that the website it thinks the user is on really is that website? After running tests, they discovered that with a few pieces of code the manager could be fooled into producing the credentials for the user’s website, even when the user was not visiting that site at all.

Hackers could easily obtain the credentials for bank websites, credit cards, and other personal information. The password manager would provide the credentials, without recognizing that it is actually a hacker’s website it is providing to.

Luckily the solution was easy. Checking the referrer header, and doing so over SSL, makes forgery of the website difficult. The password manager services researched did take the researchers up on the suggestion, made the changes, and/or informed their users.
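The referrer check described above, as an added example that is not code from the article or from any of the password managers it names. It assumes a hypothetical vault service that receives the bookmarklet's request; the function `decideRelease`, the sample vault contents and the site names are all constructed for illustration. The point it shows is why the header fixes the problem: the site a bookmarklet *claims* to be on is just a value computed by script running inside a page the attacker controls, whereas the Referer header is set by the browser and, over SSL, cannot be rewritten in transit either.

```javascript
// Added example (not the article's or any vendor's code): the server-side
// check a bookmarklet-based password manager can apply before releasing a
// stored credential. Trust the browser-supplied Referer of the request,
// not the origin the bookmarklet claims, and require SSL/TLS transport.

// Constructed vault for one user: site origin -> stored credential (sample data).
const vault = new Map([
  ["https://bank.example", { user: "alice", password: "correct-horse" }],
  ["https://shop.example", { user: "alice", password: "battery-staple" }],
]);

// Decide whether a credential may be released.
//   vault         - the user's stored credentials, keyed by origin
//   claimedOrigin - the origin the bookmarklet says the user is on
//   request       - { secure: <true if TLS was used>, headers: { referer: <string|undefined> } }
// Returns { ok: true, credential } or { ok: false, reason }.
function decideRelease(vault, claimedOrigin, request) {
  // Without TLS a network attacker could rewrite the Referer (and read the
  // credential on the wire), so the check only means something over HTTPS.
  if (!request.secure) {
    return { ok: false, reason: "request not over TLS" };
  }
  // No Referer (stripped by a proxy or a referrer policy): deny by default,
  // because then there is nothing the browser vouches for. Design choice here,
  // not something the article specifies.
  const referer = request.headers.referer;
  if (!referer) {
    return { ok: false, reason: "no Referer header" };
  }
  // Compare origins (scheme + host + port) only, never paths, and never with a
  // prefix match: "https://bank.example.evil.example" must not pass for bank.example.
  let refererOrigin;
  try {
    refererOrigin = new URL(referer).origin;
  } catch (e) {
    return { ok: false, reason: "malformed Referer header" };
  }
  if (refererOrigin !== claimedOrigin) {
    return { ok: false, reason: `Referer ${refererOrigin} does not match claimed ${claimedOrigin}` };
  }
  const credential = vault.get(refererOrigin);
  if (!credential) {
    return { ok: false, reason: "no credential stored for this site" };
  }
  return { ok: true, credential };
}

// Scenarios (constructed): the genuine bank login page versus pages that tell
// the bookmarklet they are bank.example while the browser says otherwise.
function runScenarios() {
  const claimed = "https://bank.example";
  return {
    genuine:   decideRelease(vault, claimed, { secure: true,  headers: { referer: "https://bank.example/login?next=/accounts" } }),
    forged:    decideRelease(vault, claimed, { secure: true,  headers: { referer: "https://evil.example/fake-bank" } }),
    lookalike: decideRelease(vault, claimed, { secure: true,  headers: { referer: "https://bank.example.evil.example/" } }),
    plaintext: decideRelease(vault, claimed, { secure: false, headers: { referer: "https://bank.example/login" } }),
    noReferer: decideRelease(vault, claimed, { secure: true,  headers: {} }),
  };
}

console.log(runScenarios());
```

Only the `genuine` scenario receives the credential; every other one is refused with a reason, which is also the line worth logging on the service side so that repeated mismatches for one account stand out.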

Imagine the losses that could occur. With everyone placing their trust in websites, it is vital to protect the information used to access them. Although remembering these passwords can be challenging, so is tracking a cyber criminal who has taken your identity. With these tools it is important to understand what knowledge you are providing to them and how it will be used. Putting all your passwords in one basket is not necessarily the best plan for secure authentication.

What's New with Password Protection?

A recent article discussed a common issue: password security. It is apparent that people have a hard time remembering, and creating, strong secure passwords. It also seems impossible for users to successfully remember passwords for all of the applications they use, including the websites they visit. In response to this constant struggle between user and password, vendors like PistolStar have come up with solutions.

One of them is a strong challenge question and response method that lets users self-service their own passwords. This allows them to create questions specific to them, which will later be used to confirm their identity. This has been a successful and strong method for quite some time, but now people are wondering what else is possible.

On The Blog of Content Protection, authored by Eric Diehl, the posting “Retrieving Passwords Through Social Interaction” brought to light a strange way to go about recovering your password. Microsoft began to think of password recovery as “not what you know, but who you know”. This created the idea of using trustees to recover your password.

The user would define a list of trustees, who would then receive recovery codes. Once the user forgot their password they would contact their trustees for the recovery codes. This was an interesting concept which created a security wall made of human interaction.

This solution does come with many issues, such as forgetting who your trustees are and the time it takes to retrieve the codes from them. You can read more in Microsoft’s report:

It’s Not What You Know, But Who You Know: A Social Approach to Last-Resort Authentication

The idea of social marketing is being chased by marketers everywhere, but what about social password recovery? Developers, are you ready to jump out of your seats… or stay seated? You decide.


Press Release: PortalGuard

PortalGuard is now officially announced! On July 14, 2009 we sent out the PortalGuard Press Release announcement, and just look at all of the places it turned up:

  • WebSphere Journal

  • WebSphere Power

  • WebSphere World (a WebSphere user community)

  • Outlook Power

  • Web Security Journal

  • TMC Net Healthcare Technology

  • Business Week - Business Exchange

  • IT Business Net

  • AOL Money & Finance

  • MC Press Online

  • WeDoWebSphere Twitter page (tweet was on 7/23)

Layoffs: Studies Say There Are Threats to Data

Recently Insurance Buyers’ News, a direct mail newsletter, came to our office and included a serious article that businesses should be considering today. Unfortunately, with layoffs still occurring, the number of disgruntled employees is rising, which poses a threat to a company’s data.

The article, “Layoffs Increase Data Breach Risks”, discusses a recent example involving a systems administrator. He demanded money and references, or else he would attack the servers. Although he was caught and prosecuted, the damage that could have been done would have been a serious cost to the company.

Studies are beginning to show that employees are not planning on taking just their pens when they leave, but also vital information. The question of course becomes, how are you going to protect your data? It is important to be prepared, especially if there is a possibility of layoffs in the near future.

We recommend a few key tactics for protecting your company from this potential threat:

Many laid-off employees have been found to still be able to access their old accounts, even after the layoff occurred. Treating employees with respect is a way to make these hard times smoother, but protecting your data and your current employees is key.
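The check that catches the problem just described, accounts that stay open after a layoff, as an added example that is not from the newsletter article or from PistolStar. The HR termination list, the directory export and the user names are constructed sample data, and the `auditOffboarding` function is a hypothetical reconciliation job: it reports terminated users whose account is still enabled, and any login recorded after the termination date, which is the stronger signal that someone actually used the access.

```javascript
// Added example (not the article's or PistolStar's code): reconcile HR's list
// of terminations against a directory export to find access that should have
// been revoked. Both inputs are constructed sample data.
const terminations = [
  { user: "jsmith",  terminatedOn: "2009-07-01" },
  { user: "mlee",    terminatedOn: "2009-06-15" },
  { user: "pgarcia", terminatedOn: "2009-06-30" }, // never had a directory account
];

const directory = [
  { user: "jsmith", enabled: true,  lastLogin: "2009-07-09T08:12:00Z" }, // left, still enabled, still logging in
  { user: "mlee",   enabled: false, lastLogin: "2009-06-14T17:30:00Z" }, // left, properly disabled
  { user: "akhan",  enabled: true,  lastLogin: "2009-07-10T09:00:00Z" }, // current employee
];

// Returns one finding per problem: { user, issue, detail }.
// `now` is a Date; terminations dated after it are not yet effective.
function auditOffboarding(terminations, directory, now) {
  const accounts = new Map(directory.map((a) => [a.user, a]));
  const findings = [];
  for (const t of terminations) {
    const acct = accounts.get(t.user);
    if (!acct) continue; // no directory account: nothing to revoke
    // Treat the whole termination day as working time; anything after its end is suspect.
    const cutoff = new Date(`${t.terminatedOn}T23:59:59Z`);
    if (now <= cutoff) continue; // termination not yet effective
    if (acct.enabled) {
      findings.push({ user: t.user, issue: "account still enabled", detail: `terminated ${t.terminatedOn}` });
    }
    if (acct.lastLogin && new Date(acct.lastLogin) > cutoff) {
      findings.push({ user: t.user, issue: "login after termination", detail: `last login ${acct.lastLogin}` });
    }
  }
  return findings;
}

console.log(auditOffboarding(terminations, directory, new Date("2009-07-10T00:00:00Z")));
```

Run on a schedule against the real HR feed and directory, the first finding type is a to-do list for the help desk, while the second belongs with the security team, since it shows the gap was actually used.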