September 14, 2015 By Pamela Cobb 4 min read

Open up any news feed on the security industry and you’ll read stories on attacks that started with the end user of the affected company. Whether it’s phishing schemes, social engineering or drive-by downloads, there’s no shortage of ways for attackers to compromise the least patchable resource in a company: its employees.

When I first read the article on ransomware in the 3Q 2015 edition of the “IBM X-Force Threat Intelligence Quarterly,” I thought of different ways endpoint protection products could guard against ransomware attacks. Then I remembered an incident from a couple of years ago when a family member called me in a panic because an FBI warning had suddenly popped up on the computer. Anyone who works with computers, especially in the security industry, knows how those phone conversations go:

Friend: The FBI says I did something illegal but I didn’t do anything! Can you fix it?

Me: Well, did you?

Friend, aghast: No! Of course not! But now I can’t even find the right cat reaction GIF to post to complain about it.

Me, sighing: OK, what was the last website you visited or thing you downloaded?

Friend: Uh, I can’t remember.

Me: Mmhmm. What was it?

Friend: *Lists some egregious thing I’ve told them never, ever to do for just this reason.*

I don’t want to malign my friends or family, but I am frequently reminded of what it was like to parent toddlers when I’m in the middle of this conversation. Let’s take that approach to user education since users, like toddlers, can be quite willful when it comes to what they want.

Don’t Stick Your Fingers in There

Gone are the days when sites hosting malware were obvious. When so many web application vulnerabilities, drive-by downloads and malicious packages can be delivered without any obvious warning flags to users, vigilance about the sites your users visit is imperative. Common sense is often touted as a necessary tool, but we in the security industry have seen varying degrees of success in its application. To spell it out a bit more, remind your users to look for these warning signs:

  • Does the site look weird? Is the color off? Is the logo grainy or distorted? These are signs of a malicious site posing as a legitimate one.
  • Did you click through the link from an email or a social media site? Click-bait headlines are still all the rage, but it’s always better to type the URL into the browser yourself instead of clicking through the link as presented, just to make sure you’re going to the legitimate site rather than a look-alike.
  • Is a site you’ve visited in the past now asking for personal information it didn’t before? This could mean that you’re visiting a fake version of a legitimate site, particularly if you clicked through a link from email or social media.
  • For sites that handle logins or personal data, does the address bar show HTTPS? Most browsers also display a lock icon next to the address when the connection is encrypted, but the lock only means the browser verified a certificate for the domain it actually connected to; a look-alike or phishing domain can have a perfectly valid certificate. Users should read the domain name in the address bar, and click the lock to check that the certificate is issued to the site they expect.
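The warning signs above can be turned into a quick link check that runs before a user follows a link. The following Python script is an added example and is not part of the original post or an IBM tool; the trusted domain list, the look-alike folding rules and the sample URLs are constructed for illustration, and the registrable-domain logic is deliberately naive (it takes the last two labels and ignores public suffixes such as co.uk).

```python
"""Heuristic checks on a link before following it.

Added example, not from the original post. TRUSTED_DOMAINS and all sample
URLs are hypothetical.
"""
import ipaddress
from urllib.parse import urlsplit

# Hypothetical: the sites this organisation's users genuinely use.
TRUSTED_DOMAINS = ("example-bank.com",)


def registrable_domain(host):
    """Last two labels of the host. Naive: a real implementation should use
    the public suffix list so 'bank.co.uk' is not reduced to 'co.uk'."""
    labels = host.strip(".").split(".")
    return ".".join(labels[-2:])


def normalize_lookalikes(name):
    """Fold the character substitutions typo-squatters rely on
    (rn->m, vv->w, digits that resemble letters)."""
    name = name.replace("rn", "m").replace("vv", "w")
    return name.translate(str.maketrans("01358", "olesb"))


def link_warnings(url, trusted=TRUSTED_DOMAINS):
    """Return a list of human-readable warnings for the URL (empty = no cue)."""
    warnings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()

    if parts.scheme != "https":
        warnings.append("not HTTPS")

    # https://trusted.example@evil.example/ : the part before '@' is a
    # username, the browser connects to what follows it.
    if parts.username is not None:
        warnings.append(f"user@ prefix in URL; the browser actually connects to {host}")

    try:
        ipaddress.ip_address(host)
        warnings.append("host is a bare IP address, not a domain name")
        return warnings
    except ValueError:
        pass

    # Internationalised labels are encoded as xn--...; homograph attacks
    # (Cyrillic 'a' for Latin 'a', etc.) show up here.
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("internationalised (xn--) label; check for homograph characters")

    reg = registrable_domain(host)

    # The genuine domain, or a real subdomain of it: nothing more to flag.
    for t in trusted:
        if host == t or host.endswith("." + t):
            return warnings

    for t in trusted:
        brand = t.split(".")[0]
        if f".{t}." in f".{host}.":
            # trusted.example.evil.example: brand as a subdomain of someone else
            warnings.append(f"'{t}' appears as a subdomain of {reg}")
        elif normalize_lookalikes(reg) == normalize_lookalikes(t):
            warnings.append(f"{reg} is a character-substitution look-alike of {t}")
        elif brand in reg:
            warnings.append(f"{reg} contains the '{brand}' name but is not {t}")
    return warnings


if __name__ == "__main__":
    # Constructed sample links, one genuine and several impostors.
    for sample in ("https://www.example-bank.com/login",
                   "http://example-bank.com.evil.example/login",
                   "https://examp1e-bank.com/",
                   "https://example-bank.com@evil.example/",
                   "http://203.0.113.7/login"):
        print(sample, "->", link_warnings(sample) or "no warnings")
```

The checks are ordered so that the cheap structural cues (scheme, embedded credentials, bare IP, xn-- labels) come first and the allowlist comparison last; a genuine subdomain of a trusted site returns early so that legitimate links are not flagged as brand abuse.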

Don’t Talk to Strangers

Hopefully your users are not in the habit of opening emails from unknown senders and blindly clicking through links. Where it gets tricky is when a known sender is spoofed in email or social media, lulling users into a sense of safety. Odd behavior from known users can be another warning of stranger danger: Is someone who doesn’t normally request wire transfers in the company now requesting them? Encourage users to validate these appeals in a channel other than the one the request was made in — use texting or instant messaging, a phone call or a visit to the office in person to validate instead of just hitting reply on that email.
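The cues that a "known sender" has been spoofed are mostly visible in the message itself: a legitimate-looking address stuffed into the display name, a Reply-To that routes the answer somewhere else, failed SPF/DKIM/DMARC verdicts recorded by the receiving server, and a request for money or urgency. The Python script below is an added example, not from the original post or an IBM product; the internal domain, the keyword list and both messages are constructed for illustration.

```python
"""Header and content cues that a message from a 'known sender' is spoofed
or is a business e-mail compromise (BEC) attempt.

Added example, not from the original post. INTERNAL_DOMAIN, PAYMENT_CUES and
the two sample messages are constructed.
"""
import email
import re
from email.utils import getaddresses, parseaddr

INTERNAL_DOMAIN = "corp.example"  # hypothetical
PAYMENT_CUES = ("wire transfer", "urgent", "confidential", "gift card",
                "new bank details", "immediately")


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def body_text(msg):
    """Concatenate the text/plain parts (the samples are single-part)."""
    if not msg.is_multipart():
        return msg.get_payload() or ""
    return "\n".join(p.get_payload() for p in msg.walk()
                     if p.get_content_type() == "text/plain")


def spoof_indicators(raw):
    """Return a list of indicators found in the raw RFC 822 message."""
    msg = email.message_from_string(raw)
    hits = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)

    # 1. Display-name spoofing: a real-looking address inside the quoted
    #    name while the actual sender address is somewhere else.
    embedded = re.search(r"[\w.+-]+@[\w.-]+", name)
    if embedded and domain_of(embedded.group()) != from_dom:
        hits.append(f"display name shows {embedded.group()} "
                    f"but the mail is from {from_dom}")

    # 2. Reply-To sends the answer to a different domain than the sender's.
    for _, reply in getaddresses(msg.get_all("Reply-To", [])):
        if domain_of(reply) and domain_of(reply) != from_dom:
            hits.append(f"Reply-To goes to {domain_of(reply)}, not {from_dom}")

    # 3. Receiving server's SPF/DKIM/DMARC verdicts that are not 'pass'.
    auth = " ".join(msg.get_all("Authentication-Results", []))
    not_passed = [f"{k}={v}" for k, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth)
                  if v != "pass"]
    if not_passed:
        hits.append("authentication not passed: " + ", ".join(not_passed))

    # 4. Money or urgency: the cue to validate out of band rather than reply.
    text = (msg.get("Subject", "") + "\n" + body_text(msg)).lower()
    if any(cue in text for cue in PAYMENT_CUES):
        hits.append("payment/urgency request: confirm by phone or in person before acting")
    return hits


# Constructed sample: display-name spoof of an executive at corp.example.
SPOOF = """\
From: "Chris Lee <chris.lee@corp.example>" <chris.lee.ceo@mail-example.net>
Reply-To: chris.lee.ceo@freemail.example
To: finance@corp.example
Subject: Urgent wire transfer - confidential
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=mail-example.net; dkim=none; dmarc=fail header.from=mail-example.net
Content-Type: text/plain

I need a wire transfer processed today. I'm in meetings, so reply to this mail only.
"""

# Constructed sample: an ordinary internal message.
CLEAN = """\
From: Chris Lee <chris.lee@corp.example>
To: finance@corp.example
Subject: Lunch on Thursday
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=corp.example; dkim=pass header.d=corp.example; dmarc=pass header.from=corp.example
Content-Type: text/plain

Anyone up for the new place on Main Street?
"""

if __name__ == "__main__":
    for label, raw in (("spoof", SPOOF), ("clean", CLEAN)):
        print(label, "->", spoof_indicators(raw) or "no indicators")
```

None of these cues alone proves spoofing (a colleague may legitimately use a personal Reply-To), which is why the last indicator is phrased as an instruction to verify through a second channel rather than as a verdict.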

Referring back to websites that look weird, there are ways to check their legitimacy that require varying levels of user involvement. For less proactive users, IT admins can leverage tools like built-in browser safety measures. Popular browsers have built-in browsing protection that will warn users about suspicious sites and about problems such as self-signed, expired or name-mismatched TLS/SSL certificates. Safe browsing software can block entire classifications of sites or give a rating on the site’s safety based on a variety of scoring systems to draw user attention to a potential issue before clicking.

Proactive users can take the reins and do their own research on a threat intelligence platform like IBM X-Force Exchange, where they can check the rating of URLs or Web applications that seem suspicious. X-Force Exchange has a database of over 25 billion URLs and images to search against and conveniently presents scores with color-coded risk ratings. Even young children can learn red means stop and green means go!

Make Routine Your Friend

Parenting strategies can vary here, so I’m going to sidestep the potential mommy-blog landmine and recommend that consistency across workstations and user behavior will be your friend. It’s much easier to achieve consistency across workstations in terms of setup and patching with endpoint compliance solutions, but enforcing consistent user behavior is a tougher nut to crack.

One of my teachers was famous for not allowing gum in the classroom unless you brought enough for the entire class. In an age of bring-your-own-device (BYOD) and the disappearing perimeter, now it seems one user can bring gum, another a lollipop and 10 more have a straight-up suitcase full of sugar. Where IT admins can help control the proliferation of these treats is enforcing connection rules to corporate networks. Requiring users to have a base level of enterprise-mandated endpoint protection installed on any device connecting to the corporate network ensures you don’t end up with metaphorical gum in your hair.

Outlet Safety Covers for the Internet

Running an IT organization is a bit like parenting. You can set up guidelines and instructions, but at the end of the day, you have to send your users out into the world and hope they make good choices. Infections like ransomware or the common cold might happen regardless. If you need help boosting your own user education or recovering from an infection, check with a managed security services provider for their expertise, or explore some of IBM’s other work on the issue.
