Verizon to world: STOP opening dodgy phishing emails, FOOLS

Phishing and web app security problems remain the most common way for hackers to gain access to sensitive information, according to US telco giant Verizon. Two out of three breaches were the result of weak or swiped passwords, making a case for strong two-factor authentication, the latest edition of Verizon’s annual Data …

  1. Florida1920

    BS

    Back when I thought there was a chance of relief, I relentlessly notified Verizon and other ISPs of obvious bot-infected systems on their networks. A particular Verizon IP address was a persistent repeat offender. Forwarded logs, texts etc. Never got a reply and the same IPs just kept churning out the spam. Maybe they were charging the fools for the bandwidth so it wasn't in their financial interests to do anything. After all these years, when I see something like this "public-service" message I figure they're only trying to mitigate their public perception as rapaciously greedy corporations.

    1. Mark 85

      Re: BS

      Ah... yeah. It's sure-fire crap from the PR department. It's never about the perp or the carrier who could stop the perp. It's all about the stupid schmuck who opens the emails, visits the dodgy websites... uh-huh... right. It's just not Verizon either. It seems to be all of them. It could be stopped if only the carriers would participate in stopping all this crap. Yeah.. that would cost some money to follow up and possibly banish a paying customer.

    2. swschrad

      you know, these guys could deep-inspect links

      and if their inspection bot crashes into dust, block those sites.

      when ISP-whatever is blocking themselves, then they might decide to check out their hosted customers.

    3. Robert Helpmann??

      Re: BS

      It would be nice, too, if their mobile division would update Android on the phones they sell. They certainly talk the talk, but seem to stumble when trying to walk the walk.

  2. Ole Juul

    an inexact science indeed

    > The analysis is based around actual breach claims to insurance firms,

    And how many of these claims include the cost of a hitherto non-existent roof in their cost estimate when claiming water damage?

  3. petef

    Shouldn't that be PHOOLS?

  4. Pascal Monett Silver badge

    One thing is very interesting

    "Around one in four (23 per cent) of recipients opened phishing messages, while more than one in 10 (11 per cent) of recipients clicked on attachments. Half (50 per cent) of successful phishing attacks involved emails that were opened in the first hour after their receipt."

    With all this email activity in the corporate sector, you'd think Microsoft would include a security feature in Outlook/Exchange. Maybe something like Open Untrusted Email which would sandbox the thing internally until the user decides to trust it. Or maybe establish a list of trusted contacts and any email from anyone else would be automatically treated by Outlook as potentially having a virus, instead of just going and executing every single bit of code that anyone sends anybody else.

    And please, please, could we have an automatic detection of when the sender and the Reply To names/domains are different and instantly class that as Criminally Suspect? With a popup when clicking on such a message that reads something like "The address of the sender and that of the reply to are not the same. This is generally a sign that the message is spam or may originate from a criminal source. Are you sure you want to open this mail?"

    Microsoft? Is that too much to ask?

    1. Nick Ryan Silver badge

      Re: One thing is very interesting

      It would have been nice if Exchange also supported SPF but no... AFAIK it took until MS Exchange 2013 because MS were too busy trying to foist their own "solution" onto the Internet instead of supporting standards.

    2. veti Silver badge

      Re: One thing is very interesting

      There are plenty of valid reasons why the "reply-to" address may be different from the "from" address. And anyway, if you insist on making an issue of it, both of those headers are trivially easy to set to whatever you want.

      What we really want to police is (a) executable attachments (obviously), and (b) links. There's been some progress on both these fronts. For instance, Outlook will no longer open a link embedded in an email just because you preview, or even open, the email - you have to either tell it to download external content, or click on the link manually. That's a step in the right direction.

      Executable attachments are harder, but Windows 8 is making progress even on that front - Windows Defender and SmartScreen are pretty good, as far as they go.

      But honestly, there's only so far you can go with technology. Microsoft is in a bind because it's committed - still - to the idea that you can do anything with a PC. (Unlike, say, an iPad, whose main selling point is that you can't do that, and therefore there's so much less to worry about.) That means that, sooner or later, the user must be able to bypass your security. And as we all know, if they can do it, they will.

  5. x 7

    RAM "scrappers"?

    Should that not be "scrapers"?

    1. John Brown (no body) Silver badge

      Yes thanks, I'd also like to know if that's a consistent typo, a local accent thing causing a mis-spelling, or is it really a process which scraps your RAM, or a usage of "scrapper" I've just not heard of before today.

    2. DNTP

      Scrappers

      RAM scrappers are the office workers who get a new computer, then salvage all the RAM out of the old one before sending it on to recycling. This is done without pointless trivialities such as static protection or not damaging the DIMM by yanking it too hard in the wrong direction, so it is a highly efficient process. The scrapped RAM is then recycled, frequently offered in a mating ritual designed to "impress" female co-workers with "technical" prowess by "making their hard disk faster" but is actually a memory install done in the same manner as the salvage but also performed without regard for speed or system spec.

      Then you, at the support desk or in proper IT, get the call a day later about "it won't boot, it just sits there beeping".

      1. Fatman

        Re: Scrappers

        My WROK PALCE had one such scrapper who was a low level IT flunky.

        He thought that the machines being re-cycled were going to be sold.

        He did not know that they were leased, and re-cycling them meant returning them to the leasing company; who was none too happy to get 50 of them back minus the RAM.

        Cue one nastygram from a shyster. Fortunately for him, he had not 'disposed' of those chips; and we were able to return them.

  6. Graham Marsden

    Dear El Reg...

    ... It is possible to set .gif images to loop a set number of times eg 5 or 10 rather than just "loop forever".

    Thank you.

    1. Anonymous Coward

      Re: Dear El Reg...

      You can always use AB+ to kill it.

      1. This post has been deleted by its author

        1. Nick Ryan Silver badge

          Re: Dear El Reg...

          Or El Reg could quit this bullshit idea of foisting unrelated and largely ignored large images at the top of every article and the main page.

          I'm sure I'm not the only one that every time the El Reg home page opens up I now automatically scroll down and ignore the retardedly large image at the top so I can read the headlines below. I even paid attention recently and found that there were other article links "top stories" on the right hand side of these pointless images that I also skipped because of this. Talk about making a feature pointless.

        2. swschrad

          effiin eff Flash

          they're still 2 years or more behind patching known hacks. since we're talking about hacks. my company has now banned flash, and I have turned it off at home now as well. not missing anything except Killfrog.com

      2. Graham Marsden

        @Ivan 4 - Re: Dear El Reg...

        > You can always use AB+ to kill it.

        Yes, I know, I did that for the incredibly stupid and annoying "dancing Jesus" one they came up with a while back, but the point is I shouldn't *need* to if El Reg bothered with making their site user friendly.

        And that includes getting rid of the ridiculously massive image at the top of each page which often has virtually no relevance to the story it's referring to...

      3. mad physicist Fiona

        Re: Dear El Reg...

        > You can always use AB+ to kill it.

        Kill them all: it is easy enough since El Reg only uses GIFs for the annoying animations - everything else is either PNG (most UI components) or JPEG (photos). Add a custom ABP pattern:

        ||regmedia.co.uk/*.gif^*

        You'll never notice it except when it finds something you didn't want in the first place.

  7. theOtherJT Silver badge

    No defense against willful ignorance.

    We get about a user a month who ends up having their account closed because it suddenly starts sending a few thousand emails a second. Every time they show up in the office with this "What's going on here?" face on and say something like "But you told me you needed my password so you could validate my mailbox!"

    We make everyone read the "how to spot a phishing email" thing when they sign up for an account.

    We send out stock reminders 3 times a year.

    We send out specific reminders every time someone falls for a phish.

    The trouble is that the vast majority of our users don't _care_ about computers, don't _care_ about email and don't _care_ about security - at least until the day they end up getting their account locked and a stern talking to by one of the IT security team.

    If people are going to type their passwords into random websites because an email in broken English from a random Albanian email address told them to, there's not a great deal we can do to stop them.

    > could we have an automatic detection of when the sender and the Reply To names/domains are different and instantly class that as Criminally Suspect? With a popup when clicking on such a message that reads something like "The address of the sender and that of the reply to are not the same. This is generally a sign that the message is spam or may originate from a criminal source. Are you sure you want to open this mail?"

    Only problem is that that happens all the time.

    The last thing we need is something popping up and spooking the users when they get an email from it-announce@[nameofbusiness].uk with a reply to of it-support@[nameofbusiness].uk

    It's a feature that would just immediately get turned off by 99% of sysadmins in response to user complaints.

    1. John Brown (no body) Silver badge

      Re: No defense against willful ignorance.

      "The last thing we need is something popping up and spooking the users when they get an email from it-announce@[nameofbusiness].uk with a reply to of it-support@[nameofbusiness].uk"

      Up-voted for that. There are plenty of reasons why a From: and Reply-to: might be different, just as there are reasons why a phone CLI might not be the number of the phone making the call. That the process can be used by black-hats is a sad side effect which can be difficult to mitigate, especially for front-line users who may be dealing with emails from all over the world on a daily basis. Education is the best solution but some people (many people, if the stats in the article are even close to accurate) have to be persuaded that they need educating.

      1. Nick Ryan Silver badge

        Re: No defense against willful ignorance.

        If the damn Sender and Reply-To domain names don't match then it's usually a sign that something screwy is happening. This wouldn't fix every instance of phishing / spam but would resolve a lot of them and "good" bulk email senders like to ensure that an SPF record is created pointing to their systems if the client wants to keep the sender name consistent with their in-house emails.

  8. Anonymous Coward

    The email servers can stop these messages at source since they have a lot more information at their disposal.

    Blaming the email recipient is much like blaming a person who opens a letter bomb.

  9. Anonymous Coward

    Avoiding scam emails is easy

    If you're like me, and have no friends, just delete every email that comes in.

    [joke alert]

  10. This post has been deleted by its author

  11. Dammit

    DMARC is an open standard that Microsoft is on the verge of implementing (fully) in EOP and M365. It ensures that the 5322.From (what is visible to the user) has been used legitimately, so if they receive an email from HSBC.co.uk, and HSBC are using DMARC correctly*, AND the client which the user opens the email with validates DMARC correctly (such as Gmail, Yahoo!, AOL, Live/Hotmail and, soon, M365/EOP), then it was indeed sent by either HSBC or one of their trusted third parties.

    The reply-to can be different (often a bounce processing address/etc), the key thing is that the domain in the visible from is the actual domain that authorised the email to be sent, not spoofed by Phil the Phisher.

    *This assumes that HSBC has implemented DMARC fully and has got to p=reject.
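The alignment rule the comment above describes (and the reason the earlier Sender/Reply-To mismatch idea is the wrong signal), shown as an added example that is not code from the thread or from any mail product. It assumes the SPF and DKIM verification results are already known (they need the network), a constructed stand-in for the `_dmarc` DNS record, and a constructed subset of the Public Suffix List; the messages are constructed too. Reply-To never enters the decision.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed subset of the Public Suffix List (real receivers load the full list).
PUBLIC_SUFFIXES = {"co.uk", "uk", "com", "net"}
# Constructed stand-in for the TXT record published at _dmarc.hsbc.co.uk.
DMARC_POLICY = {"hsbc.co.uk": {"p": "reject", "adkim": "r", "aspf": "r"}}

def org_domain(domain):
    """Organisational domain: one label above the longest matching public suffix."""
    labels = domain.lower().split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else domain.lower()
    return domain.lower()

def aligned(from_domain, auth_domain, mode):
    """DMARC identifier alignment: 's' = exact match, 'r' = same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_disposition(raw, spf_pass_domain=None, dkim_pass_domain=None):
    """Return 'pass', 'none' (no policy), or the sender's p= value.
    spf_pass_domain is the MAIL FROM domain SPF verified; dkim_pass_domain
    is the d= of a DKIM signature that verified. Either aligning is enough."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    policy = DMARC_POLICY.get(org_domain(from_domain))
    if policy is None:
        return "none"
    if aligned(from_domain, spf_pass_domain, policy["aspf"]) or \
       aligned(from_domain, dkim_pass_domain, policy["adkim"]):
        return "pass"
    return policy["p"]

# Constructed messages: both have a Reply-To that differs from From.
GENUINE = ("From: HSBC <alerts@hsbc.co.uk>\r\nReply-To: bounces@mail.hsbc.co.uk\r\n"
           "Subject: Statement\r\n\r\nbody\r\n")
SPOOFED = ("From: HSBC <alerts@hsbc.co.uk>\r\nReply-To: help@example.net\r\n"
           "Subject: Verify your account\r\n\r\nbody\r\n")

if __name__ == "__main__":
    print(dmarc_disposition(GENUINE, dkim_pass_domain="mail.hsbc.co.uk"))  # pass
    print(dmarc_disposition(SPOOFED, spf_pass_domain="example.net"))       # reject
```

The genuine mail passes on relaxed DKIM alignment even though its Reply-To is a bounce address; the spoof is rejected because nothing authenticated hsbc.co.uk, regardless of what its Reply-To says.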

  12. Potemkine Silver badge

    > Corporate hackers often targeted lawyers, marketing staff and human resources within corporate environments in phishing runs because these departments regularly deal with a lot of email, according to Verizon.

    I may have another explanation to explain why these departments are targeted, more related to their specific approach to IT in general and to IT security in particular...
