Shortened URL, Think before you click
I am finally taking the CISSP on November 5th; I say finally because my last two attempts were abandoned due to any number of reasons. I am committed and have registered this time. This post is not about my preparation, but about one "resource" I was offered after I asked a question on Twitter looking for good resources for preparing for the exam.
The response in question came from someone I neither know nor follow on Twitter, and it contained a shortened URL. That should have been the first warning sign.
Something I always stress in end-user education is "Think before you click." Of course everyone is susceptible to social engineering and a lapse in judgment, so I clicked on the link. After clicking I was redirected to an offer to win an iPad 2, and I consider myself lucky that it was just clickjacking and not malware.
Twitter and other social media should be treated just like email: if you don't know who is sending you the link, delete it. I tried Safego by Bitdefender to do some background checking on this user, but there was little activity. Safego seems to work OK on Twitter, but I have had good success with it on Facebook. I have too many friends who think they can see who is following them on Facebook. Taking a closer look at the account that sent the message, it appears to be a spam account, so I have blocked it and reported the spam.
Google has also picked up on the spam and is blocking the shortened url.
The question I keep coming back to is: what if there had been malware behind the page? With the ability to create shortened URLs so quickly, what can we do about it? End-user education is the best answer: understanding who is sending us the information and thinking before we click. Are there other options to stop this spam or its use in an attack? I could easily see this being used to spread Zeus to companies, or in a zero-day attack like the one used in the RSA breach. Commercial account takeover is a large problem in the financial services industry today, and the majority of it is perpetrated through Zeus.
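One technical step a defender can take is to expand a shortened URL before anyone clicks it, so the real destination can be inspected or checked against a blocklist. The Python script below is an added example, not code from the original post: it walks the redirect chain hop by hop using HEAD requests (never fetching or rendering a page body), caps the number of hops, and flags chained shorteners or a final destination that is not HTTPS. The shortener hostnames, the `FAKE_RESPONSES` table and the `win-an-ipad.example` destination are constructed for the offline demonstration; the `http_head` helper is the live equivalent.

```python
from urllib.parse import urlparse, urljoin
import urllib.request
import urllib.error

# Hostnames of well-known URL shorteners (constructed, partial list for illustration).
SHORTENER_HOSTS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly", "is.gd"}
REDIRECT_CODES = {301, 302, 303, 307, 308}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects; we want to see every hop ourselves."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # returning None makes urllib raise HTTPError for the 3xx


def http_head(url, timeout=5):
    """Live helper: one HEAD request, returns (status, Location) without following it."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, None
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Location")


def expand_short_url(url, fetch=http_head, max_hops=5):
    """Follow the redirect chain without rendering anything.

    Returns a dict with the full hop chain, the final URL and host, and a list
    of warnings a reviewer or mail/chat gateway could act on.
    """
    chain = [url]
    warnings = []
    current = url
    for _ in range(max_hops):
        status, location = fetch(current)
        if status not in REDIRECT_CODES or not location:
            break  # reached a non-redirect response: this is the destination
        nxt = urljoin(current, location)  # Location may be relative
        if nxt in chain:
            warnings.append("redirect loop")
            break
        chain.append(nxt)
        current = nxt
    else:
        warnings.append(f"more than {max_hops} redirects")

    shortener_hops = [u for u in chain if (urlparse(u).hostname or "") in SHORTENER_HOSTS]
    if len(shortener_hops) > 1:
        warnings.append("chained shorteners")  # a common trick to evade link scanners
    if urlparse(current).scheme != "https":
        warnings.append("final destination not https")

    return {
        "chain": chain,
        "final": current,
        "final_host": urlparse(current).hostname or "",
        "warnings": warnings,
    }


# Constructed redirect table standing in for live HEAD responses (offline demo).
FAKE_RESPONSES = {
    "http://bit.ly/cisspguide": (301, "http://t.co/abc123"),
    "http://t.co/abc123": (302, "http://win-an-ipad.example/offer"),
    "http://win-an-ipad.example/offer": (200, None),
    "https://www.isc2.org/": (200, None),
}


def fake_head(url):
    """Offline stand-in for http_head using the constructed table above."""
    return FAKE_RESPONSES.get(url, (404, None))


if __name__ == "__main__":
    for link in ("http://bit.ly/cisspguide", "https://www.isc2.org/"):
        result = expand_short_url(link, fetch=fake_head)
        print(link, "->", result["final"])
        print("  hops:", len(result["chain"]) - 1, "warnings:", result["warnings"])
```

Run it as-is for the offline demonstration, or call `expand_short_url(link)` with the default `http_head` fetcher to expand a real link from a sandboxed or non-user machine. The chain and warnings are what you would log alongside the sender's account so that the same destination can be blocked the next time it appears behind a fresh shortened URL.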
Until a technical solution is available to combat this, we must rely on end users thinking before the click, and that includes me.