32 comments

[ 2.9 ms ] story [ 74.3 ms ] thread
I have knowledge of some pretty sophisticated phishing tests run at a large organization.

The click rate for links in those emails is shockingly high.

If you have a sophisticated attacker using spear fishing using company information then it's even more effective.

"Hey, [coworker X] told me I should send you our latest policy document for [project Y], here's the link"

A tactic made possible in other worlds, Powered by Facebook (tm)
At my last position, everyone got an email in mid-December saying that the company would be giving each employee a holiday gift... just click the link to select one from the options. It seemed very out of character for the company, so I ignored it.

Many people were upset to find out that the free gift was, surprise, extra security refresher training.

How to make your employees hate your security team and undermine all their efforts out of spite: 101...
Seems like the employees are undermining all of the security team’s efforts by suppressing critical thinking at the prospects of getting a trinket.
> If you have a sophisticated attacker using spear fishing using company information then it's even more effective.

I work for a large company with a common email address format, and I'm constantly getting personalised emails, complete with my name and vaguely related to my work, advertising training and seminars (although I'm yet to be targeted by a spear phishing attack).

I assume they just trawled LinkedIn to find people working at the company and their role. Our email addresses follow a standard format, so it's trivial to guess what my email address is.

We also get monthly simulated phishing emails from our security team.

I've just gotten into the habit of not reading emails. Everything important comes through Slack, my email inbox is mostly automated emails from a dozen different services and company announcements that I don't bother reading.

Not to throw shade on Sequoia, but the statement "We recently experienced a cybersecurity incident" reminds me of Euphemisms by George Carlin (https://youtu.be/vuEQixrBKCc)
That routine is gold on so many levels.
it's not a data breach, it's a free surprise off-site backup service.
And encrypted!
Using the latest industry standard cipher suites, and large key sizes!
Well done! SOBS is a surprisingly apt acronym.
I just watched the whole thing again... it was a refresher course at Carlin University.
Prophet GC. I remember watching him live on my grandparent's pirated HBO box. Yeap. Sanitize, soften, and obscure language until people stop paying attention: whether it's war veterans or MIC appropriation bills.

His most important lesson was: don't vote or you enable the fraud and corruption pretending to give you a choice.

What does ‘monitoring the dark web’ mean?
Keyword search on 4chan.
beyond the third page of google results
ask your sons friend who is always screwing around with the computers
I believe even dark web monitoring software don't look in there
Probably just a quick look at The Pirate Bay.
A quick search for a local coke dealer.
I would assume it means they monitored the top-few dark-web marketplaces and forums where hackers are known to sell their goods.
filed under "no shit".
Does anyone know a good source of educational material on this topic that I can pass around to non-technical coworkers?
Not hard to design your own.

1. Educate them not to open links until they are sure - in emails originated from outside or obscure looking domains 2. Spot for spelling mistakes to find out if it’s a phishing email

(comment deleted)
There has been another hacking event targetting sequoia which has been deliberately kept secret. This data breach happened at a leading Indian law firm which is ironically abbreviated NDA (Nishith Desai Associates) and which Sequoia has used for structuring its funds, esp the Indian ones. This data breach was facilated by disgruntled employees of NDA and the leaked data has also made it to the law enforcement agencies. The leaked documents contain information about the super secret shell entities of Sequoia and other VC funds in tax haven jurisdictions such as Cayman Islands and Mauritius.