How to Protect Data From Natural Disasters
With hurricane season in full bloom and the additional prospect of natural disasters, the importance for companies to have disaster data plans in place is paramount.
Companies that fail to make recovery plans for their electronic gear and essential data are inviting serious financial injury when an emergency strikes.
TechNewsWorld discussed disaster preparedness with a panel of IT experts. Check out their recommendations -- and make sure that you have not forgotten that one key thing that many companies forget to protect but regret afterward.
IDC Findings
A 2018 IDC report entitled "The State of IT Resilience" warns businesses not to fall into the trap that snarls many companies each year when emergencies happen. These firms view disaster recovery (DR) preparedness as an insurance policy and an added expense that is likely to have little payback.
This approach to disaster recovery is inadequate for today's digital businesses. If DR tools and initiatives are viewed as a cost center objective and not as a business driver, an organization's cloud and digital transformation (DX) initiatives will be exposed to a higher rate of failure, the report warns.
Other research estimates that as many as half of all organizations could not survive a disaster event. That research also found that many businesses do not properly protect their data, test their disaster recovery environment, or have automated DR processes in place.
"After an already stressful 2020 due to the COVID-19 pandemic, forecasters are expecting an above-average number of hurricanes this season. Regrettably, many businesses may be unprepared to weather those storms and could experience permanent data loss if they aren't ready from an IT perspective," Caroline Seymour, vice president of product marketing at Zerto, told TechNewsWorld.
To avoid becoming another victim, she recommends maintaining critical business operations, preserving valuable data, and ensuring IT resilience by having a formal DR plan in place that can be enacted rapidly.
In addition to having cloud-based disaster recovery technology implemented and tested, IT teams need to practice their DR plans to understand what works well and where there are opportunities for improvement, Seymour cautioned.
The Cost of Not Preparing
IT resilience -- essential to disaster recovery -- is a measure of an organization's ability to protect data during planned disruptive events, effectively react to unplanned events, and accelerate data-oriented business initiatives. It includes traditional disaster recovery and backup tools, and also incorporates advanced analytics and security capabilities needed for the success of any digital business in the 21st century.
IDC's research found that many organizations are seeing new forms of disruptions, such as ransomware, cause considerable downtime.
Here are some key findings from IDC's disaster recovery research:
- More than half of the respondents are currently undertaking IT or digital transformation projects and see IT resilience as foundational to them, but few believe their IT resilience strategy is optimized.
- Most organizations surveyed have experienced tech-related business disruptions. These situations resulted in material impact in terms of either recovery cost or additional staff hours, direct loss of revenue, permanent loss of data, or damage to company reputation.
- Data protection (DP) and disaster recovery (DR) are central tenets of digital transformation initiatives but may not be prioritized by many organizations.
- Only half of all apps are fully covered by a DR strategy. This indicates a disconnect at the business strategy level regarding the importance of data protection and data recovery to the organization's initiatives.
Much Can Go Wrong
The research found that many companies struggle with the cost, complexity, and orchestration of their data protection and disaster recovery solutions. Almost half of the respondents (45 percent) reported challenges with restore or backup reliability.
The complexity of the backup and recovery process was also a leading challenge for 43 percent of the companies. These factors have a high probability of delaying or disrupting IT transformation (DX) initiatives.
That complexity is pushing some 90 percent of the participating companies to pursue a convergence of backup and DR tools as they eliminate redundant tools. This indicates that users increasingly see backup and DR functions not as siloed products but as complementary assets of a single solution.
Researchers believe the best practice for corporate data recovery is to define what IT resilience means for their organization and develop a plan for implementation. That definition should begin with the core elements of data protection, backup, and disaster recovery.
It should also account for emerging security threats and address the requirements of all business applications, whether on-premises or in the public cloud. It should not assume a one-size-fits-all IT resilience solution.
"As of July 2020, the US has experienced 10 weather- and climate-related disaster events, losing more than $1 billion each time. This does not even count the storms that took out parts of the Northeast last week (Hurricane Isaias)," Jennifer Curry, vice president of Global Cloud Services at INAP, told TechNewsWorld.
Recipe for Recovery
Successful disaster preparedness entails prioritization and communication. Curry outlined three ways companies can protect their data and information before disaster strikes:
Step One: Identify Risks
For many organizations, losing data and information is the biggest threat. Start by identifying where the data is stored, whether copies exist, and if so, where those copies are kept (on-site or in a separate location).
"Having all information stored in one place is extremely risky because one natural disaster can wipe out everything," she said.
Step Two: Think About Off-Site Backups
If an organization does store data separate from its primary location, that is half the battle.
"To further protect their assets, companies should select a backup site that is in a different geographical region to reduce the chances that both locations would be knocked out by one disaster," she reasoned.
Step Three: Consider Disaster Recovery Solutions
Many companies use cloud storage as a backup since it is easily scaled and cost-effective. However, a more robust option is disaster recovery as a service (DRaaS).
"DRaaS is essentially a facility redundancy in company infrastructures. It replicates mission-critical information, applications, and data so companies can maintain business continuity during natural disasters," Curry explained.
"IT teams will be strapped when disaster strikes, and rather than having them tackle multiple requests from stakeholders across the organization, they are more successful if they have a prioritized list of applications," she offered.
INAP tells clients to make sure comprehensive business continuity is developed before a devastating event happens. This also serves as an opportunity to identify the risks and gaps that may be commonly missed.
Balancing the Risks
Managing data loss is a case of reducing risks and consequences. The risk cannot and will not ever reach zero, according to David Zimmerman, CEO of LC Technology International.
"Events like fires, floods, tornados, earthquakes, and other disasters can result in business-altering data losses. Floods (especially salt water) severely damage equipment such as servers, SD cards, and laptops. With corrosion from seawater, data recovery might be impossible," he told TechNewsWorld.
However, the right mix of training, corporate protocols, and cloud backups can greatly reduce the downsides of any data losses, making them slight inconveniences instead of business-ending disasters, he added.
Companies can protect their electronics and data during an emergency by incorporating the risks of data loss into a disaster recovery plan that evaluates the physical and virtual locations of their data. Then review how susceptible both would be to loss from fire, floods, or other events, suggested Zimmerman.
Sidestep Mishaps
Many small business operators with no IT staff tend to think a single backup to an external hard drive or storage uploads to a cloud service is all they need. This is dangerous thinking, according to Zimmerman.
Just because your business does not have a full staff with a fancy data management system does not mean you cannot take smaller, easy steps to protect your data.
"A single backup to a hard drive is the first step a business without the resources of an IT staff can do. However, it must go beyond that.
Without a formal data protection plan, all your hard work and content are at risk every day it is not duplicated. There are easy steps to proactively prevent this from happening," he said.
Small business operators should follow what larger companies that have IT workers do. Implement a policy of redundancy.
This involves making multiple layers of backups, often more than you think is necessary. Create backups with the cloud combined with external hard drive storage. These should be used in tandem, not as replacements for each other, recommended Zimmerman.
"Managing the risk from any natural disaster should start with an inventory of all corporate-owned data. Back everything up to external hard drives -- noting that these are kept off-site -- that's the important part. If a disaster strikes and all the data is held in the office, then the backups are pointless," he offered.
One Thing Not to Forget
Many organizations still do not see the importance of creating a disaster recovery plan prior to a disaster happening, despite the massive risk of losing data that could impact the company's future, Zimmerman shared. The most critical point of data recovery is proactivity.
"You don't want to have to scramble to create a data recovery plan after a disaster strikes. The plan should function as a roadmap that includes all the sources and locations of data and who is responsible for it," he advised.
Evaluating what to do and where to go after data is lost can be crippling to a business model, company reputation, and ability to actually do business. That can hurt any existing relationships with customers and partners.
"Forgetting to protect something is usually not the problem. What companies regret most is not doing periodic restore testing from backup data and testing disaster recovery plans. If companies are unprepared, it prolongs downtime and in some cases leads to data loss," Shawn Lubahn, account product manager at Barracuda Networks, told TechNewsWorld.
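The recommendations above (an inventory of all data with a named owner, copies on more than one medium, at least one copy off-site in another region, and periodic restore testing) can be checked mechanically against a backup inventory. The script below is an added example, not from the article or any of the vendors quoted; its inventory fields, the 90-day restore-test window and the sample data sets are assumptions.

```python
"""Backup redundancy and restore-test policy check (added example).

Turns the advice quoted on the page into a check over a constructed
inventory: every data set needs a named owner, copies on at least two
media, an off-site copy outside the primary region, and a restore test
within the last N days. Field names and thresholds are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class BackupCopy:
    medium: str                      # e.g. "cloud", "external-drive", "tape"
    region: str                      # geographic region where the copy lives
    offsite: bool                    # stored away from the primary office
    last_restore_test: Optional[date]  # None = never restored from this copy


@dataclass
class DataSet:
    name: str
    owner: str                       # who is responsible (the "roadmap" item)
    primary_region: str
    copies: List[BackupCopy] = field(default_factory=list)


def check_dataset(ds, today, max_test_age_days=90):
    """Return a list of policy findings for one data set (empty list = OK)."""
    findings = []
    if not ds.owner:
        findings.append("no named owner")
    if not ds.copies:
        findings.append("no backup copies at all")
        return findings
    if len({c.medium for c in ds.copies}) < 2:
        findings.append("all copies on a single medium")
    offsite = [c for c in ds.copies if c.offsite]
    if not offsite:
        findings.append("no off-site copy")
    elif all(c.region == ds.primary_region for c in offsite):
        findings.append("off-site copies share the primary region")
    cutoff = today - timedelta(days=max_test_age_days)
    recently_tested = [c for c in ds.copies
                       if c.last_restore_test and c.last_restore_test >= cutoff]
    if not recently_tested:
        findings.append(f"no restore test within {max_test_age_days} days")
    return findings


def audit(inventory, today, max_test_age_days=90):
    """Map data set name -> findings for every data set in the inventory."""
    return {ds.name: check_dataset(ds, today, max_test_age_days) for ds in inventory}


# Constructed sample inventory for a small business (not real data).
TODAY = date(2020, 8, 10)
SAMPLE_INVENTORY = [
    DataSet("customer-db", "ops@example.invalid", "us-east", [
        BackupCopy("external-drive", "us-east", False, date(2020, 7, 1)),
        BackupCopy("cloud", "us-west", True, date(2020, 6, 15)),
    ]),
    # Two drives, both in the primary region, never restored from, no owner.
    DataSet("shared-docs", "", "us-east", [
        BackupCopy("external-drive", "us-east", False, None),
        BackupCopy("external-drive", "us-east", True, None),
    ]),
    DataSet("mail-archive", "it@example.invalid", "us-east", []),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INVENTORY, TODAY).items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```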
Common Techniques & How to Prevent an Attack
Social engineering attacks are not only becoming more common against enterprises and SMBs, but they're also increasingly sophisticated. With hackers devising ever-more clever methods for fooling employees and individuals into handing over valuable company data, enterprises must use due diligence in an effort to stay two steps ahead of cyber criminals.
Social engineering attacks typically involve some form of psychological manipulation, fooling otherwise unsuspecting users or employees into handing over confidential or sensitive data. Commonly, social engineering involves email or other communication that invokes urgency, fear, or similar emotions in the victim, leading the victim to promptly reveal sensitive information, click a malicious link, or open a malicious file. Because social engineering involves a human element, preventing these attacks can be tricky for enterprises.
We wanted to educate companies, employees, and end users on how to better recognize social engineering efforts and prevent these attacks from succeeding. To uncover some of the most common social engineering attacks being used against modern enterprises and get tips on how to avoid them, we asked a panel of data security experts and business leaders to answer the following question:
"What are the common social engineering attacks made on companies, and how can they be prevented?"
See what our experts had to say below:
MEET OUR PANEL OF DATA SECURITY EXPERTS:
STU SJOUWERMAN AND KEVIN MITNICK (@StuAllard)
Stu Sjouwerman (pronounced “shower-man”) is the founder and CEO of KnowBe4, LLC, which hosts the world’s most popular integrated Security Awareness Training and Simulated Phishing platform. A data security expert with more than 30 years in the IT industry, Sjouwerman was the co-founder of Inc. 500 company Sunbelt Software, a multiple award-winning anti-malware software company that was acquired in 2010. Realizing that the human element of security was being seriously neglected, Sjouwerman decided to help organizations manage the problem of cybercrime social engineering tactics through new school security awareness training. KnowBe4 services over 1,200 organizations in a variety of industries, including highly-regulated fields such as healthcare, finance, energy, government and insurance and is experiencing explosive yearly growth of 300%. Sjouwerman is the author of four books, with his latest being “Cyberheist: The Biggest Financial Threat Facing American Businesses.”
@KevinMitnick
Kevin Mitnick, ‘the World’s Most Famous Hacker’, is an internationally recognized computer security expert with extensive experience in exposing the vulnerabilities of complex operating systems and telecom devices. He gained notoriety as a highly skilled hacker who penetrated some of the most resilient computer systems ever developed. Today, Mitnick is renowned as an information security consultant and keynote speaker and has authored four books, including The New York Times best seller Ghost in the Wires. His latest endeavor is a collaboration with KnowBe4, LLC as its Chief Hacking Officer.
Social engineering techniques
What does social engineering look like in action? It could look like an email that has been designed to seem like it is from a credible organization, like your message service or FedEx or even your bank. But if you open it and click on that attachment, you could be installing malware or ransomware. Or, it could be disguised to look like it comes from someone inside your organization (like an unusual title such as IT@yourorganization – someone whom you trust). But if you respond to that email with your user name and password, your computer is easily compromised. The rule is Think Before You Click.
Social engineering attacks
The technical director of Symantec Security Response said that bad guys are generally not trying to exploit technical vulnerabilities in Windows. They are going after you instead. “You don’t need as many technical skills to find one person who might be willing, in a moment of weakness, to open up an attachment that contains malicious content.” Only about 3% of the malware they run into tries to exploit a technical flaw. The other 97% is trying to trick a user through some type of social engineering scheme, so in the end, it does not matter if your workstation is a PC or a Mac.
Phishing
The most common social engineering attacks come from phishing or spear phishing and can vary with current events, disasters, or tax season. Since about 91% of data breaches come from phishing, this has become one of the most exploited forms of social engineering.
Here are some of the worst:
A. Court Notice to Appear - Scammers are sending phishing emails claiming to come from a real law firm called 'Baker & McKenzie' stating you are scheduled to appear in court and should click a link to view a copy of the court notice. If you click on the link, you download and install malware.
B. IRS refund ransomware - Many of us waited till the last moment before the April 15th tax deadline and are now holding our collective breath in expectation of that possibly rewarding refund. The problem is that cybercriminals are very aware of this anticipation and use social engineering tactics to trick taxpayers. Knowing that many in America are waiting for word from the Internal Revenue Service concerning pending refunds, the cyber mafia is working hard to get in first with a massive phishing attack that has a ransomware attachment. The attachment is an infected Word file, which holds a ransomware payload and encrypts the files of the unlucky end-user who opens the attachment, and all connected network drives if there are any.
C. Researchers at Proofpoint recently discovered a phishing campaign that originated from select job postings on CareerBuilder. Taking advantage of the notification system the job portal uses, the attacker uploaded malicious attachments instead of résumés, which in turn forced CareerBuilder to act as a delivery vehicle for phishing emails.
The scam is both simple and complex. It's simple because the attacker used a known job site to target a pool of willing email recipients, and complex because the malware that was delivered was deployed in stages.
The attack starts by submitting a malicious Word document (named resume.doc or cv.doc) to a job posting. On CareerBuilder, when someone submits a document to a job listing, a notification email is generated for the person(s) who posted the job and the attachment is included.
D. Last June, the Durham, New Hampshire police department fell prey to ransomware when an employee clicked on a legitimate-looking email. Numerous other police departments have been hit including Swansea and Tewksbury, MA, Dickson County (Tennessee) Sheriff, and others. As of this time, the primary means of infection appears to be through phishing emails containing malicious attachments, phony FedEx and UPS tracking notices, and even through pop-up ads.
Here are a few social engineering scams executed via phishing:
Banking Link Scam: Hackers send you an email with a phony link to your bank, tricking you into entering in your bank ID and password.
A billion dollar heist covering 30 countries and nearly a billion dollars in lost funds, nicknamed Carbanak by security firm Kaspersky, was reported on extensively in Feb 2015.
In the Carbanak scam, spear phishing emails were sent to employees that infected work stations, and from there the hackers tunneled deeper into the banks’ systems until they controlled employee stations that would allow them to make cash transfers, operate ATMs remotely, change account information, and make administrative changes.
It was a pretty standard scheme: an email with a link that looked like it was coming from a colleague contained the malicious code, which spread from there like a digital rhinovirus. The hackers recorded everything that happened on the affected computers to learn how the organization did things. When they had mastered the system, they commandeered it for a series of transactions that included the ATM hits, but also a practice of artificially inflating bank balances and then siphoning off that amount, so a customer’s account balance might go from $1,000 to $10,000 and then $9,000 would go to the hacker.
Fax Notice Scam: It's a phony link to a phony fax. But it will do real damage to your PC. This is quite common, especially for firms who still use faxes heavily such as document management, title companies, insurance and other financial services companies.
Dropbox Link Scam: Have we got a surprise waiting for you in Dropbox.
A couple of variations of this were running in 2014. One was a fake Dropbox password reset phishing email that, when clicked, led users to a page saying their browser is out of date and they need to update it (with a “button” to the update). This would launch a Trojan in the Zeus family of malware.
Another was an email with Dropbox links that hosted malicious software like “CryptoWall” ransomware.
Court Secretary Complaint Link Scam: Here's a phony link confirming your complaint. Something tells us you'll be complaining about something else very soon.
A version of this has been in use for a while. See A. above.
Facebook Message Link Scam: Vin Diesel has just died. Find out that your PC will be pushing up the daisies with this link.
This one is commonly used when a celebrity dies. This was exploited with Robin Williams when he passed away with the Robin Williams goodbye video. A bogus Facebook phishing message appeared that invited users to click a link and see an exclusive video of Robin Williams saying goodbye through his cell phone. Of course there was no video, and the link led to a bogus BBC news page which tried to trick clickers into clicking on other links that led to scam online surveys.
Since we train others and actively create test phishing campaigns for our customers to use, my staff tried to social engineer me the other day, trying to catch me as a prank.
It was a 2-stage attack, trying to get me to reveal my credentials. They spoofed our Director of HR, and sent me the email below. This is an example of very high operational sophistication, typical of top-tier whaling attacks, those cases when an individual is subjected to spear phishing attempts because they hold valuable information or wield influence within an organization. They had done their homework and knew I was active on the SpiceWorks forum for IT admins.
[email protected]
10:45 AM (1 hour ago)
to: stus
Stu,
I noticed that a user named securitybull72 (claiming to be an employee) in a security forum posted some negative comments about the company in general (executive compensation mainly) and you in specific (overpaid and incompetent). He gave detailed instances on his disagreements, and doing so, may have unwittingly divulged confidential company information regarding pending transactions.
The post generated quite a few replies, most of them agreeing with negative statements. While I understand that the employee has the right to his opinion, perhaps he should have vented his frustrations through appropriate channels before making this post. The link to the post is located here (it is the second one in the thread):
www.spiceworks.com/forums/security/234664/2345466.
Could you please talk to him?
Thanks.
Nine out of ten would fall for something like this. The only thing that saved me was the fact that when I hovered over the link I saw that the domain was one I had created myself for simulated phishing attacks. But it was a close call! One more second and I would have been pwned.
The best prevention actions are:
1. Train users with an effective training program that routinely uses an integrated anti-phishing tool that keeps security top of mind for users and helps them recognize what a phishing email might look like.
2. Back up just in case and regularly test those backups to make sure they work.
PAUL KUBLER, CISSP, CCNA, SEC+, ACE@lifarsllc
Paul Kubler is a Cyber Security and Digital Forensics Examiner at LIFARS LLC, an international cybersecurity and digital forensics firm. He’s a former employee at Boeing, in the Global Network Architecture division, the nation’s largest private cyberattack target. He previously worked at the Flushing Bank, in Network and Systems Infrastructure, protecting valuable financial data at various levels within the network and system. Paul has also performed forensic investigations into mobile devices aiding in the prosecution of criminals.
With several years of experience in cybersecurity and digital forensics, he conducted a wide range of investigations, including data breached through computer intrusions, theft of intellectual property, and computer hacking. He has worked on hardening the systems and deploying protection over an international organization. He has also created business networks with a defense in depth strategy and implemented firewalls on these networks.
Some of the more common forms of social engineering (and how to prevent them) include...
PHISHING
Phishing has become a big player in malware attacks in the last few years and this type of social engineering has proven hard to overcome. Attackers usually send well-crafted emails with seemingly legitimate attachments that carry a malicious payload. These aren’t the typical “Nigerian Prince” scammers, but rather sophisticated hacking groups with sufficient time and funding who launch these exploits. They usually hide behind a Tor network or the like and become hard to find, especially when they are backed by organized crime who use this as a source of income.
RANSOMWARE
In recent years, we’ve seen a dramatic increase in the use of ransomware being delivered alongside phishing emails. They usually send an attachment such as “URGENT ACCOUNT INFO” with a file extension of “.PDF.zip” or “.PDF.rar,” which slips by the unsuspecting victim and delivers the payload. This attack often encrypts the entire hard disk, or the documents, and requires a bitcoin payment to unlock. Luckily, these groups actually do unlock the data - this way future victims are more likely to pay.
What can you do to minimize the chances of yourself, as an individual, falling victim to these dirty schemes? Here are a few steps you can take:
DOUG FODEMAN@dailyscams
Doug Fodeman is the content director and co-owner of The Daily Scam, a web site devoted to helping individuals, companies, and organizations increase their understanding and awareness of internet-based threats, scams, and fraudulent practices in order to significantly decrease their risks and associated lost productivity.
When it comes to social engineering attacks, companies should understand...
Social engineering attacks that target companies or individuals are most easily and successfully launched through email. Everyone depends on email for communication, even more than social media which might be monitored by just one or a few company staff. Email is also a tool used daily by older members of the workforce. Also, email can direct a threat to everyone in an organization, including the CEO and CFO. But malicious emails require two triggers to be effective. The first is a cleverly worded subject line that will engage the recipient's curiosity and engineer them to open the email.
Some of the most effective subject lines are often innocent and simple like these recent ones I saw targeting an organization in just the last two weeks:
CURTIS PETERSON@SmartFile
Curtis Peterson is the Digital Marketing Manager for SmartFile. Peterson is responsible for strategy and execution of SmartFile's content, email, search, and social strategies. SmartFile provides IT administrators with time-saving file and user management tools that enable non-IT employees to access and share files securely. Scalable cloud or on-premise storage is available for any size business that regularly sends, receives, and archives files.
In terms of identifying and preventing social engineering attacks...
Obviously, Edward Snowden was the poster boy for social engineering attacks. He either befriended folks or asked for their passwords and logins by telling them they were needed for his computer systems administrator role. Pretext, or creating a fake persona or using one's role in an improper way, is pretty popular for social engineering attacks.
The bottom line is 63% of data breaches come from internal sources, either control, errors, or fraud. In 2013, $143 billion came from data theft (both stats can be found on isyourdatasafe.com).
Social engineering is hard to prevent. That's the tough part. A lot of prevention comes from IT compliance best practices. But still, even in the case of Edward Snowden, how can you tell something bad is happening when it appears to be a user with clearance? We'd recommend diligent monitoring and analytics to try to understand when this is happening. For instance, if you have a number of highly sensitive files, you should track when those are downloaded/shared. An IT administrator should also receive instant notifications when these actions are taken on sensitive files. Finally, there should be logs that are analyzed regularly to understand abnormal usage behaviors. For instance, if the file is downloaded after hours, it should be a red flag. Or if multiple sensitive files from the same user are downloaded, that should be identified and looked into.
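The two red flags Peterson describes (a sensitive file downloaded after hours, and one user pulling several sensitive files in a short window) as detection logic run over constructed file-access log lines. This is an added example, not SmartFile's product or code; the log format, the "sensitive" path prefixes, the business hours and the burst threshold are all assumptions.

```python
"""Alerting over file-access logs for after-hours downloads of sensitive files
and for one user downloading several sensitive files within a short window.
The log lines, path prefixes, hours and thresholds below are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

SENSITIVE_PREFIXES = ("/finance/", "/hr/", "/legal/")   # assumed sensitive shares
BUSINESS_HOURS = (8, 18)            # 08:00-17:59, Monday to Friday (assumption)
BURST_WINDOW = timedelta(minutes=10)
BURST_THRESHOLD = 3                 # distinct sensitive files within the window

# Constructed sample log: "<ISO timestamp> <user> <action> <path>"
SAMPLE_LOG = """\
2015-06-02T09:15:00 bob download /finance/q2-forecast.xlsx
2015-06-02T21:40:12 alice download /finance/board-deck.pptx
2015-06-03T10:01:00 carol download /finance/payroll.csv
2015-06-03T10:03:30 carol download /hr/salaries.xlsx
2015-06-03T10:05:10 carol download /legal/merger-nda.pdf
2015-06-03T10:06:00 carol download /public/holiday-schedule.pdf
2015-06-06T11:00:00 dave share /hr/org-chart.xlsx
"""


def parse_line(line):
    """Split one log line into (timestamp, user, action, path)."""
    ts, user, action, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), user, action, path


def is_sensitive(path):
    return path.startswith(SENSITIVE_PREFIXES)


def after_hours(ts):
    """True on weekends or outside the configured business hours."""
    weekend = ts.weekday() >= 5
    return weekend or not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1])


def analyze(log_text):
    """Return a list of alerts: ("after_hours", user, path) for each sensitive
    access outside business hours, and ("burst", user, files) when a user touches
    BURST_THRESHOLD or more distinct sensitive files within BURST_WINDOW."""
    alerts = []
    per_user = defaultdict(list)      # user -> [(timestamp, path)] for sensitive events
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, action, path = parse_line(line)
        if not is_sensitive(path):
            continue                  # public material never alerts
        if after_hours(ts):
            alerts.append(("after_hours", user, path))
        per_user[user].append((ts, path))
    for user, events in per_user.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # every sensitive file this user touched within the window starting here
            window = [p for t, p in events[i:] if t - start <= BURST_WINDOW]
            if len(set(window)) >= BURST_THRESHOLD:
                alerts.append(("burst", user, tuple(sorted(set(window)))))
                break                 # one burst alert per user is enough
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

On the sample log this raises three alerts: alice and dave for after-hours access (dave's is a weekend), and carol for three distinct sensitive files in under five minutes; bob's business-hours download and carol's public file are silent.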
JEREMY SCHOENEMAN
Jeremy Schoeneman is an information security specialist with a focus on social engineering. He has worked at SecureState for over one year, and conducts social engineering engagements as part of client penetration tests on a regular basis.
The most common social engineering techniques used today include...
Today, there are many ways an attacker will try and compromise a corporate network, but in the end, the individual is at the highest risk from an attack. Attackers will take whatever means necessary to break into a network and steal information, and the most popular, and most successful, is by way of social engineering. Social engineering is responsible for many of the recent major attacks, from Sony to The White House. There are essentially two very popular types of attacks: phishing and vishing (voice phishing).
Phishing attacks are the most prevalent way of obtaining information or access into a network. An individual will open a seemingly harmless email, either click a link that leads to a malicious site or download an attachment which contains malicious code, and compromise a system. Phishing has been increasingly successful because the attackers are creating more legitimate looking emails and the attacks are more sophisticated. Thanks to the prevalence of social media, an attacker can look up everything they need to know about a person and their interests, craft an email specially tailored to that person, and email something directly to them, which increases the chances of that person clicking.
Vishing is essentially phishing over the phone. An attacker will call someone, such as an IT help desk, and with a little bit of information about a person (such as a name and date of birth) either get login credentials or more information about the individual, such as a social security number.
Protecting a company from these attacks starts with education. Teaching people what to look for when getting an email or receiving a phone call from someone asking for information or to click on something is what's going to lessen the likelihood of a successful attack. Actually looking at the from address, hovering over links and verifying the URL, and never downloading attachments unless you absolutely know where the email comes from will drastically decrease the likelihood of a successful attack against a company. When an individual receives a phone call asking for information, it's important to establish the identity of the person without giving hints. Remember: people's information is easily found on the internet. Asking good security questions on the IT help desk level is a great way to help guard against these attacks. Something like: What high school did you go to, or what was the make of your first car, is a thousand times better than your birthday.
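The checks Schoeneman recommends here (look at the real address behind a link, and be wary of attachments), which are also what saved Sjouwerman when hovering exposed the link's true domain and what Kubler's ".PDF.zip" attachment relies on, as a small email triage script. This is an added example, not code from any of the contributors; the HTML body, attachment names and trusted-domain list are constructed, and the two-label domain comparison is a simplification.

```python
"""Triage an HTML email: compare each link's visible text with the host the
link really points to (what hovering reveals), flag links to untrusted hosts,
and flag attachments that hide an archive behind a document extension.
The sample email, attachment names and trusted domains are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx"}
ARCHIVE_EXTS = {"zip", "rar", "7z", "iso", "exe", "scr", "js"}

# Constructed sample modelled on the spoofed HR email quoted above: the link
# text looks like a forum URL, but the href goes somewhere else entirely.
SAMPLE_HTML = """
<p>The link to the post is located here (it is the second one in the thread):</p>
<a href="http://spiceworks.phish-test.example/forums/123">www.spiceworks.com/forums/security/234664/2345466</a>
<p>Our <a href="https://www.spiceworks.com/help">help center</a> has more.</p>
<a href="https://login.example.net/reset">Reset your password</a>
"""
SAMPLE_ATTACHMENTS = ["URGENT ACCOUNT INFO.PDF.zip", "report.pdf", "notes.rar"]
TRUSTED_DOMAINS = {"spiceworks.com"}


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased host of a URL; bare 'www.example.com/x' text gets a scheme first."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def base_domain(host):
    """Last two labels only: a crude comparison that suffices for these .com cases."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def check_links(html_body, trusted_domains):
    """Flag links whose displayed domain differs from their real host, and links
    whose real host is not on the trusted list."""
    findings = []
    collector = _AnchorCollector()
    collector.feed(html_body)
    for href, text in collector.anchors:
        real = host_of(href)
        # only treat the visible text as a URL if it contains something like a.b
        shown = host_of(text) if re.search(r"\w\.\w", text) else ""
        if shown and base_domain(shown) != base_domain(real):
            findings.append(f"link text shows {shown} but points to {real}")
        elif base_domain(real) not in trusted_domains:
            findings.append(f"link points to untrusted host {real}")
    return findings


def check_attachments(names):
    """Flag names such as 'X.PDF.zip' where a document extension precedes an archive one."""
    findings = []
    for name in names:
        exts = [e.lower() for e in name.split(".")[1:]]
        if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and exts[-1] in ARCHIVE_EXTS:
            findings.append(f"attachment {name!r} looks like a document but is a .{exts[-1]}")
    return findings


if __name__ == "__main__":
    for f in check_links(SAMPLE_HTML, TRUSTED_DOMAINS) + check_attachments(SAMPLE_ATTACHMENTS):
        print(f)
```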
PIERLUIGI PAGANINI@InfosecEdu
Pierluigi Paganini is a Security Researcher for the InfoSec Institute and has over 20 years experience in the field.
Here are a few basic rules to protect users' digital identities from social engineering attacks...
KEITH CASEY@CaseySoftware
Keith Casey currently serves as Director of Product for Clarify.io working to make APIs easier, more consistent, and help solve real world problems. Previously, as a developer evangelist at Twilio, he worked to get good technology into the hands of good people to do great things. In his spare time, he works to build and support the Austin technology community, blogs occasionally at CaseySoftware.com and is completely fascinated by monkeys. Keith is also a co-author of “A Practical Approach to API Design” from Leanpub.
The most common social engineering attacks by far come in the form of...
"I just need." Basically, someone calls the company claiming to represent the phone company, internet provider, etc., and starts asking questions. They claim to have a simple problem or know about a problem that can be fixed quickly but they just need one little thing. It could be as innocuous as asking for a username or someone's schedule or as blatant as asking for a password. Once the attacker has this information, they call someone else in the company and use the new information to refine their attack. Lather, rinse, repeat.
After a few calls, they can often pass themselves off as an employee — often the assistant of someone significant — and ask for access or more detailed information right now. The unsuspecting employee doesn't want to annoy the significant person, so they answer and help before they've had a chance to think. At this point, it's almost trivial to get access to email accounts, phone records, travel itineraries, etc.
The only solution to this is to never trust someone that calls you. Instead of immediately giving the requested information, get the person's phone number from the company directory, and offer to call them back at that number. An honest person may be annoyed but it will work. An attacker will give up and try someone else. Also, never ask the person for their phone number, go to a known safe source — like the company directory — to get the information.
The same applies to your credit card company. Never give sensitive information to someone who calls you. Use the phone number on your card and call them back.
JOE FERRARA@WombatSecurity
Joe Ferrara is President and CEO of Wombat Security Technologies. Joining Wombat in 2011, Joe brings 20 years of experience in technology marketing, operations and management to his role as President and CEO. Recently Joe was a finalist for EY Entrepreneur Of The Year Western Pennsylvania and West Virginia and received a CEO of the Year award from CEO World. Joe has provided expert commentary and has spoken at numerous information security industry events including RSA Europe, the CISO Executive Network forum, ISSA International, and information security regional conferences.
My advice for companies related to the increasing prevalence of social engineering attacks is...
Commonly defined as the art of exploiting human psychology to gain access to buildings, systems, or data, social engineering is evolving so rapidly that technology solutions, security policies, and operational procedures alone cannot protect critical resources. A recent Check Point sponsored survey revealed that 43 percent of the IT professionals surveyed said they had been targeted by social engineering schemes. The survey also found that new employees are the most susceptible to attacks, with 60 percent citing recent hires as being at high risk for social engineering.
Companies should:
Companies should use a combined approach of simulated social engineering attacks coupled with interactive training modules to deliver the best result. Incorporating continuous training methodology can be the difference between a five-alarm data breach and a quiet night at the office.
SANJAY RAMNATH@Barracuda
Sanjay Ramnath is a Senior Director of Product Management for Barracuda, the go-to provider of powerful, easy-to-use, affordable IT solutions for security and storage.
When it comes to social engineering, my advice for companies is...
Social media is a necessary evil. Companies need to recognize the value of these sites for business use and cannot just outright block these sites from the network.
There are, however, a few ways to help mitigate the risks while allowing social networks to be in use. When it comes to training, sure you can hold a class for new and older employees to show them the Do's and Don'ts to better protect themselves against threats; however, most of this is common knowledge and hard to really enforce.
BYOD has really put stress on network admins to protect the network from users' mobile devices.
Social media is a zero trust environment. Social networking is so simple to use that, often, people's guards are lowered. A friend you know well could send you a link to an album of a trip they recently took for you to click on to view or download. You, of course, seeing your friend's picture next to the link, or getting an email from their email address, click on it because you assume that it's safe, not knowing that they have been hacked and now the pictures you think you are downloading are actually downloading malware onto your computer.
Companies need to consider securing all threat vectors and putting in place dedicated solutions to address every need. In a case like social engineering where victims are subject to spear phishing attacks, phishing attacks, malicious emails, and compromised sites, it is good to have a spam firewall and web filter in place to mitigate those threats before they even reach the network.
Having a secure web browser or mobile device management solution to address BYOD both on and off the company network is something they should also consider to protect company and employee information.
ALEX MARKOWITZ@ChelseaTech
Alex Markowitz is a Systems Engineer for Chelsea Technologies, a managed IT services firm that provides design, implementation, hosting, and support services to the global financial industry. Alex has over 10 years of IT experience in the financial sector.
My top suggestion for companies in preventing social engineering attacks is...
The Power of No.
Google the top social engineering attacks. What do you get? Stories about Trojan Horses, phishing attacks, malware injections, redirects, spam, and people giving up way too much personal information on public websites. The surface area for social engineering attacks is as big as all the employees and users in your corporation. The best social engineering attack will involve nothing but an unnoticed slip or mistake from one user. I am going to address the very specific aspect of internal security and leave you with the following: the most important protection you need in your company is the ability to say, "No."
Knowing the history of these attacks is useful, but overall, it is not going to protect you. The attackers are always ahead of those of us who are defending our information. A social engineer will always find a new way to do what they do. Someone who wants to target your company is considered an unending well of creativity, and must be treated as such. Keep in mind, technology always changes, but the humans utilizing that technology do not change. You can protect yourself with all the technology you want, but just one human mistake can blow your company's doors wide open. Humans are the attack surface on which a social engineer strikes.
Therefore, the problem we have as IT Professionals is keeping age-old human flaws from causing a technological attack. The following is an omnipresent human flaw that I would like to specifically address: I have worked at many financial institutions. At every institution, there is always a slew of executives, managers and the like that want to be treated special. They want access to the network on their personal laptop. They want access to the network on their iPad, but also let their kids play with that iPad. They want access when and where they should not have it, and they are in powerful positions that make them very difficult to reason with.
They want things that will make their professional lives even easier than we, in IT, struggle to make it. Unfortunately, in IT, we are in the habit of saying, "Yes." I have seen directors and CTOs create special exceptions for other high-ranking users to garner favors and popularity, but also because they are scared for their own position. This is lazy; this is arrogant; this is stupid, but this is most of all, human. We human beings are the system attacked by social engineering, and then we leave ourselves open by falling prey to our insecurities, giving an attacker an invitation to storm our gates. All IT needs to learn how to say is "No," and IT management needs to be strong and stubborn for the good of a company. One of the best ways to protect your company from social engineers is to learn how to say, "No." Keep politics and climbing the office ladder out of IT security.
I know I am addressing a very specific aspect of IT, but one of the best ways to shrink your attack surface is to learn how to say, "No." It takes strong leadership and determination from IT management to keep our protection streamlined. Only after our protection is streamlined can we accurately educate our users and create a secure infrastructure. Every individual exception opens a Pandora's Box for social engineers to find (or even just stumble upon) and exploit.
ROBERT HARROW@robert_harrow
Robert Harrow is a research analyst for ValuePenguin.com, where he covers various personal finance verticals, including credit cards, home insurance, and health insurance. His interest in security comes mainly from studying credit card and health insurance data breaches.
The biggest social engineering threat to companies today is...
Phishing scams are the biggest threat, and the most common means of social engineering. According to the most recent report by EMC, there has been $5.9 billion in losses due to phishing scams in 2013 alone — this from close to 450,000 attacks.
Spam filters can be useful in helping employees avoid exposure to these attacks. However, these fail in what is referred to as spear phishing. These attacks are less frequent, but more targeted to specific high value individuals — likely CEOs, CFOs, and other people with high-level access in their company. These attacks are generally not picked up by spam filters and are much harder to detect.
Educating employees about the dangers of phishing and being careful about all e-mails they receive is crucial.
STEVEN J.J. WEISMAN, ESQ.@Scamicide
Steven J.J. Weisman, Esq. is a lawyer, college professor at Bentley University where he teaches White Collar Crime, and one of the country's leading experts in scams, identity theft, and cybercrime. Weisman writes the blog Scamicide.com, where he provides daily updated information on the latest scams and identity theft schemes.
When it comes to social engineering attacks and how companies can prevent them, I advise...
Major data breaches and hacking of major companies such as Target, Sony, or even the State Department generally have one thing in common, and that is that despite the sophistication of the malware used to gather information, that malware has to be downloaded into the computers of the targeted company or agency and that is done, most often, through social engineering tactics that trick employees into clicking on links or downloading attachments that unwittingly download the malware.
So how do they convince employees to click on the links and download the attachments?
So what can be done to stop them?
Train employees on my motto, "Trust me, you can't trust anyone." No one should ever provide personal information to anyone in response to a request until they have verified that the request is legitimate. No one should ever click on any link without confirming that it is legitimate.
Train employees to be skeptical and what to be on the lookout for in regard to common phishing and spear phishing schemes.
Install and maintain the latest and constantly updated anti-virus and anti-malware software with the understanding that the latest updates are always at least a month behind the hackers.
Limit employees' information access to only that information that they have a need to have access to.
Use dual factor authentication along with strong passwords that are regularly changed.
AURELIAN NEAGU@HeimdalSecurity
A technical writer with 6 years' experience in the cyber security field at Bitdefender & Heimdal Security, Aurelian Neagu tries to discover and understand how technology changes human relationships in a society and modifies social perception of the world.
Social engineering attacks on companies...
Can come from both within and outside the organization.
Social engineering carried out by malicious insiders
According to PwC’s 18th Annual Global CEO Survey 2015, 21% of current or former employees use social engineering to gain financial advantage, for revenge, out of curiosity or for fun.
Social engineering methods used inside the organization can include:
Another example of a spear phishing attack targeted Danish architecture firms in March 2015.
How can social engineering attacks be prevented?
SHOBHA MALLARAPU@anvayasolutions
Shobha Mallarapu is the President and CEO of Anvaya Solutions, Inc., a cyber security company. She has been featured in Business Journal articles on security and has taught hundreds of businesses on cyber security. Anvaya Solutions, Inc. has trained thousands of employees on security awareness in various organizations.
The common social engineering attacks on companies include...
1. Phishing: This is one of the most common attacks that entices employees to divulge information. An email impersonates a company or a government organization to extract the login and password of the user for a sensitive account within the company, or hijacks a known email and sends links which, once clicked, will embed malware or a Trojan on the computer of the user. Hackers then take the reins from there.
Similar attacks by phone, with the caller claiming to be a trusted source or an authorized organization, also can lead to employees revealing information that may be detrimental to the bottom line of the company or its reputation.
2. Information Sharing: Sharing too much information on social media can enable attackers to guess passwords or extract a company's confidential information through posts by employees. Security Awareness is the key to prevent such incidents. Developing policies, training employees, and implementing measures, such as warnings or other disciplinary actions for repeat or serious incidents, will mitigate the risk of social engineering attacks.
If you are not expecting an email, type the link address instead of clicking on it. Or, call a person to confirm that the email came from them. The same principles apply to phone phishing attacks. Tell them you will call back and get their number. Make sure that number belongs to a valid organization by using the phone lookup before calling them.
ELVIS MORELAND
Elvis Moreland, CISSP-ISSEP, CGEIT, CISM, NSA IEM-IAM, CNSS 4012-4015-4016, is a Computerworld Magazine Premier 100 IT Leader and Chief Information Security Officer (CISO).
One of the most common social engineering attacks today is...
A Spear Phishing attack. This is an email that delivers malicious content via a web-link or attachment in an email.
Countermeasure(s):
1. Never open links or attachments from unknown sources. If in doubt, report it!
2. If the email seems to be from a normal source, ask yourself "Why would they want me to open this link or attachment? Is that normal behavior?" If not, report it!
3. When in doubt, double check the source, content, and/or ask for help from your IT security or cybersecurity department.
4. In a corporate setting, your business should be protected by using one of various, if not several combined, network security architectural appliances or countermeasures such as an SMTP Gateway with scanning and/or some filtering mechanism to help you tag or remove questionable email campaigns and content.
5. Never solely rely on just anti-virus or firewalls to protect you from these types of advanced attacks. They arrive bearing variants of malicious content that cannot be detected by blacklists or signature-based countermeasures (AV or firewalls) alone, because they just can't keep up.
GREG MANCUSI-UNGARO@BrandProtect
Greg Mancusi-Ungaro is responsible for developing and executing the BrandProtect market, marketing, and go to market strategy. A passionate evangelist for emerging technologies, business practices, and customer-centricity, Greg has been leading and advising world-class marketing initiatives, teams and organizations for more than twenty-five years. Prior to joining BrandProtect, Greg served in marketing leadership roles at ActiveRisk, Savi Technologies, Sepaton, Deltek, Novell, and Ximian, building breakthrough products and accelerating business growth. He is a co-founder of the openSUSE project, one of the world's leading open source initiatives.
Common quick cash-grab social engineering schemes usually involve...
Variations of the stranded traveler scam. In this type of scam, a social engineer sends their target an email that appears to be originating from a trusted colleague's personal email account. After a quick explanation of why they can't use the company email system, such as a lost/broken computer, VPN connection issues, or forgotten Outlook Web access domain, they claim that they are stranded in a far off place and need money wired to them. As this social engineer has access to your email, he or she knows who your colleagues are and can create a pretty convincing story.
Another common class of social engineering attacks occurs outside of the business environment, on social networks and other social media sites. There, social engineers will copy profiles, substitute headshots and literally steal an entire online identity, which they can then use to friend others at your firm or at other establishments, parlaying the stolen identity into a series of seemingly legitimate online friendships. From that moment forward, it's only a matter of time before the next social engineering ask is made.
Far more serious, however, are the social engineering schemes where the friend request involves using the company network. For example, a colleague emails you late at night and claims to have forgotten the VPN access code — this is a suspicious email to receive, and likely a social engineering attack. As a second example — and an even more sophisticated approach: Imagine a social network friend sending you an email with a cover letter and resume attached, requesting that you forward it to your hiring manager. The email might have the name of the hiring manager or the name of an open position, but in either case, it's a very effective approach. Meanwhile, behind the scenes, the social engineer is hoping you'll click on either document, unknowingly installing malware on your computer and infiltrating your company network.
Once a social engineer gains a trusted identity, or is accepted within a trusted circle of colleagues, they will leverage that trust to gain access to other people, networks, IPs, or corporate assets. Social engineers usually have their eyes on something bigger than their unsuspecting targets; the innocent victims are just a convenient and easy way for the cybercriminals to get to a bigger prize.
So, how do you prevent social engineers from succeeding?
As a company, the easiest way is to diligently monitor for unauthorized emails that use your brand, and validate that the social domain profiles that carry your brand are owned by individuals who have the right to do so. For instance, recently, a BrandProtect client discovered that more than half of their branded online agents were actually not authorized agents. Some of that activity was innocent — some former agents forgetting to remove a logo — but some of it was masquerading and identity theft!
As an individual, the simplest way to reduce social engineering exposure is to always be sure of who you are communicating with. If there is the least bit of doubt, explain that you can't assist with the incoming request. If they claim that they are your friend, there are additional ways to gently validate someone's identity. For instance, they can call you on your cell phone or email your personal account instead. After all, if they are who they claim to be, they will easily be able to reach you via other forms of communication.
Much of the personal defense against social engineering may seem to be common sense, but companies should invest in employee education about these and other online risks. By simply raising awareness of these dangers attacks, significant amounts of corporate risk will be mitigated.
DAVID HOWARD
David Howard has been a Certified Ethical Hacker since 2009, and has worked in the security segment of IT since. Recently, David has founded PPL HACK, a Cincinnati based company that offers free seminars across the country including live hacking demonstrations to help small and medium sized businesses educate their staff to become better equipped to protect company data.
The most common types of social engineering attacks are...
As a Certified Ethical Hacker and founder of PPL HACK, I have done numerous intrusion attempts, and social engineering attacks are both the most fun and the most common vectors of attack on a company's data. Phishing email, by far, is the number one method, where a company is flooded with email that looks legitimate, but gets you to click a link, open a file, or install a program that has nefarious intent. You'll also find cloned and faked websites meant to steal your login or financial information for later use. In some cases, your computer is attacked just because it can be used as a bot in a larger network that can do many things. Botnets to attack sites are common, but what is becoming even more common is hijacking your computer's power to work in a larger network mining Bitcoin and other Alt-Coins for the financial gain of others.
Another of the more common attacks is a wireless man in the middle. That is where a wireless access point that is under the control of a hacker is placed within your environment so that all of your login and data traffic is funneled through a control point that can be logged and accessed. Using public/open WiFi at hotels, coffee houses, etc. also puts your data in a precarious situation. How to stop these attacks is an ongoing question, but there are steps you can use to mitigate them. Don't use the same passwords over and over again. Use pass phrases such as I W3nt to h@wa11 4 phun instead of words that can be guessed with dictionary attacks. VPNs, and not the free ones that are often a scam of their own, should be used on any wireless device used on a network outside of your control. When using a VPN properly, the data between you and the websites you visit is encrypted from prying eyes.
OREN KEDEM@BioCatch
Oren Kedem brings over 15 years of experience in product management in the areas of Web Fraud Detection and Enterprise Security. Prior to BioCatch, Oren served as Director of Product Marketing at Trusteer (now part of IBM) and led the Anti-fraud e-commerce solution at RSA (now part of EMC). Oren also served in various product marketing and management positions at BMC covering the Identity and Access Management and Systems Management solutions. Oren holds an MBA and a BSc in Industrial Engineering from the Israeli Institute of Technology (Technion).
The most common attacks on organizations are...
Referred to as Advanced Persistent Threats (APT). These attacks have two main phases: Reconnaissance and Attack. Social engineering plays a role in both. In the Attack Phase, detailed organizational, business, and internal process data is used to convince employees to perform an action aimed at exfiltrating sensitive documents, or performing an action (e.g. approve a transaction in an internal system).
Attacks use simple communication vehicles such as phone calls and email messages that seem to come from a trusted source — for example a call from the bank or an email from a customer or partner. During this communication, employees are asked to perform actions that are within the norm of business life (e.g., "can you please approve this transaction?", "can you please send me the contract for signing?").
These attacks are highly effective if the criminal has done his homework and has all the relevant information. Where do criminals get the information in the first place? Well...this is where the Reconnaissance Phase comes into play. At this phase, which may take anywhere from several months to a year (hence the Persistent in APT) the criminal typically infects a few organizational computers with spyware and patiently sifts information and access credentials.
Social engineering is used to convince employees to install malicious software or open a webpage or document embedded with harmful exploit code (i.e., code that knows how to install software automatically). In one infamous case — the RSA breach — an HR admin opened an Excel sheet that was attached to an email (supposedly with HR-related stats) and infected her computer with malware. A few months later, code was stolen from RSA and, later, that code was used to attack Lockheed Martin in combination with other social engineering phone calls and emails.
So what can organizations do?
Educate employees to follow a few simple rules:
Rule #1: NEVER respond to unsolicited communications (email/phone) without verifying the identity of the person on the other side. The simple way to verify is to tell the person you will call them back on a verified phone.
Rule #2: NEVER open an attachment or access a site from an untrusted/unvalidated source. Many organizations have set up departmental "unsafe" computers for access to any document or site (either physical or as a remote VM). These computers are wiped frequently and should never store sensitive data.
Rule #3: Change passwords and access frequently (every few months) and sporadically (do not have predictability on when passwords change, so as not to help fraudsters plan ahead).
Rule #4: Education, Education, Education. Share 'war stories' and industry experience with employees. They can't be cautious if they are not aware of the threats.
ROBERTO RODRIGUEZ@HumanFirewalls
Roberto A. Rodriguez is the Head HumanFirewall at HumanFirewalls LLC. HumanFirewalls is an organization located in Delaware that prides itself on offering top-of-the-line Security Services such as Security Awareness, Threat Intelligence, Network Security Monitoring, Compliance Management, Vulnerability Management, and Integrity Controls. HumanFirewalls understands that small/midsized companies rarely have the in-house expertise, the time, or the budget to implement the right security controls that could protect their organizations from threats that are now capable of avoiding detection and bypassing traditional security controls.
The most common social engineering attacks made on companies are...
Phishing & Spear Phishing
A Phishing email is a crafted email that pretends to be from a known trusted source and that could trick the user into downloading an attachment, clicking on a malicious link, or simply cooperating to provide sensitive information such as passwords. These emails, for example, can be sent to an entire organization without targeting specific people in the company. Spear Phishing emails, on the other hand, are emails that are crafted specifically for a few people in an organization who could have valuable information for an attacker.
Phishing, in general, has been used a lot for the past couple of years by cyber criminals to break into an organization. Ranked #3 on the Verizon Report in 2014, it was made clear that cyber criminals are focusing more on the human factor instead of the technology in place. This is because it is not expensive to craft a phishing email. There are open source tools such as SET (Social Engineering Toolkit) that could help an attacker to circumvent high-end technology. Spam filters are great, but they end up being a fundamental layer of security to an organization if the attacker knows how to trick the user into cooperating without making him or her click on a link. One perfect example would be receiving an email from your bank asking you to call a number provided in the email to change your ATM PIN. The cyber criminal provides a number where he is waiting to forward the communication to the real bank, while mirroring/capturing/sniffing the traffic or conversation, because the user trusted the number in the email.
How to prevent it?
Companies must approach security with proactive security controls addressing the human factor. Security Awareness Training programs are really helpful to reduce the risk of getting compromised and increase the level of awareness in the organization.
Vishing (Voice and Phishing)
This social-based attack tricks the user over the phone into revealing sensitive information regarding the organization. This one is very common in customer service departments, where they try to satisfy the customer over the phone and end up providing information that could be used to break into the network. Information varies and could include names of possible targets, hours of operation, financial or personal information, and even password resets.
How to prevent it?
Extensive Security Awareness Training to ensure the user understands what type of information they are allowed to reveal. Also, different technologies in place, such as NAC solutions, that limit the access to data that cannot be shared without authorization.
Tailgating or Piggybacking
This is a social-based attack that involves an attacker without authorized access and an employee with a low level of awareness. The way it works is by having the unaware user cooperate and provide the unauthorized person access to a restricted area. This is common in many organizations, because there are always people such as delivery guys from different institutions dropping off packages and interacting with unaware users, creating a level of comfort and making it a routine. Once again, technology such as swiping cards to get into elevators or open doors in big organizations does not always work, and this is because all it takes is, "I forgot my badge, and I am late for a meeting. Would you mind?" to trick the user and gain access.
How to prevent it?
Once again, Security Awareness Training, where the user learns the different security policies put in place by the organization and is able to identify certain behaviors that might have put their organization at risk in the past.
JAYSON STREET@JaysonStreet
Jayson is an Infosec Ranger at Pwnie Express, a well known conference speaker, and author of the book “Dissecting the hack: The F0rb1dd3n Network.” Pwnie Express provides continuous visibility throughout the wired/wireless/RF spectrum, across all physical locations including remote sites and branch offices, detecting “known-bad,” unauthorized, vulnerable, and suspicious devices.
Here’s a look at some of the most common social engineering attacks...
A common solution to all lies in enhanced awareness and employee training. Companies need to include security practices as part of their job descriptions and properly train employees to think critically and react appropriately to suspicious activities. How to mitigate attacks:
1. Spearphishing: Contrary to popular belief, today’s spearphishing attacks are highly calculated and carefully crafted to be relevant and unalarming to the user. It’s not as easy as most people think to spot a spoof, so employees must be trained to question and validate unprompted links by calling the sender, sending a separate follow-up email or checking via services such as https://www.virustotal.com/.
2. The Rogue Technician: Under the guise of technicians or delivery people, stealthy social engineers walk right into organizations and can physically compromise the network. Employees should heed basic “stranger danger” trainings and ensure anyone who enters the building has an appointment or pre-established purpose.
3. Malicious Websites: Often, malicious websites are disguised as corporate or partner sites, and will prompt visitors to update Java/Adobe or install a specific plug-in. Users should always close the browser and open a new one to directly update Java or Adobe from their official sites. If users are prompted for a specific program or missing plug-in, they should close the browser and send an email to the website asking about the specific configuration issue.
PATRICIA TITUS@RUSecur
With over 20 years of security management in several vertical markets, Patricia Titus has been responsible for designing and implementing robust information security programs, ensuring the continued protection of sensitive corporate, customer and personal information in her various positions.
Most recently, Titus served as the Vice President and Chief Information Security Officer at Freddie Mac and played a strategic role in the protection and integrity of Freddie Mac's information assets while transforming the information security program including the identity and access management program. Titus is also a member of the Visual Privacy Advisory Council.
While several technical solutions are available to prevent social engineering attacks, the weakest link is often...
The human. Only through rigorous training, education, and testing can you achieve a successful defense to this growing problem.
Common digital social engineering techniques are ones that trick or con our employees to provide information that leads to information reconnaissance, gaining access to systems, or criminal behavior including fraud.
To prevent social engineering attacks, start by addressing people, process, and technology, and taking the following steps into consideration:
People
The technology selection is very diverse and specific to the data you need to protect from social engineering. It can involve the following technology programs or projects, but is not limited to these:
GREG SCOTT@DGregScott
Greg Scott is a veteran of the tumultuous IT industry. After working as a consultant at Digital Equipment Corporation, a large computer company in its day, Scott branched out on his own in 1994 and started Scott Consulting. A larger firm bought Scott Consulting in 1999, just as the dot-com bust devastated the IT Service industry. Scott went out on his own again in late 1999 and started Infrasupport Corporation, this time with a laser focus on infrastructure and security. He currently lives in the Minneapolis/St. Paul metro area with wife, daughter, and two grandchildren. He holds several IT industry certifications, including CISSP number 358671.
Far and away, the most common social engineering attacks I've seen are...
Phishing emails. I must get 200 or more of them every single day. Every time I participate in another tech support forum, somebody must sell my email address to a new spammer/phisher. The most common of these lately are emails claiming to come from Amazon asking me to open a .zip or .doc file with the latest update. I get several asking for a tracking number for goods I allegedly shipped. Sometimes demanding them — just click on this document for the invoice I supposedly sent. Sometimes the first names in the emails match first names of people I know, so they social engineer me into opening the emails. But not the attachments.
Old-fashioned phone calls are making a comeback. Some of the bad guys these days have IP phones with caller ID numbers in my area code, which entices me to answer when they call. I took one this morning from a lady with a thick accent. She wanted to send me the $100 gift card that I had requested last week from somebody. When I asked who the somebody was, she said she didn't know, that her company fulfills orders from many customers and she had no way to know which customer this was. I told her no thanks.
And then there's always the fake tech support phone calls.
How to defend against it? Nothing I can do about the emails that come in. Spam filtering gets rid of some of it, but there's no substitute for good human judgment and no automation will be 100 percent effective. Whenever I think the email might be legit, I check the email header to see if it came from where it claimed to come from. The absolute best defense against this is old-fashioned, human vigilance. The same holds true for phone schemes.
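The header check described above (does the mail come from where it claims?) can be automated by reading the Authentication-Results header that the receiving mail server records and testing whether the SPF/DKIM-authenticated domain aligns with the visible From: domain, DMARC-style. This is an added example, not code from any of the experts quoted; the two messages, domains and the mail-server name are constructed for illustration.

```python
"""Check whether a message's visible From: domain is backed by the SPF/DKIM
results the receiving mail server recorded (RFC 8601 Authentication-Results).

Added example for this page, not code from any quoted expert. Alignment is
DMARC-style "relaxed": the authenticated domain must equal the From: domain
or be a subdomain of it. All messages below are constructed samples.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample: the From: address looks like a known travel agency, but
# the envelope sender and DKIM signature belong to an unrelated relay domain.
SPOOFED_MSG = """\
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=mail-relay.example.net;
 dkim=pass header.d=mail-relay.example.net
From: "Accounts Payable" <ap@travel-agency.example.com>
To: victim@example.com
Subject: Updated invoice for your booking

Please see the attached invoice.
"""

# Constructed sample: the same sender, this time genuinely authenticated by a
# subdomain of the From: domain (bounce.) and a DKIM key for the domain itself.
LEGIT_MSG = """\
Return-Path: <bounce@bounce.travel-agency.example.com>
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=bounce.travel-agency.example.com;
 dkim=pass header.d=travel-agency.example.com
From: "Accounts Payable" <ap@travel-agency.example.com>
To: victim@example.com
Subject: Your itinerary

Your itinerary is attached.
"""


def _parse_method(auth_results, method, domain_key):
    """Return (result, domain) for one method ('spf'/'dkim'), or (None, None)."""
    m = re.search(rf"\b{method}=(\w+)", auth_results, re.IGNORECASE)
    if not m:
        return None, None
    clause = auth_results[m.start():].split(";", 1)[0]  # this method's clause
    d = re.search(rf"{re.escape(domain_key)}=([^\s;()]+)", clause, re.IGNORECASE)
    dom = d.group(1).lower() if d else None
    if dom and "@" in dom:            # smtp.mailfrom may be a full address
        dom = dom.rsplit("@", 1)[1]
    return m.group(1).lower(), dom


def from_domain(msg):
    """Domain of the visible From: header, lower-cased, or None."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None


def is_aligned(auth_dom, from_dom):
    """Relaxed alignment: identical, or the authenticated domain is a subdomain."""
    if not auth_dom or not from_dom:
        return False
    return auth_dom == from_dom or auth_dom.endswith("." + from_dom)


def check_alignment(raw_message):
    """Parse one raw message and report whether SPF or DKIM aligns with From:."""
    msg = message_from_string(raw_message, policy=policy.default)
    auth = str(msg.get("Authentication-Results", ""))
    fdom = from_domain(msg)
    spf_res, spf_dom = _parse_method(auth, "spf", "smtp.mailfrom")
    dkim_res, dkim_dom = _parse_method(auth, "dkim", "header.d")
    spf_ok = spf_res == "pass" and is_aligned(spf_dom, fdom)
    dkim_ok = dkim_res == "pass" and is_aligned(dkim_dom, fdom)
    return {
        "from_domain": fdom,
        "spf": (spf_res, spf_dom, spf_ok),
        "dkim": (dkim_res, dkim_dom, dkim_ok),
        # Either aligned mechanism is enough, as in DMARC evaluation.
        "verdict": "aligned" if (spf_ok or dkim_ok) else "unaligned",
    }


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED_MSG), ("legit", LEGIT_MSG)):
        print(name, check_alignment(raw))
```

A "pass" result alone is not enough: the spoofed sample passes both SPF and DKIM for the relay's own domain, and only the alignment check against the From: domain exposes it.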
ONDREJ KREHEL@lifarsllc
Ondrej Krehel, CISSP, CEH, CEI, EnCE, is the founder and principal of LIFARS LLC, an international cybersecurity and digital forensics firm. He's the former Chief Information Security Officer of Identity Theft 911, the nation's premier identity theft recovery and data breach management service. He previously conducted forensics investigations and managed the cyber security department at Stroz Friedberg and the Loews Corporation. With two decades of experience in computer security and digital forensics, he has launched investigations into a broad range of IT security matters, from hacker attacks to data breaches to intellectual property theft. His work has received attention from CNN, Reuters, The Wall Street Journal, and The New York Times, among many others.
Some of the common types of social engineering tactics include...
Phishing - a popular way of obtaining sensitive information and credentials from users by sending out mass emails that imitate the design and form of, for example, an email from a bank, car insurance provider, etc., in hopes of tricking users into giving up information. This information can later be used to open fraudulent credit cards or gain access to various online accounts.
Spear Phishing - a more sophisticated form of phishing. Attackers behind spear phishing campaigns typically know more information about the victims and target them specifically. For example, in the recent case of the LastPass breach, email addresses were stolen (along with other information). These will likely be abused, and the attackers will send out an email to the owners of those mailboxes that will resemble an official LastPass email recommending that users change their passwords, but when the users do so, they are in fact sending it to the cybercriminals. Similarly, spear phishing is one of the most effective ways to breach a network. Victims will usually receive a spoofed email from someone in the company with an important document, which will usually install malware or some type of Trojan that will be used to compromise their computer. This initial attack vector has proven itself extremely effective and is often used in high-level cyberespionage campaigns.
Another form of social engineering commonly exploited are phone calls. This can happen as a part of a larger scam or as a standalone scam.
Part of a larger scam:
Imagine an individual's bank account credentials get stolen by hackers. They are going to be unable to send money without entering a unique code that gets sent to the victim's phone. Scammers have been known to contact the victim before wiring the money out of the account and telling them a lie in order for the victim to share the unique code. They can say something such as: "Hi. We are seeing some suspicious activity on your account. In order to review the activity in question, we will need to verify that you are in fact the owner of the account. You'll be receiving a verification SMS shortly. Once you receive it, go ahead and read the code to me and we will proceed with the review." - This is highly effective.
As a standalone scam:
You get a call from a person claiming to be a Microsoft tech support employee charged with contacting you about an error they are receiving from your computer. In order to fix the error, he will ask you to install one small program that he uses to diagnose the issue. This program will typically be malware, often with a keylogger and a Remote Access Trojan that they can abuse to steal your banking credentials, along with anything else they please. They will often also ask you to pay for the service via a credit card — and, sadly, many people fall for it. These are just a few examples of how social engineering in the digital realm can be used to commit crimes and victimize innocent people.
AMICHAI SHULMAN@Imperva
Amichai Shulman is the co-founder and CTO of Imperva. Amichai oversees the company's security and compliance research group, the Application Defense Center (ADC). The ADC has been credited with discovering vulnerabilities in commercial Web application and database products including Oracle, IBM, and Microsoft. He was also InfoWorld's CTO of the year in 2006.
When it comes to social engineering attacks, companies should understand...
Social engineering is one of the most powerful tools used by attackers and is probably at the very root of every major breach. There are a lot of misconceptions about how social engineering is mostly used, but the reality is far less glamorous than the perception, and often occurs over email.
Most of the cybercrime activity stems from massive infection campaigns that rely on mass scale social engineering. When distributed in large enough numbers, these messages are bound to find their target victim population and become effective. With some careful distribution (e.g. choosing addresses like [email protected], [email protected]), these campaigns become even more effective with smaller distribution lists (which also makes it harder to detect them as spam).
Here are two very common email techniques that I have received in the past few weeks alone:
1. Match email to target audience
It's not uncommon to receive emails that seem perfectly normal and may be from a company you worked with previously, but are, in fact, infected. For example, I received an email from a law firm I had done business with. I noticed that the recipient list included every single contact in the lawyer's list, and was able to tell that this was done via automation tools. I'm sure that others on the list were fooled as they were likely waiting for information from this very lawyer and didn't suspect they were under attack. By making your emails look legitimate and relevant, many people wouldn't think twice about the email received.
2. Spoofing
I was recently sent an email from a travel agency that I had booked a trip with, and was sent a standard email from a separate account that was impersonating the sender's address. I would guess that the majority of people would fall prey to this attack, as the email looks like it came from a trusted address. In this case, attackers often get the information from their victim simply from a reply. What can we do?
While employee education is a necessity, infection is inevitable. Links will be clicked and attachments will be downloaded, opened, and executed because that is the job of the average employee. Organizations should focus on building a security suite that is fast in detecting a compromised machine or account, and then quickly and automatically apply a quarantine to whatever has been compromised, preventing further access to sensitive enterprise data.
KEN SIMPSON@ttul
Ken Simpson is Co-founder and CEO of MailChannels. Ken first experienced the excitement and magic of software when his father brought home one of the first IBM PCs in 1980, teaching him how to write simple programs in BASIC. Since then, he has combined his passion for software with entrepreneurism, founding or participating as an early-stage employee in four successful startups in a broad range of technical areas including Voice-over-IP, Wireless Internet, and of course anti-spam. Ken has a First Class Honors degree in Computer Engineering from Simon Fraser University and Santa Clara University. At the Messaging Anti-Abuse Working Group (MAAWG), Ken splits his time running the botnet and web abuse sub-committees, as well as assisting in the work of the outbound abuse sub-committee.
Social engineering is generally used to...
Widen an already existing breach of information. So for example, an attacker may have certain information about the employees within a company, and he uses that information to learn something new — for instance, a password to an internal system. There is a misconception that social engineering is a one-shot deal: a single faked call from the cable company, and suddenly millions of credit card numbers are stolen. Professional cybercriminals extract one piece at a time, slowly earning their way in deeper to the organization.
For example, RSA was famously hacked via social engineering to gain access to the SecurID infrastructure. The first step was to email two phishing messages to two groups of relatively low-level employees. The subject was "Recruiting 2011", and the messages contained Excel malware that executed a zero-day attack against the employees' machines. Despite the Excel file being junk-foldered, at least one employee fetched it from junk and opened it, executing the malware and compromising their machine. Prior to the phishing messages, it's presumed that the attacker used social media such as LinkedIn to map the company's targets by name, and that they guessed the email addresses using a familiar pattern such as [email protected]. Once the malware was installed, the attacker perused files on the target system and accessed internal RSA web sites to determine higher-value targets. With that information in hand, they moved toward the higher-value targets and eventually to the data they were seeking.
Generally speaking, the most common social engineering attack these days is a spear phishing attack. In spear phishing — such as the RSA case outlined above — the attacker targets very specific employees with a message that they are likely to interpret as being genuine. The spear phishing message either earns a response containing information that allows the attacker to probe deeper, or directly results in malware installation. Either way, the next step is to proceed farther into the organization either electronically via vulnerabilities or via additional spear phishing emails to others in the organization located via internal directories.
KURT SIMIONE@TechnologySeed
Kurt started Technology Seed, LLC in June 2000. Kurt is involved in most aspects of the business, including the “roll-up-your-sleeves” work. At his core, he’s a troubleshooter and enjoys the challenges that IT work brings. Kurt’s been known to catch a Bruins game with his kids from time to time.
The most common types of social engineering attacks carried out against companies include...
Email scams, while nothing new, are evolving from random email blasts to hundreds of thousands of targets into targeted, deliberate email scam attacks. Email scammers are cleverly using social engineering as follows:
1. Research and select a target company.
a. This is a significant change from historical attacks which were random.
2. Purchase the required tools of the attack (almost identical domain name as the target company).
a. This is a significant change, in that this attack actually costs the scammer money.
3. Select the appropriate executives of the target company.
4. Devise the scam, which usually involves a well-written email meant to exploit the trust of C-level executives who are too busy to properly vet their emails.
In the I.T. world, we find that no matter what steps we take, no matter what technology we implement, end-user training is the best protection against these types (and most types) of scams. Raise an eyebrow to anything that looks odd, just doesn't feel right or that you weren't expecting. If you're unsure, pick up the phone and call a trusted resource.
LUIS A. CHAPETTI@CudaSecurity
Luis A. Chapetti, Software Engineer and Data Scientist, Barracuda. Luis is part of the Barracuda Central Intelligence Team where he wears various hats handling IP reputation systems, Spydef databases, and other top security stuff on the Barracuda Real-time protection system.
When it comes to social engineering and preventing these types of attacks against your company, I recommend...
Once upon a time, hackers and spammers relied on blasting spam/phishing emails to as many eyes as possible to gain access to sensitive information via malicious attachments or links. The spam/phishing attempts have evolved to become extremely specific and, effectively, the most advanced persistent threats seen to date. Using social media tactics to find just about anyone, attackers have gotten great at personalizing phishing emails.
LinkedIn has provided a wealth of information about employees at just about any company. Facebook can assist the attacker by not only finding the C-level executives, but family members who may have access to a mobile device or machines that are connected to the network.
These are two commonly used elements in social engineering. To be safe, we recommend the following:
NATHAN MAXWELL@CCI_team
Nathan Maxwell is a cyber security consultant helping organizations assess/mitigate risk, and make themselves a little harder to compromise than the company next door.
Social engineering continues to be a highly pervasive way for attackers to establish a foothold in an organization...
The weakest link in a company is still the employees that work there.
Attack methods are as common as they are boring. Sometimes, they leverage data harvested from massive corporate information breaches. These emails are crafted to resonate with the recipient. To have a degree of validity: 'They already know this about me...'
Creative emails will substitute a capital I for a lower case l. They will use international characters, e.g., é vs è vs ė vs e. All designed to trick the recipient as to who actually sent the email.
While there are a few ways to use technology to protect against social engineering, the most effective is employee training. Simple directions like, 'Don't click links,' go a long way. If the email appears to be from Dropbox, delete the message, open a browser tab, enter www.dropbox.com and interact with the website accordingly.
Additionally, using an email service that checks every web address as you click it is a great stop-gap solution.
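The lookalike tricks described in this answer (a capital I for a lower-case l, é/è/ė for e) and in Kurt Simione's step 2 above (an almost identical domain name) can be caught on the receiving side by reducing every sender domain to a "skeleton" before comparing it with a list of trusted domains. This is an added example, not code from any of the experts or companies quoted; the confusables table, trusted list and sample senders are constructed for illustration.

```python
"""Flag sender domains that merely look like a trusted one.

Added example for this page, not code from any quoted expert or company.
A domain is reduced to a skeleton (punycode decoded, lower-cased, diacritics
stripped, confusable characters folded) so that lookalikes collide with the
trusted domain they imitate; a one-character edit distance catches doubled
or dropped letters. CONFUSABLES is a small constructed subset, not the full
Unicode confusables table.
"""
import unicodedata

# Visually confusable ASCII characters mapped onto one representative.
CONFUSABLES = str.maketrans({
    "1": "l", "i": "l", "|": "l",   # l / I / 1 / | look alike in many fonts
    "0": "o",                        # 0 / o
    "5": "s", "2": "z", "8": "b",
})

# Constructed allow-list of domains this organisation actually deals with.
TRUSTED_DOMAINS = ["dropbox.com", "technologyseed.com", "example.com"]

# Constructed IDN sample: "drópbox.com" as it would appear on the wire.
PUNYCODE_SAMPLE = "drópbox.com".encode("idna").decode("ascii")


def skeleton(domain):
    """Normalise a domain so that visually similar spellings become equal."""
    if any(label.startswith("xn--") for label in domain.lower().split(".")):
        domain = domain.encode("ascii").decode("idna")   # punycode -> Unicode
    domain = domain.lower()
    decomposed = unicodedata.normalize("NFKD", domain)  # é -> e + combining mark
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    # Fold confusable letters, then two-character lookalikes (rn ~ m, vv ~ w).
    return stripped.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Levenshtein distance; one insertion/deletion/substitution counts as 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(domain, trusted=TRUSTED_DOMAINS, max_distance=1):
    """Return ("trusted", d), ("lookalike", d) or ("unknown", None)."""
    low = domain.lower()
    for t in trusted:                       # exact match or genuine subdomain
        if low == t.lower() or low.endswith("." + t.lower()):
            return "trusted", t
    sk = skeleton(domain)
    for t in trusted:                       # same skeleton, or one edit away
        tsk = skeleton(t)
        if sk == tsk or edit_distance(sk, tsk) <= max_distance:
            return "lookalike", t
    return "unknown", None


if __name__ == "__main__":
    samples = ["dropbox.com", "dropb0x.com", "technoIogyseed.com",
               "tėchnologyseed.com", "technologyseeds.com", PUNYCODE_SAMPLE,
               "mail.dropbox.com", "gillware.com"]
    for s in samples:
        print(f"{s:28} -> {classify_sender(s)}")
```

The skeleton only needs to be consistent, not reversible: folding "rn" to "m" changes legitimate domains too, but both sides of the comparison are folded the same way.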
KAMYAR SHAH@kshahwork
Kamyar Shah is a small business advisor helping companies increase profitability and productivity, offering remote CMO and remote COO services.
There are simply too many different ways to name them all; however, the most successful social engineering attacks have a couple of things in common...
The origin is usually an authoritative venue such as a bank or government, and the creation of a sense of urgency either via potential benefits or potential harm/penalties.
Though there are several sophisticated tools that can aid in minimizing the impact of such attacks, the two most effective ones include education and backup. Continuous education and training of end users will aid in the reduction of overall successful attacks, and the backup will serve as insurance in case an attack is successful.
IAN MACRAE@encomputers
Ian MacRae is the President of E-N Computers, Inc. Ian has been passionate about technology his entire life. He has been providing IT services in Washington DC and Virginia since 1997. He enjoys problem solving, knowing what is possible, and combining the right mix of people, process, and technology to make life a little easier.
I see three categories of social engineering attacks...
1. A direct ask for money or credit card information in electronic form.
Avoiding this might be trickier than you think. It's good to remember that if someone is asking you to give information or send an electronic form of money, and it's a bit out of the ordinary, to slow down and check with them using a secondary method. For example, if you get an e-mail from the boss asking for Apple iTunes gift certificate codes to be purchased and e-mailed to him, call him on his cell phone and do a voice verification before completing the request.
2. Asking for access to your accounts or passwords, which is usually done by clicking on a link and taking you to a website, which will ask for your information.
I see a lot of this preying on new users, posing as popular web-based systems such as DropBox or Office 365. Although those systems are not insecure, the bad guys use their logos and prey on users who are not completely familiar with what to expect with new technologies yet. For example, an email will come in saying you have a new Office 365 fax, and if you click on the link, what they might really want is your password or access to install software on your computers. Once access and information are granted, the bad guys can get into other credentials such as access to bank accounts, business information, and credit card information which you might work with regularly online.
3. Being held ransom.
You might receive an email saying: "We have your password and a compromising video of you, pay us or else." There are a lot of ways to help prevent any of this from happening to you. First, when you get a new software or system, you need to be trained and not just on how to use it the first time. The training needs to be continual. Education is the best way to keep these criminals from playing into the fear of technology. For example, one of the measures we've used is phishing simulators to help people recognize malicious attempts.
For businesses, another way of preventing it is open lines of communication with your IT help desk, if you have one. We've found that if you don't, and you have a provider on an hourly fee, it might stop users from picking up the phone. That communication is paramount in fighting social engineering attacks. Your employees need to feel comfortable picking up the phone and asking about an odd email or text message. Also, of course, businesses need good password controls and security.
ADNAN RAJA@AtlanticNet
Adnan Raja is the Vice President of Marketing for Atlantic.Net, a web hosting solution that provides HIPAA-Compliant, Managed, and Dedicated Cloud hosting.
Social engineering attacks are very prevalent in today's digital workplace...
At its essence, company personnel are targeted and often tricked into giving out confidential information inadvertently. This is often via email or phone. Targets can be anyone from the CEO to helpdesk colleagues.
Common attacks include phishing, which is when a third party attempts to impersonate a genuine source and send fraudulent communications with the aim of extracting confidential data. A common example is impersonating banks, insurance brokers or legal firms. Phishing emails are disguised within genuine-looking company branding, publishing fake company announcements.
Another common attack is a derivative of phishing known as whaling. This is when higher-ranking executive personnel, such as the CEO, directors, or high-profile staff are being targeted to extract information. Hackers often prey on people with high churn email accounts when the accidental opening of fake attachments is more likely. Threats such as fake invoices which contain malicious macro-code can embed into the computer and mine data or sensitive keystrokes.
Outsourcing IT operations to a provider who has a strong reputation for security is one option which can be considered to help prevent social engineering attacks. These managed service providers can offer a hardware protection layer to business IT systems as well as proactively monitor for suspicious activity and threat detection.
BRANDON SCHROTH @gwdatarecovery
Brandon Schroth is the Digital Manager for Gillware Data Recovery, a world class data recovery company and digital forensics lab.
Helpdesk personnel might receive telephone calls from people spoofing for information...
Possibly password resets or attempts to gain access to confidential information, such as bank account information. A call center may be targeted when the hacker has some general information about a target, and they will use tenacity to extract additional information from the call center. Regular staff training is paramount for employees to learn social engineering attack techniques and ensure that they follow security best practice at all times.
ULADZISLAU MURASHKA @ScienceSoft
Uladzislau Murashka is a Certified Ethical Hacker at ScienceSoft with 6+ years of experience in penetration testing. Uladzislau's spheres of competence include reverse engineering, black box, white box and gray box penetration testing of web and mobile applications, bug hunting and research work in the area of Information Security.
Social engineering attacks like phishing emails and identity theft are the most common cyberthreats that companies face...
To be less susceptible to such attacks, companies should train their employees to use complex passwords and not log in to third-party websites with corporate email addresses.
Social engineering attacks typically involve some form of psychological manipulation, fooling otherwise unsuspecting users or employees into handing over confidential or sensitive data. Commonly, social engineering involves email or other communication that invokes urgency, fear, or similar emotions in the victim, leading the victim to promptly reveal sensitive information, click a malicious link, or open a malicious file. Because social engineering involves a human element, preventing these attacks can be tricky for enterprises.
We wanted to educate companies, employees, and end users on how to better recognize social engineering efforts and prevent these attacks from succeeding. To uncover some of the most common social engineering attacks being used against modern enterprises and get tips on how to avoid them, we asked a panel of data security experts and business leaders to answer the following question:
"What are the common social engineering attacks made on companies, and how can they be prevented?"
See what our experts had to say below:
MEET OUR PANEL OF DATA SECURITY EXPERTS:
- Stu Sjouwerman and Kevin Mitnick
- Paul Kubler
- Doug Fodeman
- Curtis Peterson
- Jeremy Schoeneman
- Pierluigi Paganini
- Keith Casey
- Joe Ferrara
- Sanjay Ramnath
- Alex Markowitz
- Robert Harrow
- Steven J.J. Weisman, Esq.
- Aurelian Neagu
- Shobha Mallarapu
- Elvis Moreland
- Greg Mancusi-Ungaro
- David Howard
- Oren Kedem
- Roberto Rodriguez
- Jayson Street
- Patricia Titus
- Greg Scott
- Ondrej Krehel
- Amichai Shulman
- Ken Simpson
- Kurt Simione
- Luis Chapetti
- Nathan Maxwell
- Kamyar Shah
- Ian MacRae
- Adnan Raja
- Brandon Schroth
- Uladzislau Murashka
STU SJOUWERMAN AND KEVIN MITNICK @StuAllard
Stu Sjouwerman (pronounced “shower-man”) is the founder and CEO of KnowBe4, LLC, which hosts the world’s most popular integrated Security Awareness Training and Simulated Phishing platform. A data security expert with more than 30 years in the IT industry, Sjouwerman was the co-founder of Inc. 500 company Sunbelt Software, a multiple award-winning anti-malware software company that was acquired in 2010. Realizing that the human element of security was being seriously neglected, Sjouwerman decided to help organizations manage the problem of cybercrime social engineering tactics through new school security awareness training. KnowBe4 services over 1,200 organizations in a variety of industries, including highly-regulated fields such as healthcare, finance, energy, government and insurance and is experiencing explosive yearly growth of 300%. Sjouwerman is the author of four books, with his latest being “Cyberheist: The Biggest Financial Threat Facing American Businesses.”
@KevinMitnick
Kevin Mitnick, ‘the World’s Most Famous Hacker’, is an internationally recognized computer security expert with extensive experience in exposing the vulnerabilities of complex operating systems and telecom devices. He gained notoriety as a highly skilled hacker who penetrated some of the most resilient computer systems ever developed. Today, Mitnick is renowned as an information security consultant and keynote speaker and has authored four books, including The New York Times best seller Ghost in the Wires. His latest endeavor is a collaboration with KnowBe4, LLC as its Chief Hacking Officer.
Social engineering techniques
What does social engineering look like in action? It could look like an email that has been designed to seem like it is from a credible organization, like your message service or FedEx or even your bank. But if you open it and click on that attachment, you could be installing malware or ransomware. Or, it could be disguised to look like it comes from someone inside your organization (like an unusual title such as IT@yourorganization – someone whom you trust). But if you respond to that email with your user name and password, your computer is easily compromised. The rule is Think Before You Click.
Social engineering attacks
The technical director of Symantec Security Response said that bad guys are generally not trying to exploit technical vulnerabilities in Windows. They are going after you instead. “You don’t need as many technical skills to find one person who might be willing, in a moment of weakness, to open up an attachment that contains malicious content.” Only about 3% of the malware they run into tries to exploit a technical flaw. The other 97% is trying to trick a user through some type of social engineering scheme, so in the end, it does not matter if your workstation is a PC or a Mac.
Phishing
The most common social engineering attacks come from phishing or spear phishing and can vary with current events, disasters, or tax season. Since about 91% of data breaches come from phishing, this has become one of the most exploited forms of social engineering.
Here are some of the worst:
A. Court Notice to Appear - Scammers are sending phishing emails claiming to come from a real law firm called 'Baker & McKenzie' stating you are scheduled to appear in court and should click a link to view a copy of the court notice. If you click on the link, you download and install malware.
B. IRS refund ransomware - Many of us waited till the last moment before the April 15th tax deadline and are now holding our collective breath in expectation of that possibly rewarding refund. The problem is that cybercriminals are very aware of this anticipation and use social engineering tactics to trick taxpayers. Knowing that many in America are waiting for word from the Internal Revenue Service concerning pending refunds, the cyber mafia is working hard to get in first with a massive phishing attack that has a ransomware attachment. The attachment is an infected Word file, which holds a ransomware payload and encrypts the files of the unlucky end-user who opens the attachment, and all connected network drives if there are any.
C. Researchers at Proofpoint recently discovered a Phishing campaign that originated from select job postings on CareerBuilder. Taking advantage of the notification system the job portal uses, the attacker uploaded malicious attachments instead of résumés, which in turn forced CareerBuilder to act as a delivery vehicle for Phishing emails.
The scam is both simple and complex. It's simple because the attacker used a known job site to target a pool of willing email recipients, and complex because the malware that was delivered was deployed in stages.
The attack starts by submitting a malicious Word document (named resume.doc or cv.doc) to a job posting. On CareerBuilder, when someone submits a document to a job listing, a notification email is generated for the person(s) who posted the job and the attachment is included.
D. Last June, the Durham, New Hampshire police department fell prey to ransomware when an employee clicked on a legitimate-looking email. Numerous other police departments have been hit including Swansea and Tewksbury, MA, Dickson County (Tennessee) Sheriff, and others. As of this time, the primary means of infection appears to be through phishing emails containing malicious attachments, phony FedEx and UPS tracking notices, and even through pop-up ads.
Here are a few social engineering scams executed via phishing:
Banking Link Scam: Hackers send you an email with a phony link to your bank, tricking you into entering in your bank ID and password.
A billion dollar heist covering 30 countries and nearly a billion dollars in lost funds, nicknamed Carbanak by security firm Kaspersky, was reported on extensively in Feb 2015.
In the Carbanak scam, spear phishing emails were sent to employees that infected work stations, and from there the hackers tunneled deeper into the banks’ systems until they controlled employee stations that would allow them to make cash transfers, operate ATMs remotely, change account information, and make administrative changes.
It was a pretty standard scheme: an email with a link that looked like it was coming from a colleague contained the malicious code, which spread from there like a digital rhinovirus. The hackers recorded everything that happened on the affected computers to learn how the organization did things. When they had mastered the system, they commandeered it for a series of transactions that included the ATM hits, but also a practice of artificially inflating bank balances and then siphoning off that amount, so a customer’s account balance might go from $1,000 to $10,000 and then $9,000 would go to the hacker.
Fax Notice Scam: It's a phony link to a phony fax. But it will do real damage to your PC. This is quite common, especially for firms who still use faxes heavily such as document management, title companies, insurance and other financial services companies.
Dropbox Link Scam: Have we got a surprise waiting for you in Dropbox.
A couple of variations of this were running in 2014. One was a fake Dropbox password reset phishing email that, when clicked, led users to a page saying their browser is out of date and they need to update it (with a “button” to the update). This would launch a Trojan in the Zeus family of malware.
Another was an email with Dropbox links that hosted malicious software like “CryptoWall” ransomware.
Court Secretary Complaint Link Scam: Here's a phony link confirming your complaint. Something tells us you'll be complaining about something else very soon.
A version of this has been in use for a while. See A. above.
Facebook Message Link Scam: Vin Diesel has just died. Find out that your PC will be pushing up the daisies with this link.
This one is commonly used when a celebrity dies. This was exploited with Robin Williams when he passed away with the Robin Williams goodbye video. A bogus Facebook phishing message appeared that invited users to click a link and see an exclusive video of Robin Williams saying goodbye through his cell phone. Of course there was no video, and the link led to a bogus BBC news page which tried to trick clickers into clicking on other links that led to scam online surveys.
Since we train others and actively create test phishing campaigns for our customers to use, my staff tried to social engineer me the other day, trying to catch me as a prank.
It was a 2-stage attack, trying to get me to reveal my credentials. They spoofed our Director of HR, and sent me the email below. This is an example of very high operational sophistication, typical of top-tier whaling attacks, those cases when an individual is subjected to spear phishing attempts because they hold valuable information or wield influence within an organization. They had done their homework and knew I was active on the SpiceWorks forum for IT admins.
[email protected]
10:45 AM (1 hour ago)
to: stus
Stu,
I noticed that a user named securitybull72 (claiming to be an employee) in a security forum posted some negative comments about the company in general (executive compensation mainly) and you in specific (overpaid and incompetent). He gave detailed instances on his disagreements, and doing so, may have unwittingly divulged confidential company information regarding pending transactions.
The post generated quite a few replies, most of them agreeing with negative statements. While I understand that the employee has the right to his opinion, perhaps he should have vented his frustrations through appropriate channels before making this post. The link to the post is located here (it is the second one in the thread):
www.spiceworks.com/forums/security/234664/2345466.
Could you please talk to him?
Thanks.
Nine out of ten would fall for something like this. The only thing that saved me was the fact that when I hovered over the link I saw that the domain was one I had created myself for simulated phishing attacks. But it was a close call! One more second and I would have been pwned.
The best prevention actions are:
1. Train users with an effective training program that routinely uses an integrated anti-phishing tool that keeps security top of mind for users and helps them recognize what a phishing email might look like.
2. Back up just in case and regularly test those backups to make sure they work.
PAUL KUBLER, CISSP, CCNA, SEC+, ACE @lifarsllc
Paul Kubler is a Cyber Security and Digital Forensics Examiner at LIFARS LLC, an international cybersecurity and digital forensics firm. He’s a former employee at Boeing, in the Global Network Architecture division, the nation’s largest private cyberattack target. He previously worked at the Flushing Bank, in Network and Systems Infrastructure, protecting valuable financial data at various levels within the network and system. Paul has also performed forensic investigations into mobile devices aiding in the prosecution of criminals.
With several years of experience in cybersecurity and digital forensics, he conducted a wide range of investigations, including data breached through computer intrusions, theft of intellectual property, and computer hacking. He has worked on hardening the systems and deploying protection over an international organization. He has also created business networks with a defense in depth strategy and implemented firewalls on these networks.
Some of the more common forms of social engineering (and how to prevent them) include...
PHISHING
Phishing has become a big player in malware attacks in the last few years and this type of social engineering has proven hard to overcome. Attackers usually send well-crafted emails with seemingly legitimate attachments that carry a malicious payload. These aren’t the typical “Nigerian Prince” scammers, but rather sophisticated hacking groups with sufficient time and funding who launch these exploits. They usually hide behind a Tor network or the like and become hard to find, especially when they are backed by organized crime who use this as a source of income.
RANSOMWARE
In recent years, we’ve seen a dramatic increase in the use of ransomware being delivered alongside phishing emails. They usually send an attachment such as “URGENT ACCOUNT INFO” with a file extension of “.PDF.zip” or “.PDF.rar,” which slips by the unsuspecting victim and delivers the payload. This attack often encrypts the entire hard disk, or the documents, and requires a bitcoin payment to unlock. Luckily, these groups actually do unlock the data - this way future victims are more likely to pay.
What can you do to minimize the chances of yourself as an individual falling victim to these dirty schemes? Here are a few steps you can take:
- DO NOT open emails in the spam folder or emails whose recipients you do not know.
- DO NOT open attachments in emails of unknown origin.
- Use a reputable antivirus software - I recommend Kaspersky or Symantec.
- Perform a regular backup to an external medium (external hard drive or the cloud).
- After backing up, disconnect your drive. Current ransomware is known to encrypt your backup drive as well.
- DO NOT pay the ransom. The reason why the criminals keep utilizing this form of blackmailing attacks is that people keep paying. To try to get your data back, consult a professional in your area.
- Humans need to be trained – they are the weakest link. Companies should employ, at minimum, a bi-annual training geared towards each user group (end-users, IT staff, managers, etc.) so that everyone is aware of the latest attacks.
- Employees should be tested by having an outside party conduct a social engineering test. These kinds of tests help keep the employee on their toes and more likely to avoid the attacks.
- Since these attacks are on the rise, a number of new defenses have been developed. AppRiver is a great Spam and Virus email filter that can block a large number of phishing exploits before they even reach the internal servers.
- If they happen to get through, an endpoint protection system that can block the latest malware is probably your best bet at stopping the attack.
- As a last line of defense, Cyphort has a good IDS/IPS solution that can help detect known attacks and how far they managed to get into the network by signature, behavior, and by community knowledge.
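An added example, not code from the original article or from any vendor it names: a small triage routine that applies two of the rules above to one inbound message, rejecting the "URGENT ACCOUNT INFO.PDF.zip" style of double extension and holding attachments from unknown senders for review. The extension lists and the sample messages are constructed assumptions for illustration.

```python
"""Added example: attachment-name and sender triage for inbound mail.

Not part of the original article; extension lists below are illustrative.
"""

# Extensions that commonly carry executable or macro content (assumed list).
DANGEROUS_EXTENSIONS = {"exe", "scr", "js", "vbs", "bat", "cmd", "hta", "docm", "xlsm", "jar"}
# Container formats that can hide one of the above (assumed list).
ARCHIVE_EXTENSIONS = {"zip", "rar", "7z"}
# Benign-looking document extensions used as the decoy middle part (assumed list).
DECOY_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg"}


def attachment_findings(filename):
    """Return the reasons an attachment name looks deceptive ([] if none).

    Two checks, the first taken straight from the ".PDF.zip" example above:
    - a document extension immediately followed by an archive or executable one;
    - an outright executable or macro extension as the real extension.
    """
    parts = filename.strip().lower().split(".")
    findings = []
    if len(parts) < 2:
        return findings  # no extension at all, nothing to judge here
    final = parts[-1]
    if final in DANGEROUS_EXTENSIONS:
        findings.append(f"executable or macro extension .{final}")
    if len(parts) >= 3:
        decoy = parts[-2].strip()
        if decoy in DECOY_EXTENSIONS and (final in ARCHIVE_EXTENSIONS or final in DANGEROUS_EXTENSIONS):
            findings.append(f"document extension .{decoy} hides .{final}")
    return findings


def triage_message(sender, attachments, known_senders):
    """Decide what to do with one message, following the list above.

    Returns (decision, reasons) where decision is one of:
    - "quarantine": at least one attachment name is deceptive;
    - "review": attachments present but the sender is not known;
    - "deliver": nothing suspicious by these rules.
    """
    reasons = []
    for name in attachments:
        for reason in attachment_findings(name):
            reasons.append(f"{name}: {reason}")
    if reasons:
        return "quarantine", reasons
    if attachments and sender.lower() not in {s.lower() for s in known_senders}:
        return "review", [f"attachments from unknown sender {sender}"]
    return "deliver", []


# Constructed sample messages (hypothetical addresses and file names).
KNOWN_SENDERS = {"accounts@vendor.example"}
SAMPLES = [
    ("accounts@vendor.example", ["invoice-0421.pdf"]),
    ("billing@unknown-sender.example", ["statement.pdf"]),
    ("noreply@random.example", ["URGENT ACCOUNT INFO.PDF.zip"]),
    ("hr@random.example", ["photo.jpg.exe"]),
]

if __name__ == "__main__":
    for sender, files in SAMPLES:
        decision, reasons = triage_message(sender, files, KNOWN_SENDERS)
        print(f"{decision:10} {sender:32} {'; '.join(reasons) or '-'}")
```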
DOUG FODEMAN @dailyscams
Doug Fodeman is the content director and co-owner of The Daily Scam, a web site devoted to helping individuals, companies, and organizations increase their understanding and awareness of internet-based threats, scams, and fraudulent practices in order to significantly decrease their risks and associated lost productivity.
When it comes to social engineering attacks, companies should understand...
Social engineering attacks that target companies or individuals are most easily and successfully launched through email. Everyone depends on email for communication, even more than social media which might be monitored by just one or a few company staff. Email is also a tool used daily by older members of the workforce. Also, email can direct a threat to everyone in an organization, including the CEO and CFO. But malicious emails require two triggers to be effective. The first is a cleverly worded subject line that will engage the recipient's curiosity and engineer them to open the email.
Some of the most effective subject lines are often innocent and simple like these recent ones I saw targeting an organization in just the last two weeks:
- A Special Invitation
- Advisory: Your online file was accessed
- Celebrate Mom this Sunday with an exquisite $29.96 bouquet
- Get noticed and watch your career take off
- Learn about harp
- Mothers Day bouquets with DESIGNER VASES
- Service cancellation May 10
- SHIPPING DOCUMENT / BL CONFIRMATION
- Welcome to the Whos Who Connection
- Confirm for your delivery
- Confirm your 3K transfer by Monday
- FBI letter of notification [code 210]
- Incoming fax
- I think you'll like this
- New health care reform laws are in
- No interest for the first year
- Notice of payment
- Treat as urgent and get back to me
- Your installation
- Your phone number
- Emails with a very professional look and presentation. These emails may include spoofed email addresses of legitimate companies or seemingly innocent pitches such as the sale of Mother's Day flowers.
- Emails that are very short and to the point, often citing a bogus invoice, blocked payment, delivery, or fax.
- Emails that are meant to engineer click-behavior by intimidation, such as an email made to look like it is from the FBI, a bank authority, or the IRS.
CURTIS PETERSON @SmartFile
Curtis Peterson is the Digital Marketing Manager for SmartFile. Peterson is responsible for strategy and execution of SmartFile's content, email, search, and social strategies. SmartFile provides IT administrators with time-saving file and user management tools that enable non-IT employees to access and share files securely. Scalable cloud or on-premise storage is available for any size business that regularly sends, receives, and archives files.
In terms of identifying and preventing social engineering attacks...
Obviously, Edward Snowden was the poster boy for social engineering attacks. He either befriended folks or asked for their passwords and logins by telling them they were needed for his computer systems administrator role. Pretext, or creating a fake persona or using one's role in an improper way, is pretty popular for social engineering attacks.
The bottom line is 63% of data breaches come from internal sources, either control, errors, or fraud. In 2013, $143 billion dollars came from data theft (both stats can be found on isyourdatasafe.com).
Social engineering is hard to prevent. That's the tough part. A lot of prevention comes from IT compliance best practices. But still, even in the case of Edward Snowden, how can you tell something bad is happening when it appears to be a user with clearance? We'd recommend diligent monitoring and analytics to try to understand when this is happening. For instance, if you have a number of highly sensitive files, you should track when those are downloaded/shared. An IT administrator should also receive instant notifications when these actions are taken on sensitive files. Finally, there should be logs that are analyzed regularly to understand abnormal usage behaviors. For instance, if the file is downloaded after hours, it should be a red flag. Or if multiple sensitive files from the same user are downloaded, that should be identified and looked into.
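The two red flags described above (a sensitive file downloaded after hours, and several sensitive files pulled by the same user in a short span) as detection logic run over constructed access-log lines. This is an added example, not SmartFile's code; the log format, the folder-based notion of "sensitive", business hours and the burst threshold are all assumptions.

```python
"""Added example: after-hours and burst detection over file-access logs.

Not part of the original article. Log format (assumed): one event per line,
"<ISO timestamp> <user> <action> <path>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: users, paths and times are invented for the demo.
SAMPLE_LOG = """\
2024-05-06T09:12:04 alice download /finance/q2-forecast.xlsx
2024-05-06T09:40:11 bob download /hr/org-chart.pdf
2024-05-06T14:02:30 carol download /legal/merger-term-sheet.docx
2024-05-06T14:03:05 carol download /legal/merger-nda.pdf
2024-05-06T14:03:41 carol download /finance/q2-forecast.xlsx
2024-05-06T23:17:52 bob download /finance/q2-forecast.xlsx
2024-05-07T08:55:00 alice share /public/newsletter.pdf
"""

# Assumption: sensitivity is decided by top-level folder.
SENSITIVE_PREFIXES = ("/finance/", "/legal/")
BUSINESS_HOURS = (8, 18)               # 08:00 <= hour < 18:00 counts as in hours
BURST_THRESHOLD = 3                    # this many distinct sensitive files ...
BURST_WINDOW = timedelta(minutes=10)   # ... by one user within this window


def parse_log(text):
    """Turn the text log into (timestamp, user, action, path) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, path = line.split(maxsplit=3)
        events.append((datetime.fromisoformat(ts), user, action, path))
    return events


def is_sensitive(path):
    return path.startswith(SENSITIVE_PREFIXES)


def after_hours_alerts(events):
    """One alert per sensitive download/share that falls outside business hours."""
    alerts = []
    for ts, user, action, path in events:
        if action in ("download", "share") and is_sensitive(path):
            if not BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]:
                alerts.append(("after_hours", user, ts.isoformat(), path))
    return alerts


def burst_alerts(events):
    """One alert per user who downloads BURST_THRESHOLD+ distinct sensitive files
    within BURST_WINDOW (sliding window over that user's sorted downloads)."""
    per_user = defaultdict(list)
    for ts, user, action, path in events:
        if action == "download" and is_sensitive(path):
            per_user[user].append((ts, path))
    alerts = []
    for user, items in per_user.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            # Advance the window start until it fits within BURST_WINDOW.
            while items[end][0] - items[start][0] > BURST_WINDOW:
                start += 1
            distinct = {p for _, p in items[start:end + 1]}
            if len(distinct) >= BURST_THRESHOLD:
                alerts.append(("burst", user, items[start][0].isoformat(), sorted(distinct)))
                break  # one alert per user is enough; an analyst follows up
    return alerts


def analyze(text):
    """Run both rules and return all alerts, after-hours first."""
    events = parse_log(text)
    return after_hours_alerts(events) + burst_alerts(events)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```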
JEREMY SCHOENEMAN
Jeremy Schoeneman is an information security specialist with a focus on social engineering. He has worked at SecureState for over one year, and conducts social engineering engagements as part of client penetration tests on a regular basis.
The most common social engineering techniques used today include...
Today, there are many ways an attacker will try and compromise a corporate network, but in the end, the individual is at the highest risk from an attack. Attackers will take whatever means necessary to break into a network and steal information, and the most popular, and most successful, is by way of social engineering. Social engineering is responsible for many of the recent major attacks, from Sony to The White House. There are essentially two very popular types of attacks: phishing and vishing (voice phishing).
Phishing attacks are the most prevalent way of obtaining information or access into a network. An individual will open a seemingly harmless email, either click a link that leads to a malicious site or download an attachment which contains malicious code, and compromise a system. Phishing has been increasingly successful because the attackers are creating more legitimate looking emails and the attacks are more sophisticated. Thanks to the prevalence of social media, an attacker can look up everything they need to know about a person and their interests, craft an email specially tailored to that person, and email something directly to them, which increases the chances of that person clicking.
Vishing is essentially phishing over the phone. An attacker will call someone, such as an IT help desk, and with a little bit of information about a person (such as a name and date of birth) either get login credentials or more information about the individual, such as a social security number.
Protecting a company from these attacks starts with education. Teaching people what to look for when getting an email or receiving a phone call from someone asking for information or to click on something is what's going to lessen the likelihood of a successful attack. Actually looking at the from address, hovering over links and verifying the URL, and never downloading attachments unless you absolutely know where the email comes from will drastically decrease the likelihood of a successful attack against a company. When an individual receives a phone call asking for information, it's important to establish the identity of the person without giving hints. Remember: people's information is easily found on the internet. Asking good security questions on the IT help desk level is a great way to help guard against these attacks. Something like: What high school did you go to, or what was the make of your first car, is a thousand times better than your birthday.
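The "hover over the link and verify the URL" check that saved Stu Sjouwerman above, and that this answer recommends, done programmatically over the HTML body of a message. This is an added example, not code from the article or from either expert; the parsing is done with Python's standard library, the sample email body is constructed, and the set of hosts the recipient expects from the sender is an assumed input.

```python
"""Added example: flag links in an HTML email whose visible text points at a
different host than the real href, or whose href host is not one the reader
expects. Not part of the original article."""
from html.parser import HTMLParser
from urllib.parse import urlparse


def _host(url):
    """Lowercase host of a URL, accepting bare 'www.example.com/path' text."""
    parsed = urlparse(url.strip())
    if not parsed.netloc:
        parsed = urlparse("http://" + url.strip())  # no scheme in the text
    return (parsed.hostname or "").lower()


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html, trusted_hosts):
    """Return (href, text, reason) triples for links that deserve a second look.

    Rule 1: the href host is not one of trusted_hosts (assumed, per sender).
    Rule 2: the link text itself looks like a URL, but its host differs from
            the href host, i.e. what you see is not where you go.
    """
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        href_host = _host(href)
        if href_host and href_host not in trusted_hosts:
            findings.append((href, text, "href host not in trusted hosts"))
        # Treat text as a URL only if it has a dot and no spaces.
        text_host = _host(text) if ("." in text and " " not in text) else ""
        if text_host and href_host and text_host != href_host:
            findings.append((href, text, "link text host differs from href host"))
    return findings


# Constructed sample body, modelled on the simulated spear-phish quoted above
# (hypothetical hosts; not the real domains from the story).
SAMPLE_EMAIL = """
<p>The link to the post is located here (it is the second one in the thread):</p>
<a href="http://forum-lookalike.example/forums/security/1">www.spiceworks.com/forums/security/1</a>
<p>Thanks.</p>
<a href="https://intranet.example.org/hr">HR portal</a>
"""

if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL, {"intranet.example.org"}):
        print(f"{reason}: text={text!r} href={href!r}")
```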
PIERLUIGI PAGANINI @InfosecEdu
Pierluigi Paganini is a Security Researcher for the InfoSec Institute and has over 20 years experience in the field.
Here are a few basic rules to protect users' digital identities from social engineering attacks...
- Be aware of spam and adopt special cautions for email that:
- requests confirmation of personal or financial information with high urgency.
- requests quick action by threatening the user with frightening information.
- is sent by unknown senders.
- Monitor online accounts regularly to ensure that no unauthorized transactions have been made.
- Never divulge personal information via phone or on unsecure websites.
- Do not click on links, download files, or open email attachments from unknown senders.
- Be sure to make online transactions only on websites that use the https protocol. Look for a sign that indicates that the site is secure (e.g., a padlock on the address bar).
- Beware of phone phishing; never provide personal information over the phone if you receive a call. Beware of emails that ask the user to contact a specific phone number to update user’s information as well.
- Never divulge personal or financial information via email.
- Beware of links to web forms that request personal information, even if the email appears to come from a legitimate source. Phishing websites are often exact replicas of legitimate websites.
- Beware of pop-ups; never enter personal information in a pop-up screen or click on it.
- Adopt proper defense systems such as spam filters, anti-virus software, and a firewall, and keep all systems updated.
- For a social network user, it’s fundamental to trust no one and reveal only a limited amount of information. Never post personal information, such as a vacation schedule and home photos. Never click on links and videos from unknown origin and never download uncertified applications.
KEITH CASEY @CaseySoftware
Keith Casey currently serves as Director of Product for Clarify.io working to make APIs easier, more consistent, and help solve real world problems. Previously, as a developer evangelist at Twilio, he worked to get good technology into the hands of good people to do great things. In his spare time, he works to build and support the Austin technology community, blogs occasionally at CaseySoftware.com and is completely fascinated by monkeys. Keith is also a co-author of “A Practical Approach to API Design” from Leanpub.
The most common social engineering attacks by far come in the form of...
"I just need." Basically, someone calls the company claiming to represent the phone company, internet provider, etc., and starts asking questions. They claim to have a simple problem or know about a problem that can be fixed quickly but they just need one little thing. It could be as innocuous as asking for a username or someone's schedule or as blatant as asking for a password. Once the attacker has this information, they call someone else in the company and use the new information to refine their attack. Lather, rinse, repeat.
After a few calls, they can often pass themselves off as an employee — often the assistant of someone significant — and ask for access or more detailed information right now. The unsuspecting employee doesn't want to annoy the significant person, so they answer and help before they've had a chance to think. At this point, it's almost trivial to get access to email accounts, phone records, travel itineraries, etc.
The only solution to this is to never trust someone that calls you. Instead of immediately giving the requested information, get the person's phone number from the company directory, and offer to call them back at that number. An honest person may be annoyed but it will work. An attacker will give up and try someone else. Also, never ask the person for their phone number, go to a known safe source — like the company directory — to get the information.
The same applies to your credit card company. Never give sensitive information to someone who calls you. Use the phone number on your card and call them back.
JOE FERRARA @WombatSecurity
Joe Ferrara is President and CEO of Wombat Security Technologies. Joining Wombat in 2011, Joe brings 20 years of experience in technology marketing, operations and management to his role as President and CEO. Recently Joe was a finalist for EY Entrepreneur Of The Year Western Pennsylvania and West Virginia and received a CEO of the Year award from CEO World. Joe has provided expert commentary and has spoken at numerous information security industry events including RSA Europe, the CISO Executive Network forum, ISSA International, and information security regional conferences.
My advice for companies related to the increasing prevalence of social engineering attacks is...
Commonly defined as the art of exploiting human psychology to gain access to buildings, systems, or data, social engineering is evolving so rapidly that technology solutions, security policies, and operational procedures alone cannot protect critical resources. A recent Check Point sponsored survey revealed that 43 percent of the IT professionals surveyed said they had been targeted by social engineering schemes. The survey also found that new employees are the most susceptible to attacks, with 60 percent citing recent hires as being at high risk for social engineering.
Companies should:
- Take a baseline assessment of employee understanding.
- Help employees understand why their security discretion is vital to corporate health.
- Create a targeted training program that addresses the most risky employees and/or prevalent behaviors first.
- Empower employees to recognize potential threats and independently make correct security decisions.
- Improve knowledge retention with short interactive training sessions that work easily into employees' busy schedules and feature proven effective learning science principles.
- Monitor employee completion of assignments and deliver automatic reminders about training deadlines.
- Show measurable knowledge improvement over time with easy-to-read reports for executive management.
Companies should use a combined approach of simulated social engineering attacks coupled with interactive training modules to deliver the best result. Incorporating continuous training methodology can be the difference between a five-alarm data breach and a quiet night at the office.
SANJAY RAMNATH @Barracuda
Sanjay Ramnath is a Senior Director of Product Management for Barracuda, the go-to provider of powerful, easy-to-use, affordable IT solutions for security and storage.
When it comes to social engineering, my advice for companies is...
Social media is a necessary evil. Companies need to recognize the value of these sites for business use and cannot just outright block these sites from the network.
There are, however, a few ways to help mitigate the risks while allowing social networks to be in use. When it comes to training, sure you can hold a class for new and older employees to show them the Do's and Don'ts to better protect themselves against threats; however, most of this is common knowledge and hard to really enforce.
BYOD has really put stress on network admins to protect the network from users' mobile devices.
Social media is a zero trust environment. Social networking is so simple to use that, often, people's guards are lowered. A friend you know well could send you a link to an album of a trip they recently took for you to click on to view or download. You, of course, seeing your friend's picture next to the link, or getting an email from their email address, click on it because you assume that it's safe, not knowing that they have been hacked and now the pictures you think you are downloading are actually downloading malware onto your computer.
Companies need to consider securing all threat vectors and putting in place dedicated solutions to address every need. In a case like social engineering where victims are subject to spear phishing attacks, phishing attacks, malicious emails, and compromised sites, it is good to have a spam firewall and web filter in place to mitigate those threats before they even reach the network.
Having a secure web browser or mobile device management solution to address BYOD both on and off the company network is something they should also consider to protect company and employee information.
ALEX MARKOWITZ@ChelseaTech
Alex Markowitz is a Systems Engineer for Chelsea Technologies, a managed IT services firm that provides design, implementation, hosting, and support services to the global financial industry. Alex has over 10 years of IT experience in the financial sector.
My top suggestion for companies in preventing social engineering attacks is...
The Power of No.
Google the top social engineering attacks. What do you get? Stories about Trojan Horses, phishing attacks, malware injections, redirects, spam, and people giving up way too much personal information on public websites. The surface area for social engineering attacks is as big as all the employees and users in your corporation. The best social engineering attack will involve nothing but an unnoticed slip or mistake from one user. I am going to address the very specific aspect of internal security and leave you with the following: the most important protection you need in your company is the ability to say, "No."
Knowing the history of these attacks is useful, but overall, it is not going to protect you. The attackers are always ahead of those of us who are defending our information. A social engineer will always find a new way to do what they do. Someone who wants to target your company is considered an unending well of creativity, and must be treated as such. Keep in mind, technology always changes, but the humans utilizing that technology do not change. You can protect yourself with all the technology you want, but just one human mistake can blow your company's doors wide open. Humans are the attack surface on which a social engineer strikes.
Therefore, the problem we have as IT Professionals is keeping age-old human flaws from causing a technological attack. The following is an omnipresent human flaw that I would like to specifically address: I have worked at many financial institutions. At every institution, there is always a slew of executives, managers and the like that want to be treated special. They want access to the network on their personal laptop. They want access to the network on their iPad, but also let their kids play with that iPad. They want access when and where they should not have it, and they are in powerful positions that make them very difficult to reason with.
They want things that will make their professional lives even easier than we, in IT, struggle to make it. Unfortunately, in IT, we are in the habit of saying, "Yes." I have seen directors and CTOs create special exceptions for other high-ranking users to garner favors and popularity, but also because they are scared for their own position. This is lazy; this is arrogant; this is stupid, but this is most of all, human. We human beings are the system attacked by social engineering, and then we leave ourselves open by falling prey to our insecurities, giving an attacker an invitation to storm our gates. All IT needs to learn how to say is "No," and IT management needs to be strong and stubborn for the good of a company. One of the best ways to protect your company from social engineers is to learn how to say, "No." Keep politics and climbing the office ladder out of IT security.
I know I am addressing a very specific aspect of IT, but one of the best ways to shrink your attack surface is to learn how to say, "No." It takes strong leadership and determination from IT management to keep our protection streamlined. Only after our protection is streamlined can we accurately educate our users and create a secure infrastructure. Every individual exception opens a Pandora's Box for social engineers to find (or even just stumble upon) and exploit.
ROBERT HARROW@robert_harrow
Robert Harrow is a research analyst for ValuePenguin.com, where he covers various personal finance verticals, including credit cards, home insurance, and health insurance. His interest in security comes mainly from studying credit card and health insurance data breaches.
The biggest social engineering threat to companies today is...
Phishing scams are the biggest threat, and the most common means of social engineering. According to the most recent report by EMC, there has been $5.9 billion in losses due to phishing scams in 2013 alone — this from close to 450,000 attacks.
Spam filters can be useful in helping employees avoid exposure to these attacks. However, these fail in what is referred to as spear phishing. These attacks are less frequent, but more targeted to specific high value individuals — likely CEOs, CFOs, and other people with high-level access in their company. These attacks are generally not picked up by spam filters and are much harder to detect.
Educating employees about the dangers of phishing and being careful about all e-mails they receive is crucial.
STEVEN J.J. WEISMAN, ESQ.@Scamicide
Steven J.J. Weisman, Esq. is a lawyer, college professor at Bentley University where he teaches White Collar Crime, and one of the country's leading experts in scams, identity theft, and cybercrime. Weisman writes the blog Scamicide.com, where he provides daily updated information on the latest scams and identity theft schemes.
When it comes to social engineering attacks and how companies can prevent them, I advise...
Major data breaches and hacking of major companies such as Target, Sony, or even the State Department generally have one thing in common, and that is that despite the sophistication of the malware used to gather information, that malware has to be downloaded into the computers of the targeted company or agency and that is done, most often, through social engineering tactics that trick employees into clicking on links or downloading attachments that unwittingly download the malware.
So how do they convince employees to click on the links and download the attachments?
- They make it appear that the email comes from a friend, whose email they have hacked.
- They make it appear that the email comes from someone within the company, whose name and email address may have been obtained through a myriad of available databases including LinkedIn.
- They gather information on the targeted employee through social media, where the employee may have made personal information public that enables a skilled hacker to use that information to trick the employee into clicking on a link dealing with something in which they are interested.
- The link is for free pornography.
- The link is to provide celebrity photos or gossip.
- The link is to provide sensational photographs or videos of an important and compelling news event.
- It appears to come from someone in IT security from the company informing the employee of an emergency.
So what can be done to stop them?
Train employees on my motto, "Trust me, you can't trust anyone." No one should ever provide personal information to anyone in response to a request until they have verified that the request is legitimate. No one should ever click on any link without confirming that it is legitimate.
Train employees to be skeptical and what to be on the lookout for in regard to common phishing and spear phishing schemes.
Install and maintain the latest and constantly updated anti-virus and anti-malware software with the understanding that the latest updates are always at least a month behind the hackers.
Limit employees' information access to only that information that they have a need to have access to.
Use dual factor authentication along with strong passwords that are regularly changed.
AURELIAN NEAGU@HeimdalSecurity
A technical writer with 6 years' experience in the cyber security field at Bitdefender & Heimdal Security, Aurelian Neagu tries to discover and understand how technology changes human relationships in a society and modifies social perception of the world.
Social engineering attacks on companies...
Can come from both within and outside the organization.
Social engineering carried out by malicious insiders
According to PwC’s 18th Annual Global CEO Survey 2015, 21% of current or former employees use social engineering to gain financial advantage, for revenge, out of curiosity or for fun.
Social engineering methods used inside the organization can include:
- Extracting company information (such as passwords, credentials) from the inside and delivering it to third parties.
- Using confidential information as leverage for finding a new job or achieving a better position inside the company.
- Leaving the organization with login information and confidential information and using it for malicious purposes.
- Malicious outsiders very often pose as company contractors to extract confidential information from gullible employees. They can do that either through phone calls, emails, or by physically gaining access to company premises.
- Social engineering often relies on the strong confidence that cyber criminals possess and on the trust that is usually instilled in external contractors, especially if they come from reputed companies, such as Cisco or IBM.
- Information about employees found on social networking sites can also be a method of gaining the victim’s trust in order to gather sensitive information from him/her.
- Malicious outsiders can also use malware-laden programs or executables hidden in email attachments. Once such a Trojan gets inside an employee’s computer, it can act in various ways, such as sending copies of documents or spying on the employee’s computer activity.
- Phishing is yet another method used by cyber criminals. It includes the use of e-mails that appear to originate from a trusted source to trick an employee into entering valid credentials on a fake website.
Another example of a spear phishing attack targeted Danish architecture firms in March 2015.
How can social engineering attacks be prevented?
- The most important advice for companies is to invest in educating their employees about cyber security. If employees learn how to protect their data and the company’s confidential data, they’ll be able to spot a social engineering attempt and mitigate its consequences. Additionally, they can become more vigilant and become a much-needed security layer themselves.
- Periodic cyber security assessments are also necessary, because companies evolve, they grow, they change — and the information flow changes within the organization. Consequently, penetration testing should be carried out on a regular basis and lead to actionable recommendations that can improve data security across the organization.
- Additionally — I always recommend companies who haven’t done this yet — define and implement a thorough security policy. This is the type of policy that is worth investing in, because it can have a huge impact on the organization and prevent cyber attacks from happening and leading to serious consequences.
SHOBHA MALLARAPU@anvayasolutions
Shobha Mallarapu is the President and CEO of Anvaya Solutions, Inc., a cyber security company. She has been featured in Business Journal articles on security and has taught hundreds of businesses on cyber security. Anvaya Solutions, Inc. has trained thousands of employees on security awareness in various organizations.
The common social engineering attacks on companies include...
1. Phishing: This is one of the most common attacks that entices employees to divulge information. An email impersonates a company or a government organization to extract the login and password of the user for a sensitive account within the company, or hijacks a known email and sends links which, once clicked, will embed a malware or a Trojan on the computer of the user. Hackers then take the reins from there.
Similar attacks by phone, with the caller claiming to be a trusted source or an authorized organization, also can lead to employees revealing information that may be detrimental to the bottom line of the company or its reputation.
2. Information Sharing: Sharing too much information on social media can enable attackers to guess passwords or extract a company's confidential information through posts by employees. Security Awareness is the key to prevent such incidents. Developing policies, training employees, and implementing measures, such as warnings or other disciplinary actions for repeat or serious incidents, will mitigate the risk of social engineering attacks.
If you are not expecting an email, type the link address instead of clicking on it. Or, call a person to confirm that the email came from them. The same principles apply to phone phishing attacks. Tell them you will call back and get their number. Make sure that number belongs to a valid organization by using the phone lookup before calling them.
ELVIS MORELAND
Elvis Moreland, CISSP-ISSEP, CGEIT, CISM, NSA IEM-IAM, CNSS 4012-4015-4016, is a Computerworld Magazine Premier 100 IT Leader and Chief Information Security Officer (CISO).
One of the most common social engineering attacks today is...
A Spear Phishing attack. This is an email that delivers malicious content via a web-link or attachment in an email.
Countermeasure(s):
1. Never open links or attachments from unknown sources. If in doubt, report it!
2. If the email seems to be from a normal source, ask yourself "Why would they want me to open this link or attachment? Is that normal behavior?" If not, report it!
3. When in doubt, double check the source, content, and/or ask for help from your IT security or cybersecurity department.
4. In a corporate setting, your business should be protected by using one of various, if not several combined, network security architectural appliances or countermeasures such as a SMTP Gateway with scanning and/or some filtering mechanism to help you tag or remove questionable email campaigns and content.
5. Never solely rely on just anti-virus or firewalls to protect you from these types of advanced attacks. They arrive bearing variants of malicious content that cannot be detected by blacklists or signature-based countermeasures (AV or firewalls) alone, because they just can't keep up.
GREG MANCUSI-UNGARO@BrandProtect
Greg Mancusi-Ungaro is responsible for developing and executing the BrandProtect market, marketing, and go to market strategy. A passionate evangelist for emerging technologies, business practices, and customer-centricity, Greg has been leading and advising world-class marketing initiatives, teams and organizations for more than twenty-five years. Prior to joining BrandProtect, Greg served in marketing leadership roles at ActiveRisk, Savi Technologies, Sepaton, Deltek, Novell, and Ximian, building breakthrough products and accelerating business growth. He is a co-founder of the openSUSE project, one of the world's leading open source initiatives.
Common quick cash-grab social engineering schemes usually involve...
Variations of the stranded traveler scam. In this type of scam, a social engineer sends their target an email that appears to be originating from a trusted colleague's personal email account. After a quick explanation of why they can't use the company email system, such as a lost/broken computer, VPN connection issues, or forgotten Outlook Web access domain, they claim that they are stranded in a far off place and need money wired to them. As this social engineer has access to your email, he or she knows who your colleagues are and can create a pretty convincing story.
Another common class of social engineering attacks occurs outside of the business environment, on social networks and other social media sites. There, social engineers will copy profiles, substitute headshots and literally steal an entire online identity, which they can then use to friend others at your firm or at other establishments, parlaying the stolen identity into a series of seemingly legitimate online friendships. From that moment forward, it's only a matter of time before the next social engineering ask is made.
Far more serious, however, are the social engineering schemes where the friend request involves using the company network. For example, a colleague emails you late at night and claims to have forgotten the VPN access code — this is a suspicious email to receive, and likely a social engineering attack. As a second example — and an even more sophisticated approach: Imagine a social network friend sending you an email with a cover letter and resume attached, requesting that you forward it to your hiring manager. The email might have the name of the hiring manager or the name of an open position, but in either case, it's a very effective approach. Meanwhile, behind the scenes, the social engineer is hoping you'll click on either document, unknowingly installing malware on your computer and infiltrating your company network.
Once a social engineer gains a trusted identity, or is accepted within a trusted circle of colleagues, they will leverage that trust to gain access to other people, networks, IPs, or corporate assets. Social engineers usually have their eyes on something bigger than their unsuspecting targets; the innocent victims are just a convenient and easy way for the cybercriminals to get to a bigger prize.
So, how do you prevent social engineers from succeeding?
As a company, the easiest way is to diligently monitor for unauthorized emails that use your brand, and validate that the social domain profiles that carry your brand are owned by individuals who have the right to do so. For instance, recently, a BrandProtect client discovered that more than half of their branded online agents were actually not authorized agents. Some of that activity was innocent — some former agents forgetting to remove a logo — but some of it was masquerading and identity theft!
As an individual, the simplest way to reduce social engineering exposure is to always be sure of who you are communicating with. If there is the least bit of doubt, explain that you can't assist with the incoming request. If they claim that they are your friend, there are additional ways to gently validate someone's identity. For instance, they can call you on your cell phone or email your personal account instead. After all, if they are who they claim to be, they will easily be able to reach you via other forms of communication.
Much of the personal defense against social engineering may seem to be common sense, but companies should invest in employee education about these and other online risks. By simply raising awareness of these dangerous attacks, significant amounts of corporate risk will be mitigated.
DAVID HOWARD
David Howard has been a Certified Ethical Hacker since 2009, and has worked in the security segment of IT since. Recently, David has founded PPL HACK, a Cincinnati based company that offers free seminars across the country including live hacking demonstrations to help small and medium sized businesses educate their staff to become better equipped to protect company data.
The most common types of social engineering attacks are...
As a Certified Ethical Hacker and founder of PPL HACK, I have done numerous intrusion attempts, and social engineering is both the most fun and most common vector of attack on a company's data. Phishing email, by far, is the number one method, where a company is flooded with email that looks legitimate, but gets you to click a link, open a file, or install a program that has nefarious intent. You'll also find cloned and faked websites meant to steal your login or financial information for later use. In some cases, your computer is attacked just because it can be used as a bot in a larger network that can do many things. Botnets to attack sites are common, but what is becoming even more common is hijacking your computer's power to work in a larger network mining Bitcoin and other Alt-Coins for the financial gain of others.
Another of the more common attacks is a wireless man in the middle. That is where a wireless access point that is under the control of a hacker is placed within your environment so that all of your login and data traffic is funneled through a control point that can be logged and accessed. Using public/open WiFi at hotels, coffee houses, etc. also puts your data in a precarious situation. How to stop these attacks is an ongoing question, but there are steps you can use to mitigate them. Don't use the same passwords over and over again. Use pass phrases such as I W3nt to h@wa11 4 phun instead of words that can be guessed with dictionary attacks. VPNs, and not the free ones that are often a scam of their own, should be used on any wireless device used on a network outside of your control. When using a VPN properly, the data between you and the websites you visit is encrypted from prying eyes.
OREN KEDEM@BioCatch
Oren Kedem brings over 15 years of experience in product management in the areas of Web Fraud Detection and Enterprise Security. Prior to BioCatch, Oren served as Director of Product Marketing at Trusteer (now part of IBM) and led the Anti-fraud e-commerce solution at RSA (now part of EMC). Oren also served at various product marketing and management positions at BMC covering the Identity and Access Management and Systems Management solutions. Oren holds an MBA and BSc in Industrial Engineering from the Israeli Institute of Technology (Technion).
The most common attacks on organizations are...
Referred to as Advanced Persistent Threats (APT). These attacks have two main phases: Reconnaissance and Attack. Social engineering plays a role in both. In the Attack Phase, detailed organizational, business, and internal process data is used to convince employees to perform an action aimed at exfiltrating sensitive documents, or performing an action (e.g. approve a transaction in an internal system).
Attacks use simple communication vehicles such as phone calls and email messages that seem to come from a trusted source — for example a call from the bank or an email from a customer or partner. During this communication, employees are asked to perform actions that are within the norm of the business life (e.g., can you please approve this transaction?, can you please send me the contract for signing?).
These attacks are highly effective if the criminal has done his homework and has all the relevant information. Where do criminals get the information in the first place? Well...this is where the Reconnaissance Phase comes into play. At this phase, which may take anywhere from several months to a year (hence the Persistent in APT) the criminal typically infects a few organizational computers with spyware and patiently sifts information and access credentials.
Social engineering is used to convince employees to install malicious software or open a webpage or document embedded with harmful exploit code (i.e., code that knows to install software automatically). In one infamous case — the RSA breach — an HR admin opened an Excel sheet that was attached to an email (supposedly with HR related stats) and infected her computer with malware. A few months later, code was stolen from RSA and, later, that code was used to attack Lockheed Martin in combination with other social engineering phone calls and emails.
So what can organizations do?
Educate employees to follow a few simple rules:
Rule #1: NEVER respond to unsolicited communications (email/phone) without verifying the identity of the person on the other side. The simple way to verify is to tell the person you will call them back on a verified phone.
Rule #2: NEVER open an attachment or access a site from an un-trusted / invalidated source. Many organizations have set up departmental unsafe computers for access to any document or site (either physical or as a remote VM). These computers are wiped out frequently and should never store sensitive data.
Rule #3: Change password and access frequently (every few months) and sporadically (do not have predictability on when passwords change as to not help fraudsters plan ahead).
Rule #4: Education, Education, Education. Share 'war stories' and industry experience with employees. They can't be cautious if they are not aware of the threats.
ROBERTO RODRIGUEZ@HumanFirewalls
Roberto A. Rodriguez is the Head HumanFirewall at HumanFirewalls LLC. HumanFirewalls is an organization located in Delaware that prides itself on offering top of the line Security Services such as Security Awareness, Threat Intelligence, Network Security Monitoring, Compliance Management, Vulnerability Management, and Integrity Controls. Humanfirewalls understands that small/midsized companies rarely have the in-house expertise, the time, or the budget to implement the right security controls that could protect their organizations from threats that are now capable of avoiding detection and bypassing traditional security controls.
The most common social engineering attacks made on companies are...
Phishing & Spear Phishing
A Phishing email is a crafted email that pretends to be from a known trusted source and that could trick the user to download an attachment, click on a malicious link, or simply cooperate to provide sensitive information such as your passwords. These emails, for example, can be sent to an entire organization without targeting specific people in the company. Spear Phishing emails, on the other hand, are emails that are crafted specifically for a few people in an organization that could have valuable information for an attacker.
Phishing, in general, has been used a lot for the past couple of years by cyber criminals to break into an organization. Ranked #3 on the Verizon Report in 2014, it was made clear that cyber criminals are focusing more on the human factor instead of the technology in place. This is because it is not expensive to craft a phishing email. There are open source tools such as SET (Social Engineering Toolkit) that could help an attacker to circumvent high-end technology. Spam filters are great, but they end up being a fundamental layer of security to an organization if the attacker knows how to trick the user into cooperating without making him or her click on a link. One perfect example would be receiving an email from your bank asking you to call a number provided in the email to change your ATM PIN. The cyber criminal provides a number where he is waiting to forward the communication to the real bank, while mirroring/capturing/sniffing the traffic or conversation, because the user trusted the number in the email.
How to prevent it?
Companies must approach security with proactive security controls addressing the human factor. Security Awareness Training programs are really helpful to reduce the risk of getting compromised and increase the level of awareness in the organization.
Vishing (Voice and Phishing)
This social-based attack tricks the user over the phone to reveal sensitive information regarding the organization. This one is very common in customer service departments, where they try to satisfy the customer over the phone and end up providing information that could be used to break into the network. Information varies and could include names of possible targets, hours of operations, financial or personal information, and even password resets.
How to prevent it?
Extensive Security Awareness Training to ensure the user understands what type of information they are allowed to reveal. Also, different technologies in place such as NAC solutions that limit the access to data that cannot be shared without authorization.
Tailgating or Piggybacking
This is a social-based attack that involves an attacker without authorized access and an employee with a low level of awareness. The way it works is by having the unaware user cooperate and provide the unauthorized person access to a restricted area. This is common in many organizations, because there are always people such as delivery guys from different institutions dropping packages and interacting with unaware users, creating a level of comfort and making it a routine. Once again, technology such as swiping cards to get into elevators or open doors in big organizations does not always work, and this is because all it takes is, "I forgot my badge, and I am late for a meeting. Would you mind?" to trick the user and gain access.
How to prevent it?
Once again, Security Awareness Training, where the user learns the different security policies in place by the organization and is able to identify certain behaviors that might have put their organization at risk in the past.
JAYSON STREET@JaysonStreet
Jayson is an Infosec Ranger at Pwnie Express, a well known conference speaker, and author of the book “Dissecting the hack: The F0rb1dd3n Network.” Pwnie Express provides continuous visibility throughout the wired/wireless/RF spectrum, across all physical locations including remote sites and branch offices, detecting “known-bad,” unauthorized, vulnerable, and suspicious devices.
Here’s a look at some of the most common social engineering attacks...
A common solution to all lies in enhanced awareness and employee training. Companies need to include security practices as part of their job descriptions and properly train employees to think critically and react appropriately to suspicious activities. How to mitigate attacks:
1. Spearphishing: Contrary to popular belief, today’s spearphishing attacks are highly calculated and carefully crafted to be relevant and un-alarming to the user. It’s not as easy as most people think to spot a spoof, so employees must be trained to question and validate unprompted links by calling the sender, sending a separate follow-up email or checking via services such as https://www.virustotal.com/.
2. The Rogue Technician: Under the guise of technicians or delivery people, stealthy social engineers walk right into organizations and can physically compromise the network. Employees should heed basic “stranger danger” trainings and ensure anyone who enters the building has an appointment or pre-established purpose.
3. Malicious Websites: Often, malicious websites are disguised as corporate or partner sites, and will prompt visitors to update Java/Adobe or install a specific plug-in. Users should always close the browser and open a new one to directly update Java or Adobe from their official sites. If users are prompted for a specific program or missing plug-in, they should close the browser and send an email to the website asking about the specific configuration issue.
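Several of the contributors above make the same technical point from different angles: Elvis Moreland's countermeasure 4 (an SMTP gateway that tags questionable mail), Roberto Rodriguez's description of phishing mail that "pretends to be from a known trusted source", and Jayson Street's advice to validate unprompted links before trusting them. The following is an added example, not code from the article or from any of the contributors' companies, showing the kind of lightweight header and link checks a mail gateway or triage script can apply to a single inbound message. The sample messages, the `corp.example` trusted domain and the lookalike domains are all constructed for the example; a real deployment would pull the trusted-domain list from configuration and feed findings into a tagging or quarantine decision.

```python
"""Phishing-indicator checks for one inbound email (added example, not from the article)."""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains this organisation genuinely sends from (assumption for the example).
TRUSTED_DOMAINS = {"corp.example"}

# Constructed sample: the display name smuggles a corporate address, the real
# sender and Reply-To are lookalike domains, and the link text misrepresents
# where the href actually points.
SUSPICIOUS_EMAIL = """\
From: "it-security@corp.example" <alerts@corp-example.net>
Reply-To: helpdesk@mail-corp.example
To: alice@corp.example
Subject: Urgent: password expiry
Content-Type: text/html; charset="utf-8"

<html><body><p>Your password expires today. Reset it here:
<a href="http://corp.example.reset-portal.net/login">https://sso.corp.example/reset</a></p>
</body></html>
"""

# Constructed sample of a benign internal message for comparison.
CLEAN_EMAIL = """\
From: "IT Security" <it-security@corp.example>
To: alice@corp.example
Subject: Reminder
Content-Type: text/html; charset="utf-8"

<html><body><p><a href="https://sso.corp.example/reset">https://sso.corp.example/reset</a></p></body></html>
"""


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _norm(domain: str) -> str:
    # Strip punctuation so "corp-example.net" and "corp.example" compare as the same letters.
    return re.sub(r"[^a-z0-9]", "", domain.lower())


def is_lookalike(host: str, trusted=TRUSTED_DOMAINS) -> bool:
    """True if host imitates a trusted domain without being it or a real subdomain of it."""
    host = host.lower()
    if host in trusted:
        return False
    for t in trusted:
        if host.endswith("." + t):      # genuine subdomain, e.g. sso.corp.example
            return False
        if host.startswith(t + "."):    # trusted name used as a subdomain of someone else's domain
            return True
        if _norm(t) in _norm(host):     # hyphen/TLD variants of the trusted name
            return True
    return False


def _collect_anchors(msg: Message):
    anchors = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            html = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
            parser = _AnchorCollector()
            parser.feed(html)
            anchors.extend(parser.anchors)
    return anchors


def analyze_email(raw: str, trusted=TRUSTED_DOMAINS):
    """Return a list of (finding_code, detail) tuples; an empty list means no indicator fired."""
    msg = message_from_string(raw)
    findings = []
    display, sender = parseaddr(msg.get("From", ""))
    sender_dom = _domain(sender)
    # 1. Display name contains an address whose domain differs from the actual sender.
    smuggled = re.search(r"[\w.+-]+@([\w.-]+)", display)
    if smuggled and smuggled.group(1).lower() != sender_dom:
        findings.append(("display-name-address-mismatch", f"{smuggled.group(0)} vs {sender}"))
    # 2. Sender domain imitates a trusted domain.
    if sender_dom and is_lookalike(sender_dom, trusted):
        findings.append(("lookalike-sender-domain", sender_dom))
    # 3. Replies are routed to a different domain than the one that appears to have sent the mail.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != sender_dom:
        findings.append(("reply-to-domain-mismatch", f"{sender_dom} -> {_domain(reply_to)}"))
    # 4. Links whose visible text names one host while the href goes to another, or to a lookalike.
    for href, text in _collect_anchors(msg):
        href_host = urlparse(href).hostname or ""
        text_host = urlparse(text).hostname if text.lower().startswith(("http://", "https://")) else None
        if text_host and text_host != href_host:
            findings.append(("link-text-target-mismatch", f"{text_host} -> {href_host}"))
        if href_host and is_lookalike(href_host, trusted):
            findings.append(("lookalike-link-host", href_host))
    return findings


if __name__ == "__main__":
    for code, detail in analyze_email(SUSPICIOUS_EMAIL):
        print(f"{code}: {detail}")
```

None of these checks proves a message is malicious on its own; the point of the gateway approach in Moreland's countermeasure 4 is to tag such mail so that the "when in doubt, double check" habit the contributors recommend is triggered before anyone clicks. Real attackers also send from genuinely compromised trusted accounts, in which case every check here passes and only the process controls (call back on a known number, verify out of band) remain.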
PATRICIA TITUS@RUSecur
With over 20 years of security management in several vertical markets, Patricia Titus has been responsible for designing and implementing robust information security programs, ensuring the continued protection of sensitive corporate, customer and personal information in her various positions.
Most recently, Titus served as the Vice President and Chief Information Security Officer at Freddie Mac and played a strategic role in the protection and integrity of Freddie Mac's information assets while transforming the information security program including the identity and access management program. Titus is also a member of the Visual Privacy Advisory Council.
While several technical solutions are available to prevent social engineering attacks, the weakest link is often...
The human. Only through rigorous training, education, and testing can you achieve a successful defense to this growing problem.
Common digital social engineering techniques are ones that trick or con our employees into providing information that leads to information reconnaissance, gaining access to systems, or criminal behavior including fraud.
To prevent social engineering attacks, start by addressing people, process, and technology, and taking the following steps into consideration:
People
- Develop and establish a targeted security awareness program centered on social engineering. Make it interesting and interactive.
- Create a social engineering security awareness marketing campaign within the company to help employees understand how the company is addressing the issue. Educate employees, partners, vendors, etc. about the threat and their responsibility to prevent it.
- Establish a framework and program of high trust or privileged employees.
- These employees are allowed to handle the most sensitive information.
- They have heightened training and testing.
- The company performs enhanced background screening on regular intervals, including random drug testing and credit checking.
- Identify your critical data or data that would cause the greatest harm if exposed to social engineering. Enlist a third party to perform a risk assessment to determine any possible security gaps.
- Establish handling guidelines or policies for the critical data.
- Report to the executive level or possibly board on the results of your social engineering tests both positive and negative.
- Perform random and scheduled tests against all employees using social engineering techniques.
The technology selection is very diverse and specific to the data you need to protect from social engineering. It can involve the following technology programs or projects, but is not limited to these:
- Identity and access management
- Security incident and event management system
- Non-signature based malware technology
- Proxy blocking, both whitelisting and blacklisting
- Inbound and outbound communication monitoring
GREG SCOTT@DGregScott
Greg Scott is a veteran of the tumultuous IT industry. After working as a consultant at Digital Equipment Corporation, a large computer company in its day, Scott branched out on his own in 1994 and started Scott Consulting. A larger firm bought Scott Consulting in 1999, just as the dot-com bust devastated the IT Service industry. Scott went out on his own again in late 1999 and started Infrasupport Corporation, this time with a laser focus on infrastructure and security. He currently lives in the Minneapolis/St. Paul metro area with wife, daughter, and two grandchildren. He holds several IT industry certifications, including CISSP number 358671.
Far and away, the most common social engineering attacks I've seen are...
Phishing emails. I must get 200 or more of them every single day. Every time I participate in another tech support forum, somebody must sell my email address to a new spammer/phisher. The most common of these lately are emails claiming to come from Amazon asking me to open a .zip or .doc file with the latest update. I get several asking for a tracking number for goods I allegedly shipped. Sometimes demanding them — just click on this document for the invoice I supposedly sent. Sometimes the first names in the emails match first names of people I know, so they social engineer me into opening the emails. But not the attachments.
Old-fashioned phone calls are making a comeback. Some of the bad guys these days have IP phones with callerID numbers in my area code, which entices me to answer when they call. I took one this morning from a lady with a thick accent. She wanted to send my $100 gift card that I requested last week from somebody. When I asked who was the somebody, she said she didn't know, that her company fulfills orders from many customers and she had no way to know which customer this was. I told her no thanks.
And then there's always the fake tech support phone calls.
How to defend against it? Nothing I can do about the emails that come in. Spam filtering gets rid of some of it, but there's no substitute for good human judgment and no automation will be 100 percent effective. Whenever I think the email might be legit, I check the email header to see if it came from where it claimed to come from. The absolute best defense against this is old-fashioned, human vigilance. The same holds true for phone schemes.
ONDREJ KREHEL@lifarsllc
Ondrej Krehel, CISSP, CEH, CEI, EnCE, is the founder and principal of LIFARS LLC, an international cybersecurity and digital forensics firm. He's the former Chief Information Security Officer of Identity Theft 911, the nation's premier identity theft recovery and data breach management service. He previously conducted forensics investigations and managed the cyber security department at Stroz Friedberg and the Loews Corporation. With two decades of experience in computer security and digital forensics, he has launched investigations into a broad range of IT security matters, from hacker attacks to data breaches to intellectual property theft. His work has received attention from CNN, Reuters, The Wall Street Journal, and The New York Times, among many others.
Some of the common types of social engineering tactics include...
Phishing - a popular way of obtaining sensitive information and credentials from users by sending out mass emails that imitate the design and form of, for example, an email from a bank, car insurance provider, etc., in hopes of tricking users to give up information. This information can later be used to open fraudulent credit cards or gain access to various online accounts.
Spear Phishing - a more sophisticated form of phishing. Attackers behind spear phishing campaigns typically know more information about the victims and target them specifically. For example, in the recent case of the LastPass breach, email addresses were stolen (along with other information). These will likely be abused and the attackers will send out an email to the owners of those mailboxes that will resemble an official LastPass email that will recommend that users change their passwords, but when the users do so, they are in fact sending them to the cybercriminals. Similarly, spear phishing is one of the most effective ways to breach a network. Victims will usually receive a spoofed email from someone in the company with an important document, which will usually install malware or some type of Trojan that will be used to compromise their computer. This initial attack vector has proven itself extremely effective and is often used in high level cyberespionage campaigns.
Another form of social engineering commonly exploited are phone calls. This can happen as a part of a larger scam or as a standalone scam.
Part of a larger scam:
Imagine an individual's bank account credentials get stolen by hackers. They are going to be unable to send money without entering a unique code that gets sent to the victim's phone. Scammers have been known to contact the victim before wiring the money out of the account and tell them a lie in order to get the victim to share the unique code. They can say something such as: "Hi. We are seeing some suspicious activity on your account. In order to review the activity in question, we will need to verify that you are in fact the owner of the account. You'll be receiving a verification SMS shortly. Once you receive it, go ahead and read the code to me and we will proceed with the review." This is highly effective.
As a standalone scam:
You get a call from a person claiming to be a Microsoft tech support employee charged with contacting you about an error they are receiving from your computer. In order to fix the error, he will ask you to install one small program that he uses to diagnose the issue. This program will typically be malware, often with a keylogger and a Remote Access Trojan that they can abuse to steal your banking credentials, along with anything else they please. They will often also ask you to pay for the service via a credit card, and, sadly, many people fall for it. These are just a few examples of how social engineering in the digital realm can be used to commit crimes and victimize innocent people.
AMICHAI SHULMAN@Imperva
Amichai Shulman is the co-founder and CTO of Imperva. Amichai oversees the company's security and compliance research group, the Application Defense Center (ADC). The ADC has been credited with discovering vulnerabilities in commercial Web application and database products including Oracle, IBM, and Microsoft. He was also InfoWorld's CTO of the year in 2006.
When it comes to social engineering attacks, companies should understand...
Social engineering is one of the most powerful tools used by attackers and is probably at the very root of every major breach. There are a lot of misconceptions about how social engineering is mostly used, but the reality is far less glamorous than the perception, and often occurs over email.
Most of the cybercrime activity stems from massive infection campaigns that rely on mass scale social engineering. When distributed in large enough numbers, these messages are bound to find their target victim population and become effective. With some careful distribution (e.g. choosing addresses like [email protected], [email protected]), these campaigns become even more effective with smaller distribution lists (which also makes it harder to detect them as spam).
Here are two very common email techniques that I have received in the past few weeks alone:
1. Match email to target audience
It's not uncommon to receive emails that seem perfectly normal and may be from a company you worked with previously, but are, in fact, infected. For example, I received an email from a law firm I had done business with. I noticed that the recipient list included every single contact in the lawyer's list, and was able to tell that this was done via automation tools. I'm sure that others on the list were fooled as they were likely waiting for information from this very lawyer and didn't suspect they were under attack. By making your emails look legitimate and relevant, many people wouldn't think twice about the email received.
2. Spoofing
I was recently sent an email from a travel agency that I had booked a trip with, and was sent a standard email from a separate account that was impersonating the sender's address. I would guess that the majority of people would fall prey to this attack, as the email looks like it came from a trusted address. In this case, attackers often get the information from their victim simply from a reply. What can we do?
While employee education is a necessity, infection is inevitable. Links will be clicked and attachments will be downloaded, opened, and executed because that is the job of the average employee. Organizations should focus on building a security suite that is fast in detecting a compromised machine or account, and then quickly and automatically apply a quarantine to whatever has been compromised, preventing further access to sensitive enterprise data.
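Greg Scott's habit above of checking the header to see whether a message came from where it claims, and the impersonated travel-agency sender Amichai Shulman describes, both come down to the same comparison: does the visible From: address agree with the envelope sender, the Reply-To and the SPF/DKIM results that your own mail server recorded? The Python below is an added example, not code from either contributor or from any product; the two messages it inspects are constructed for illustration and every domain and address in them is a placeholder.

```python
"""Compare a message's visible From: with its envelope and authentication
headers.  Added example with constructed sample messages; the domains are
placeholders, not real senders."""
import email
import re
from email.utils import parseaddr

# Constructed sample: From: claims a trusted travel agency, but the envelope
# sender, the Reply-To and the SPF/DKIM verdicts all point elsewhere.
SAMPLE_SPOOFED = """\
Return-Path: <bounce@mail-relay-service.example>
Received: from mail-relay-service.example (203.0.113.45) by mx.corp.example
Authentication-Results: mx.corp.example;
  spf=pass smtp.mailfrom=mail-relay-service.example;
  dkim=fail header.d=travelagency.example
From: "Travel Agency" <bookings@travelagency.example>
Reply-To: bookings@travelagency-support.example
To: victim@corp.example
Subject: Your itinerary has changed

Please reply with your passport number to confirm.
"""

# Constructed sample: the same visible sender, this time corroborated.
SAMPLE_LEGIT = """\
Return-Path: <bookings@travelagency.example>
Received: from mail.travelagency.example (198.51.100.7) by mx.corp.example
Authentication-Results: mx.corp.example;
  spf=pass smtp.mailfrom=travelagency.example;
  dkim=pass header.d=travelagency.example
From: "Travel Agency" <bookings@travelagency.example>
To: victim@corp.example
Subject: Your itinerary

See attached.
"""


def _domain(value) -> str:
    """Lower-cased domain of an address header value ('' if none)."""
    _, address = parseaddr(value or "")
    return address.rpartition("@")[2].lower()


def _auth_results(msg) -> dict:
    """Extract (verdict, domain) for spf and dkim from Authentication-Results.
    The header is folded across lines, so it is flattened first."""
    flat = " ".join((msg.get("Authentication-Results") or "").split())
    results = {}
    for method, attr in (("spf", "smtp.mailfrom"), ("dkim", "header.d")):
        m = re.search(rf"{method}=(\w+)(?:.*?{re.escape(attr)}=([\w.-]+))?", flat)
        if m:
            results[method] = (m.group(1).lower(), (m.group(2) or "").lower())
    return results


def check_sender(raw: str) -> list:
    """Return findings that undermine the visible From:; an empty list means
    envelope sender, Reply-To and SPF/DKIM all corroborate it."""
    msg = email.message_from_string(raw)
    from_dom = _domain(msg.get("From"))
    if not from_dom:
        return ["no parseable From: address"]
    findings = []
    ret_dom = _domain(msg.get("Return-Path"))
    if ret_dom and ret_dom != from_dom:
        findings.append(f"Return-Path domain {ret_dom} differs from From domain {from_dom}")
    reply_dom = _domain(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    auth = _auth_results(msg)
    verdict, dom = auth.get("dkim", ("none", ""))
    if verdict != "pass" or dom != from_dom:
        findings.append(f"no passing DKIM signature for {from_dom} (dkim={verdict}, d={dom or '-'})")
    verdict, dom = auth.get("spf", ("none", ""))
    if verdict == "pass" and dom != from_dom:
        findings.append(f"SPF passed for {dom}, not for the From domain {from_dom}")
    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed", SAMPLE_SPOOFED), ("legit", SAMPLE_LEGIT)):
        print(label, check_sender(raw) or ["sender corroborated"])
```

Two caveats when using this on real mail: an Authentication-Results header is only trustworthy if your own MX wrote it (RFC 8601 tells receivers to strip copies that arrived from outside, and anything the sender can forge should be ignored), and a Return-Path that differs from From: is normal for mailing lists and bulk senders. Treat a non-empty findings list as the trigger for the out-of-band phone call the contributors recommend, not as a verdict on its own.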
KEN SIMPSON@ttul
Ken Simpson is Co-founder and CEO of MailChannels. Ken first experienced the excitement and magic of software when his father brought home one of the first IBM PCs in 1980, teaching him how to write simple programs in BASIC. Since then, he has combined his passion for software with entrepreneurism, founding or participating as an early-stage employee in four successful startups in a broad range of technical areas including Voice-over-IP, Wireless Internet, and of course anti-spam. Ken has a First Class Honors degree in Computer Engineering from Simon Fraser University and Santa Clara University. At the Messaging Anti-Abuse Working Group (MAAWG), Ken splits his time running the botnet and web abuse sub-committees, as well as assisting in the work of the outbound abuse sub-committee.
Social engineering is generally used to...
Widen an already existing breach of information. So for example, an attacker may have certain information about the employees within a company, and he uses that information to learn something new — for instance, a password to an internal system. There is a misconception that social engineering is a one-shot deal: a single faked call from the cable company, and suddenly millions of credit card numbers are stolen. Professional cybercriminals extract one piece at a time, slowly earning their way in deeper to the organization.
For example, RSA was famously hacked via social engineering to gain access to the SecurID infrastructure. The first step was to email two phishing messages to two groups of relatively low level employees. The subject was Recruiting 2011, and the messages contained an Excel file carrying malware that executed a zero-day attack against the employees' machines. Despite the Excel file being junk-foldered, at least one employee fetched it from junk and opened it, executing the malware and compromising their machine. Prior to the phishing messages, it's presumed that the attacker used social media such as LinkedIn to map the company's targets by name, and that they guessed the email addresses using a familiar pattern such as [email protected]. Once the malware was installed, the attacker perused files on the target system and accessed internal RSA web sites to determine higher value targets. With that information in hand, they moved toward the higher value targets and eventually to the data they were seeking.
Generally speaking, the most common social engineering attack these days is a spear phishing attack. In spear phishing — such as the RSA case outlined above — the attacker targets very specific employees with a message that they are likely to interpret as being genuine. The spear phishing message either earns a response containing information that allows the attacker to probe deeper, or directly results in malware installation. Either way, the next step is to proceed farther into the organization either electronically via vulnerabilities or via additional spear phishing emails to others in the organization located via internal directories.
KURT SIMIONE@TechnologySeed
Kurt started Technology Seed, LLC in June, 2000. Kurt is involved in most aspects of the business, including the "roll-up-your-sleeves" work. At his core, he's a troubleshooter and enjoys the challenges that IT work brings. Kurt's been known to catch a Bruins game with his kids from time to time.
The most common types of social engineering attacks carried out against companies include...
Email scams, while nothing new, are evolving from random email blasts to hundreds of thousands of targets into targeted, deliberate email scam attacks. Email scammers are cleverly using social engineering as follows:
1. Research and select a target company.
a. This is a significant change from historical attacks which were random.
2. Purchase the required tools of the attack (almost identical domain name as the target company).
a. This is a significant change, in that this attack actually costs the scammer money.
3. Select the appropriate executives of the target company.
4. Devise the scam, which usually involves a well-written email meant to exploit the trust of C-level executives who are too busy to properly vet their emails.
In the I.T. world, we find that no matter what steps we take, no matter what technology we implement, end-user training is the best protection against these types (and most types) of scams. Raise an eyebrow to anything that looks odd, just doesn't feel right or that you weren't expecting. If you're unsure, pick up the phone and call a trusted resource.
LUIS A. CHAPETTI@CudaSecurity
Luis A. Chapetti, Software Engineer and Data Scientist, Barracuda. Luis is part of the Barracuda Central Intelligence Team where he wears various hats handling IP reputation systems, Spydef databases, and other top security stuff on the Barracuda Real-time protection system.
When it comes to social engineering and preventing these types of attacks against your company, I recommend...
Once upon a time, hackers and spammers relied on blasting spam/phishing emails to as many eyes as possible to gain access to sensitive information via malicious attachments or links. The spam/phishing attempts have evolved to become extremely specific and, effectively, the most advanced persistent threats seen to date. Using social media tactics to find just about anyone, attackers have gotten great at personalizing phishing emails.
LinkedIn has provided a wealth of information about employees at just about any company. Facebook can assist the attacker by not only finding the C-level executives, but family members who may have access to a mobile device or machines that are connected to the network.
These are two commonly used elements in social engineering, to be safe we recommend the following:
- Use a mobile device management system that carries the same strong level of security you would expect to see at your headquarters, everywhere you go.
- Segment the level of access. Be sure that the only people that have access to sensitive data, have specific credentials to that data.
- Use a powerful email filter. Almost all successful attacks gain some kind of information or infect machines this way.
- LinkedIn and Facebook should be used to connect to only those you know or do business with. Treat it as such and remember it is not a popularity contest, this could prove costly in the end.
- Educate your employees and be sure they are aware of the potential risk of these types of social engineering attacks. The more they know, the better off your employees and company will be.
NATHAN MAXWELL@CCI_team
Nathan Maxwell is a cyber security consultant helping organizations assess/mitigate risk, and make themselves a little harder to compromise than the company next door.
Social engineering continues to be a highly pervasive way for attackers to establish a foothold in an organization...
The weakest link in a company is still the employees that work there.
Attack methods are as common as they are boring. Sometimes, they leverage data harvested from massive corporate information breaches. These emails are crafted to resonate with the recipient. To have a degree of validity: 'They already know this about me...'
Creative emails will substitute a capital I for a lower case l. They will use international characters, e.g., é vs è vs ė vs e. All designed to trick the recipient as to who actually sent the email.
While there are a few ways to use technology to protect against social engineering, the most effective is employee training. Simple directions like, 'Don't click links,' go a long way. If the email appears to be from Dropbox, delete the message, open a browser tab, enter www.dropbox.com and interact with the website accordingly.
Additionally, using an email service that checks every web address as you click it is a great stop-gap solution.
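Kurt Simione's scammer who buys an almost identical domain name, and the capital-I-for-lowercase-l and é/è/ė/e substitutions Nathan Maxwell describes just above, are both look-alike domain attacks, and they can be caught mechanically by reducing a domain to its visual skeleton before comparing it with the domains you actually do business with. The Python below is an added example, not code from either contributor; the trusted-domain list is an assumption for illustration, the confusables table is deliberately tiny, and the punycode sample is built inside the block rather than taken from any real campaign.

```python
"""Flag sender domains that imitate trusted ones by homoglyphs, punycode or
a one-character edit.  Added example; the trusted list is an assumption."""
import unicodedata

# Assumed allow-list for the example; a real one comes from your vendor/partner inventory.
TRUSTED_DOMAINS = ["dropbox.com", "travelagency.example", "corp.example"]

# Characters that render like a Latin letter.  Deliberately small; a real
# deployment should use the Unicode confusables table (UTS #39).
CONFUSABLES = {
    "а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "х": "x", "у": "y",
    "і": "i", "ј": "j", "ѕ": "s", "һ": "h",        # Cyrillic
    "α": "a", "ο": "o", "ν": "v", "ρ": "p",        # Greek
    "0": "o", "1": "l", "|": "l", "ı": "i",        # digits, bar, dotless i
}
# Letter pairs that read as one letter in common sans-serif fonts.
SEQUENCES = (("rn", "m"), ("vv", "w"))


def _decode_idna(domain: str) -> str:
    """Turn punycode labels (xn--...) back into the Unicode the user sees."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already Unicode, or malformed punycode: inspect as-is


def skeleton(domain: str) -> str:
    """Visual skeleton: strip accents, map confusables, collapse letter pairs."""
    out = []
    for ch in unicodedata.normalize("NFKD", _decode_idna(domain)):
        if unicodedata.combining(ch):
            continue                      # é, è, ė all collapse to e
        if ch == "I":
            out.append("l")               # capital I standing in for lowercase l
            continue
        ch = ch.lower()
        out.append(CONFUSABLES.get(ch, ch))
    s = "".join(out)
    for pair, single in SEQUENCES:
        s = s.replace(pair, single)
    return s


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str):
    """Return (verdict, trusted_domain): 'trusted', 'homoglyph' (identical
    skeleton), 'near-match' (one edit away) or 'unrelated'."""
    domain = domain.strip()
    if domain.lower() in TRUSTED_DOMAINS:
        return "trusted", domain.lower()
    sk = skeleton(domain)          # case is handled inside, so the I/l trick survives
    for trusted in TRUSTED_DOMAINS:
        if sk == skeleton(trusted):
            return "homoglyph", trusted
    for trusted in TRUSTED_DOMAINS:
        if levenshtein(sk, skeleton(trusted)) <= 1:
            return "near-match", trusted
    return "unrelated", None


# Constructed sample: dropbox.com with the first o replaced by Cyrillic о (U+043E),
# IDNA-encoded the way it appears in an SMTP envelope.
PUNYCODE_SAMPLE = "dr\u043epbox.com".encode("idna").decode("ascii")

if __name__ == "__main__":
    for d in ("dropbox.com", "dr0pbox.com", "traveIagency.example",
              PUNYCODE_SAMPLE, "corp.exarnple", "dropbox.co", "amazon.com"):
        print(f"{d:32} {classify(d)}")
```

The skeleton comparison only says "this looks like a domain you trust"; it does not say the message is malicious, and the one-edit threshold will fire on legitimately similar short domains. Run it on the domain of the From: address and on every link host in the body, and use a homoglyph or near-match hit as the reason to delete the message and type the real address into a fresh browser tab, as the advice above suggests.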
KAMYAR SHAH@kshahwork
Kamyar Shah is a small business advisor helping companies increase profitability and productivity, offering remote CMO and remote COO services.
There are simply too many different ways to name them all; however, the most successful social engineering attacks have a couple of things in common...
The origin is usually an authoritative venue such as a bank or government, and the creation of a sense of urgency either via potential benefits or potential harm/penalties.
Though there are several sophisticated tools that can aid in minimizing the impact of such attacks, the two most effective ones include education and backup. Continuous education and training of end users will aid in the reduction of overall successful attacks, and the backup will serve as insurance in case an attack is successful.
IAN MACRAE@encomputers
Ian MacRae is the President of E-N Computers, Inc. Ian has been passionate about technology his entire life. He has been providing IT services in Washington DC and Virginia since 1997. He enjoys problem solving, knowing what is possible, and combining the right mix of people, process, and technology to make life a little easier.
I see three categories of social engineering attacks...
1. A direct ask for money or credit card information in electronic form.
Avoiding this might be trickier than you think. It's good to remember that if someone is asking you to give information or send an electronic form of money, and it's a bit out of the ordinary, to slow down and check with them using a secondary method. For example, if you get an e-mail from the boss asking for Apple iTunes gift certificate codes to be purchased and e-mailed to him, call him on his cell phone and do a voice verification before completing the request.
2. Asking for access to your accounts or passwords, which is usually done by clicking on a link and taking you to a website, which will ask for your information.
I see a lot of this preying on new users, posing as popular web-based systems such as Dropbox or Office 365. Although those systems are not insecure, the bad guys use their logos and prey on users who are not completely familiar with what to expect from new technologies yet. For example, an email will come in saying you have a new Office 365 fax, and if you click on the link, what they might really want is your password or access to install software on your computers. Once access and information is granted, the bad guys can get into other credentials such as access to bank accounts, business information, and credit card information which you might work with regularly online.
3. Being held ransom.
You might receive an email saying: "We have your password and a compromising video of you, pay us or else." There are a lot of ways to help prevent any of this from happening to you. First, when you get a new software or system, you need to be trained and not just on how to use it the first time. The training needs to be continual. Education is the best way to keep these criminals from playing into the fear of technology. For example, one of the measures we've used is phishing simulators to help people recognize malicious attempts.
For businesses, another way of preventing it is open lines of communication with your IT help desk, if you have one. We've found that if you don't, and you have a provider on an hourly fee, it might stop users from picking up the phone. That communication is paramount in fighting social engineering attacks. Your employees need to feel comfortable picking up the phone and asking about an odd email or text message. Also, of course, businesses need good password controls and security.
ADNAN RAJA@AtlanticNet
Adnan Raja is the Vice President of Marketing for Atlantic.Net, a web hosting solution that provides HIPAA-Compliant, Managed, and Dedicated Cloud hosting.
Social engineering attacks are very prevalent in today's digital workplace...
At its essence, company personnel are targeted and often tricked into giving out confidential information inadvertently. This is often via email or phone. Targets can be anyone from the CEO to helpdesk colleagues.
Common attacks include phishing, which is when a third party attempts to impersonate a genuine source and send fraudulent communications with the aim of extracting confidential data. A common example is impersonating banks, insurance brokers or legal firms. Phishing emails are disguised within genuine looking company branding publishing fake company announcements.
Another common attack is a derivative of phishing known as whaling. This is when higher-ranking executive personnel, such as the CEO, directors, or high-profile staff are being targeted to extract information. Hackers often prey on people with high churn email accounts when the accidental opening of fake attachments is more likely. Threats such as fake invoices which contain malicious macro-code can embed into the computer and mine data or sensitive keystrokes.
Outsourcing IT operations to a provider who has a strong reputation for security is one option which can be considered to help prevent social engineering attacks. These managed service providers can offer a hardware protection layer to business IT systems as well as proactively monitor for suspicious activity and threat detection.
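The .zip and .doc "invoices" Greg Scott receives and the macro-laden fake invoices Adnan Raja describes can be triaged statically before anyone double-clicks them: a macro-enabled Office file is a zip container with a vbaProject.bin part, a legacy .doc or .xls is an OLE compound document, and an archive is where a double-extension executable hides. The Python below is an added example, not code from either contributor or from any managed service provider; every sample file it inspects is built in memory inside the block and none of them is real malware.

```python
"""Static triage of e-mail attachments: VBA parts in Office files, legacy OLE
containers, and executables behind double extensions or inside archives.
Added example; all sample files are constructed in memory."""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt container
EXEC_EXT = (".exe", ".scr", ".js", ".vbs", ".hta", ".bat", ".cmd", ".ps1", ".lnk", ".jar")
MACRO_FREE_EXT = (".docx", ".xlsx", ".pptx")       # these extensions must never carry VBA
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"


def inspect_attachment(filename: str, data: bytes) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    name = filename.lower()
    if name.endswith(EXEC_EXT):
        kind = ("executable hidden behind a double extension" if name.count(".") > 1
                else "executable attachment")
        findings.append(f"{kind}: {filename}")
    if data.startswith(OLE_MAGIC):
        findings.append(f"legacy OLE document {filename}: may carry VBA, parse with an OLE-aware tool")
    if data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members = zf.namelist()
                if "[Content_Types].xml" in members:           # Office Open XML
                    has_vba = (any(m.lower().endswith("vbaproject.bin") for m in members)
                               or VBA_CONTENT_TYPE in zf.read("[Content_Types].xml"))
                    if has_vba:
                        findings.append(f"VBA macro project present in {filename}")
                        if name.endswith(MACRO_FREE_EXT):
                            findings.append(f"macro content inside a macro-free extension: {filename}")
                else:                                           # plain archive
                    for m in members:
                        if m.lower().endswith(EXEC_EXT):
                            findings.append(f"archive {filename} contains executable {m}")
        except zipfile.BadZipFile:
            findings.append(f"{filename} has a zip signature but is not a valid archive")
    return findings


def _make_zip(members: dict) -> bytes:
    """Build an in-memory zip from {name: bytes}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples (minimal stand-ins for real documents, not malware).
CONTENT_TYPES_PLAIN = (b'<Types><Override PartName="/word/document.xml" '
                       b'ContentType="application/vnd.openxmlformats-officedocument.'
                       b'wordprocessingml.document.main+xml"/></Types>')
CONTENT_TYPES_MACRO = CONTENT_TYPES_PLAIN.replace(
    b"</Types>",
    b'<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/></Types>')
CLEAN_DOCX = _make_zip({"[Content_Types].xml": CONTENT_TYPES_PLAIN,
                        "word/document.xml": b"<w:document/>"})
MACRO_DOCM = _make_zip({"[Content_Types].xml": CONTENT_TYPES_MACRO,
                        "word/document.xml": b"<w:document/>",
                        "word/vbaProject.bin": b"\x00" * 32})
ZIP_WITH_EXE = _make_zip({"invoice.pdf.exe": b"MZ\x90\x00"})
LEGACY_DOC = OLE_MAGIC + b"\x00" * 24

if __name__ == "__main__":
    for fname, blob in (("report.docx", CLEAN_DOCX), ("invoice.docm", MACRO_DOCM),
                        ("invoice.docx", MACRO_DOCM), ("invoice.zip", ZIP_WITH_EXE),
                        ("invoice.doc", LEGACY_DOC), ("invoice.pdf.exe", b"MZ\x90\x00")):
        print(fname, inspect_attachment(fname, blob) or ["no findings"])
```

This is a gate, not a sandbox: it tells you that a file can run code, not what that code does, and it knows nothing about password-protected archives or macros tucked into OLE streams, which need an OLE parser. Its value is that it is cheap enough to run on every attachment at the mail gateway, so the "fake invoice" with a vbaProject.bin part never reaches the busy executive's inbox in the first place.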
BRANDON SCHROTH@gwdatarecovery
Brandon Schroth is the Digital Manager for Gillware Data Recovery, a world class data recovery company and digital forensics lab.
Helpdesk personnel might receive telephone calls from people spoofing for information...
Possibly password resets or attempts to gain access to confidential information, such as bank account information. A call center may be targeted when the hacker has some general information about a target, and they will use tenacity to extract additional information from the call center. Regular staff training is paramount for employees to learn social engineering attack techniques and ensure that they follow security best practice at all times.
ULADZISLAU MURASHKA@ScienceSoft
Uladzislau Murashka is a Certified Ethical Hacker at ScienceSoft with 6+ years of experience in penetration testing. Uladzislau's spheres of competence include reverse engineering, black box, white box and gray box penetration testing of web and mobile applications, bug hunting and research work in the area of Information Security.
Social engineering attacks like phishing emails and identity theft are the most common cyberthreats that companies face...
To be less susceptible to such attacks, companies should train their employees to use complex passwords and not to log in to third-party websites with corporate email addresses.
Tags: Social Engineering, Phishing
Top 100 Hacking Websites and Blogs for Hackers in 2020
1. Latest Hacking News (Jaipur, Rajasthan, India). Blog: latesthackingnews.com. About: This blog provides the latest hacking news, exploits and vulnerabilities for ethical hackers. The Hacking News And Tutorials has been internationally recognized as a leading source dedicated to promoting awareness for security experts and hackers. Frequency: 1 post / day.
Facebook fans 2.2M, Twitter followers 43.6K, Social Engagement 261, Domain Authority 52, Alexa Rank 114.7K.
2. The Hacker NewsBuffalo, New York, United StatesAbout Blog The Hacker News has been internationally recognized as a leading news source dedicated to promoting awareness for security experts and hackers. Frequency 1 post / dayAlso in Information Security Blogs Blog thehackernews.com+ Follow
Facebook fans 2M ⋅ Twitter followers 591.7K ⋅ Instagram Followers 97.1K ⋅ Social Engagement 4.5Kⓘ ⋅ Domain Authority 87ⓘ ⋅ Alexa Rank 17.6KⓘView Latest Posts⋅Get Email Contact
Follow on Feedspotⓘ
3. WeLiveSecurityBratislava, Bratislavsky Kraj, SlovakiaAbout Blog WeLiveSecurity is an IT security site covering the latest news, research, cyber threats and malware discoveries, with insights from ESET experts. Frequency 1 post / dayAlso in Cyber Security News Websites Blog welivesecurity.com+ Follow
Facebook fans 2.2M ⋅ Twitter followers 5.9K ⋅ Social Engagement 708ⓘ ⋅ Domain Authority 77ⓘ ⋅ Alexa Rank 43.4KⓘView Latest Posts⋅Get Email Contact
Follow on Feedspotⓘ
4. HackerOne - Bug Bounty, Vulnerability CoordinationSan Francisco, California, United StatesAbout Blog The world's leading bug bounty and vulnerability coordination platform. Bringing you an extensive network of ethical hackers and bug bounty programs, our platform streamlines vulnerability coordination to help improve your digital security. Frequency 1 post / day Blog hackerone.com/blog+ Follow
Facebook fans 39.4K ⋅ Twitter followers 121.5K ⋅ Social Engagement 27ⓘ ⋅ Domain Authority 83ⓘ ⋅ Alexa Rank 15.4KⓘView Latest Posts⋅Get Email Contact
Follow on Feedspotⓘ
5. Hacker NoonSan Francisco & Colorado, United StatesAbout Blog Hacker Noon is everything hackers need at noon. Frequency 15 posts / dayAlso in Technology Blogs Blog hackernoon.com+ Follow
Facebook fans 23.8K ⋅ Twitter followers 59.1K ⋅ Social Engagement 1ⓘ ⋅ Domain Authority 85ⓘ ⋅ Alexa Rank 14.1KⓘView Latest Posts⋅Get Email Contact
Follow on Feedspotⓘ
6. KitPloitAbout Blog Hacking and PenTest Tools for your Security Arsenal. Leading source of Security Tools, Hacking Tools, CyberSecurity and Network Security. Frequency 2 posts / day Blog kitploit.com+ Follow
Facebook fans 39.4K ⋅ Twitter followers 76.1K ⋅ Social Engagement 325ⓘ ⋅ Domain Authority 48ⓘ ⋅ Alexa Rank 113.7KⓘView Latest Posts⋅Get Email Contact
Follow on Feedspotⓘ
7. Extreme Hacking - Sadik ShaikhPune, Maharashtra, IndiaAbout Blog Extreme Hacking is a Research Institute for Ethical Hacking Training in India, providing certified training on Advanced Ethical Hacking and Computer Forensic. Frequency 2 posts / month Blog blog.extremehacking.org+ Follow
Facebook fans 22.6K ⋅ Twitter followers 1.1K ⋅ Social Engagement 5 ⋅ Domain Authority 23 ⋅ Alexa Rank 1.8MView Latest Posts⋅Get Email Contact
Follow on Feedspotⓘ
8. Reddit - HackingSan Francisco, California, United StatesAbout Blog A subreddit dedicated to hacking and hackers. What we are about: constructive collaboration and learning about exploits, industry standards, grey and white hat hacking, new hardware and software hacking technology, sharing ideas and suggestions for small business and personal security. Frequency 23 posts / day Blog reddit.com/r/hacking+ Follow
Facebook fans 1.5M ⋅ Twitter followers 728.1K ⋅ Social Engagement 58 ⋅ Domain Authority 91 ⋅ Alexa Rank 17View Latest Posts⋅Get Email Contact
Follow on Feedspotⓘ
9. KnowBe4 Security Awareness Training Blog
Location: Clearwater, Florida, United States
About Blog: KnowBe4's blog keeps you informed about the latest in security, including social engineering, ransomware and phishing attacks. KnowBe4 provides Security Awareness Training to help you manage the IT security problems of social engineering, spear phishing and ransomware attacks.
Frequency: 4 posts / day
Blog: blog.knowbe4.com
Facebook fans 3.3K ⋅ Twitter followers 10.1K ⋅ Social Engagement 8 ⋅ Domain Authority 62 ⋅ Alexa Rank 13.4K

10. GBHackers On Security
Location: Chennai, Tamil Nadu, India
About Blog: GBHackers offers Online Hacking News & updates, cybersecurity news and Technology updates: Web Application and Network Penetration Testing, SOC, IDS, IPS, SIEM, hacking courses, Ransomware, malware.
Frequency: 8 posts / week
Blog: gbhackers.com
Facebook fans 53.8K ⋅ Social Engagement 35 ⋅ Domain Authority 48 ⋅ Alexa Rank 65.8K

11. Black Hat
Location: San Francisco, California, United States
About Blog: The Black Hat Briefings are a series of highly technical information security conferences that bring together thought leaders from all facets of the infosec world, from the corporate and government sectors to academic and even underground researchers. Black Hat remains the best and biggest event of its kind, unique in its ability to define tomorrow's information security landscape.
Frequency: 2 videos / month
Since: Jul 2013
Also in: Cyber Security Youtube Channels
Blog: youtube.com/user/BlackHat..
Twitter followers 279.7K ⋅ Social Engagement 27 ⋅ Domain Authority 100

12. (ISC)2 Blog
Location: Clearwater, Florida, United States
About Blog: A place for (ISC)² leaders, members, and cybersecurity professionals to share knowledge and valuable insights that can benefit the information security industry, the people in it and the public at large.
Frequency: 1 post / week
Blog: blog.isc2.org/isc2_blog
Facebook fans 19.5K ⋅ Twitter followers 60.9K ⋅ Social Engagement 15 ⋅ Domain Authority 66 ⋅ Alexa Rank 47.1K

13. iTech Hacks
Location: Himachal Pradesh, India
About Blog: iTechHacks welcomes you to the premium brand-based blog of technology; we work hard and want to put you up to date before others. Here we share our best knowledge to satisfy your hunger and craze for technology. We hope you will get all the latest hacking tricks, tips & tricks about tech hacks, and security tricks to protect you from hacking attacks.
Frequency: 5 posts / week
Blog: itechhacks.com
Facebook fans 188.5K ⋅ Twitter followers 85 ⋅ Social Engagement 14 ⋅ Domain Authority 39 ⋅ Alexa Rank 60.2K

14. Detectify Blog | Go hack yourself!
Location: Stockholms Lan, Sweden
About Blog: Detectify is a Swedish web security company founded by a team of the world's best security researchers. Detectify continuously analyzes your web application from a hacker's perspective and reports back to you with security issues and descriptive reports. Let us monitor your security, so that you can focus on building great products.
Frequency: 1 post / week
Blog: blog.detectify.com
Facebook fans 2.3K ⋅ Twitter followers 7.5K ⋅ Domain Authority 59 ⋅ Alexa Rank 94.1K

15. Securelist | Information about Viruses, Hackers and Spam
Location: Moscow, Moskva, Russian Federation
About Blog: The resource for Kaspersky Lab experts' technical research, analysis, and thoughts. Online headquarters of Kaspersky Lab security experts.
Frequency: 1 post / day
Blog: securelist.com
Facebook fans 29.7K ⋅ Twitter followers 18.4K ⋅ Social Engagement 73 ⋅ Domain Authority 77 ⋅ Alexa Rank 101.6K

16. HackRead | Latest Cyber Crime - InfoSec - Tech - Hacking News
Location: Italy
About Blog: HackRead is a News Platform that centers on InfoSec, Cyber Crime, Privacy, Surveillance, and Hacking News with full-scale reviews on Social Media Platforms & Technology trends.
Frequency: 3 posts / day
Blog: hackread.com
Facebook fans 86.8K ⋅ Twitter followers 104K ⋅ Social Engagement 210 ⋅ Domain Authority 75 ⋅ Alexa Rank 113.2K

17. Major League Hacking News
Location: New York, United States
About Blog: Major League Hacking (MLH) is the official student hackathon league. Each year, we power over 200 weekend-long invention competitions that inspire innovation, cultivate communities and teach computer science skills to more than 65,000 students around the world. MLH is an engaged and passionate maker community, consisting of the next generation of technology leaders and entrepreneurs.
Frequency: 1 post / day
Blog: news.mlh.io/posts
Facebook fans 36.2K ⋅ Twitter followers 34K ⋅ Instagram Followers 4.2K ⋅ Social Engagement 56 ⋅ Domain Authority 55 ⋅ Alexa Rank 128K

18. KoDDoS Blog
Location: Holland
About Blog: KoDDoS Blog is an informative news blog that focuses on Hacking, Information Security, Cyber Crime, Privacy, Surveillance.
Frequency: 1 post / day
Blog: koddos.net/blog
Facebook fans 12 ⋅ Twitter followers 70 ⋅ Domain Authority 42 ⋅ Alexa Rank 137.1K

19. AndroidHackers
About Blog: We have the best Android hacks for your favorite games. All verified and working hack apps.
Frequency: 7 posts / week
Blog: androidhackers.net
Domain Authority 35 ⋅ Alexa Rank 178.6K

20. Hakin9 IT Security Magazine
Location: Poland
About Blog: Hakin9 is one of the biggest IT security magazines, published for 10 years. They have a database of 100 000 IT security specialists. Hakin9 magazine provides online visitors the exact information they need to stay up to date with the latest IT Security news and solutions and to learn what they can find on Hakin9's pages.
Frequency: 3 posts / week
Blog: hakin9.org/blog
Facebook fans 196.5K ⋅ Twitter followers 32K ⋅ Social Engagement 10 ⋅ Domain Authority 51 ⋅ Alexa Rank 217.4K

21. HackerCombat | Cyber Security and Hacking News
Location: United States
About Blog: Hacker Combat provides frequent updates on cyber attacks, hacking, and exclusive events. Explore the latest news and security stories from around the world.
Frequency: 2 posts / week
Blog: hackercombat.com
Facebook fans 13.8K ⋅ Twitter followers 7.1K ⋅ Social Engagement 4 ⋅ Domain Authority 40 ⋅ Alexa Rank 263.4K

22. Penetration Testing Lab
About Blog: PenTestLab was designed with the idea of helping ethical penetration testers to build their own private lab, to develop their skills in a safe environment and to learn existing and new exploitation techniques.
Frequency: 1 post / month
Since: Feb 2012
Also in: Pentest Blogs
Blog: pentestlab.blog
Facebook fans 10.8K ⋅ Twitter followers 16.5K ⋅ Social Engagement 401 ⋅ Domain Authority 40 ⋅ Alexa Rank 257.9K

23. Menlo Security Blog
Location: Menlo Park, California, United States
About Blog: Menlo Security delivers 100% safety via its isolation platform, eliminating malware & phishing attacks while delivering a seamless end-user experience.
Frequency: 1 post / day
Blog: menlosecurity.com/blog
Facebook fans 596 ⋅ Twitter followers 20K ⋅ Social Engagement 1 ⋅ Domain Authority 47 ⋅ Alexa Rank 212K

24. Synack Blog
Location: San Francisco, California, United States
About Blog: Synack is a security company revolutionizing how enterprises view cybersecurity: through a hacker's eyes. Synack's private, managed hacker-powered security solution arms clients with hundreds of the world's most skilled, highly vetted ethical hackers who provide a truly adversarial perspective to clients' IT environments.
Frequency: 6 posts / month
Blog: synack.com/blog
Facebook fans 2.4K ⋅ Twitter followers 20.6K ⋅ Instagram Followers 998 ⋅ Social Engagement 4 ⋅ Domain Authority 57 ⋅ Alexa Rank 249K

25. Hackers Online Club (HOC)
About Blog: Get updates on the latest Tools, Exploits, Security, Vulnerabilities and Hacking tutorials. HackersOnlineClub is a leading website for Information Security, Ethical Hacking, Cyber Forensics, Website Security, VAPT, Mobile Security.
Frequency: 13 posts / year
Blog: blog.hackersonlineclub.com
Facebook fans 67.6K ⋅ Twitter followers 29.8K ⋅ Social Engagement 91 ⋅ Domain Authority 46 ⋅ Alexa Rank 356.8K

26. Hackology - Internet Security Blog
Location: Ireland
About Blog: Hackology blog is a source of Information Security, Hacking News, Cyber Security, Network Security with in-depth technical coverage of issues and events loved by Technophiles.
Frequency: 4 posts / month
Blog: blog.drhack.net
Facebook fans 14.9K ⋅ Twitter followers 4.5K ⋅ Social Engagement 11 ⋅ Domain Authority 34 ⋅ Alexa Rank 491.3K

27. Ethical Hacking Tutorials - A Place For Ethical Hacking Learners
About Blog: Ethical Hacking Tutorials blog is all about increasing security awareness, teaching the basics of security, pentesting and ethical hacking.
Blog: ethicalhackingtutorials.com
Facebook fans 1.5K ⋅ Domain Authority 26 ⋅ Alexa Rank 693K

28. Hacking World
Location: India
About Blog: Welcome to Hacking World. A place for hackers and tech-lovers to find the latest and most amazing hacks you never could have thought of. Happy Hacking!
Frequency: 8 posts / month
Blog: myhackingworld.com
Social Engagement 1 ⋅ Domain Authority 10 ⋅ Alexa Rank 503.1K

29. The Hacker Factor Blog
Location: United States
About Blog: Hacker Factor is a leader in cutting-edge computer forensics research, providing custom security-oriented software and consulting services to business customers.
Frequency: 1 post / week
Blog: hackerfactor.com/blog
Twitter followers 3.6K ⋅ Social Engagement 93 ⋅ Domain Authority 59 ⋅ Alexa Rank 539.8K

30. Hacking Blogs | Become an Ethical Hacker
About Blog: Hacking Blogs On Security is one of the leading Information security blogs covering various security domains. Every week Hacking Blogs provides you with the latest information about cybersecurity.
Frequency: 1 post / week
Blog: hackingblogs.com
Domain Authority 29 ⋅ Alexa Rank 685.4K

31. SecuriTeam Blog
Location: Cupertino, California, United States
About Blog: SecuriTeam is a small group within Beyond Security dedicated to bringing the latest news and utilities in computer security. Having experience as Security Specialists, Programmers and System Administrators, we appreciate your need for a 'Security Portal': a central Security web site containing all the newest security information from various mailing lists and hacker channels.
Frequency: 30 posts / day
Blog: securiteam.com
Twitter followers 6.4K ⋅ Domain Authority 66 ⋅ Alexa Rank 892.5K

32. Official Hacker - Cyber Security, Hacking News, Tips And Tricks
Location: India
About Blog: Official Hacker is your news, tips and tricks website. We provide you with the latest hacking news and hacking tutorials straight from the cyber Industry.
Frequency: 3 posts / quarter
Blog: officialhacker.com
Facebook fans 54.4K ⋅ Twitter followers 704 ⋅ Instagram Followers 48.6K ⋅ Social Engagement 2 ⋅ Domain Authority 19 ⋅ Alexa Rank 924.4K

33. HackingPassion.com
About Blog: HackingPassion.com: Learn Ethical Hacking and Cyber-Security. We help people become ethical hackers so they can test security systems. We love open-source and Linux.
Frequency: 1 post / week
Blog: hackingpassion.com
Facebook fans 4.7K ⋅ Twitter followers 522 ⋅ Domain Authority 13 ⋅ Alexa Rank 596.9K

34. E Hacking News [ EHN ] - The Best IT Security News | Hacker News
About Blog: Latest Information Security and hacker news blog. Know about cyber crime and law. Cyber Security updates to improve your network security.
Frequency: 2 posts / day
Blog: ehackingnews.com
Facebook fans 103.2K ⋅ Twitter followers 118.9K ⋅ Social Engagement 11 ⋅ Domain Authority 57 ⋅ Alexa Rank 1.2M

35. ethicalhackx.com - Ethical Hacking Tutorials
Location: Bihar, India
About Blog: ethicalhackx.com blog shares Ethical Hacking Tutorials, LINUX tutorials, WINDOWS hacking, website hacking & designing, Mobile hacking.
Frequency: 3 posts / quarter
Blog: ethicalhackx.com
Twitter followers 7.4K ⋅ Social Engagement 14 ⋅ Domain Authority 30 ⋅ Alexa Rank 932.8K

36. Lesley Carhart - Full Spectrum Cyber-Warrior Princess
Location: Chicago, Illinois, United States
About Blog: Lesley Carhart is a 17-year IT industry veteran, including 8 years in information security (specifically, digital forensics and incident response). She speaks and writes about digital forensics and incident response, OSINT, and information security careers, is highly involved in the Chicagoland information security community, and is staff at Circle City Con, Indianapolis.
Frequency: 2 posts / quarter
Blog: tisiphone.net
Twitter followers 119.7K ⋅ Social Engagement 102 ⋅ Domain Authority 48 ⋅ Alexa Rank 988.4K

37. CQURE Academy Blog - Where Windows Hackers Level Up
Location: Switzerland
About Blog: CQURE Academy Blog covers information on topics like Windows Internals, Identity Theft Protection, Penetration Testing, Malware, Secure Server, Forensics.
Frequency: 1 post / day
Blog: cqureacademy.com/blog
Facebook fans 12K ⋅ Twitter followers 3.5K ⋅ Social Engagement 5 ⋅ Domain Authority 34 ⋅ Alexa Rank 865.5K

38. HackeRoyale - Hacking and Penetration Testing Galore!
Location: Forty Fort, Pennsylvania, US
About Blog: HackeRoyale: a repository of information about hacking, penetration testing, and programming-related topics.
Frequency: 4 posts / month
Blog: hackeroyale.com
Twitter followers 211 ⋅ Instagram Followers 135 ⋅ Domain Authority 29 ⋅ Alexa Rank 758.5K

39. Hack 2 World ®
About Blog: Articles on bash Script, Android, Bitcoin, Botnet, Cheatsheet and much more.
Frequency: 3 posts / week
Blog: hack2wwworld.blogspot.com
Domain Authority 14 ⋅ Alexa Rank 1.2M

40. Techncyber
Location: India
About Blog: A Blog for Cyber Technology News Updates, Ethical Hacking Tutorials, Online Safety Tips, Latest tricks, Tutorials, Latest Gadget Reviews and Many More...
Frequency: 2 posts / quarter
Blog: techncyber.com
Twitter followers 29 ⋅ Domain Authority 30 ⋅ Alexa Rank 941.3K

41. Hacker's King
Location: India
About Blog: Learn Ethical Hacking, Termux Tutorials, Virus creation, Android tricks and Windows tricks for free.
Frequency: 1 post / week
Blog: hackersking.in
Instagram Followers 4.5K ⋅ Domain Authority 3 ⋅ Alexa Rank 854.5K

42. HacksLand
About Blog: Keep up with articles from HacksLand.
Frequency: 11 posts / quarter
Blog: hacksland.net
Social Engagement 1 ⋅ Domain Authority 17 ⋅ Alexa Rank 1.5M

43. The Hacker Blog - Matthew Bryant
Location: San Francisco, California, United States
About Blog: A Hacker's Blog of Unintended Use and Insomnia. Matthew Bryant is an XSS Hunter author, security researcher, and caffeine addict.
Blog: thehackerblog.com
Twitter followers 6.6K ⋅ Domain Authority 44 ⋅ Alexa Rank 1.5M

44. Pure Hacking blogs
Location: Australia
About Blog: Pure Hacking is a leading, highly-specialised penetration testing and information technology (IT) security consultancy.
Blog: purehacking.com/blog
Facebook fans 88 ⋅ Twitter followers 6 ⋅ Domain Authority 45 ⋅ Alexa Rank 2.5M

45. Hackercool Blog
Location: Hyderabad, India
About Blog: This blog is dedicated to absolute beginners learning hacking. That means there is no disabling of the firewall or turning off antivirus in the articles.
Frequency: 7 posts / year
Blog: hackercool.com
Facebook fans 886 ⋅ Domain Authority 21 ⋅ Alexa Rank 4M

46. DefenseStorm Blog
Location: Seattle, Washington, United States
About Blog: Get the latest cyber security news and critical industry insights written by experts in DefenseStorm's Cybermind blog.
Blog: defensestorm.com/resources/i..
Facebook fans 144 ⋅ Twitter followers 645 ⋅ Domain Authority 31 ⋅ Alexa Rank 1.3M

47. ToolsWatch.org - The Hackers Arsenal Tools
About Blog: ToolsWatch is a Free, Interactive, Modern, Eye-catching service designed to help Auditors, Pentesters & Security Experts to keep their ethical hacking oriented toolbox up-to-date.
Frequency: 6 posts / year
Blog: toolswatch.org
Facebook fans 850 ⋅ Twitter followers 19.3K ⋅ Social Engagement 7 ⋅ Domain Authority 40 ⋅ Alexa Rank 2.9M

48. Massive Alliance Blog
Location: United States
About Blog: Industry news, whitepapers and technical insight into cyber security, hacks and reputation management. Subscribe to get notified.
Frequency: 2 posts / week
Blog: massivealliance.com/blog
Facebook fans 143 ⋅ Twitter followers 156 ⋅ Social Engagement 1 ⋅ Domain Authority 32 ⋅ Alexa Rank 3M

49. Hackercool Magazine
Location: Hyderabad, India
About Blog: Hackercool Magazine is a monthly magazine that is dedicated to all things ethical hacking and cyber security.
Frequency: 1 post / quarter
Blog: hackercoolmagazine.com/blog
Facebook fans 195 ⋅ Twitter followers 106 ⋅ Domain Authority 7 ⋅ Alexa Rank 1.7M

50. Dark Hacker World
Location: India
About Blog: Dark Hacker World is a blog about Ethical Hacking, money-making, latest technology, programming, and many more things.
Frequency: 1 post / day
Blog: darkhackerworld.com
Facebook fans 19 ⋅ Twitter followers 5 ⋅ Instagram Followers 991 ⋅ Domain Authority 7 ⋅ Alexa Rank 976.6K

51. Ethical Hacking Blog - Gus Khawaja
Location: Montreal, Quebec, Canada
About Blog: Learn and enjoy new articles and posts about ethical hacking, cyber-security and more by Gus Khawaja.
Frequency: 1 post / week
Blog: ethicalhackingblog.com
Facebook fans 3K ⋅ Twitter followers 1.7K ⋅ Domain Authority 12 ⋅ Alexa Rank 1.8M

52. The Ethicalhacking Guru
About Blog: The Ethicalhacking Guru features Hacking Tutorials For Beginners And Advanced Security Professionals.
Frequency: 1 post / quarter
Since: Aug 2018
Blog: ethicalhackingguru.com
Domain Authority 8 ⋅ Alexa Rank 4.3M

53. Vinstechs | Geeks Hangover
Location: Karnataka, India
About Blog: Vinstechs delivers in-depth knowledge and content regarding new technology trends, Security Tips, Ethical Hacking Tips, How-To Tutorials, tips, tricks and information about new Vulnerabilities and Ransomware.
Frequency: 29 posts / year
Blog: vinstechs.com
Facebook fans 5.6K ⋅ Twitter followers 14 ⋅ Instagram Followers 450 ⋅ Social Engagement 4 ⋅ Domain Authority 16

54. SenseCy - Cyber Threat Insider Blog
Location: Israel
About Blog: SenseCy is a Cyber Threat Intelligence (CTI) provider based in Israel. SenseCy enables continuous monitoring and early identification of cyber threats through a unique methodology called Virtual HUMINT coupled with strong dedicated technology.
Frequency: 2 posts / quarter
Blog: blog.sensecy.com
Facebook fans 133 ⋅ Twitter followers 2.6K ⋅ Social Engagement 3 ⋅ Domain Authority 44 ⋅ Alexa Rank 9.6M

55. Tips For Hacking
About Blog: Tips4Hacking provides you the best tips for hacking, and its short message is: Don't Hate the Hacker, Hate the Code. Visit our website for the latest news on Hacking and technology and Outstanding Code for Hackers.
Frequency: 2 posts / week
Blog: tips4hacking.com
Social Engagement 2 ⋅ Alexa Rank 6.5M

56. Hacker NT
Location: India
About Blog: Anyone can learn to hack in my blog for absolutely free. This is only for educational purposes.
Frequency: 2 posts / year
Since: Nov 2019
Blog: everythingnt.blogspot.com
Domain Authority 3 ⋅ Alexa Rank 9.1M

57. Offensive Sec 3.0
About Blog: Security of Information, Hacking, Offensive Security, Pentest, Open Source, Hackers Tools, etc.
Blog: offensivesec.blogspot.com
Twitter followers 54 ⋅ Domain Authority 17 ⋅ Alexa Rank 9.9M

58. Dancho Danchev's Blog | Mind Streams of Information Security Knowledge
About Blog: Cybercrime Researcher, Security Blogger, Threat Intelligence Analyst. Dancho Danchev is the world's leading expert in the field of cybercrime fighting and threat intelligence gathering, having actively pioneered his own methodology for processing threat intelligence throughout the past decade, following a successful career as a hacker-enthusiast in the '90s leading to active community participation and contribution as a Member of WarIndustries.
Frequency: 7 posts / month
Blog: ddanchev.blogspot.com
Twitter followers 139 ⋅ Social Engagement 74 ⋅ Domain Authority 52 ⋅ Alexa Rank 4.4M

59. Basics of Ethical Hacking | Tutorials, Tips and Tricks
Location: Hoshiarpur, Punjab, India
About Blog: Learn different Ethical Hacking techniques for beginners or intermediates with simple step-by-step tutorials and how to stay safe online.
Blog: basicsofhacking.com
Facebook fans 83.1K ⋅ Twitter followers 203 ⋅ Domain Authority 15

60. Hacker Nucleus - Ethical Hacking, Hacker News
Location: New Delhi, Delhi, India
About Blog: Hacker Nucleus blog highlights the most recent Hackers News, ethical hacking tutorials, free Hackers ebooks and Tools for devoted students.
Blog: hackernucleus.com
Twitter followers 65 ⋅ Domain Authority 13

61. Terry Cutler The Ethical Hacker
Location: Montreal, Quebec, Canada
About Blog: Terry Cutler is a government-cleared cybersecurity expert (a certified ethical hacker), and the Director of Cybersecurity at SIRCO Investigation and Protection, in Montreal, Canada. For the general public, he developed an effective online learning program arranged in modules and updated regularly to keep up with the rapidly changing digital landscape.
Blog: terrycutler.com/blog
Facebook fans 480 ⋅ Twitter followers 2.3K ⋅ Instagram Followers 684 ⋅ Domain Authority 27

62. Darknet | Hacking Tools, Hacker News & Cyber Security
Location: United Kingdom
About Blog: Darknet is your best source for the latest hacking tools, hacker news, cybersecurity best practices, ethical hacking & pen-testing.
Frequency: 1 post / month
Blog: darknet.org.uk
Facebook fans 383.8K ⋅ Twitter followers 19K ⋅ Social Engagement 492 ⋅ Domain Authority 56

63. Professional Hackers On Security
Location: India
About Blog: Professional Hackers provides a single platform for the latest and trending IT updates, business updates, trending lifestyle, social media updates, enterprise trends, entertainment, hacking updates, core hacking techniques, and other free stuff.
Frequency: 1 post / day
Blog: professionalhackers.in
Facebook fans 3.7K ⋅ Twitter followers 675 ⋅ Social Engagement 3 ⋅ Domain Authority 18

64. DarkPloit
Location: Istanbul, Turkey
About Blog: DarkPloit is a blog that aims to provide the latest updates on Hacking Tools, Exploits, Tutorials, and News related to penetration testing and security.
Frequency: 22 posts / year
Blog: darkploit.com
Facebook fans 1.2K ⋅ Twitter followers 14 ⋅ Instagram Followers 12 ⋅ Social Engagement 32 ⋅ Domain Authority 7

65. Hacking Articles
Location: Delhi, India
About Blog: Hacking Articles is a very interesting blog about information security, penetration testing and vulnerability assessment managed by Raj Chandel. In this blog it's possible to find many resources and detailed tutorials about Ethical Hacking and Cyber Security.
Frequency: 1 post / day
Blog: hackingarticles.com
Twitter followers 3.9K ⋅ Domain Authority 17

66. Hackingtutorials.in
About Blog: Want to learn Ethical Hacking with Termux for free? Want the best tutorials to become a cybersecurity expert? We will help you in becoming one.
Frequency: 7 posts / quarter
Blog: hackingtutorials.in
Facebook fans 298 ⋅ Instagram Followers 14.3K ⋅ Domain Authority 1 ⋅ Alexa Rank 6.3M

67. Anonhack
About Blog: The blog Anonhack.in is for readers who find hacking interesting. Every article on this blog has been written based on my experience. I started working on this blog in 2015. This blog will teach you how stuff actually works in the hacking arena.
Frequency: 1 post / month
Blog: anonhack.in
Domain Authority 8

68. Ark Dots Hacking Tricks
Location: Arkansas, United States
About Blog: Ark Dots is a tech blog for learning Android Mobile Tricks, Computer Hacking Tricks, iPhone Tricks, Facebook Tricks and Hacks. A Blog About Hacking And Cracking Passwords Of WiFi And Social Media Networks.
Blog: arkdots.com
Facebook fans 4.5K ⋅ Domain Authority 14

69. Hackshade Blog
Location: Raipur, Chhattisgarh, India
About Blog: This is a descriptive blog about DIY, Electronics, Trending technology, Daily Hacks, Computer Tricks & Ethical Hacking Tutorials.
Frequency: 3 posts / week
Blog: hackshade.com
Facebook fans 169 ⋅ Twitter followers 30 ⋅ Domain Authority 10

70. Superior Solutions Inc - Ethical Hacking and Penetration Testing
Location: Houston, Texas, United States
About Blog: Superior Solutions Inc blog is all about penetration testing, security vulnerability assessments, IT audit services, cyber security training, and CISSP, CISA, CISM, and CEH certification.
Blog: thesolutionfirm.com/blog
Facebook fans 1.5K ⋅ Twitter followers 1.6K ⋅ Domain Authority 40

71. The Real Hackers
About Blog: The Real Hackers offer you ALL your hacking needs. Our track record of success in Android spy, Whatsapp spy, Phone tracker etc. makes our customers trust us.
Frequency: 7 posts / year
Since: Dec 2017
Blog: therealhackers.com
Domain Authority 9

72. HackAccess
About Blog: Hack Access is a one-stop solution for all Ethical and Unethical Stuff. We are here to provide you the best content and knowledge. Take a dive into the world of the unknown. Now all the expert hackers' techniques are at your fingertips. Just browse to anything.
Blog: blog.hackaccess.com
Facebook fans 1.1K ⋅ Twitter followers 59 ⋅ Domain Authority 9

73. Creed Sec | Best Ethical Hacking and Penetration Tutorials
Location: India
About Blog: CreedSec is a blog about hacking, cracking and penetration testing. On CreedSec they post tutorials on hacking and penetration testing.
Blog: creedsec.net
Twitter followers 128 ⋅ Domain Authority 10

74. ThreatNinja Improve Awareness
About Blog: I'm a Security Enthusiast and a Security Writer. I'm also still learning a lot of things, especially related to Security.
Frequency: 5 posts / week
Blog: threatninja.net
Domain Authority 10

75. Hacking Tutorials
About Blog: Keep up with the articles from Hacking Tutorials.
Frequency: 9 posts / quarter
Since: Jun 2020
Blog: anonymousvkhk.blogspot.com

76. The Hacking Press - Latest Cyber Security, Infosec and Hacking News
About Blog: The Hacking Press is a Cyber Security News Platform dedicated to providing readers with top-of-the-shelf news about hackers & the hacked, the leakers & the leaked, surveillance & privacy issues to keep you informed and secure.
Blog: https://hacked.press/
Domain Authority 18

77. My Hacking Tricks | Android and Linux Hacking
Location: Delhi, India
About Blog: This Blog helps in learning RHEL, ethical hacking, Python programming, using different Kali Linux tools, using Termux as a hacking device, Insta, FB hacking, Android hacking, Website hacking, admin page hacking, and database hacking.
Blog: https://www.myhacktricks.com/
Domain Authority 3

78. EiQ Networks Blog
Location: Boston, England, United Kingdom
About Blog: Read up on how to proactively identify, prioritize, and combat modern security threats using EiQ Networks' true situational awareness solutions.
Frequency: 2 posts / year
Blog: https://blog.eiqnetworks.com/blog
Twitter followers 2 ⋅ Domain Authority 36 ⋅ Alexa Rank 8.6M

79. Hakerin
About Blog: Hakerin is a web portal for all computer enthusiasts. We provide a professional and interesting news feed about Hacking, Coding, Tech News and more.
Blog: http://hakerin.com/
Facebook fans 32.2K ⋅ Domain Authority 5

80. Hackarma - The cause and effect of high profile hacks
About Blog: Hackarma brings you the cause and effect of the world's most high-profile hacks. We publish the latest news with one common theme, cause and effect: what caused the hack and what effect it has had on the targeted organisation. The format of our content is designed to provide you with a quick and simple overview, as and when the stories emerge.
Blog: http://www.hackarma.com/
Domain Authority 6

81. Shouthacker - Hack Begins Here
About Blog: Shouthacker blog will give knowledge of everything about hacking: hacking Ebooks, Tutorials, Hacking Forum, Ethical Hacking, Hacking Tools.
Blog: https://www.shouthacker.com/blog
Facebook fans 99 ⋅ Domain Authority 5

82. Gray Hat Hackers
About Blog: Learn hacking/security skills, follow tutorials, get to a CEH level, and take on challenges. Free tools and resources are available.
Blog: https://grayhathackers.com/
Domain Authority 7

83. Ultimate Hackers
Location: New York, United States
About Blog: Ultimate Hackers are people with the vision of making the hacking community a better place by helping each other through learning and sharing. They emphasise basics and how things work so you can learn the deep concepts in this field.
Frequency: 2 posts / month
Blog: http://teamultimate.com/
Facebook fans 2.8K ⋅ Twitter followers 599 ⋅ Domain Authority 9

84. Ethical Hackers Club
Location: Mumbai, Maharashtra, India
About Blog: Ethical Hackers Club provides free support to victims facing Cyber Crime, Cyber Bullying and other such activities. Learn Ethical Hacking and get Certifications.
Frequency: 3 posts / year
Blog: http://www.ethicalhackersclub.com/
Facebook fans 2.2K ⋅ Twitter followers 158 ⋅ Domain Authority 6

85. FH-Team - Penetration Testing | Ethical Hacking
Location: Maharashtra, India
About Blog: This is the official blog of fukreyhackers.in, which provides solutions on Linux and Windows as well as networking and hacking tricks.
Blog: http://fukreyhackers.com/
Twitter followers 62 ⋅ Domain Authority 4

86. The Hacker Journal
Location: Lahore, Punjab, Pakistan
About Blog: The Hacker Journal's mission here is to raise awareness and prevention related to cyber crimes such as scamming, phishing, hacking and spying, to groom the public for their welfare.
Frequency: 22 posts / month
Blog: https://thehackerjournal.com/
Facebook fans 224 ⋅ Twitter followers 25 ⋅ Domain Authority 4

87. Hacker General
About Blog: This blog is all about my hacking experience. The posts are related to my thoughts on hacking and getting started with it.
Since: May 2017
Blog: https://thehackergeneral.blogspot.com/
Facebook fans 59 ⋅ Domain Authority 3

88. Top Hacking NewsAbout Blog Top Hacking News is an blog that you can read Hacking news, cyber attacks, security news from around the world. Blog http://top-hackingnews.blogspot.com/+ Follow
Domain Authority 7 ⋅View Latest Posts⋅Get Email ContactFollow on Feedspotⓘ
89. kk news indiaAbout Blog Get updates from kk news india Frequency 30 posts / year Blog https://kknewsindia.blogspot.com/+ Follow
Domain Authority 3 ⋅View Latest Posts⋅Get Email ContactFollow on Feedspotⓘ
90. Technology Today. About Blog: Technology Today is a blog of small tricks and hacks. Blog: https://technologyshouri.blogspot.com/
Domain Authority 3
91. DARKCYBERSOCIETY (Mumbai, Maharashtra, India). About Blog: Darkcybersociety is an online hacking education company. Blog: http://www.darkcybersociety.com/
Domain Authority 6
92. thelearninghacking (India). About Blog: Learn ethical hacking from this site. Blog: http://thelearninghacking.com/
Domain Authority 12
93. Hack The World. About Blog: Learn all about hacking for free, with written posts and hacking video tutorials. Frequency: 3 posts / year. Blog: https://htwhacker.blogspot.com/
Domain Authority 3
94. Kamran Mohsin - Cyber Security, Hacking Blog (Pakistan). About Blog: This blog delivers the best of its resources to its readers. Content includes daily cyber news, hacking directives and their prevention, technology posts, WordPress and more. Frequency: 2 posts / year. Blog: https://www.kamranmohsin.com/
Facebook fans 2.1K ⋅ Twitter followers 842 ⋅ Domain Authority 17
95. Manish Bhardwaj Blog (Gurgaon, Haryana, India). About Blog: Manish Bhardwaj is an ethical hacker, penetration tester and blogger. Blog: https://manishbhardwajblog.wordpress.com/blog/
Twitter followers 291 ⋅ Domain Authority 7
96. Enjoy Hacking. About Blog: Learn about hackers, ethical hacking, hacking tools, CEH, hacking tricks, the latest hacking news, proxy websites and hacking simulators. Frequency: 3 posts / year. Since Jan 2014. Blog: https://wholovehacking.blogspot.com/
Twitter followers 235 ⋅ Social Engagement 8 ⋅ Domain Authority 5
97. HackingTutorials.in (India). About Blog: Want to learn ethical hacking with Termux for free? Want the best tutorials to become a cybersecurity expert? We will help you become one. Frequency: 30 posts / year. Blog: https://www.hackingtutorials.in/
Domain Authority 1
98. KNOWLEDGE UNLIMITED. About Blog: Get the latest tips and tricks about technology and hacking, and stay safe from hackers. This blog is written to keep you up to date on what is new in hacking and technology. Frequency: 3 posts / quarter. Since May 2020. Blog: https://knowledgeunlimited76.blogspot.com/
99. Hackerzz. About Blog: A blog about cyber security and ethical hacking. In this blog I will give you tutorials, tricks and information about hacking tools. Frequency: 1 post / quarter. Blog: https://hackerzz01.blogspot.com/
100. Hacking Tutorials - The best Step-by-Step Hacking Tutorials. About Blog: Follow this blog for step-by-step hacking tutorials about WiFi hacking, Kali Linux, Metasploit, exploits, ethical hacking, information security, malware analysis and scanning. Frequency: 1 post / year. Blog: https://www.hackingtutorials.org/
Twitter followers 38.6K ⋅ Domain Authority 40 ⋅ Alexa Rank 328.5K
101. Effect Hacking - Learn To Hack and Protect (United States). About Blog: A blog dedicated to hackers: learn about internet security, hacking, security tools and more. Frequency: 17 posts / year. Blog: http://www.effecthacking.com/
Twitter followers 205 ⋅ Domain Authority 41 ⋅ Alexa Rank 2.6M
102. Freedom Hacker - Hacking News, Security News & Everything Cyber (United States). About Blog: A leading source for security and hacking news: the latest on privacy, DDoS attacks, malware, NSA revelations and cyber crime from across the web. Frequency: 1 post / year. Blog: https://freedomhacker.net/
Facebook fans 1.4K ⋅ Twitter followers 1.4K ⋅ Domain Authority 43 ⋅ Alexa Rank 634.1K
103. Ethical Hacking - Your Way To The World Of IT Security (United States). About Blog: Ethical Hacking is the best place to learn and practice hacking in an ethical way. Learn about IT security, with tips and tricks covering various operating systems. Frequency: 8 posts / year. Blog: https://www.ehacking.net/
Facebook fans 241.5K ⋅ Twitter followers 19.4K ⋅ Social Engagement 38 ⋅ Domain Authority 45 ⋅ Alexa Rank 119.5K
104. Ibnshehu (Kaduna, Nigeria). About Blog: I'm Abubakar Shehu. I am a cybersecurity engineer, bug hunter, full stack developer and part-time blogger working at the intersection of security, technology and people. CEO at SUUMAB Enterprise, cybersecurity engineer at KAD ICT Hub. I guide passion-fuelled people out of fear and uncertainty, and into lives, blogs and businesses they love (and truly desire). Frequency: 2 posts / year. Blog: https://ibnshehu.com/
Twitter followers 6K ⋅ Instagram Followers 2.4K ⋅ Domain Authority 12
105. Netragard Blog (Boston, Massachusetts, United States). About Blog: Netragard, Inc. is a research-driven network penetration testing firm. Its penetration testing deliverables are guaranteed to be free of false positives and to be the product of expert-driven research. Frequency: 1 post / year. Blog: https://www.netragard.com/blog
Facebook fans 488 ⋅ Twitter followers 939 ⋅ Social Engagement 28 ⋅ Domain Authority 47 ⋅ Alexa Rank 2M
106. Hackers Arise Blog. About Blog: Hackers Arise was developed solely to help those interested in a career in cyber security. It offers tutorials on all forms of hacking, digital forensics, Linux, information security and just about any subject related to cyber security. Frequency: 2 posts / month. Blog: https://www.hackers-arise.com/
Twitter followers 62.4K ⋅ Domain Authority 33 ⋅ Alexa Rank 441.6K
107. DefCamp Blog (Romania). About Blog: DefCamp is the most important annual hacking and information security conference in Central and Eastern Europe, bringing together leading cyber security practitioners to share the latest research and knowledge. Blog: https://def.camp/blog/
Facebook fans 5.2K ⋅ Twitter followers 1.3K ⋅ Social Engagement 49 ⋅ Domain Authority 37 ⋅ Alexa Rank 5.2M
108. Cryptohackers | Hacking News & Guide on How to Hack. About Blog: We provide hackers for hire and cyber investigation services: find email hackers, phone hackers and Facebook hackers, or hire a hacker at Cryptohackers. We specialize in cell phone hacking and remote mobile monitoring of iPhone and Android devices. Learn how to hack, and how to hack remotely, with mobile devices, computers, cellphones and more. We provide full guides and tutorials on how to hack. Blog: https://cryptohackers.com/news/
Domain Authority 22 ⋅ Alexa Rank 1.8M
109. CSO Online Salted Hash - Top security news (Framingham, Massachusetts, United States). About Blog: CSO offers the latest information and best practices on business continuity and data protection, best practices for preventing social engineering scams, malware and breaches, and tips and advice about security careers and leadership. Blog: https://www.csoonline.com/blog/salted-hash-top-security-news/
Facebook fans 16.8K ⋅ Twitter followers 56.2K ⋅ Domain Authority 81 ⋅ Alexa Rank 26K
Facebook fans 2.2M ⋅ Twitter followers 43.6K ⋅ Social Engagement 261 ⋅ Domain Authority 52 ⋅ Alexa Rank 114.7K
2. The Hacker News (Buffalo, New York, United States). About Blog: The Hacker News is internationally recognized as a leading news source dedicated to promoting awareness among security experts and hackers. Frequency: 1 post / day. Also in Information Security Blogs. Blog: thehackernews.com
Facebook fans 2M ⋅ Twitter followers 591.7K ⋅ Instagram Followers 97.1K ⋅ Social Engagement 4.5K ⋅ Domain Authority 87 ⋅ Alexa Rank 17.6K
3. WeLiveSecurity (Bratislava, Bratislavsky Kraj, Slovakia). About Blog: WeLiveSecurity is an IT security site covering the latest news, research, cyber threats and malware discoveries, with insights from ESET experts. Frequency: 1 post / day. Also in Cyber Security News Websites. Blog: welivesecurity.com
Facebook fans 2.2M ⋅ Twitter followers 5.9K ⋅ Social Engagement 708 ⋅ Domain Authority 77 ⋅ Alexa Rank 43.4K
4. HackerOne - Bug Bounty, Vulnerability Coordination (San Francisco, California, United States). About Blog: The world's leading bug bounty and vulnerability coordination platform. With an extensive network of ethical hackers and bug bounty programs, the platform streamlines vulnerability coordination to help improve your digital security. Frequency: 1 post / day. Blog: hackerone.com/blog
Facebook fans 39.4K ⋅ Twitter followers 121.5K ⋅ Social Engagement 27 ⋅ Domain Authority 83 ⋅ Alexa Rank 15.4K
5. Hacker Noon (San Francisco & Colorado, United States). About Blog: Hacker Noon is everything hackers need at noon. Frequency: 15 posts / day. Also in Technology Blogs. Blog: hackernoon.com
Facebook fans 23.8K ⋅ Twitter followers 59.1K ⋅ Social Engagement 1 ⋅ Domain Authority 85 ⋅ Alexa Rank 14.1K
6. KitPloit. About Blog: Hacking and pentest tools for your security arsenal; a leading source of security tools, hacking tools, cybersecurity and network security. Frequency: 2 posts / day. Blog: kitploit.com
Facebook fans 39.4K ⋅ Twitter followers 76.1K ⋅ Social Engagement 325 ⋅ Domain Authority 48 ⋅ Alexa Rank 113.7K
7. Extreme Hacking - Sadik Shaikh (Pune, Maharashtra, India). About Blog: Extreme Hacking is a research institute for ethical hacking training in India, providing certified training in advanced ethical hacking and computer forensics. Frequency: 2 posts / month. Blog: blog.extremehacking.org
Facebook fans 22.6K ⋅ Twitter followers 1.1K ⋅ Social Engagement 5 ⋅ Domain Authority 23 ⋅ Alexa Rank 1.8M
8. Reddit - Hacking (San Francisco, California, United States). About Blog: A subreddit dedicated to hacking and hackers. What we are about: constructive collaboration and learning about exploits, industry standards, grey- and white-hat hacking, new hardware and software hacking technology, and sharing ideas and suggestions for small business and personal security. Frequency: 23 posts / day. Blog: reddit.com/r/hacking
Facebook fans 1.5M ⋅ Twitter followers 728.1K ⋅ Social Engagement 58 ⋅ Domain Authority 91 ⋅ Alexa Rank 17
9. KnowBe4 Security Awareness Training Blog (Clearwater, Florida, United States). About Blog: KnowBe4's blog keeps you informed about the latest in security, including social engineering, ransomware and phishing attacks. KnowBe4 provides security awareness training to help you manage the IT security problems of social engineering, spear phishing and ransomware attacks. Frequency: 4 posts / day. Blog: blog.knowbe4.com
Facebook fans 3.3K ⋅ Twitter followers 10.1K ⋅ Social Engagement 8 ⋅ Domain Authority 62 ⋅ Alexa Rank 13.4K
10. GBHackers On Security (Chennai, Tamil Nadu, India). About Blog: GBHackers offers online hacking news and updates, cybersecurity news and technology updates: web application and network penetration testing, SOC, IDS, IPS, SIEM, hacking courses, ransomware and malware. Frequency: 8 posts / week. Blog: gbhackers.com
Facebook fans 53.8K ⋅ Social Engagement 35 ⋅ Domain Authority 48 ⋅ Alexa Rank 65.8K
11. Black Hat (San Francisco, California, United States). About Blog: The Black Hat Briefings are a series of highly technical information security conferences that bring together thought leaders from all facets of the infosec world, from the corporate and government sectors to academic and even underground researchers. Black Hat remains the best and biggest event of its kind, unique in its ability to define tomorrow's information security landscape. Frequency: 2 videos / month. Since Jul 2013. Also in Cyber Security Youtube Channels. Blog: youtube.com/user/BlackHat..
Twitter followers 279.7K ⋅ Social Engagement 27 ⋅ Domain Authority 100
12. (ISC)2 Blog (Clearwater, Florida, United States). About Blog: A place for (ISC)² leaders, members and cybersecurity professionals to share knowledge and valuable insights that can benefit the information security industry, the people in it and the public at large. Frequency: 1 post / week. Blog: blog.isc2.org/isc2_blog
Facebook fans 19.5K ⋅ Twitter followers 60.9K ⋅ Social Engagement 15 ⋅ Domain Authority 66 ⋅ Alexa Rank 47.1K
13. iTech Hacks (Himachal Pradesh, India). About Blog: iTechHacks welcomes you to its premium technology blog. We work hard and want to keep you up to date before others. Here we share our best knowledge to satisfy your hunger and craze for technology. We hope you will find all the latest hacking tricks, tech tips and tricks, and security tricks to protect you from hacking attacks. Frequency: 5 posts / week. Blog: itechhacks.com
Facebook fans 188.5K ⋅ Twitter followers 85 ⋅ Social Engagement 14 ⋅ Domain Authority 39 ⋅ Alexa Rank 60.2K
14. Detectify Blog | Go hack yourself! (Stockholms Lan, Sweden). About Blog: Detectify is a Swedish web security company founded by a team of the world's best security researchers. Detectify continuously analyzes your web application from a hacker's perspective and reports back to you with security issues in descriptive reports. Let us monitor your security, so that you can focus on building great products. Frequency: 1 post / week. Blog: blog.detectify.com
Facebook fans 2.3K ⋅ Twitter followers 7.5K ⋅ Domain Authority 59 ⋅ Alexa Rank 94.1K
15. Securelist | Information about Viruses, Hackers and Spam (Moscow, Moskva, Russian Federation). About Blog: The resource for Kaspersky Lab experts' technical research, analysis and thoughts; the online headquarters of Kaspersky Lab security experts. Frequency: 1 post / day. Blog: securelist.com
Facebook fans 29.7K ⋅ Twitter followers 18.4K ⋅ Social Engagement 73 ⋅ Domain Authority 77 ⋅ Alexa Rank 101.6K
16. HackRead | Latest Cyber Crime - InfoSec - Tech - Hacking News (Italy). About Blog: HackRead is a news platform that centers on infosec, cyber crime, privacy, surveillance and hacking news, with full-scale reviews of social media platforms and technology trends. Frequency: 3 posts / day. Blog: hackread.com
Facebook fans 86.8K ⋅ Twitter followers 104K ⋅ Social Engagement 210 ⋅ Domain Authority 75 ⋅ Alexa Rank 113.2K
17. Major League Hacking News (New York, United States). About Blog: Major League Hacking (MLH) is the official student hackathon league. Each year we power over 200 weekend-long invention competitions that inspire innovation, cultivate communities and teach computer science skills to more than 65,000 students around the world. MLH is an engaged and passionate maker community, consisting of the next generation of technology leaders and entrepreneurs. Frequency: 1 post / day. Blog: news.mlh.io/posts
Facebook fans 36.2K ⋅ Twitter followers 34K ⋅ Instagram Followers 4.2K ⋅ Social Engagement 56 ⋅ Domain Authority 55 ⋅ Alexa Rank 128K
18. KoDDoS Blog (Holland). About Blog: KoDDoS Blog is an informative news blog that focuses on hacking, information security, cyber crime, privacy and surveillance. Frequency: 1 post / day. Blog: koddos.net/blog
Facebook fans 12 ⋅ Twitter followers 70 ⋅ Domain Authority 42 ⋅ Alexa Rank 137.1K
19. AndroidHackers. About Blog: We have the best Android hacks for your favorite games; all hack apps verified and working. Frequency: 7 posts / week. Blog: androidhackers.net
Domain Authority 35 ⋅ Alexa Rank 178.6K
20. Hakin9 IT Security Magazine (Poland). About Blog: Hakin9 is one of the biggest IT security magazines, published for 10 years, with a database of 100,000 IT security specialists. Hakin9 magazine provides online visitors the exact information they need to stay up to date with the latest IT security news and solutions, and to learn what they can find on Hakin9's pages. Frequency: 3 posts / week. Blog: hakin9.org/blog
Facebook fans 196.5K ⋅ Twitter followers 32K ⋅ Social Engagement 10 ⋅ Domain Authority 51 ⋅ Alexa Rank 217.4K
21. HackerCombat | Cyber Security and Hacking News (United States). About Blog: Hacker Combat provides frequent updates on cyber attacks, hacking and exclusive events. Explore the latest news and security stories from around the world. Frequency: 2 posts / week. Blog: hackercombat.com
Facebook fans 13.8K ⋅ Twitter followers 7.1K ⋅ Social Engagement 4 ⋅ Domain Authority 40 ⋅ Alexa Rank 263.4K
22. Penetration Testing Lab. About Blog: PenTestLab was designed with the idea of helping ethical penetration testers build their own private lab, develop their skills in a safe environment and learn existing and new exploitation techniques. Frequency: 1 post / month. Since Feb 2012. Also in Pentest Blogs. Blog: pentestlab.blog
Facebook fans 10.8K ⋅ Twitter followers 16.5K ⋅ Social Engagement 401 ⋅ Domain Authority 40 ⋅ Alexa Rank 257.9K
23. Menlo Security Blog (Menlo Park, California, United States). About Blog: Menlo Security delivers 100% safety via its isolation platform, eliminating malware and phishing attacks while delivering a seamless end-user experience. Frequency: 1 post / day. Blog: menlosecurity.com/blog
Facebook fans 596 ⋅ Twitter followers 20K ⋅ Social Engagement 1 ⋅ Domain Authority 47 ⋅ Alexa Rank 212K
24. Synack Blog (San Francisco, California, United States). About Blog: Synack is a security company revolutionizing how enterprises view cybersecurity: through a hacker's eyes. Synack's private, managed, hacker-powered security solution arms clients with hundreds of the world's most skilled, highly vetted ethical hackers, who provide a truly adversarial perspective on clients' IT environments. Frequency: 6 posts / month. Blog: synack.com/blog
Facebook fans 2.4K ⋅ Twitter followers 20.6K ⋅ Instagram Followers 998 ⋅ Social Engagement 4 ⋅ Domain Authority 57 ⋅ Alexa Rank 249K
25. Hackers Online Club (HOC). About Blog: Get updates on the latest tools, exploits, security, vulnerabilities and hacking tutorials. HackersOnlineClub is a leading website for information security, ethical hacking, cyber forensics, website security, VAPT and mobile security. Frequency: 13 posts / year. Blog: blog.hackersonlineclub.com
Facebook fans 67.6K ⋅ Twitter followers 29.8K ⋅ Social Engagement 91 ⋅ Domain Authority 46 ⋅ Alexa Rank 356.8K
26. Hackology - Internet Security Blog (Ireland). About Blog: Hackology is a source of information security, hacking news, cyber security and network security, with in-depth technical coverage of issues and events loved by technophiles. Frequency: 4 posts / month. Blog: blog.drhack.net
Facebook fans 14.9K ⋅ Twitter followers 4.5K ⋅ Social Engagement 11 ⋅ Domain Authority 34 ⋅ Alexa Rank 491.3K
27. Ethical Hacking Tutorials - A Place For Ethical Hacking Learners. About Blog: The Ethical Hacking Tutorials blog is all about increasing security awareness and teaching the basics of security, pentesting and ethical hacking. Blog: ethicalhackingtutorials.com
Facebook fans 1.5K ⋅ Domain Authority 26 ⋅ Alexa Rank 693K
28. Hacking World (India). About Blog: Welcome to Hacking World, a place for hackers and tech lovers to find the latest and most amazing hacks you never could have thought of. Happy hacking. Frequency: 8 posts / month. Blog: myhackingworld.com
Social Engagement 1 ⋅ Domain Authority 10 ⋅ Alexa Rank 503.1K
29. The Hacker Factor Blog (United States). About Blog: Hacker Factor is a leader in cutting-edge computer forensics research, providing custom security-oriented software and consulting services to business customers. Frequency: 1 post / week. Blog: hackerfactor.com/blog
Twitter followers 3.6K ⋅ Social Engagement 93 ⋅ Domain Authority 59 ⋅ Alexa Rank 539.8K
30. Hacking Blogs | Become an Ethical Hacker. About Blog: Hacking Blogs On Security is a leading information security blog covering various security domains. Every week Hacking Blogs brings you the latest information about cybersecurity. Frequency: 1 post / week. Blog: hackingblogs.com
Domain Authority 29 ⋅ Alexa Rank 685.4K
31. SecuriTeam Blog (Cupertino, California, United States). About Blog: SecuriTeam is a small group within Beyond Security dedicated to bringing you the latest news and utilities in computer security. Having experience as security specialists, programmers and system administrators, we appreciate your need for a "security portal": a central security website containing all the newest security information from various mailing lists and hacker channels. Frequency: 30 posts / day. Blog: securiteam.com
Twitter followers 6.4K ⋅ Domain Authority 66 ⋅ Alexa Rank 892.5K
32. Official Hacker - Cyber Security, Hacking News, Tips And Tricks (India). About Blog: Official Hacker is your news, tips and tricks website. We provide you with the latest hacking news and hacking tutorials straight from the cyber industry. Frequency: 3 posts / quarter. Blog: officialhacker.com
Facebook fans 54.4K ⋅ Twitter followers 704 ⋅ Instagram Followers 48.6K ⋅ Social Engagement 2 ⋅ Domain Authority 19 ⋅ Alexa Rank 924.4K
33. HackingPassion.com. About Blog: HackingPassion.com teaches ethical hacking and cyber security. We help people become ethical hackers so they can test security systems. We love open source and Linux. Frequency: 1 post / week. Blog: hackingpassion.com
Facebook fans 4.7K ⋅ Twitter followers 522 ⋅ Domain Authority 13 ⋅ Alexa Rank 596.9K
34. E Hacking News [EHN] - The Best IT Security News | Hacker News. About Blog: The latest information security and hacker news blog. Learn about cyber crime and law, and get cyber security updates to improve your network security. Frequency: 2 posts / day. Blog: ehackingnews.com
Facebook fans 103.2K ⋅ Twitter followers 118.9K ⋅ Social Engagement 11 ⋅ Domain Authority 57 ⋅ Alexa Rank 1.2M
35. ethicalhackx.com - Ethical Hacking Tutorials (Bihar, India). About Blog: The ethicalhackx.com blog shares ethical hacking tutorials, Linux tutorials, Windows hacking, website hacking and design, and mobile hacking. Frequency: 3 posts / quarter. Blog: ethicalhackx.com
Twitter followers 7.4K ⋅ Social Engagement 14 ⋅ Domain Authority 30 ⋅ Alexa Rank 932.8K
36. Lesley Carhart - Full Spectrum Cyber-Warrior Princess (Chicago, Illinois, United States). About Blog: Lesley Carhart is a 17-year IT industry veteran, including 8 years in information security (specifically digital forensics and incident response). She speaks and writes about digital forensics and incident response, OSINT and information security careers, is highly involved in the Chicagoland information security community, and is staff at Circle City Con, Indianapolis. Frequency: 2 posts / quarter. Blog: tisiphone.net
Twitter followers 119.7K ⋅ Social Engagement 102 ⋅ Domain Authority 48 ⋅ Alexa Rank 988.4K
37. CQURE Academy Blog - Where Windows Hackers Level Up (Switzerland). About Blog: The CQURE Academy Blog covers topics such as Windows internals, identity theft protection, penetration testing, malware, secure servers and forensics. Frequency: 1 post / day. Blog: cqureacademy.com/blog
Facebook fans 12K ⋅ Twitter followers 3.5K ⋅ Social Engagement 5 ⋅ Domain Authority 34 ⋅ Alexa Rank 865.5K
38. HackeRoyale - Hacking and Penetration Testing Galore! (Forty Fort, Pennsylvania, US). About Blog: HackeRoyale is a repository of information about hacking, penetration testing and programming-related topics. Frequency: 4 posts / month. Blog: hackeroyale.com
Twitter followers 211 ⋅ Instagram Followers 135 ⋅ Domain Authority 29 ⋅ Alexa Rank 758.5K
39. Hack 2 World ®. About Blog: Articles on bash scripting, Android, Bitcoin, botnets, cheat sheets and much more. Frequency: 3 posts / week. Blog: hack2wwworld.blogspot.com
Domain Authority 14 ⋅ Alexa Rank 1.2M
40. Techncyber (India). About Blog: A blog for cyber technology news updates, ethical hacking tutorials, online safety tips, the latest tricks and tutorials, gadget reviews and more. Frequency: 2 posts / quarter. Blog: techncyber.com
Twitter followers 29 ⋅ Domain Authority 30 ⋅ Alexa Rank 941.3K
41. Hacker's King (India). About Blog: Learn ethical hacking, Termux tutorials, virus creation, Android tricks and Windows tricks for free. Frequency: 1 post / week. Blog: hackersking.in
Instagram Followers 4.5K ⋅ Domain Authority 3 ⋅ Alexa Rank 854.5K
42. HacksLand. About Blog: Keep up with articles from HacksLand. Frequency: 11 posts / quarter. Blog: hacksland.net
Social Engagement 1 ⋅ Domain Authority 17 ⋅ Alexa Rank 1.5M
43. The Hacker Blog - Matthew Bryant (San Francisco, California, United States). About Blog: A hacker's blog of unintended use and insomnia. Matthew Bryant is the author of XSS Hunter, a security researcher and a caffeine addict. Blog: thehackerblog.com
Twitter followers 6.6K ⋅ Domain Authority 44 ⋅ Alexa Rank 1.5M
44. Pure Hacking blogs (Australia). About Blog: Pure Hacking is a leading, highly specialised penetration testing and information technology (IT) security consultancy. Blog: purehacking.com/blog
Facebook fans 88 ⋅ Twitter followers 6 ⋅ Domain Authority 45 ⋅ Alexa Rank 2.5M
45. Hackercool Blog (Hyderabad, India). About Blog: This blog is dedicated to absolute beginners learning hacking, which means no disabling of firewalls or turning off of antivirus in its articles. Frequency: 7 posts / year. Blog: hackercool.com
Facebook fans 886 ⋅ Domain Authority 21 ⋅ Alexa Rank 4M
46. DefenseStorm Blog (Seattle, Washington, United States). About Blog: Get the latest cyber security news and critical industry insights, written by experts, in DefenseStorm's Cybermind blog. Blog: defensestorm.com/resources/i..
Facebook fans 144 ⋅ Twitter followers 645 ⋅ Domain Authority 31 ⋅ Alexa Rank 1.3M
47. ToolsWatch.org - The Hackers Arsenal Tools. About Blog: ToolsWatch is a free, interactive, modern, eye-catching service designed to help auditors, pentesters and security experts keep their ethical hacking toolbox up to date. Frequency: 6 posts / year. Blog: toolswatch.org
Facebook fans 850 ⋅ Twitter followers 19.3K ⋅ Social Engagement 7 ⋅ Domain Authority 40 ⋅ Alexa Rank 2.9M
48. Massive Alliance Blog (United States). About Blog: Industry news, whitepapers and technical insight into cyber security, hacks and reputation management. Subscribe to get notified. Frequency: 2 posts / week. Blog: massivealliance.com/blog
Facebook fans 143 ⋅ Twitter followers 156 ⋅ Social Engagement 1 ⋅ Domain Authority 32 ⋅ Alexa Rank 3M
49. Hackercool Magazine (Hyderabad, India). About Blog: Hackercool Magazine is a monthly magazine dedicated to all things ethical hacking and cyber security. Frequency: 1 post / quarter. Blog: hackercoolmagazine.com/blog
Facebook fans 195 ⋅ Twitter followers 106 ⋅ Domain Authority 7 ⋅ Alexa Rank 1.7M
50. Dark Hacker World (India). About Blog: Dark Hacker World is a blog about ethical hacking, money-making, the latest technology, programming and more. Frequency: 1 post / day. Blog: darkhackerworld.com
Facebook fans 19 ⋅ Twitter followers 5 ⋅ Instagram Followers 991 ⋅ Domain Authority 7 ⋅ Alexa Rank 976.6K
51. Ethical Hacking Blog - Gus Khawaja (Montreal, Quebec, Canada). About Blog: Learn from and enjoy new articles and posts about ethical hacking, cyber security and more by Gus Khawaja. Frequency: 1 post / week. Blog: ethicalhackingblog.com
Facebook fans 3K ⋅ Twitter followers 1.7K ⋅ Domain Authority 12 ⋅ Alexa Rank 1.8M
52. The Ethicalhacking Guru. About Blog: The Ethicalhacking Guru features hacking tutorials for beginners and advanced security professionals. Frequency: 1 post / quarter. Since Aug 2018. Blog: ethicalhackingguru.com
Domain Authority 8 ⋅ Alexa Rank 4.3M
53. Vinstechs | Geeks Hangover (Karnataka, India). About Blog: Vinstechs delivers in-depth knowledge and content on new technology trends, security tips, ethical hacking tips, how-to tutorials, tips and tricks, and information about new vulnerabilities and ransomware. Frequency: 29 posts / year. Blog: vinstechs.com
Facebook fans 5.6K ⋅ Twitter followers 14 ⋅ Instagram Followers 450 ⋅ Social Engagement 4 ⋅ Domain Authority 16
54. SenseCy - Cyber Threat Insider Blog (Israel). About Blog: SenseCy is a cyber threat intelligence (CTI) provider based in Israel. SenseCy enables continuous monitoring and early identification of cyber threats through a methodology it calls Virtual HUMINT, coupled with dedicated technology. Frequency: 2 posts / quarter. Blog: blog.sensecy.com
Facebook fans 133 ⋅ Twitter followers 2.6K ⋅ Social Engagement 3 ⋅ Domain Authority 44 ⋅ Alexa Rank 9.6M
55. Tips For Hacking. About Blog: Tips4Hacking provides the best tips for hacking. Its short message: don't hate the hacker, hate the code. Visit the website for the latest hacking and technology news and outstanding code for hackers. Frequency: 2 posts / week. Blog: tips4hacking.com
Social Engagement 2 ⋅ Alexa Rank 6.5M
56. Hacker NTIndiaAbout Blog Anyone can learn to hack in my blog for absolutely free. This is only for educational purpose Frequency 2 posts / year Since Nov 2019 Blog everythingnt.blogspot.com+ Follow
Domain Authority 3 ⋅ Alexa Rank 9.1MView Latest Posts⋅Get Email Contact
Follow on Feedspotⓘ
57. Offensive Sec 3.0About Blog Security of Information, Hacking, Offensive Security, Pentest, Open Source, Hackers Tools, etc. Blog offensivesec.blogspot.com+ Follow
Twitter followers 54 ⋅ Domain Authority 17 ⋅ Alexa Rank 9.9MView Latest Posts⋅Get Email Contact
Follow on Feedspotⓘ
58. Dancho Danchev's Blog | Mind Streams of Information Security KnowledgeAbout Blog Cybercrime Researcher Security Blogger Threat Intelligence Analyst. Dancho Danchev is the world's leading expert in the field of cybercrime fighting and threat intelligence gathering having actively pioneered his own methodology for processing threat intelligence throughout the past decade following a successful career as a hacker-enthusiast in the 90's leading to active-community participation and contribution as a Member to WarIndustries. Frequency 7 posts / month Blog ddanchev.blogspot.com+ Follow
Twitter followers 139 ⋅ Social Engagement 74 ⋅ Domain Authority 52 ⋅ Alexa Rank 4.4MView Latest Posts⋅Get Email Contact
Follow on Feedspotⓘ
59. Basics of Ethical Hacking | Tutorials, Tips and Tricks (Hoshiarpur, Punjab, India). Learn different ethical hacking techniques for beginners or intermediates with simple step-by-step tutorials, and how to stay safe online. Blog: basicsofhacking.com
Facebook fans 83.1K ⋅ Twitter followers 203 ⋅ Domain Authority 15
60. Hacker Nucleus - Ethical Hacking, Hacker News (New Delhi, Delhi, India). The Hacker Nucleus blog highlights the most recent hacker news, ethical hacking tutorials, free hacking ebooks and tools for devoted students. Blog: hackernucleus.com
Twitter followers 65 ⋅ Domain Authority 13
61. Terry Cutler The Ethical Hacker (Montreal, Quebec, Canada). Terry Cutler is a government-cleared cybersecurity expert (a certified ethical hacker) and the Director of Cybersecurity at SIRCO Investigation and Protection in Montreal, Canada. For the general public, he developed an effective online learning program arranged in modules and updated regularly to keep up with the rapidly changing digital landscape. Blog: terrycutler.com/blog
Facebook fans 480 ⋅ Twitter followers 2.3K ⋅ Instagram Followers 684 ⋅ Domain Authority 27
62. Darknet | Hacking Tools, Hacker News & Cyber Security (United Kingdom). Darknet is your best source for the latest hacking tools, hacker news, cybersecurity best practices, ethical hacking & pen-testing. Frequency: 1 post / month. Blog: darknet.org.uk
Facebook fans 383.8K ⋅ Twitter followers 19K ⋅ Social Engagement 492 ⋅ Domain Authority 56
63. Professional Hackers On Security (India). Professional Hackers provides a single platform for the latest and trending IT updates, business updates, trending lifestyle, social media updates, enterprise trends, entertainment, hacking updates, core hacking techniques, and other free stuff. Frequency: 1 post / day. Blog: professionalhackers.in
Facebook fans 3.7K ⋅ Twitter followers 675 ⋅ Social Engagement 3 ⋅ Domain Authority 18
64. DarkPloit (Istanbul, Turkey). DarkPloit is a blog that aims to provide the latest updates on hacking tools, exploits, tutorials, and news related to penetration testing and security. Frequency: 22 posts / year. Blog: darkploit.com
Facebook fans 1.2K ⋅ Twitter followers 14 ⋅ Instagram Followers 12 ⋅ Social Engagement 32 ⋅ Domain Authority 7
65. Hacking Articles (Delhi, India). Hacking Articles is a very interesting blog about information security, penetration testing and vulnerability assessment, managed by Raj Chandel. In this blog it's possible to find many resources and detailed tutorials about ethical hacking and cyber security. Frequency: 1 post / day. Blog: hackingarticles.com
Twitter followers 3.9K ⋅ Domain Authority 17
66. Hackingtutorials.in. Want to learn ethical hacking with termux for free? Want the best tutorials to become a cybersecurity expert? We will help you in becoming one. Frequency: 7 posts / quarter. Blog: hackingtutorials.in
Facebook fans 298 ⋅ Instagram Followers 14.3K ⋅ Domain Authority 1 ⋅ Alexa Rank 6.3M
67. Anonhack. The blog Anonhack.in is for readers who find hacking interesting. Every article on this blog has been written based on my experience. I started working on this blog in 2015. This blog will teach you how stuff actually works in the hacking arena. Frequency: 1 post / month. Blog: anonhack.in
Domain Authority 8
68. Ark Dots Hacking Tricks (Arkansas, United States). Ark Dots is a tech blog for learning Android mobile tricks, computer hacking tricks, iPhone tricks, Facebook tricks and hacks. A blog about hacking and cracking passwords of WiFi and social media networks. Blog: arkdots.com
Facebook fans 4.5K ⋅ Domain Authority 14
69. Hackshade Blog (Raipur, Chhattisgarh, India). This is a descriptive blog about DIY, electronics, trending technology, daily hacks, computer tricks & ethical hacking tutorials. Frequency: 3 posts / week. Blog: hackshade.com
Facebook fans 169 ⋅ Twitter followers 30 ⋅ Domain Authority 10
70. Superior Solutions Inc - Ethical Hacking and Penetration Testing (Houston, Texas, United States). The Superior Solutions Inc blog is all about penetration testing, security vulnerability assessments, IT audit services, cyber security training, and CISSP, CISA, CISM, and CEH certification. Blog: thesolutionfirm.com/blog
Facebook fans 1.5K ⋅ Twitter followers 1.6K ⋅ Domain Authority 40
71. The Real Hackers. The Real Hackers offer you ALL your hacking needs. Our track record of success in Android spy, Whatsapp spy, phone tracker etc. makes our customers trust us. Frequency: 7 posts / year. Since Dec 2017. Blog: therealhackers.com
Domain Authority 9
72. HackAccess. Hack Access is a one-stop solution for all ethical and unethical stuff. We are here to provide you the best content and knowledge. Take a dive into the world of the unknown. Now all the expert hacker techniques are at your fingertips. Just browse to anything. Blog: blog.hackaccess.com
Facebook fans 1.1K ⋅ Twitter followers 59 ⋅ Domain Authority 9
73. Creed Sec | Best Ethical Hacking and Penetration Tutorials (India). CreedSec is a blog about hacking, cracking and penetration testing; on CreedSec they post tutorials on hacking and penetration testing. Blog: creedsec.net
Twitter followers 128 ⋅ Domain Authority 10
74. ThreatNinja Improve Awareness. I'm a security enthusiast and a security writer. I'm also still learning a lot of things, especially related to security. Frequency: 5 posts / week. Blog: threatninja.net
Domain Authority 10
75. Hacking Tutorials. Keep up with the articles from Hacking Tutorials. Frequency: 9 posts / quarter. Since Jun 2020. Blog: anonymousvkhk.blogspot.com
76. The Hacking Press - Latest Cyber Security, Infosec and Hacking News. The Hacking Press is a cyber security news platform dedicated to providing readers with top-shelf news about hackers & the hacked, the leakers & the leaked, and surveillance & privacy issues, to keep you informed and secure. Blog: https://hacked.press/
Domain Authority 18
77. My Hacking Tricks | Android and Linux Hacking (Delhi, India). This blog helps in learning RHEL, ethical hacking, Python programming, using different Kali Linux tools, using termux as a hacking device, Insta and FB hacking, Android hacking, website hacking, admin page hacking, and database hacking. Blog: https://www.myhacktricks.com/
Domain Authority 3
78. EiQ Networks Blog (Boston, England, United Kingdom). Read up on how to proactively identify, prioritize, and combat modern security threats using EiQ Networks' true situational awareness solutions. Frequency: 2 posts / year. Blog: https://blog.eiqnetworks.com/blog
Twitter followers 2 ⋅ Domain Authority 36 ⋅ Alexa Rank 8.6M
79. Hakerin. Hakerin is a web portal for all computer enthusiasts. We provide a professional and interesting news feed about hacking, coding, tech news and more. Blog: http://hakerin.com/
Facebook fans 32.2K ⋅ Domain Authority 5
80. Hackarma: The cause and effect of high profile hacks. Hackarma brings you the cause and effect of the world's most high-profile hacks. We publish the latest news with one common theme, cause and effect: what caused the hack and what effect it has had on the targeted organisation. The format of our content is designed to provide you with a quick and simple overview, as and when the stories emerge. Blog: http://www.hackarma.com/
Domain Authority 6
81. Shouthacker - Hack Begins Here. The Shouthacker blog will give knowledge of everything about hacking: hacking ebooks, tutorials, hacking forums, ethical hacking, hacking tools. Blog: https://www.shouthacker.com/blog
Facebook fans 99 ⋅ Domain Authority 5
82. Gray Hat Hackers. Learn hacking/security skills, follow tutorials, get to a CEH level, and take on challenges. Free tools and resources are available. Blog: https://grayhathackers.com/
Domain Authority 7
83. Ultimate Hackers (New York, United States). Ultimate Hackers are people with a vision of making the hacking community a better place by helping each other through learning and sharing. They emphasize the basics and how things work so you can learn the deep concepts in this field. Frequency: 2 posts / month. Blog: http://teamultimate.com/
Facebook fans 2.8K ⋅ Twitter followers 599 ⋅ Domain Authority 9
84. Ethical Hackers Club (Mumbai, Maharashtra, India). Ethical Hackers Club provides free support to victims facing cyber crime, cyber bullying and other such activities. Learn ethical hacking and get certifications. Frequency: 3 posts / year. Blog: http://www.ethicalhackersclub.com/
Facebook fans 2.2K ⋅ Twitter followers 158 ⋅ Domain Authority 6
85. FH-Team - Penetration Testing | Ethical Hacking (Maharashtra, India). This is the official blog of fukreyhackers.in, which provides solutions on Linux and Windows as well as networking and hacking tricks. Blog: http://fukreyhackers.com/
Twitter followers 62 ⋅ Domain Authority 4
86. The Hacker Journal (Lahore, Punjab, Pakistan). The Hacker Journal's mission is to raise awareness of, and prevention related to, cyber crimes such as scamming, phishing, hacking and spying, to prepare the public for their own welfare. Frequency: 22 posts / month. Blog: https://thehackerjournal.com/
Facebook fans 224 ⋅ Twitter followers 25 ⋅ Domain Authority 4
87. Hacker General. This blog is all about my hacking experience. The posts are related to my thoughts on hacking and getting started with it. Since May 2017. Blog: https://thehackergeneral.blogspot.com/
Facebook fans 59 ⋅ Domain Authority 3
88. Top Hacking News. Top Hacking News is a blog where you can read hacking news, cyber attacks and security news from around the world. Blog: http://top-hackingnews.blogspot.com/
Domain Authority 7
89. kk news india. Get updates from kk news india. Frequency: 30 posts / year. Blog: https://kknewsindia.blogspot.com/
Domain Authority 3
90. Technology Today. Technology Today is a blog with small tricks and hacks. Blog: https://technologyshouri.blogspot.com/
Domain Authority 3
91. DARKCYBERSOCIETY (Mumbai, Maharashtra, India). Darkcybersociety is an online hacking education company. Blog: http://www.darkcybersociety.com/
Domain Authority 6
92. thelearninghacking (India). Learn ethical hacking from this site. Blog: http://thelearninghacking.com/
Domain Authority 12
93. Hack The World. Learn all about hacking for free with written posts and hacking video tutorials. Frequency: 3 posts / year. Blog: https://htwhacker.blogspot.com/
Domain Authority 3
94. Kamran Mohsin - Cyber Security, Hacking Blog (Pakistan). This blog delivers the best of its resources to its readers. Blog content includes daily cyber news, hacking directives and their prevention, technology posts, WordPress etc. Frequency: 2 posts / year. Blog: https://www.kamranmohsin.com/
Facebook fans 2.1K ⋅ Twitter followers 842 ⋅ Domain Authority 17
95. Manish Bhardwaj Blog (Gurgaon, Haryana, India). Manish Bhardwaj is an ethical hacker, penetration tester & blogger. Blog: https://manishbhardwajblog.wordpress.com/blog/
Twitter followers 291 ⋅ Domain Authority 7
96. Enjoy Hacking. Learn about hackers, ethical hacking, hacking tools, CEH, hacking tricks, latest hacking news, proxy websites and hacking simulators. Frequency: 3 posts / year. Since Jan 2014. Blog: https://wholovehacking.blogspot.com/
Twitter followers 235 ⋅ Social Engagement 8 ⋅ Domain Authority 5
97. HackingTutorials.in (India). Want to learn ethical hacking with termux for free? Want the best tutorials to become a cybersecurity expert? We will help you in becoming one. Frequency: 30 posts / year. Blog: https://www.hackingtutorials.in/
Domain Authority 1
98. KNOWLEDGE UNLIMITED. Get the latest tips & tricks about technology and hacking, and be safe from hackers. This blog is written to update you about new things in hacking & technology. Frequency: 3 posts / quarter. Since May 2020. Blog: https://knowledgeunlimited76.blogspot.com/
99. Hackerzz. A blog about cyber security and ethical hacking. In this blog I will give you tutorials, tricks and information about hacking tools. Frequency: 1 post / quarter. Blog: https://hackerzz01.blogspot.com/
100. Hacking Tutorials - The best Step-by-Step Hacking Tutorials. Follow this blog for step-by-step hacking tutorials about WiFi hacking, Kali Linux, Metasploit, exploits, ethical hacking, information security, malware analysis and scanning. Frequency: 1 post / year. Blog: https://www.hackingtutorials.org/
Twitter followers 38.6K ⋅ Domain Authority 40 ⋅ Alexa Rank 328.5K
101. Effect Hacking - Learn To Hack and Protect (United States). A dedicated blog for hackers. A blog to learn about internet security, hacking, security tools, etc. Frequency: 17 posts / year. Blog: http://www.effecthacking.com/
Twitter followers 205 ⋅ Domain Authority 41 ⋅ Alexa Rank 2.6M
102. Freedom Hacker - Hacking News, Security News & Everything Cyber (United States). A leading source for security and hacking news. The latest on privacy, DDoS attacks, malware, NSA revelations and cyber crime related news across the web. Frequency: 1 post / year. Blog: https://freedomhacker.net/
Facebook fans 1.4K ⋅ Twitter followers 1.4K ⋅ Domain Authority 43 ⋅ Alexa Rank 634.1K
103. Ethical Hacking - Your Way To The World Of IT Security (United States). Ethical Hacking is the best place to learn and practice hacking in an ethical way. Learn about IT security with some tips and tricks covering various operating systems. Frequency: 8 posts / year. Blog: https://www.ehacking.net/
Facebook fans 241.5K ⋅ Twitter followers 19.4K ⋅ Social Engagement 38 ⋅ Domain Authority 45 ⋅ Alexa Rank 119.5K
104. Ibnshehu (Kaduna, Nigeria). I'm Abubakar Shehu. I am a cybersecurity engineer, bug hunter, full stack developer, and a part-time blogger working at the intersection of security, technology, and people. CEO at SUUMAB Enterprise, cybersecurity engineer at KAD ICT Hub. I guide passion-fuelled people out of fear and uncertainty, and into lives, blogs and businesses they love (and truly desire). Frequency: 2 posts / year. Blog: https://ibnshehu.com/
Twitter followers 6K ⋅ Instagram Followers 2.4K ⋅ Domain Authority 12
105. Netragard Blog (Boston, Massachusetts, United States). Netragard, Inc is a research-driven network penetration testing firm. Their penetration testing deliverables are guaranteed to be free of false positives and the product of expert-driven research. Frequency: 1 post / year. Blog: https://www.netragard.com/blog
Facebook fans 488 ⋅ Twitter followers 939 ⋅ Social Engagement 28 ⋅ Domain Authority 47 ⋅ Alexa Rank 2M
106. Hackers Arise Blog. Hackers Arise was developed solely to help those who are interested in a career in cyber security. They have tutorials on all forms of hacking, digital forensics, Linux, information security and just about any subject related to cyber security. Frequency: 2 posts / month. Blog: https://www.hackers-arise.com/
Twitter followers 62.4K ⋅ Domain Authority 33 ⋅ Alexa Rank 441.6K
107. DefCamp Blog (Romania). DefCamp is the most important annual conference on hacking & information security in Central Eastern Europe, bringing together the world's leading cyber security doers to share the latest research and knowledge. Blog: https://def.camp/blog/
Facebook fans 5.2K ⋅ Twitter followers 1.3K ⋅ Social Engagement 49 ⋅ Domain Authority 37 ⋅ Alexa Rank 5.2M
108. Cryptohackers | Hacking News & Guide on How to Hack. We provide hackers for hire and cyber investigation services: find email hackers, phone hackers, facebook hackers, or hire a hacker at Cryptohackers. We specialize in cell phone hacking and remote mobile monitoring of iPhones and Android devices. Learn how to hack and learn how to hack remotely with mobile devices, computers, cellphones, and more. We provide you with full-on guides and tutorials on how to hack. Blog: https://cryptohackers.com/news/
Domain Authority 22 ⋅ Alexa Rank 1.8M
109. CSO Online Salted Hash - Top security news (Framingham, Massachusetts, United States). CSO offers the latest information and best practices on business continuity and data protection, best practices for prevention of social engineering scams, malware and breaches, and tips and advice about security careers and leadership. Blog: https://www.csoonline.com/blog/salted-hash-top-security-news/
Facebook fans 16.8K ⋅ Twitter followers 56.2K ⋅ Domain Authority 81 ⋅ Alexa Rank 26K
Are Your Accounts Safe from Social Media Hacking?
As a social media manager, you have a million things to think about every day. Creating campaigns, organizing graphics, responding to fans and of course posting, tweeting and uploading.
Unfortunately, when it comes to social media hacking and account security, you will probably only think about it when it’s too late.
A hacked account can cause massive embarrassment to your brand, lose you followers, get you banned from networks, and even land you in legal trouble. That’s because you are responsible for the information you put out from your channel.
Before you say, “it won’t happen to me”, keep in mind that the last few years have seen cyber attacks rise and target well known figures and brands.
Three Recent Cases of Social Media Hacking
1. Game of Thrones
The popular TV series Game of Thrones on HBO has nearly 7 million followers on Twitter — making it ripe for the picking where hackers are concerned. In August of 2017, a group called OurMine appeared to take control of the main HBO accounts, including the Game of Thrones feed.
OurMine has a reputation for hacking high profile Twitter accounts. In fact, it recently hacked Facebook co-founder Mark Zuckerberg, Netflix, Google chief executive Sundar Pichai and Wikipedia co-founder Jimmy Wales.
2. Amnesty International
When it comes to social media hacking, there are many reasons someone may take over your corporate account. Some hackers are motivated by monetary gain, others by a personal vendetta or mischief — or some by political reasons, as in the case of Amnesty International.
Recently, several high-profile Twitter accounts were hacked by an anonymous group. Accounts such as The European Parliament, Forbes and Amnesty International fell victim. Amnesty International and Unicef USA saw their social media accounts tweet a message in Turkish that read:
“#NaziGermany #NaziNetherlands, a little #OTTOMAN SLAP for you, see you on #April16th.”
3. United States Central Command
If there’s one account you don’t expect to fall victim to social media hacking, it’s the United States Central Command!
The US Military Central Command was hacked by CyberCaliphate, a group supporting ISIS. The hack consisted of two videos, entitled “Flames of War Isis Video” and “O Soldiers of truth go forth,” which were uploaded to the official YouTube channel.
On an even more serious note, documents were also released via the Twitter account which, although deemed “non-classified,” still had the potential to damage national security. Whilst the account was eventually recovered, it was still an embarrassing slap in the face for the Pentagon.
If social media hacking can happen to them, it can happen to you.
So, let’s take a look at how you can prevent social media hacking on your own brand account.
Steps to Take to Protect Your Social Media Accounts
1. Get Alerted About Suspicious Activity
As a social media manager, you need to have eyes in the back of your head, and not just for fan comments and media monitoring.
You need to keep tabs on suspicious logins and get early warning of anything out of the ordinary. Consider installing intrusion detection apps on your phone. These apps detect suspicious activity and unauthorized access to your online accounts.
One app to try is LogDog which serves as a security system for your personal and company accounts.
LogDog checks for suspicious activity and sends an alert to your phone so you can take back control of compromised accounts. The app currently monitors Facebook, Yahoo, Twitter, LinkedIn, Gmail, Evernote, Slack and Dropbox.
2. Control the Access to Your Social Media Accounts
This is a big one, and something that costs you nothing to implement.
I’ve worked with brands that leave social media passwords on desks, written on whiteboards and even shared on uncontrolled servers. This is a big fat NO, because the more people who have access to your accounts, the greater the risk of social media hacking.
Remember too that current employees might not hack your social media accounts, but ex-employees might! By using a social media management tool like Agorapulse, you can grant specific employees access to specific accounts. You can easily add or remove them, assign roles and change passwords if you need to.
On the subject of controlling social media access, employees should always use a work email address when signing up for company social media accounts. Trying to gain back control when an ex-employee owns the account on his or her Gmail is hard!
3. Pay Attention to Risks
As a social media manager, you need to be aware that the risks of social media hacking are all around you, and that you can prevent most of them.
For example:
- Always log out of your social media accounts after use.
- Clear your cache regularly.
- Put a screen lock on any phones with social media access.
- Don’t leave your phone lying around in cafes, bars, or public spaces.
- Be careful when clicking on unknown links.
- Train your employees to prioritize social media account security.
- Always remove ex-employees from your accounts and change passwords – even if they parted on amicable terms.
4. Create a Social Media Policy
Working with well-known brands (as well as my own) has taught me that you need a social media policy in place. Before you sigh that this is yet another thing you need to do… relax. This is not a lengthy process.
Social media policies are a way to ensure that your whole team is following the rules. Your policy may include any of the following points:
- The tone and style of your brand on social media
- Who is responsible for answering/posting/updating accounts
- How to effectively monitor the accounts
- Ways to avoid spam, phishing attacks, and social media hacking
- What to do if your account is hacked or compromised
- Who to contact in the event of a PR crisis or account compromise
- The name of the spokesperson for PR crisis management
- How to protect social media accounts from hacking
We usually look at examples of big brand fails and discuss ways they could have been prevented.
5. Run Regular Security Checks
Running regular security checks on your accounts is a great way to stay on top of your social media security. I like to do this monthly for all my social media accounts and the ones I’m managing for other brands.
Again, this doesn’t need to take hours, but you may find flaws in your security that you didn’t know existed.
Here are some of the things you should be checking for:
- Connected Apps – check which apps are connected to your Twitter or other social accounts. Did you connect them and are they reputable?
- Users – Are you happy with all the admins on each account or are any of them ex-employees or agencies you don’t work with anymore?
- RSS – If you have an RSS feeder linked to your Twitter, run a quick check to ensure that the feeds are all coming from reputable sources.
- Fake Accounts – Run a quick search to ensure that your brand is not being impersonated by another account. If you find anything suspicious, report it to the site.
- Check your Agorapulse user panel – Log in and look at the users to ensure that the team is still correct for each brand you manage.
- Change passwords – Changing passwords on a regular basis is important. You should also avoid using anything obvious like the name of your brand, your name or the usual “Twitter123”. You know who you are!
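One way to make the monthly review above repeatable, as an added example that is not part of the original article: a small Python access-review script that takes a constructed export of brand accounts (admins, connected apps, password) and flags admins who are not current employees or not on the company e-mail domain, connected apps outside an approved list, and passwords built from the brand or platform name or from a word followed by a few digits (the “Twitter123” pattern). The company domain, staff list, approved-app list and account data are all made up for the example; Agorapulse appears in the approved list only because the article mentions it.

```python
import re
from dataclasses import dataclass

# Constructed inputs: the company's e-mail domain, the current staff list from
# HR, and the third-party apps allowed to hold access to brand accounts.
# Every name, domain and password in this file is made up for the example.
COMPANY_DOMAIN = "brand.example"
CURRENT_STAFF = {"ana@brand.example", "raj@brand.example"}
APPROVED_APPS = {"Agorapulse", "Feedly"}
BRAND_NAME = "Brand"


@dataclass
class AccountSnapshot:
    """One brand account as exported for the monthly review (constructed shape)."""
    platform: str          # e.g. "Twitter"
    admins: list           # e-mail addresses that hold admin/editor rights
    connected_apps: list   # third-party apps authorised on the account
    password: str          # used only for the weak-pattern check; never log it


def password_findings(password, brand=BRAND_NAME, platform=""):
    """Flag passwords derived from the brand or platform name, or word+digits."""
    findings = []
    lowered = password.lower()
    if brand.lower() in lowered:
        findings.append("password contains the brand name")
    if platform and platform.lower() in lowered:
        findings.append("password contains the platform name")
    if re.fullmatch(r"[A-Za-z]+\d{1,4}", password):
        findings.append("password is a word followed by a few digits")
    if len(password) < 12:
        findings.append("password is shorter than 12 characters")
    return findings


def review_account(snap, staff=CURRENT_STAFF, approved=APPROVED_APPS,
                   domain=COMPANY_DOMAIN, brand=BRAND_NAME):
    """Return the list of findings for one account; an empty list means clean."""
    findings = []
    for admin in snap.admins:
        email = admin.lower()
        # Work addresses only: a personal mailbox cannot be revoked by IT.
        if not email.endswith("@" + domain):
            findings.append(f"admin {admin} is not on the company domain")
        # Anyone not on the current roster is an ex-employee or an outsider.
        if email not in staff:
            findings.append(f"admin {admin} is not a current employee")
    for app in snap.connected_apps:
        if app not in approved:
            findings.append(f"connected app {app} is not on the approved list")
    findings.extend(password_findings(snap.password, brand, snap.platform))
    return findings


def review_all(snapshots, **kwargs):
    """Map each platform name to its findings."""
    return {s.platform: review_account(s, **kwargs) for s in snapshots}


# Constructed sample export: one account with several problems, one clean.
SAMPLE_ACCOUNTS = [
    AccountSnapshot("Twitter",
                    ["ana@brand.example", "oldhire@gmail.com"],
                    ["Agorapulse", "FollowBooster"],
                    "Twitter123"),
    AccountSnapshot("Facebook",
                    ["raj@brand.example"],
                    ["Agorapulse"],
                    "kq7!Vm2#pL9zR4wt"),
]


if __name__ == "__main__":
    for platform, findings in review_all(SAMPLE_ACCOUNTS).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{platform}: {status}")
        for item in findings:
            print(f"  - {item}")
```

In practice the snapshots would come from each platform's settings page or from the management tool's user panel, and the staff list from HR; the point of keeping the review as code is that it runs the same way every month and produces a list you can act on, rather than relying on memory of who was given access.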