Too Smart to Fall for a Phishing Ruse? Think Again!

Ever wonder how stupid or careless someone has to be to be fooled by a phishing scam? Well, according to research conducted by a group of German experts, virtually anyone can be fooled.

In their study “Unpacking Spear Phishing Susceptibility,” the researchers showed that although email phishing scams get more publicity, Facebook scams appear to be more effective.

“By a careful design and timing of a message, it should be possible to make virtually any person click on a link, as any person will be curious about something, or interested in some topic, or find themselves in a life situation that fits the message’s content and context.”

The Goal of the Study

The researchers, sensing there was a dearth of research related specifically to spear phishing, decided to create a study that would fill the gap. They constructed a study that would explore the differences in delivery medium effectiveness (Facebook vs. email) while at the same time quantifying the personal motivations that led people either to click on the phishing link or, just as importantly, not to click on it.

The Phishing Scam

The selected participants were sent a phishing link either as part of an email or a personal Facebook message from a fake, non-existent person. The message claimed the link led to pictures from a party.

Facebook Gets 2X Clickthrough Rate

As Table 2 shows, when the same phishing message is presented via Facebook as compared to email, individuals are over 2X more likely to click on the link and begin the phishing process.

Source: Zinaida Benenson, Robert Landwirth, Friedrich-Alexander-Universität; Freya Gassmann, Universität des Saarlandes


Why Did They Click?

Source: Zinaida Benenson, Robert Landwirth, Friedrich-Alexander-Universität; Freya Gassmann, Universität des Saarlandes

Why Didn’t They Click?

Just as important to the researchers was attempting to understand why people didn’t click. Here is what they found.

Source: Zinaida Benenson, Robert Landwirth, Friedrich-Alexander-Universität; Freya Gassmann, Universität des Saarlandes

How Can Konsultek Help?

Whenever humans are involved there are going to be errors in judgement and successful phishing. That’s why all of our custom security solutions take a holistic approach to network security using a proven model of intrusion prevention, detection and mitigation. When you are ready to take your network security to the next level, give us a call.


Cyber-Espionage Exploding in Education Services Sector

There has been a major shift in the type of breach incident happening in the education services sector according to the Verizon 2017 Data Breach Investigations Report.

Can you spot the shift in the graphic below?

Source: Verizon 2017 DBIR

Cyber-espionage has exploded since mid-2012! That’s right: because of the cutting-edge research that happens at many colleges and universities, they have become a target for state-sponsored hacking.

As Verizon puts it…

“So college isn’t just pizza and tailgates—research studies across myriad disciplines conducted at universities put them in the sights of state-affiliated groups.”

So while, of course, the personal information of students and faculty was commonly extracted during breaches (a little more than half of all breaches), intellectual property losses were tied to a little more than a quarter of all breaches.

Targeted or Random Acts of Unkindness?

The evidence is clear that state-sponsored hacking and some criminal, profit-based hacking is specifically targeting the hallowed halls of our academic institutions.

How Do They Do It?

Good question. Here is the answer in a graphic from the Verizon report.

Phishing email was the predominant threat vector in the social category, while the use of stolen credentials was the dominant hacking technique. One interesting thing to note is the number of incidents involving Social and one or more other vectors.

How Would You Like to Get a Threat Vulnerability Education for FREE?

At Konsultek we believe an educated client is the best client. That’s why we offer a variety of free vulnerability assessments to help you determine both your risk exposure and the likelihood of that exposure given the state of your current security measures. Who would you rather educate you, the good guys at Konsultek or the bad guys out in the wild? Well, what are you waiting for? Pick up the phone and give us a call today so we can get your vulnerability assessment scheduled ASAP!


Hacking Insights from Verizon

The 2017 Verizon Data Breach Investigations Report (DBIR) has been released and as always, it is chock full of fascinating facts about the current state of the hacking and cyber threat world. You can get the full report from Verizon for free here.

Who are the Perps?

According to this year’s DBIR the breakdown of who’s been doing the most hacking looks like this:

  • 75% Perpetrated by outsiders
  • 51% Linked to organized criminal groups
  • 25% Involved internal actors
  • 18% Starred state-affiliated actors
  • 3% Featured multiple parties
  • 2% Involved partners

How Did They Do It?

  • 62% Of breaches featured hacking
  • 51% Involved Malware
  • 81% Leveraged stolen or weak passwords
  • 43% Were social attacks
  • 14% Were linked to errors or privilege misuse
  • 8% Involved physical actions

The above information is just a sneak peek at a portion of the summary data contained in the 2017 DBIR. Next week we’ll take a deeper dive into what industries were hardest hit and by whom as well as get into specifics of how these industries were attacked.

The Only Certainties in Life are Death, Taxes and Cybercrime!

Today is the last day to file your federal income taxes. And the looming 12:00 a.m. deadline has thousands, if not millions, of citizens stressing out and more susceptible to phishing scams than usual.

Every good cybercriminal knows this, and they are working overtime churning out fake emails from the IRS and other taxing authorities in the hopes of snagging victims, stealing valuable information and, ultimately, making some money.

IRS Phishing PSA

For those of you who stumble across this blog post hoping to find a quick answer to the question “How do I know if this email from the IRS is real?” here is the quick answer.
The IRS will NEVER ask you to send along personally identifiable information such as your social security number or bank account details. So, if you are looking at an email that purports to be from the IRS and it is asking for this information it is a fake, phishing email and you should discard it ASAP!

IRS Issues Scam Warning

The prevalence of phishing scams this tax season prompted the IRS to issue a warning on March 17, 2017.

In the warning the IRS urged both tax professionals and taxpayers to be on guard against suspicious activity. Two scams were highlighted in the warning.

In the first, which targets tax preparers, a fake email is sent to the preparer (ostensibly from the client) asking the preparer to change the refund destination, often to a pre-paid debit card.

The second scam targets users of tax preparation software or similar services. Users receive emails from these entities asking them to update their online accounts.

Of course, those nostalgic for the good old days should be happy to know that telephone scams are still plentiful, with the “IRS” robo-calling with urgent messages that require immediate action.

From Phishing to Malware

The purpose of these phishing emails is often not to directly collect account information but rather to install malware that can then access all the information stored on the infected device and even hijack the camera. That, according to

The Zscaler ThreatLabZ team has detected a rise in Java-based remote access Trojan variants — jRATs — which give attackers a backdoor into a victim’s system and can be capable of remotely taking control of the system once it’s infected. Malware authors are using numerous tactics to entice unsuspecting users to open infected attachments, which arrive as malicious JAR files. Most recently, we’ve seen filenames such as “IRS Updates.jar” and “Important_PDF.jar,” claiming to contain important tax deadline information from the IRS.

Security is a 24X7X365 Job

Today it’s tax filing, tomorrow the scam will focus on something else. It appears that cybercriminals never sleep and never take a day off. Somewhere in the world there is always someone or some bot attempting to fleece unsuspecting individuals and organizations. I think we have finally “progressed” as a society to the point when we can confidently say that the only things certain in life are death, taxes and cybercrime!

James Comey and Nigerian Spam

Woke up today to find this gem in the mailbox. Who knew that the FBI and the Central Bank of Nigeria would be looking for me!

This email is entertaining for a couple of reasons (at least!) beyond the alleged working relationship between Mr. Comey and the Central Bank of Nigeria.

Take a look at the portions highlighted with blue text! First a warning that “you should ignore any message that does not come from the above email address and phone number for security reasons.”

Next, look at Mr. Comey’s email address. I would have thought that after all the email scandals in Washington that Mr. Comey would not be using an AOL email address for such important and sensitive business!

Re: Urgent January Notice…….

From: James B. Comey, Jr., <> 

Jan 18 at 12:37 PM

935 Pennsylvania Avenue, NW

Washington, D.C. 20535-0001. USA.

Attention: Beneficiary,

After proper investigations, we, the Federal Bureau of investigation (FBI) discovered that your impending (over-due contract) payment with Central Bank of Nigeria is 100% legal and has been approved for release to you.

We recently had a meeting with the Executive Governor of the Central Bank of Nigeria, in the person of Mr Godwin Emefiele and other top officials of the concerned Ministries regarding your case and we were made to understand that your files have been held in abeyance pending on when you personally apply for the claim.

Investigations also revealed that a lady, by name Mrs. Joan B Melvin from New York has already contacted Central Bank of Nigeria with a power of attorney and some documents, which stipulated that you have mandated her to claim your fund of US$25,000,000.00 (Twenty Five Million United States Dollars) on your behalf due to your ill health.

In view of this, we have been urged to warn US citizens who have received information pertaining to their outstanding contract payment to be very careful and not to be a victim of ugly circumstance. In case you are already dealing with anybody or office of the Central Bank of Nigeria, you are strictly advised to STOP further communication with them in your best interest and thereby contact the real office of the Central Bank of Nigeria via the below information:

OFFICE ADDRESS: Central Bank of Nigeria,Central Business District,

Cadastral Zone, Abuja, Federal.

Capital Territory, Nigeria.


NOTE: In your best interest, you should ignore any message that does not come from the above email address and phone number for security reasons. And to enable the Central Bank of Nigeria to process and release the fund to you, you are required to re-confirm your full details such as

FULL NAMES: __________________________________

CITY: _________________________

STATE: __________________________________

ZIP: ______________COUNTRY: _______________________

SEX: _______________AGE: __________________

TELEPHONE NUMBER: _____________________

Ensure that you follow the Central Bank of Nigeria due process as enshrined in the International Banking Secrecy Act to avoid any form of discrepancy, which may hinder your fund transfer. Thanks for your understanding and cooperation as we earnestly await your urgent response.

Best Regards,

James B. Comey, Jr.,

Federal Bureau of Investigation

J. Edgar Hoover Building,

935 Pennsylvania Avenue,

NW Washington, D.C



Most Americans Don’t Trust Social Media Security… Do You?

An update to a 2014 poll regarding the trustworthiness of Social Media was recently released with some interesting results.

To summarize, while the use of social media is increasing (80% of the 2016 respondents indicate they use social media) the overall level of trust in the security of social media is decreasing.

One can only assume that most respondents feel that the rewards presented by social media participation outweigh the perceived increase in information security risk.

It is also interesting that when questioned about specific security threats the results indicate a flat to decreasing sense of risk.

Do you feel more or less secure in the world of social networking?

Image courtesy of

Proofpoint 3rd Quarter Threat Report Reveals Rampant Rise in Malware

Our partners at proofpoint just released their 3rd Quarter Threat Summary, which you should grab here.

Here is a quick overview, by category, of what’s been trending in the way of information security threats over the past 3 months.

Email and Exploit Kits

  • Volume of malicious email that used JavaScript increased 69% vs Q2
  • The most popular malicious attachment was the ransomware Locky
  • The variety of ransomware introduced increased by 10X
  • Cybercriminals continue to hone their skills in regards to exploiting business email
  • Banking Trojans have diversified and become personalized
  • Exploit kit activity, while still rampant, fell 65% from Q2

Mobile

  • PokemonGo spawned malicious counterfeits
  • Mobile exploit kits and zero days continue to haunt both iOS and Android

Social Media

  • Negative and damaging content is up 50%
  • Social phishing has doubled since Q2
  • Cross-pollination between mobile and social accelerates

How Konsultek Protects Clients

By integrating advanced threat protection from proofpoint, Carbon Black, Forescout and others, Konsultek develops customized security plans for clients of all industries and sizes. If you are ready to proactively secure your organization, give us a call to discuss your unique situation.


US Government Advocates “Locking Down Your Login”

President Obama is partnering with the National Cyber Security Alliance (NCSA) to kick off October and National Cyber Security Awareness Month with a public awareness campaign they call “Lock Down Your Login.”

Anchored by a corny video with a good message the campaign advocates that individuals move beyond simple usernames and passwords to secure their accounts by adding a second layer of authentication such as fingerprint or facial recognition.

According to figures provided by the White House, upwards of 62% of successful data breaches might have been prevented by the application of a second layer of authentication such as the aforementioned biometrics or other forms of two-factor authentication.

Have you added a second layer of authentication to your accounts? If not, hopefully this video will convince you to!


Tempering Human Factors Vulnerabilities

Harvard Business Review recently published a very insightful piece I highly recommend you read in its entirety, called “Cybersecurity’s Human Factor: Lessons from the Pentagon”.

For those of you who just want the highlights, here is a quick synopsis of what I found to be the most fascinating aspects of the article.

From Bumbling Colossus to Nimble Defender

In the not-so-long-ago dark days of network security, the US military struggled to identify and defend against threats. All that has changed, and from September 2014 to June 2015 the military rebuffed 30 million malicious attacks! Still, a few got through, but only 0.1% compromised systems in any way. An impressive record given the state-sponsored adversaries the military must repel day in and day out.

While technical fortifications are important, what has really set the military on its trajectory to invulnerability has been its focus on eliminating human error. If you have read this blog for any length of time you know that we consistently emphasize not only the best technology but also the best in processes for this very reason.

Learning from the Admiral Himself

The US Navy Nuclear program has long been the quintessential example of a well-run, mistake-free organization, what is nowadays referred to as an HRO or High Reliability Organization. The fundamental principles of the Navy Nuke program have since been transferred to other industries such as airlines, air traffic control, space flight and others. Admiral Hyman Rickover, the “Father of the Nuclear Navy,” demanded excellence and adherence to process and for the span of his career personally interviewed all applying Officer Candidates.

Six Principles Every Organization Should Adopt to Ensure Security

1. Integrity – Never depart from protocols and report errors immediately

2. Depth of Knowledge – Fully understand the systems you are responsible for and their vulnerabilities

3. Procedural Compliance – Follow protocols to the letter

4. Forceful Backup – All critical activities should be closely monitored

5. A Questioning Attitude – While unquestioning compliance with procedure is necessary, questioning things that appear outside of the norm is equally important

6. Formality in Communication – Familiarity and slang lead to miscommunication; formality in communication eliminates these misunderstandings.

Examples of Cyber Security Failures and the Policies that Were Violated

What the authors have found is that cybersecurity breaches caused by human mistakes nearly always involve the violation of one or more of these six principles. As you read them you will undoubtedly recognize some of the same behaviors in your own organization, or at least easily imagine that they might very well be happening without your knowledge.

Here’s a sample of some the Defense Department uncovered during routine testing exercises:

  • A polite headquarters staff officer held the door for another officer, who was really an intruder carrying a fake identification card. Once inside, the intruder could have installed malware on the organization’s network. Principles violated: procedural compliance and a questioning attitude.
  • A system administrator, surfing the web from his elevated account, which had fewer automatic restrictions, downloaded a popular video clip that was “viral” in more ways than one. Principles violated: integrity and procedural compliance.
  • A staff officer clicked on a link in an e-mail promising discounts for online purchases, which was actually an attempt by the testers to plant a phishing back door on her workstation. Principles violated: a questioning attitude, depth of knowledge, and procedural compliance.
  • A new network administrator installed an update without reading the implementation guide and with no supervision. As a result, previous security upgrades were “unpatched.” Principles violated: depth of knowledge, procedural compliance, and forceful backup.
  • A network help desk reset a connection in an office without investigating why the connection had been deactivated in the first place—even though the reason might have been an automated shutdown to prevent the connection of an unauthorized computer or user. Principles violated: procedural compliance and a questioning attitude.

A Holistic Approach

At Konsultek we don’t just slap in “black boxes” and hope that security happens. Sure we build custom technical solutions that utilize the best technology available, but we also work outside the IT department to make sure that the business processes are in place to limit the impact of human error on the security of your information and network. If you are looking to upgrade your security, give us a call and begin a dialogue with us.


Gartner Chimes in on Prevention Vs. Detect and Respond

It is always heartening to see a respected organization such as Gartner espousing the same security philosophies as we have here at Konsultek. In a recent blog post, Gartner’s Oliver Rochford points out that the most robust security solutions combine both prevention AND detect and respond approaches.

If you’ve been following this blog for any length of time you’ll know that this is exactly how we approach all of our information and network security engagements.

An Ounce of Prevention – Still Worth a Pound of Cure

Despite what some might say, prevention is far from being a dying or dead approach. A properly executed prevention strategy that utilizes advanced firewall and access control technologies can help mitigate the impact of old-school hacking. When outsiders who don’t have proper credentials attempt to access your network with a variety of tools and tricks, they are simply shut out.

But what if they pierce the protective veil of your prevention strategies? Password theft, cracking weak passwords and social engineering are just three ways ne’er-do-wells can compromise the best developed prevention strategies. And when that happens, you had better hope that your security provider has also included the latest in detect-and-respond technologies, or your system and your information will be instantly at risk.

Detect and Respond

As the name implies, detect and respond approaches can sense when things in your network are not quite right and take action to contain the unusual activity before significant damage can occur. For example, when the credentials of your summer intern suddenly are used to access the network and attempt to explore portions that he or she has no business even thinking about let alone accessing.
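The “summer intern” scenario above, as an added example that is not Konsultek’s code: a small Python detector that runs over constructed access-log lines, flags credentials used outside their role’s allowed zones, and maps each finding to a containment action. The role names, zones, log format and user names are all hypothetical.

```python
# Added example (not from the original post): a minimal detect-and-respond rule.
# Each account has a role, each role an allow-list of resource zones. A successful
# access outside the role's zones, or a burst of denied probes outside it, is
# flagged and paired with a containment action. All names here are hypothetical.
import re
from collections import defaultdict

# Hypothetical role-to-zone allow-list: the baseline for each class of account.
ROLE_ZONES = {
    "intern":  {"public-wiki", "ticketing"},
    "finance": {"public-wiki", "ticketing", "erp", "payroll"},
    "admin":   {"public-wiki", "ticketing", "erp", "payroll", "infra"},
}
ACCOUNT_ROLES = {"jdoe.intern": "intern", "mlee": "finance", "ops-admin": "admin"}

# Hypothetical log format: one space-separated key=value record per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"zone=(?P<zone>\S+) resource=(?P<res>\S+) result=(?P<result>ALLOW|DENY)$"
)

# Constructed sample log: the intern's credentials reach payroll at 22:14 and then
# probe infra three times; the finance and admin users stay inside their roles.
SAMPLE_LOG = """\
2017-06-12T09:01:10Z user=jdoe.intern src=10.1.4.22 zone=ticketing resource=/tickets/412 result=ALLOW
2017-06-12T09:02:31Z user=mlee src=10.1.7.8 zone=payroll resource=/pay/run result=ALLOW
2017-06-12T22:14:02Z user=jdoe.intern src=10.1.9.77 zone=payroll resource=/pay/export result=ALLOW
2017-06-12T22:14:09Z user=jdoe.intern src=10.1.9.77 zone=infra resource=/hosts result=DENY
2017-06-12T22:14:11Z user=jdoe.intern src=10.1.9.77 zone=infra resource=/backups result=DENY
2017-06-12T22:14:12Z user=jdoe.intern src=10.1.9.77 zone=infra resource=/vault result=DENY
2017-06-12T22:15:40Z user=ops-admin src=10.1.2.3 zone=infra resource=/hosts result=ALLOW
"""

DENY_BURST = 3  # denied out-of-role probes per user before we treat it as scanning


def detect(log_text):
    """Return a list of (user, reason, action) findings for out-of-role access."""
    findings = []
    denies = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than crash the detector
        user, zone, result = m["user"], m["zone"], m["result"]
        role = ACCOUNT_ROLES.get(user)          # unknown accounts get no zones at all
        allowed = ROLE_ZONES.get(role, set())
        if zone in allowed:
            continue
        if result == "ALLOW":
            # A successful out-of-role access is the strongest signal: contain it now.
            findings.append((user, f"allowed access to {zone} outside role {role}", "revoke-session"))
        else:
            denies[user] += 1
            if denies[user] == DENY_BURST:
                findings.append((user, f"{DENY_BURST} denied probes outside role {role}", "lock-account"))
    return findings


if __name__ == "__main__":
    for user, reason, action in detect(SAMPLE_LOG):
        print(f"{user}: {reason} -> {action}")
```

In a real deployment the allow-list would come from the identity system and the actions would be calls into it; the point is that the baseline for each role is written down, so a departure from it is detectable the moment it happens.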

The Konsultek Approach

At Konsultek we approach every client’s security engagement as an opportunity to develop a best fit approach. You’ll never find us espousing one-size-fits-all, cookie cutter approaches to information security. When you call, we’ll listen and when our engineering team develops your security solution you can bet it will be based upon delivering the most security value for the money. So give us a call today. We look forward to hearing from you.

© Copyright 2018 Konsultek