By now, most folks have heard of phishing scams, and know to be on the lookout for fake PayPal and bank sign-ons. But what happens when your co-workers get a link to a site that looks just like the corporate intranet? Using the Simple Phishing Toolkit (SPT) you can find out.
The concept behind SPT is pretty simple: Most companies spend a fair amount of money on trying to secure their environment. How much do they spend on educating users? Very little, and in many cases nothing at all. As the saying goes, an ounce of prevention is much better than a pound of cure.
If you thought you had your online banking security situation under control, along comes this chilling blog entry from security vendor Trusteer about some really nasty stuff they observed over the holiday break. And especially for those of you that have chosen paperless statements, you want to read it carefully and understand the exploit.
A phishing attack aimed at new Mac users was launched the week after Christmas looking to obtain the credit card information of people signing up for a new Apple ID. The well-timed attack tries to redirect users signing up for an Apple ID to a phishing site designed to look like the Apple sign-in page asking users to update their account information.
If you are looking for a basic but solid course on how to teach your entire staff the essentials of good email security and how to avoid common phishing attacks, you might want to look at the education package offered by Wombat Security Technologies. The series can be accessed by any Web browser and has some solid pedagogy behind it.
The operating word here is basic: you aren't going to get any of the industry security certifications here. If you need to educate your mailroom and loading dock workers and even some aging executives about cyber security, then this is the program for you.
Last week, leading security company McAfee asked a question of the security industry, "are we really protecting our users?" A lot of evidence points to the contrary. As can be seen in a new mid-year threat report from firewall maker SonicWall, consumer and corporate networks are larger and more vulnerable than ever. Yet, the battle against malicious programmers is not lost. It is a matter of common sense and evolution in security practices that will help protect companies and users from those that would do them harm.
"The days of just buying an anti-virus or a firewall program and just putting it on a PC are over," said SonicWall's VP of corporate development Ed Cohen. Enterprises and small and medium businesses need a more layered approach to security. Yet, the layers need to be more sophisticated. With the growing complexity of corporate networks, a new approach is needed.
Who among us hasn't received an email recently telling us to click a link to update our email account info, provide corrected banking login details, update our credit card information on file, and what-have-you? Most of you are savvy enough to know that these are phishing scams and don't usually fall victim to clicking on these links or disclosing confidential information, but still stuff happens. According to SecureList.com, phishing messages accounted for 0.03% of all email messages this past April. And The Internet Crime Complaint Center reports nearly $556 million in losses to cybercrime in 2009, of which about half comes from phishing.
In February, Google announced a new security protocol for Google account holders by way of "2-step verification." Essentially, 2-step verification is a layer of protection outside of the normal password layer of protection between the wild Web and your data, such as Gmail. The ingenuity of 2-step verification is that it effectively decreases automated password breaking attacks from the Internet.
Google announced today that this extra net of protection will be available to the rest of the world as 2-step verification is being released in 40 languages across the globe. This has a potential to be a boon for the security industry and Google account holders across the world that are perpetually under attack from malware and phishing attacks attempting to access sensitive information.

In case you hadn't noticed, spam and phishing attacks through the social networks have been on the rise. Security company Symantec released a report yesterday detailing socially-engineered attacks to determine where they are coming from and what techniques malware criminals are using to lure victims into their traps.
One of the most interesting trends that Symantec has noticed is that social spam and phishing have been cyclical, moving from network to network (see above graph). For instance, attacks will focus on Facebook for a period of time before falling off, then focus on Twitter or YouTube before coming back to Facebook. In the cat-and-mouse game that is malware versus security, these trends make sense as exploits are closed on one network and found on another.

A new report from security company Symantec says that global spam is at its lowest levels since 2008. The geographic center of spammed accounts has also shifted from Russia to Saudi Arabia. Worldwide spam is now down to one in every 1.37 emails. In the United States, spam accounts for 73.7% of all emails.
Spam levels are now the lowest they have been since McColo, a California-based ISP spam control center, was taken down in 2008. That is, in part, due to the shutdown of the spam-sending botnet Rustock in March 2011. Spam, phishing, viruses and other types of malware are all still major problems in the Internet ecosystem but it looks like progress is being made against the botnets and those that control them.
The Department of Homeland Security will release a new guidance document today intended to make the software that runs the Web less susceptible to malicious hacks.
DHS has teamed with security and technology experts at the SANS Institute and Mitre to create a list of the top 25 programming errors that lead to the most serious hacks, according to The New York Times. The idea is to educate companies and organizations about the channels that criminal hackers use to gain access to confidential information and servers. These are often common software errors that can lead to "zero day" exploits.