
ηβπ?
3,141 confirmed data breaches last year
Really? Are they sure it wasn't 3,1415926?
P.S. I want my HTML in the title!
Cybercriminals are way ahead of the game against defenders without having to try anything new, according to the latest edition of Verizon's benchmark survey of security breaches. The study shows that miscreants have no need to switch up, because the same old tactics are still working fine. Security defenders are still …
One of the dead giveaways of a phishing email is often very bad grammar and spelling. Maybe more people getting lured into opening phishing links is due to the declining competence in language skills.
And, of course passwords are weak! We're being told to change them 3x/day and I, for one, am not all that creative first thing in the morning.
One of the dead giveaways of a phishing email is often very bad grammar and spelling
But not always.
I've had a bunch of phish emails lately which look *very* much like genuine LinkedIn invitations. And if they'd sent the emails to an address I'd ever given to LinkedIn, I might[1] have been taken in...
Vic.
[1] I wouldn't - but that's because I'm paranoid. If ever I get an email that wants such data from me, I always check the headers first. Most people don't, of course...
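The header check Vic describes, as an added example that is not part of the original comment or the article: it parses the raw headers of a message, compares the envelope sender (Return-Path) and the originating Received hop against the From domain, and reads the Authentication-Results verdicts. Both messages are constructed samples (the addresses, hosts and message IDs are invented), and the helper names are this example's own.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample (not a real message): a fake "LinkedIn invitation" whose
# envelope sender, first hop and authentication results do not line up with From.
PHISH = """\
Return-Path: <bounce@mail-invite.example.net>
Received: from mail-invite.example.net (mail-invite.example.net [192.0.2.10])
 by mx.example.org with ESMTP id k1
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mail-invite.example.net;
 dkim=none; dmarc=fail header.from=linkedin.com
From: "LinkedIn" <invitations@linkedin.com>
To: vic@example.org
Subject: You have a new invitation

Join my network.
"""

# Constructed sample where everything agrees with the From domain.
CLEAN = """\
Return-Path: <bounce@linkedin.com>
Received: from mail.linkedin.com (mail.linkedin.com [198.51.100.5])
 by mx.example.org with ESMTP id k2
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=linkedin.com;
 dkim=pass header.d=linkedin.com; dmarc=pass header.from=linkedin.com
From: "LinkedIn" <invitations@linkedin.com>
To: vic@example.org
Subject: You have a new invitation

Join my network.
"""


def domain_of(header_value):
    """Lower-cased domain part of the address in a From/Return-Path header."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def under_domain(host, domain):
    """True if host is domain itself or a subdomain of it (not a suffix trick like notdomain)."""
    host = host.lower()
    return host == domain or host.endswith("." + domain)


def header_findings(raw):
    """Return the reasons a message's headers look suspicious; an empty list means none found."""
    msg = email.message_from_string(raw)
    findings = []
    from_dom = domain_of(msg.get("From"))

    # 1. Envelope sender (bounce address) should belong to the claimed sender's domain.
    rp_dom = domain_of(msg.get("Return-Path"))
    if rp_dom and rp_dom != from_dom:
        findings.append(f"envelope sender domain {rp_dom} != From domain {from_dom}")

    # 2. The bottom-most Received header is the hop closest to the origin.
    hops = msg.get_all("Received") or []
    if hops:
        m = re.match(r"from\s+([\w.-]+)", hops[-1])
        if m and not under_domain(m.group(1), from_dom):
            findings.append(f"originating host {m.group(1)} is not under {from_dom}")

    # 3. SPF/DKIM/DMARC verdicts recorded by the receiving MX.
    results = msg.get("Authentication-Results") or ""
    for mech, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", results):
        if verdict != "pass":
            findings.append(f"{mech}={verdict}")
    return findings


if __name__ == "__main__":
    print("clean:", header_findings(CLEAN))
    print("phish:", header_findings(PHISH))
```

One caveat when doing this by hand: an Authentication-Results header is only worth reading if it was added by your own inbound MX (the `mx.example.org` part here); a sender can include a forged one, so a receiving server should strip any it did not write itself before delivery.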
Maybe more people getting lured into opening phishing links is due to the declining competence in language skills.
And counting upvoters that's five people who can't be bothered to look at the research. Well, that's hardly surprising.
For random phishing, implausible stories and non-standard language use improve the attackers' ROI, as Herley demonstrated years ago. What's more, many (possibly most) of the victims of random-phishing attacks are well-educated middle-class users who are perfectly capable of recognizing non-standard language when they encounter it. They're not deterred because they fall prey to greed and various cognitive fallacies - again, as various researchers have shown.
In any case, random phishing is a bottom-feeder attack, and not what we're primarily talking about here.
Spear phishing is usually what's used to gain access to internal networks, and those messages tend to be well-crafted, both in general usage and editing, and in referring to organizational specifics like employee names. And spear phishing has about a 90% success rate against a targeted organization with at least ten message recipients, according to some studies.
But, yes, blame the user. That'll fix the problem.
"Many victims have single-factor access into parts of their network even if they think otherwise"
I don't even think otherwise.
You know this will be so forever when you are in a C-level meeting about "IT problems and strategy" and the first thing that happens is that the CFO complains that his Windows is getting slower and no-one is upgrading his laptop.
"the CFO complains that his Windows is getting slower and no-one is upgrading his laptop."
Probably the best option would be to collect his laptop first thing every morning for its daily update. The daily update would be so exhaustive that it would only be ready to return to him last thing at night.
"Cybercriminals are way ahead of the game against defenders"
Part of the problem is manglement thinking "cyber" means "something terrifying".
"without having to try anything new"
Part of the problem is manglement refusing to pay for anything newer than 1980.
"according to the latest edition of Verizon's benchmark survey of security breaches."
Ah, yes. Verizon. That benchmark of secure providers.
to be one of those people that opens attachments (after taking some precautions) because I like to respond to the phishing attempt with "real" details.
So if I get a "your Paypal account is locked" email, I will happily fill it in with real but false data.
Credit card numbers that pass the Luhn test are readily available from dark coding, a bank sort code is easily invented, as is an account number. A plausible name and address doesn't take much imagination to conjure up.
They must spend hours typing in the details just hoping that they made a small error inputting the data.
If all of us with the know-how did this, phishing attacks would not be worth the effort as they would drown under the deluge of seemingly real data.
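As an added example (not code from the comment above or from the article), this shows how cheap the "Luhn-valid" part of that plausible data is: a Luhn checker plus a generator that takes any prefix and appends a correct check digit. The prefix and length used below are arbitrary choices for the demonstration; the function names are this example's own.

```python
import random

DIGITS = "0123456789"


def luhn_check(number: str) -> bool:
    """Return True if the digit string passes the Luhn checksum (non-digits are ignored)."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    # Walk from the rightmost digit; every second digit is doubled and digit-summed.
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def luhn_check_digit(partial: str) -> str:
    """Return the single digit that makes partial + digit pass luhn_check."""
    for d in DIGITS:
        if luhn_check(partial + d):
            return d
    raise AssertionError("exactly one check digit always exists")  # unreachable


def fake_card_number(prefix: str = "4", length: int = 16, rng=random) -> str:
    """Build a syntactically valid card number: prefix, random body, Luhn check digit."""
    body_len = length - len(prefix) - 1
    if body_len < 0:
        raise ValueError("prefix too long for requested length")
    body = prefix + "".join(rng.choice(DIGITS) for _ in range(body_len))
    return body + luhn_check_digit(body)


if __name__ == "__main__":
    print(luhn_check("79927398713"))          # classic Luhn example: True
    print(fake_card_number("4", 16))           # e.g. a 16-digit number starting with 4
```

Luhn only catches typos; it says nothing about whether an account exists, which is exactly why a form that only validates the checksum accepts this output as readily as a real number.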
Unsurprisingly, the conclusion from all this is that worrying about technology, arms races, and so on is completely pointless because by far the biggest problem remains the fact that people are stupid. It's all very well saying that hackers are ahead of defenders, but as long as people are desperate to throw all their credentials and personal information at anyone and everyone who asks for them, there's not really a lot said defenders can do.
Security defenders are still performing poorly in their attempts to defend against hacking or malware-based attacks. This isn't for a lack of trying or skills on their part, but almost completely down to the fact that the game is rigged against them.
Defending the indefensible and inequitable is always a rigged game which defenders are never ever going to win and the harder they attack the easier and the quicker they are securely defeated and disgraced. It is thus wise to try and understand what you are being contracted to defend, for the truth in right dodgy cases is never presented and always hidden from scrutinuous and inscrutable view.