Friday, April 15, 2011

Is Your Website Sending Spam?

I just saw an updated story on how a number of Higher Ed and government sites have been hijacked by spammers. The sites are used to redirect people to fake online stores.

Are you on the list?

According to the original post at Zscaler, about a hundred schools appear to have been compromised, including (according to them):
  • UC Berkeley
  • Harvard
  • Purdue
  • Oklahoma State, and
  • the Australian government
The fake stores claim to sell discounted Microsoft and Apple software. Heaven only knows what they are really doing, but the point is that you don't want your institution being part of it.

And the QSA in me has to wonder: if parts of an institution's website have been compromised, what about the rest of the site? For example, are you sure your campus merchants who redirect customers to third-party hosted order pages are really sending them there and not to badguys.com?
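One way to turn that question into a routine check, as an added example that is not from the original post: walk the redirect chain from each campus checkout link without auto-following, and fail unless every hop is HTTPS and the final host is on the merchant's approved processor list. The hostnames, paths and canned responses below are constructed for illustration; `live_fetch` is the hypothetical stand-in for a real crawl.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed sample responses keyed by URL (not real sites): (status, headers).
# They stand in for a live fetch so the check runs offline.
FAKE_RESPONSES = {
    "https://www.example.edu/bookstore/checkout": (302, {"location": "/go?to=pay"}),
    "https://www.example.edu/go?to=pay": (302, {"location": "https://pay.example-processor.com/order"}),
    "https://pay.example-processor.com/order": (200, {}),
    # A hijacked page: the campus link now lands on an attacker-controlled store.
    "https://www.example.edu/parking/pay": (302, {"location": "http://badguys.example/shop"}),
    "http://badguys.example/shop": (200, {}),
}

def fake_fetch(url):
    """Return (status, lower-cased headers) for one hop, never following redirects."""
    return FAKE_RESPONSES.get(url, (404, {}))

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # make urllib surface 3xx as HTTPError instead of following

def live_fetch(url):
    """Real HEAD request for one hop (hypothetical helper; needs network access)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(urllib.request.Request(url, method="HEAD"), timeout=10) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}
    except urllib.error.HTTPError as err:
        return err.code, {k.lower(): v for k, v in err.headers.items()}

def follow_redirects(start_url, fetch, max_hops=10):
    """Return the full list of URLs visited, starting with start_url."""
    chain, url = [start_url], start_url
    for _ in range(max_hops):
        status, headers = fetch(url)
        if status not in REDIRECT_CODES or "location" not in headers:
            return chain
        url = urljoin(url, headers["location"])  # resolve relative Location headers
        chain.append(url)
    raise RuntimeError("too many redirects (loop?) starting at %s" % start_url)

def check_payment_redirect(start_url, allowed_hosts, fetch=fake_fetch):
    """True only if every hop is HTTPS and the final host is an approved processor."""
    chain = follow_redirects(start_url, fetch)
    all_https = all(urlparse(u).scheme == "https" for u in chain)
    final_ok = urlparse(chain[-1]).hostname in allowed_hosts
    return all_https and final_ok, chain
```

Run it against every checkout link in your merchant inventory and alert on any chain whose final host changes from one run to the next.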

Thursday, April 7, 2011

Get Ready for Increased Phishing Attacks on Campus

If the phishing season were not already open, the Epsilon data breach certainly opened it. I recommend two recent articles that you should read and digest.

Over at Threatpost, there is an interview that highlights the vulnerability of higher education institutions. An excerpt is:

Threatpost: What trends are you seeing in the phishing arena these days?

Aaron Higbee: We’re seeing a lot of attacks aimed at verticals like government, financial services, insurance, health care and especially education. You wouldn’t have thought that education would be on that list, but we see a lot of universities targeted.

Threatpost: Why is that?

Aaron Higbee: Students are vulnerable. They’re required to put their Social Security Number into different forms, so they’re susceptible to being phished.

For the best summary of what to expect, surf over to the always informative and insightful blog by Brian Krebs. In this post he assesses the situation and offers some good advice and warnings for your users, particularly staff. This is required reading.

If you ever doubted why PCI requires you to segment (read: isolate) your payment environment from the other applications and systems in your environment, the Epsilon and RSA data breaches should make the wisdom of that requirement clear.

Have a read, then take a look at your own training to make sure you minimize the possible risk to your institution from the expected surge in phishing scams.