July 22, 2008
Intrepidus Group Introduces PhishMe to Help Organizations Deal With Growing Pandemic of Spear Phishing
NEW YORK, July 22 /PRNewswire/ -- Intrepidus Group, a leading provider of information security services, today announced the release of PhishMe, a software solution that enables user awareness training to proactively thwart spear phishing attacks. The next-generation technology is an important weapon in the fight against the fast-growing and ominous threat of spear phishing and whaling attacks, a form of cyber crime that uses email-based "social engineering" to gain unauthorized access to corporate systems and confidential data.
Unlike mass-phishing perpetrators, who use spoofed emails to cast a wide net to fraudulently gather data from unsuspecting victims, spear phishing attackers target specific organizations and individuals. Unfortunately, this targeted and sophisticated technique has proven extremely successful in providing "hackers" access to financial data, corporate and military information, and trade secrets -- with the final goal, of course, financial or political gain.
"Emerging security threats to the corporate landscape put both the information and company as a whole at risk. Spear Phishing is a considerable danger as it is typically a non-random attack seeking specific confidential information," said Kenneth Tyminski, former CISO for Prudential Insurance Company of America. "The training-based approach of PhishMe helps to significantly reduce these targeted attacks through employee education, helping to safeguard sensitive networks from unauthorized access."
According to a recent report by iDefense Labs, a noted security and vulnerability research organization, there have been 66 distinct spear phishing attacks between February 2007 and June 2008, with the rate of attacks continuing to accelerate. The report goes on to say that spear phishing groups have claimed more than 15,000 corporate victims in 15 months, with victim losses exceeding $100,000 in some cases. Victims include Fortune 500 companies, financial institutions, government agencies, and legal firms.
"E-mail is critical to our business, but also a risk to the security of our network and information. Technical controls like firewalls and spam filters help, but only by making our employees part of our defenses can we be successful," said John Soltys, Information Security Manager at the Seattle Times Company. "By targeting our users in the same way attackers do and delivering an education message when the attack is successful we raise their awareness level and mitigate the risk. PhishMe's service simplified the administration of tests and provided more value than the in-house tests we've run in the past."
"Spear phishing groups are now incredibly sophisticated and, unfortunately, extremely effective," commented Robert Hansen (aka "RSnake"), a former member of the Anti-Phishing team at EBay and well-respected security blogger. "We're talking about experienced cyber criminals who have the skill and tools to pull off these schemes."
User Behavior Key to Defense
Several high-profile experiments have proven that user behavior provides the foundation for defense against spear phishing schemes. Mass-phishing campaigns are often caught by anti-spam or phishing filters. But spear phishing attacks, which are low-volume and closely resemble legitimate emails, often go undetected. That's why organizations have to rely on humans for detection and resistance.
"I often perform investigations for my clients where the initial point of entry into the victim's computer network comes from a phishing email," said Keith Jones, senior partner, Jones, Dykstra & Associates. "Phishme.com is a breakthrough service that provides corporate security teams with the ability to spread user awareness about this email plague by testing their own user base. Phishme.com provides the auditor with an extremely easy to use interface to conduct a phishing scenario and excellent reporting capabilities complete with summary graphics. I was able to complete a phishing scenario for our employees at Jones, Dykstra & Associates in less than 10 minutes of use. I will be highly recommending Phishme.com to my clients to help them continue their fight against phishing attacks."
In one experiment, New York's chief information security officer, William Pelgrin, and his team sent mock phishing emails to nearly 10,000 New York state employees. The messages appeared to be official notices asking them to click on Web links and provide passwords and other confidential information about themselves.
With the first run of the email 75 percent of employees opened the email, 17 percent followed the link, and 15 percent entered data. Pelgrin and his team let users who had proven vulnerable know they'd been scammed and then sent another mock spear phishing email. With the second run only 8 percent even opened the email. In an interview with the Wall Street Journal, Mr. Pelgrin said, "This is not a one-shot deal. I've got to reinforce that behavioral change to make it permanent."
And, in a study at Carnegie Mellon University, volunteers who had proven susceptible to mock phishing emails were presented embedded training materials, then sent another email. In the second run, the volunteers identified 64 percent of the phishing emails. This compares to a mere 7 percent identified by volunteers who had received teaching materials through other mechanisms.
Creating a Human Firewall
"Thinking like the attacker isn't natural for most people," says Aaron Higbee, CTO of Intrepidus Group. "Our job is to provide a do-it-yourself phishing framework with features real phishers can only dream about. Any phishing trend we see in the wild can be incorporated into PhishMe, only better."
PhishMe is a software platform that lets organizations create a human firewall against spear phishing attacks by providing an easy-to-use system for facilitating the execution of mock phishing exercises and the delivery of user awareness training. Using PhishMe's built-in templates and WYSIWYG (what-you-see-is-what-you-get) functionality, users can easily build real phishing attacks against employees within minutes, collect metrics on user behavior, and immediately present training material to employees that fall prey.
"Spear Phishing exploits human vulnerability. Thus our service focuses on the human element," said Rohyt Belani, CEO of Intrepidus Group. "We use techniques recommended by reputed bodies like SANS, and those found to be most effective by researchers at Carnegie Mellon University to train users in recognizing and thwarting targeted phishing attacks."
For more information, to view a demo or sign up for a trial account, go to http://phishme.com/.
PhishMe is a software solution designed to help prevent damage, theft and loss caused by targeted (spear) phishing attacks. PhishMe facilitates and automates the execution of mock phishing exercises, provides clear and accurate reporting on user behavior, and most importantly provides targeted end user training. This method of delivering training materials is recommended by SANS and found to be most effective by researchers at Carnegie Mellon University.
Intrepidus Group is a leading provider of information security consulting services and software solutions. With offices in New York City and the Washington DC metro area, the company offers innovative solutions to help clients build employee awareness around common information security issues. Intrepidus Group's consultants conduct hands-on assessments of critical applications, networks and products to uncover vulnerabilities, and provide strategic and tactical recommendations to address identified issues.
Intrepidus and PhishMe.com are trademarks of Intrepidus Group. All other product and company names herein are or may be trademarks of their respective owners.
CONTACT: Media, Sabrina Sanchez of Ventana Public Relations, +1-925-875-1968, [email protected], for Intrepidus Group
Web sites: http://intrepidusgroup.com/ and http://phishme.com/