Come on down: the Phishing’s good and getting better

“Phishing is a discipline in the equality of men—for all men are equal before phish.”[1]

Most of us are so inundated with words like phishing, hacking, data theft, security breach and other similar terms that we forget that barely 20 years ago—even 10 years ago—these ideas, and certainly their incidence, were non-existent or just in their infancy. Today, though, even average household technology has firewalls and multiple passcodes, not to mention parental controls, to protect and defend against unwanted e-intruders. Concentric layers of protection meant to secure networks and personal computers instead bog down technologies, telecommunications and transportation systems. They do not work. The inventiveness of e-thieves in hacking, snatching and mis-directing electronic signals can take our breath away—and it should. Their full potential for harm is still unrealized. As just one terrifying example, Target’s massive 2013 credit card security breach has cost some $300M to date—and still counting—not to mention the loss of its CEO and of consumer confidence.[2] The reach of e-thieves is frighteningly long and growing at cancerous rates.

Big Brother cannot save us

Companies can no longer hold the naïve belief that any watchdog can protect them from clever e-thieves bent on gaining access to their systems. Despite the creation of national and international levels of security, breaches continue to occur in shocking ways and unanticipated places. Think Hillary Clinton’s presidential campaign. Breaches can also be stunning for their numbers. Yahoo’s third and final (?) security breach in 2013 hit three billion user accounts, if not unique users. That breach sent the purchase price of the company spiralling downward by $350M, and brought on yet another class action suit, now numbering more than 40 against the company.[3]

Breaches hurt everyone

Hackers hurt all of us. Not only because they shake our belief that we are safe—most of us know better now—but because they reveal the depth, breadth and immediacy of our vulnerability. It’s a tactical invasion that turns us into the unwitting releasers of malware that robs or destroys a system we may depend on to provide us with jobs, services or goods. So what’s a company to do?

Changing tactics: from systems to someones

Until late 2015, hackers focused on breaking into systems and software; now, they are using people to do their dirty work for them. That’s what phishing is all about: preying on human emotions of curiosity, fear and urgency to convince their victim to click that attachment and release malware or go to that website and give up a user name and passcode.[4]

The rod and reel of phishing

Phishing uses well-crafted emails designed to convince the recipient of their legitimacy so that the victim does what the email instructs. Attacks have become so sophisticated that they are even sent on Tuesdays and Thursdays, the days marketers have identified as having higher click-through rates.[5] The sender may use a number of convincing methods to assure the user of the validity of the email. For example, the infiltrator may send two emails: the first, containing nothing harmful, to establish trust with the intended target, and the second carrying the malware. Or the victim receives a message to go to a website and input their user name and passcode. The website address—a fake one—looks enough like a legitimate one the user might use that they don’t notice the difference and give up their user name and passcode. In a more worrisome attack, the perpetrator gathers personal information about the victim from public websites including Facebook, Instagram and others, then includes these details in the email. The details convince the victim that the sender is legitimate. Breached.
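One defensive check for the look-alike addresses described above, as an added example that is not part of the original article: it pulls the URLs out of a constructed email body, reduces each host to its registrable domain, undoes common character substitutions (rn for m, 0 for o) and flags any domain within two edits of a trusted one. The trusted-domain list and the sample message are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample message with two look-alike domains and one genuine
# link; not a real captured email.
SAMPLE_EMAIL = """Your mailbox is almost full. Sign in within 24 hours to avoid
suspension: https://login.rnicrosoft.com/reset?u=jdoe
Or verify here: https://microsofft.com/verify
Help centre: https://support.example-corp.com/mail"""

# Domains staff legitimately sign in to (assumed for this example).
TRUSTED = {"microsoft.com", "example-corp.com"}

def registrable(host):
    """Collapse a hostname to its last two labels, e.g. login.x.com -> x.com."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def edit_distance(a, b):
    """Plain Levenshtein distance; small values mean visually close names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalise(name):
    """Undo common look-alike substitutions before measuring distance."""
    return name.replace("rn", "m").replace("0", "o").replace("1", "l").replace("vv", "w")

def lookalike_hosts(text, trusted=TRUSTED, max_dist=2):
    """Return (host, trusted_domain) pairs for every URL whose registrable
    domain is not trusted but sits within max_dist edits of a trusted one."""
    flagged = []
    for url in re.findall(r"https?://[^\s<>\"']+", text):
        host = urlparse(url).hostname or ""
        dom = registrable(host)
        if dom in trusted:
            continue  # exact match with an allowed domain: nothing to flag
        for t in trusted:
            base, tbase = dom.rsplit(".", 1)[0], t.rsplit(".", 1)[0]
            if edit_distance(normalise(base), normalise(tbase)) <= max_dist:
                flagged.append((host, t))
                break
    return flagged
```

Run on the sample, it flags both impostor hosts against microsoft.com and leaves the genuine support link alone.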

Security Awareness

Fighting back

  1. Knowledge and understanding have never been so critical. Employees—including senior executives and the C-suite—must be trained to recognize the tell-tale signs of a scam email.[6] Senior management are attacked so often that they have their own descriptor: whale phishing. And emails were the source of 74% of cyberattacks in 2017 (SANS survey).
  2. Implement two-factor authentication where possible.
  3. Mobile devices need security that matches in-house standards, and passcodes need to be frequently updated, unique to the device, and good enough to not be easily cracked.
  4. Employees need to be convinced to leave less information on their personal pages that could later be used against them in a phishing email.
  5. Automate systems to remove the human factor. Phishing now leans on social engineering tactics that manipulate human emotions so people click on the email or its attachment. Machines cannot be seduced or manipulated through personal details—at least not yet.
  6. Networks need to have internal checks against hackers, and internally-generated attacks on themselves to spot weaknesses, back doors and other security issues before infiltrators do.
  7. Default settings and code words on system updates or new software must be reset.
  8. Monitoring is imperative, and sufficient funds made available for IT training and necessary software and hardware to keep the system secure.

A dedicated IT team, up-to-date protection software, an informed and well-trained staff, and continual monitoring are some of the ways to ensure that the system you use remains safe from cyber-attacks.


Footnotes

[1] The original quotation: “Fishing is a discipline in the equality of men—for all men are equal before fish.” Herbert Hoover.

[2] Editors. 26 May 2017. Cost of 2013 Target Data Breach Nears $300 Million. Downloaded 15 January 2018 from https://www.thesslstore.com/blog/2013-target-data-breach-settled.

[3] Garun, Natt. 3 October 2017. Yahoo says all 3 billion user accounts were impacted by 2013 security breach. Downloaded 15 January 2018 from https://www.theverge.com/2017/10/3/16414306/yahoo-security-data-breach-3-billion-verizon.

[4] Neely, Lee. August 2017. 2017 Threat Landscape Survey: Users on the Front Line, A SANS Survey. Downloaded 8 January 2018 from https://www.sans.org/reading-room/whitepapers/threats/2017-threat-landscape-survey-users-front-line-37910.

[5] Proofpoint. 2017. The Human Factor 2017: how today’s threats prey on the human factor. Downloaded 11 January 2018 from https://www.proofpoint.com/us/resources/white-papers/human-factor-report.

[6] Ibid., p. 22. This report is unequivocal: “Focus your security efforts on the leading vector for threats entering your organization: email.”

Be Safe

Section Guide: Ryan Fahey