“Phishing” is the Name of the Game
Intro to the Concept
Phishing is an Internet identity fraud that a malicious actor employs to dupe unsuspecting online users into revealing their confidential information. The term “phishing” originates from the analogy drawn with ‘fishing’. Here a digital net is cast (consisting of emails mostly), sometimes even with the size of a continent-wide trawl, ‘smeared’ with a special software bait, which is, generally speaking, a mush of content tricks designed to make victims rise to it without suspecting that anything wrong might happen. It seems to work well, as the Verizon DBIR: Ten Insights to Help You Get the Most out of the 2015 Report study shows that 10 phishing emails are sufficient to yield a greater than 90% probability of drawing a bead on a victim, with 1 out of 25 recipients of malicious messages getting caught in the net.
Email spoofing is making an email look as if it originates from another, usually trusted, source. Spoofing is facilitated by a technique widely known as “social engineering”. The latter is performed by accumulating information from available online sources – social media, news, publications, corporate directories, profiles, etc. – and drawing inferences based on what has been found.
Hackers are responsible for phishing attacks, but are they the only partly to blame for their success? Apparently, phishing is often the result of oversharing personal and corporate information. In addition to the oversharing problem, many user practices in social media are risky: not logging out after each session (39%), sharing their passwords with others (25%), and paling up with strangers (31%). All these things taken together result in the possibility of the social media profiles of some 210 million people being hacked or impersonated.
The Verizon report states that the anxiety of users to click on contagious attachments or malicious links fed at them with catchy lines plays its part as well. According to the telecom, more than 50% of the recipients open phishing emails within the first hour, 23% open such emails at some point, and as many as 11% open attachments.
“There are many factors that actually force a user to click on malware links. These mails are generally very well drafted and it becomes very hard to detect. We can’t blame a user for this but yes, they need to be cautious,” said a Verizon spokesperson in answer to a query after the release of the report. In addition, he claimed that a phishing campaign only takes 82 seconds to sting its first victim.
CEOs or Managers
Previous awareness trainings were dedicated to educating executives first and everyone else second. As a result, lower level staffers and middle managers are now at the gunpoint of cyber criminals, targeted with altered tactics that are able to bypass most email filters. Managers received more phished emails, doubled their clicks in total on a year-on-year basis, and did beat their superiors by having twice as many clicks as them.
Mark Wiley, who works as a training manager at Espion, explains this phishing phenomenon:
“Quite often non-management employees are easy prey because they are less savvy about phishing attacks and their potential to unleash havoc. They also receive high volumes of emails on behalf of their companies and rely on this form of communication between the company and its customers and partners.
This group is also targeted because of the ration of non-management-type employees compared with those in executive and middle management positions. The sheer volume of employees at companies who are considered “non-management” means they are indeed the most at-risk group.”
“Spear phishing” is a more targeted version of phishing, where the email sent appears to be of significant interest to the victim. It has a high success rate, circumventing conventional security measures and exploiting software vulnerabilities. Due to its targeted nature, spear phishing can provide villains with access to e-mail systems, banking details, social media, corporate log-in details and affect the overall corporate well-being.
As the KnowBe4 CEO Stu Sjouwerman concludes: “With 122 billion emails being sent every hour, opportunities for phishing or spear-phishing abound. It is becoming easier than ever to gather personal information and use this to tailor a spear-phishing email to a CEO or finance executive and use it to pilfer millions of dollars just using email.”
Rohyt Belani, the co-founder and CEO of the NY headquartered PhishMe, narrates a hypothetical story about how to target a high-profile employee:
1) The manager attends some professional initiative;
2) A couple of weeks after that he receives an email, which explains that the malicious author had met you at the conference and decided spontaneously to share with you some ideas for a future business project. The author may even try to leave this first mail benign in order to gain your trust; in saying that he is writing now from the phone and therefore not having the project at the moment, the swindler attempts to make the whole story look more realistic. The logic behind such a move is that a victim could expect an immediate attack, but would he anticipate a multi-stage “smoke & mirrors” action;
3) A few hours after the first email, a follow-up one arrives. This time it has a 5MB attachment, and it explains that this is the document referred to earlier. Of course the file is laden with malware;
4) To further emulate a conversation, the criminal may send another email in which to ask whether everything with the attachment was all right, ostensibly worrying about the bigger size of the infectious file;
In the context of this illustration, Belani further recounts a real-life situation: “In one targeted attack, I have seen attackers poison the websites of local golfing clubs to infect a particular golf-loving executive’s mobile device to access merger and acquisition data.”
|Employee “tasked” to transfer large amounts of moneyOne multi-stage fraud with phishing elements directed towards the middle management is a case from February 2015 that took place in Omaha, Nebraska, within the premises of the commodities trader company The Scoular Co. A spoofed CEO’s email was sent to a lower manager while the CEO was travelling, asking the manager in question to transfer a huge amount of money out of the country to a Chinese bank. Here is some of text from the deceitful email:Apparently, whoever was behind this scam came prepared because Scoular was really looking to buy a Chinese company at that time. What’s more, a man answered the phone number provided for the manager in the email, identifying himself by the CEO’s name. And even though the emails did not come from the normal company email address of the CEO, the whole scheme was convincing enough for the manager to transfer the sum of $17.2 million to a Chinese bank in three installments.|
Most Affected Areas
On average, 900 phishing attempts happen per financial institution, whereas 9,000 such attacks are made per technology company. Google, Facebook, Yahoo, Apple and Dropbox are the top five tech companies impersonated by phishing websites.
Workers in banking and financial affairs are addressees of 41% more corrupt messages than the average. The higher demand for insurance cards and personal health records on the black market motivates hackers to go after institutions in insurance and health care.
Also, it is logical to conclude that personnel having professional duties to communicate with others, even with people they have never met before, for various reasons (providing assistance, for instance) are more prone to open a phishing email, contagious attachment, or click a link from unknown sender. Actually, the key word here is “unknown”, since under normal circumstances they would not see the sender as untrusted.
Whereas cyber attacks relying on phishing can be utilized to snatch intellectual property or intelligence data during merges and acquisitions, previously untouched sectors such as energy, construction, manufacturing, shipping and utilities might also be targeted with the intent to sabotage the normal work process. Phishing can be the first phase of a sizeable corporate cyber attack. Hacking attacks that rummage computer system memory about sensitive data, called RAM scraping, are the type of malware technique presented in several of the most-high profile retail breaches in the last years.
Scam email campaign after a data breach
The insurance company Anthem announced that their database had been hacked, which led to the data theft of as many as 80 million records for customers and employees. Although the vice president for Anthem, Kristin Binns, claimed that no financial or medical information was accessed, other personal data including names, Social Security numbers, birthdays, addresses, emails, and employment information (e.g., income data) were the hacker’s spoils.
What happened next is that the customers of Anthem, presumably those whose data was stolen, started to receive bogus emails encouraging them to click on a link for credit monitoring services. Obviously, stealing data can make a phishing campaign all the more effective. Not only did the Anthem leak allow criminals to target victims by employer or income, but they could draft in no time elaborate, personalized missives.
“Whereas someone who might be vigilant about a general email, if they get one that’s very targeted to them, they’re less likely to be aware that it might be a phishing email,” said Paul Stephens, director of policy and advocacy for the Privacy Rights Clearinghouse.
A campaign like this can have a devastating effect, as far an organization’s reputation is concerned. It has been estimated that 60% of all companies that undergo a data breach are doomed to go out of business within 6 months of the cybersecurity incident.
The majority of malicious clicks in 2014 took place outside of work; in a close connection to the previous point is the fact that most of these clicks happened outside the work place from mobile devices. When discussing the mobile system, it becomes evident that only 28% of Android applications are to be found trustworthy. The vast majority of phishing threats, 22 %, is made up of trojans.
The Proofprint report reveals that social media notifications and order confirmations, popular in the past, yielded ground in 2014 to phishing lures masked as communications, for example, e-faxes and voicemail alerts. Consequently, while the widespread focus of awareness training programs on common phishing lures – such as social media invites and general unsolicited messages – led to a year-over-year decrease of 94% in the number of successful phishing campaigns of this kind, the attackers decided to switch tactics, as they will always concoct a new scam to stay at least one step ahead of everyone else.
Verification Phishing (Credential-harvesting)
In April 2015, the Criminal Investigation Bureau (CIB) in Taiwan issued a statement concerning the recent boom of people who received fake emails to their Gmail accounts. The messages claimed that an entity from a specific IP had attempted to log into their accounts. Then the phishing emails prompted the users to reset their passwords by clicking a link displayed in the email. According to CIB, those fake notification lead the users to a phishing sites where their credentials were being appropriated. Emails of this kind could be really confusing because Google actually sends such notifications when suspicious log-in activities are detected.
A similar story happened in the U.S. in March 2015. Some of the customers of American Express bank received an email with the subject line: “Unusual activity in your American Express card”.
The following things are important here:
1) The emails used the impersonal “Dear Customer” – it should ring the alarm bell since the banks know the names of their customers.
2) The purported purpose of this email was to caution the bank card users about possible fraudulent use of their American Express card. There were two links on which the recipient can click, “VIEW ACCOUNT ACTIVITY” and “americanexpress”, and they both lead to a fake American Express web page, but the anchor text in the second link also adds some extra authenticity.
3) “Your prompt response regarding this matter is appreciated” is a phrase equally polite and demanding of the user to act on the spot.
Security pundits advise all bank holders to exercise extra caution when they are asked to disclose banking details. Experts further warn that the card’s number, expiry date and CVV (card verification code) would be enough for making online purchases.
Bitdefender, an IT security firm, recently warned Apple users to be on the alert for phishing scams targeting these products. Symptoms are the same as the ones already mentioned before – users receive a message with a “reset page” link to click on in order to verify their billing information out of some undisclosed security concerns. There are information fields on the page designed to collect Apple ID credentials along with payment card details, that is, the standard set (user’s full name, address, bank card number and its expiry data and CVV) plus the password for 3D Secure. The last item is a secure password introduced by some banks as an additional security layer to stop fraud, which has been implemented by various online retailers as well. Curiously, in completing the “verification” process, the victim is shown a reassuring message that his two-step-verification security has been activated for his Apple ID.
Finally, Bitdefender draws our attention to the fact that the URL belongs to a domain name not at all related to Apple, nor does the email address of the sender look credible.
Unfortunately, this is not the first time Apple users have become a subject of attack since the beginning of 2015. The security firm Sophos revealed in February that hackers sent phishing emails to customers of Apple iCloud with the intention to steal their financial information.
Not long ago, the security experts Brian Wallace and Stuart McClure contended that the Sony hack began as a targeted phishing strike against several system administrators working at Sony. Not only that, but “[i]t was a well-crafted set of spear phishing attacks, centered around Apple ID verification,” McClure confided in eWEEK. Apple ID is an identification system that enables users to access services like the Apple Store and iCloud. In the verification attack – the first stage of what was about to be known as the Sony data breach – the criminals sent out forged Apple ID verification emails to deceive the Sony employees into entering their Apple ID and password on a malicious web page to which there was a link posted in the emails. While the phishing page deliberately displayed an error message that the password was not accepted, the attackers were intercepting the victims’ credentials. “The Apple ID verification looked very convincing and was spot on for what users would normally expect to see, except of course that it’s completely phished and fake” McClure said. The Sony hackers then analysed the captured data and combined it with employees’ LinkedIn social media profiles info in order to figure out the password and the user name, respectively, for their Sony accounts, in hope that they will coincide.
Let’s not forget also the theft of celebrity photos from iCloud in the late summer of 2014. Although the stimulus for this phishing attack was not directly monetary, it had direct effect on the reputation of Apple, and reputation today is money.
From the criminals’ point of view, Apple IDs are popular phishing targets because “[o]nce stolen, these accounts may be used to send iMessage spam or to remotely take control of iPhone and iPads. The attacker may use the “Find my iPhone” feature to remotely lock the device, and then demand the victim pay a ransom to regain control.”
A link to a Dropbox-hosted page
A Dropbox phishing email copied the same verification scheme. “However, the link [in the message] opens a fake Dropbox login page, hosted on Dropbox itself,” posted Symantec’s Nick Johnson in a blog. By hosting the fraudulent login page on Dropbox, the criminals used the natural looking way of the digital environment to their advantage; namely, the phishing page was included in Dropbox’s user content domain and most of the elements of the phishing page were served over SSL (without a doubt, encrypting the communications exchanged between a customer and a server made the ruse all the more convincing).
LinkedIn support email includes an HTML attachment
An appropriate example of phishing done via malicious attachment was the “LinkedIn support” scam. Victims received emails for the already banal “irregular activities” on their account, accompanied with an HTML file that purported to be a special form through which an update was to be made. In fact, the HTML file was a real copy of the website and login page of LinkedIn, but with a modified website code. Thus, when a user logged in, his credentials were transferred to the scammers.
Evidentially, “the most important technique used here is the HTML attachment. This method bypasses browser blacklist that often flag suspicious websites to help prevent users from being phished,” according to Satnam Narang, a senior security manager with Symantec.
A data breach catastrophe is avoidable in this particular case by simply enabling the two-step verification available on LinkedIn accounts. Pursuant to this procedure, a one-time passcode received over SMS on the user’s phone is required to successfully log into his account.
Microsoft’s Volume License – Personalized Phishing with an Elusive Trojan
Microsoft gives out licenses for their products Windows and Office in volume to corporate users. The license comes usually in the form of an activation code which is then used on Microsoft Volume Licensing Service Center (VLSC) where customers can obtain their licenses. According to Cisco, criminals seem to be targeting access to corporate IT systems with a new phishing campaign using messages purporting to be from VLSC. More details:
phishing emails that mimic legitimate notifications from VLSC
a personalized greeting
the email address of the sender is hidden in a fake Microsoft.com link. When one hovers with the pointer over the link, the real link becomes visible.
once installed, the malware puts itself into sleep for 30 minutes to evade automatic sandbox analysis.
it can copy “itself under another file name only to return to its original name” in order to sidestep sandbox systems completely.
malware’s Command and Control Servers are in the Tor network and the connection is made with the Tor2Web software directly through a web browser. Logically, detection would be difficult and even more challenging would be tracing the exfiltration of victim’s data.
End-user Security Awareness Training: Simulated Phishing Attacks
The idea to confront managers with a sham phishing campaign was inspired by a real life case. A government minister became all of a sudden a big advocate of cyber security initiatives in the aftermath of his personal email being hacked. According to one security expert, “[t]he minister’s attitude completely changed because cyber attacks were no longer theoretical, but something real that had impacted his personal life.”
Approximately two-thirds (66%) of corporations conduct security awareness training for their staff or user to be able to cope better with the hidden dangers of phishing scams. Nevertheless, only one-third of them decided to try to train them with simulated phishing attacks.
Belani advises that the training should be used always in conjunction with simulated phishing emails, otherwise the simulation might not make sense to the trainees. Therefore, such simulated phishing attacks should not be per se non-contextual: “By providing training immediately after a person falls for a simulated phish, you’re providing that training within the context of the situation.”
The security expert warns that in order for a phishing simulation to work, the manager needs to leave aside the fact that everything is a put-on and be in the position to cope with the stress factor that last at least 45 minutes. In other words: “Make it real, make it personal, and then follow up it with a detailed debrief to ensure top managers understand what happened, why it happened, and the consequences of their decisions,” Belani explains.
In practice, simulations cause managers to identify their firm’s or department’s most valuable data assets for the very first time and immediately after that to address the potential risks to these assets. Moreover, the exercise can provoke overall improvement in the behaviour of the tested manager staff.
Most recent trends in the phishing attacks show a slight shift from consumers to businesses. The criminals try to take advantage of the fatigue of middle managers whose email inboxes are normally overflown with spam, among other things. Relentless determination demonstrated by cyber crooks and sophisticated phishing attacks make up a very powerful combination against which many will fail to resist.
What is typical for phishing is that it rests on the human factor, rather than specific system vulnerabilities. No one is insured against opening a fake email. No one can be 100% sure that he will be able to weed out perfectly all the malicious messages, unless that person has an infallible intuition. Yes, indeed; an infallible intuition that will help a person to perceive the threat is what is needed here. The story of two vendors who managed to spot an unusual-looking parked car that turn out to be a car-bomb in the middle of Times Square can illustrate the point: “Human sensors” should be the outer layer of every firewall.
Ashford, W. (2014). Cyber attack simulation key to get top management buy-in. Available at http://www.computerweekly.com/news/2240230250/Cyber-attack-simulation-key-to-get-top-management-buy-in
Barker, I. (2015). Cybercrime gets smarter and more complex. Available at http://betanews.com/2015/04/22/cybercrime-gets-smarter-and-more-complex/
Bisson, D. (2015). Sony Hackers Used Phishing Emails to Breach Company Networks. Available at http://www.tripwire.com/state-of-security/latest-security-news/sony-hackers-used-phishing-emails-to-breach-company-networks/
Deka, J. (2015). User mistakes behind most phishing-attacks: Study. Available at http://timesofindia.indiatimes.com/tech/tech-news/User-mistakes-behind-most-phishing-attacks-Study/articleshow/46931993.cms
Dimov, I. (2013). Phishing Techniques: Similarities, Differences and Trends – Part I: (Mass) Phishing. Available at https://resources.infosecinstitute.com/phishing-techniques-similarities-differences-and-trends-part-i-mass-phishing/
Dimov, I. (2013). Phishing Techniques: Similarities, Differences and Trends – Part II: Targeted Phishing. Available at https://resources.infosecinstitute.com/phishing-techniques-similarities-differences-and-trends-part-ii-targeted-phishing/
Espion (2014). Preventing Phishing Attacks: Espion says Staff Should be Trained Not Punished. Available at https://www.espiongroup.com/news/press/preventing-phishing-attacks-espion-says-staff-should-be-trained-not-punishe
Ferrara, J. (2014). Phishing Scams at All-Time High, Employee Training Not Keeping Pace. Available at http://www.wallstreetandtech.com/security/phishing-scams-at-all-time-high-employee-training-not-keeping-pace/a/d-id/1306866
Grant, K. (2015). Anthem victims’ first hack symptom: Phishing scams. Available at http://www.cnbc.com/id/102405416
Green, C. (2014). The top 3 phishing trends to look out for. Available at http://www.information-age.com/technology/security/123458693/top-3-phishing-trends-look-out
Haferkamp, R. (2015). Spear Phishing: Your Company Can’t Rely on Email Like It Used To. Available at http://www.cnbwaco.com/blog/spear-phishing-company-cant-rely-email-like-used/
Hine, M. (2014). Interview: Rohyt Belani, CEO PhishMe. Available at http://www.infosecurity-magazine.com/interviews/interview-rohyt-belani-ceo-phishme/
Hubbard, R. (2015). Impostors bilk Omaha’s Scoular Co. out of $17.2 million. Available at http://www.omaha.com/money/impostors-bilk-omaha-s-scoular-co-out-of-million/article_25af3da5-d475-5f9d-92db-52493258d23d.html
James, M. (2014). Phishing Isn’t Always about the Dollars. Available at http://www.theemailadmin.com/2014/10/phishing-isnt-always-dollars/
Kerner, S. (2015). Sony Hackers Used Apple ID Phishing Scheme, Researchers Claim at RSA. Available at http://www.eweek.com/security/sony-hackers-used-apple-id-phishing-scheme-researchers-claim-at-rsa.html
Kirk, J. (2014). Dropbox used for convincing phishing attack. Available at http://www.computerworld.com/article/2835166/dropbox-used-for-convincing-phishing-attack.html
Kirk, J. (2015). Ham-fisted phishing attack seeks LinkedIn logins. Available at http://www.computerworld.com/article/2868830/ham-fisted-phishing-attack-seeks-linkedin-logins.html
Korolov, M. (2015). Omaha’s Scoular Co. loses $17 million after spearphishing attack. Available at http://www.csoonline.com/article/2884339/malware-cybercrime/omahas-scoular-co-loses-17-million-after-spearphishing-attack.html
Leyden, J. (2015). It’s official: David Brents are the weakest link in phishing attacks. Available at http://www.theregister.co.uk/2015/04/22/proofpoint_phishing_study/
Martin, A. (2015). Microsoft phishing email targeting corporate networks with ‘neurotic malware’. Available at http://www.welivesecurity.com/2015/02/10/microsoft-phishing-email-targeting-corporate-networks-neurotic-malware/
Nystrom, M. (2015). Fake Volume License Trojan Targets Corporate Users and Evades Sandboxes. Available at http://blogs.cisco.com/security/fake-volume-license-trojan-targets-corporate-users-and-evades-sandboxes
Ragan, S. (2015). RSA Conference 2015: Criminals targeting gaps in user awareness training. Available at http://www.csoonline.com/article/2910940/social-engineering/rsa-conference-2015-criminals-targeting-gaps-in-user-awareness-training.html
SBO Magazine (2015). Phishing Is Top Concern. Available at http://www.sbomag.com/2015/03/phishing-top-concern/
Scamagazine (2015). Microsoft phishing emails target corporate users, deliver malware that evades sandboxes. Available at http://www.scmagazine.com/microsoft-phishing-emails-target-corporate-users-deliver-malware-that-evades-sandboxes/article/397995/
Spamfighter (2015). Users of American Express Targeted in Phishing Scam. Available at http://www.spamfighter.com/News-19551-Users-of-American-Express-Targeted-in-Phishing-Scam.htm
Spamfighter (2015). Bitdefender – Users of Apple Become Victims of Phishing Emails Again. Available at http://www.spamfighter.com/News-19547-Bitdefender-Users-of-Apple-Become-Victims-of-Phishing-Emails-Again.htm
The China Post (2015). CIB warns of Gmail fake notification scam luring netizens to phishing sites. Available at http://www.chinapost.com.tw/taiwan/national/national-news/2015/04/20/434084/CIB-warns.htm
Wheatley, M. (2015). Cyberattackers go ‘phishing’ for corporate victims. Available at http://siliconangle.com/blog/2015/04/22/cyberattackers-go-phishing-for-corporate-victims/
Wilson, T. (2013). Study: Enterprises Fail To Test End User Awareness Training, Password Policies. Available at http://www.darkreading.com/risk/study-enterprises-fail-to-test-end-user-awareness-training-password-policies/d/d-id/1140487?
—Links accessible on 03/05/2015—