The Background and Evolution of Phishing
Mimecast have just released a new report which reveals an 80% increase in impersonation or Business Email Compromise (BEC) attacks.
Mimecast inspected more than 142 million emails that have passed through organizations’ incumbent email security vendors. Latest results revealed 203,000 malicious links within 10,072,682 emails were deemed safe by other security systems – a ratio of one unstopped malicious link for every 50 emails inspected.
This is an increasing problem and one that needs the proper attention of business leaders, who must help educate their staff to detect suspicious emails in whatever form they take.
We put this post together to help people understand the background to phishing, as well as the breadth and nature of phishing attacks and how they have evolved over the past number of years.
What is Phishing?
Phishing is the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.
While there are multiple forms and classifications of phishing attack (including spear phishing, whaling, etc.), they all work on the premise that an email recipient can be tricked into inadvertently disclosing sensitive information or granting access to systems.
A recent report by Kaspersky Lab reveals that in 2017 its systems identified 246,231,645 attempted instances of phishing[i]: an increase of approximately 91 million over the previous year. On an individual level there is still much confusion around the subject of phishing and phishing attacks. In fact, over a third of UK adults don’t know what phishing is, and practically all companies, regardless of size or industry, face the threat.
A single successful attack point can allow unfettered access to data and company networks. And companies that don’t deploy effective protection against this form of modern attack are at risk of billions of pounds in damages.
The concept of phishing can be traced back to the 1990s, and an AOL group calling themselves “The Warez Community”. The group conducted rudimentary attacks against large corporate targets. In one example, they designed an algorithm that allowed them to generate random credit card numbers, which then allowed them to create AOL accounts once they hit upon a real credit card number. Once they had an account, they could spam other accounts and build the attack over time.
Since those pioneering days, phishing has become a much more sophisticated proposition, and the results impact millions globally and cost billions of pounds in losses to UK businesses and those abroad. Fortunately, there are manageable steps that companies, from the smallest local store to the large multinational, can take to safeguard their organisation against the latest threats.
97% of users are not able to identify a sophisticated phishing email.
– Intel Security
Fraudsters continue to engineer new ways to gain trust through online communications. For example, one new trend we’ll go into detail on later is “spear phishing”, in which an attacker uses private information gleaned from social media to conduct a personalised attack. A single spear-phishing attack costs on average over £1.1m ($1.6m).[ii]
The threat of phishing is evolving, both on the corporate and personal level, and companies must now take charge in mitigating this growing threat.
As we approach the question of “What is phishing?”, it’s important to note that the term doesn’t just describe one form of attack. The goal of a phishing attack is to gain access to private data via the use of a deceptive communication. The attacker will conduct their phishing attack to push the user to do one of the following:
- Provide sensitive information
The most basic of phishing attacks involves trying to get the user to provide their username and password, which the attacker can then use to breach their accounts. The classic scam involves sending an email designed to look as though it comes from an authoritative source, such as a boss or the IT department, or from an institution that holds the user’s sensitive information, e.g. a bank. The employee then clicks the link and enters their information on a malicious webpage, which collects the data for the attackers.
- Download a malicious computer program (malware)
In many cases, the goal of the phishing attack is to gain long-term access to a particular computer or server. The attacker will send out an email, private message or social media communication that contains a link to, or an attachment containing, malware. Attachments are often simple ZIP files which, when uncompressed, allow spyware and other malicious items onto a company’s computer. The attacker then has full insight into all events taking place on that system.

As with any form of online criminal activity, phishing has evolved along with the most common technology used by its victims. While email attacks are still the predominant weapon for attackers, other technology has served as the funnel through which the connection is made. For example, in the early-to-mid 2000s, instant messenger was being used by billions to communicate around the globe.

In May 2006, hackers sent out spam messages through instant messenger accounts. The recipient would see a message from someone they knew and click the link. The link would ask for the person’s email address and password. Once they provided the information, hackers could access their account and send the same link to their entire contact list. This was an automated process that impacted millions of IM users in 2006.
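The two outcomes listed above (handing over credentials through a look-alike link, and opening malware delivered in a ZIP attachment) leave traces that can be checked mechanically before a message reaches an inbox. The Python below is an added example written for this post, not code from Mimecast or any other vendor mentioned here; the message, the domains (example-corp.com, attacker.example) and the zipped “invoice” are constructed for illustration. It flags three things: a Reply-To domain that differs from the visible sender, link text that displays one host while the href points at another, and an executable hiding behind a double extension inside the archive.

```python
"""Triage checks for the two phishing outcomes described above: credential
theft via a deceptive link, and malware delivery via a ZIP attachment.

Example code written for this article, not code from Mimecast or any vendor
named on the page. The message, domains and attachment are constructed."""
import io
import os
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

# Executable and script types that have no business arriving inside an emailed archive.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".jse", ".vbs", ".wsf", ".bat",
                    ".cmd", ".ps1", ".lnk", ".hta", ".msi"}
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def _host(url):
    """Hostname of a URL; link text often lacks a scheme, so supply one."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def _domain(address):
    """Domain part of an RFC 5322 address such as 'IT Helpdesk <x@example>'."""
    return parseaddr(address)[1].rsplit("@", 1)[-1].lower()


def reply_to_mismatch(msg):
    """True when replies would go to a different domain than the visible sender."""
    reply_to = msg.get("Reply-To")
    return bool(reply_to) and _domain(reply_to) != _domain(msg["From"])


def deceptive_links(html):
    """(shown_host, real_host) pairs where the link text displays a URL whose
    host differs from the host the href actually points to."""
    found = []
    for href, text in ANCHOR.findall(html):
        text = re.sub(r"<[^>]+>", "", text).strip()
        if re.match(r"(https?://|www\.)", text, re.I) and _host(text) != _host(href):
            found.append((_host(text), _host(href)))
    return found


def risky_zip_members(data):
    """Names inside a ZIP whose final extension is executable content.
    Only the central directory is read; nothing is extracted."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [info.filename for info in zf.infolist()]
    # splitext("invoice.pdf.exe") yields ".exe", so double extensions are caught.
    return [n for n in names if os.path.splitext(n.lower())[1] in RISKY_EXTENSIONS]


def triage(raw):
    """Run all three checks over a raw RFC 822 message and return the findings."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    risky = []
    for part in msg.iter_attachments():
        if part.get_content_type() == "application/zip":
            for name in risky_zip_members(part.get_payload(decode=True)):
                risky.append((part.get_filename(), name))
    return {"reply_to_mismatch": reply_to_mismatch(msg),
            "deceptive_links": deceptive_links(html),
            "risky_attachments": risky}


def build_sample_message(malicious=True):
    """Constructed lure in the style the article describes: an 'IT department'
    password-expiry notice with a look-alike link and a zipped 'invoice'."""
    msg = EmailMessage()
    msg["From"] = "IT Helpdesk <helpdesk@example-corp.com>"
    msg["To"] = "employee@example-corp.com"
    msg["Subject"] = "Action required: password expiry"
    if malicious:
        msg["Reply-To"] = "helpdesk@example-corp-support.example"
        href = "https://login.example-corp.com.attacker.example/reset"
        member = "Invoice_2017.pdf.exe"
    else:
        href = "https://login.example-corp.com/reset"
        member = "Invoice_2017.pdf"
    msg.set_content(
        f'<p>Your password expires today. Reset it at '
        f'<a href="{href}">https://login.example-corp.com/reset</a>.</p>',
        subtype="html")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"placeholder bytes, not a real program")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Invoice_2017.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample_message()))
```

Running `triage()` on the constructed lure reports all three findings; the same message with the deception removed (`build_sample_message(malicious=False)`) reports none. Reading only the ZIP’s central directory, rather than extracting members, means the check never expands an attacker-controlled archive.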
As attackers began to see the scale and potential returns from phishing scams grow, their schemes became more elaborate over time. For example, in 2013 a group of three men in the UK sent out spam emails and created websites that mimicked banking websites, targeting customers in 14 countries. In total, the cyber criminals possessed full details on 30,000 bank accounts, 12,500 of which were in the UK. Fortunately, the men were caught and have since been given heavy jail sentences. The police believe their operation prevented £59m in fraud losses. Three men, £59 million.
A Change in Strategy
Social media phishing attacks jumped by a massive 500% in Q4 2016
– InfoSecurity Magazine
Starting around 2016 and with the growth of social media, a new form of phishing attack emerged. Criminals began using Twitter and other social media platforms to spoof business accounts and gather customer data. Sophisticated operations would mimic the communications style and branding of major banks and their employees online. Attackers would create a real-looking spoof customer service account and then wait for contact from a customer. In many cases, customers and employees would contact the spoof account and the account would respond with links sent from a fake support page. These scams became highly profitable as they allowed easy, quick and almost untraceable access to bank accounts for cybercriminals.
The threat from phishing attacks is such that recent cost figures have tripled in the space of a year or more. In fact, recent data shows that phishing attacks cost UK companies £5.9 billion a year [iv].
When examining the cost of phishing, it’s important to look at the broader impact that phishing events have on the company and those working within the firm. A phishing attack causes doubt. For example, if a company finds out one of their employees has been the victim of an attack, and allowed attackers access to company data, that employee then becomes the focus for others. This creates an atmosphere in which employees might become suspicious of one another.
According to a Ponemon report, one of the largest overlooked costs of phishing is the disruption to employee productivity[v]. The cost of lost time was almost equal to the direct financial loss from phishing. This means the impact on employees and in-house activities was as significant as the data loss and the compromised accounts.
2016 would end with what was perhaps the most consequential phishing attack in history to date, when hackers used phishing techniques to access the Gmail account of Hillary Clinton’s campaign chairperson John Podesta. Private communications between campaign staffers were then sent to local press groups and to opposing parties, who used the information revealed to sway public opinion in favour of the then Republican nominee Donald Trump. The event was historic not only in its impact on U.S. politics and the election cycle, but also in what it meant for online security and the power wielded by those who could access private data.
Details from Accenture’s 2017 Cyber Threatscape Report show that phishing attempts continued to grow in 2017, and end users still pose a huge threat when not trained to identify and report phishing[vi]. But while the old financial wire transfer, shipping and invoice lures were still just as prevalent as in past years, new and more sophisticated spear-phishing lures were also observed. In fact, according to Symantec, 71% of all cyber attacks in 2017 began as spear phishing.[vii]
The online security marketplace is changing rapidly. The methods of attack are switching as cyber criminals adapt to new technology and new opportunities. Companies must begin to learn more about the types of phishing attack being used by today’s criminals. Learning from specialists and building in-house knowledge of phishing strategies is the best way to guide employees and lay a formidable foundation to safeguard the organisation for the coming years.
The volume of spam emails increased 4x between 2015 and 2016.
– IBM Threat Intelligence Index 2017
By learning to recognise a phishing scam before it begins, employees can make more effective decisions for the security of the company. As we’ve discussed previously, phishing scams have evolved significantly since their early incarnations. Let’s look at a few of the most common phishing strategies typically deployed by today’s cyber criminals:
- Deceptive Phishing
By far the most common means of attack used by cyber criminals, deceptive phishing involves impersonating another company or individual for the purpose of extracting information from a target.

One variety of this scam is the common PayPal deceptive phishing email, in which the attacker sends a PayPal user an email designed to look like it comes directly from PayPal. The email tells the target something is wrong with their account and that they must click the link to resolve the issue. Once they click the link and enter their details on the fake page, the attacker has all their PayPal and banking details and can extract money from their account.
- Spear Phishing
95 percent of all attacks on enterprise networks are the result of successful spear phishing.
– SANS Institute
One of the newest forms of phishing, spear phishing has the same goal as deceptive phishing – to gain access to data and login credentials – but a different methodology. Using the spear phishing method, cyber criminals use specific details about the person, including their work phone number, employee number or position in the company, to appear familiar. This leads the target to believe the attacker more readily and simply follow the instructions as directed. The newest forms of spear phishing attack are exceptionally believable, and further the need for employee training on security awareness.
The full cost of spear phishing attacks has been proven in various cases around the globe. Consider for example the case involving a small American network technology company, Ubiquiti Networks, Inc. In 2015, the company lost $46.7 million as a result of a single spear phishing email[viii]. The attack was completed through a process of employee impersonation, in which an outside entity targeted the firm’s finance department. After receiving what appeared to be an in-house request, the department sent $46.7 million from a subsidiary to third-party accounts overseas. The story highlights both the simplicity and the scale of these types of operations.
- Pharming
Another newer form of phishing is pharming. In this technique attackers forgo trying to bait the victim into clicking a link or filling in forms. Instead, they take advantage of the DNS process, which converts a website name into an IP address. In a typical pharming attack, the criminal changes the IP address associated with a website name. This allows the attacker to redirect all traffic to their own server, even when the target typed or clicked the real, official address. It’s why many organisations now guide their employees to only enter login details on sites protected by HTTPS: the server must present a certificate issued for the genuine domain name, which an attacker’s server normally cannot do. This extra layer of protection can help to prevent such pharming attacks.
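The reason HTTPS helps here is worth making concrete. The Python below is an added example, not part of the original article: it models a resolver that has been poisoned to return the attacker’s address and shows that the name-matching step of certificate validation (the RFC 6125 rules browsers apply to a certificate’s subject alternative names) rejects the attacker’s server even though DNS pointed the browser at it, whereas plain HTTP has no such binding. The hostnames, addresses and certificate names are constructed, and the model assumes the certificate chain has already been validated to a trusted CA.

```python
"""Why HTTPS blunts pharming: the browser checks the name the user typed
against the names in the server's certificate, so redirecting DNS to another
server is not enough unless that server also holds a valid certificate for
the genuine domain name.

Example written for this article; hostnames, addresses and certificate SANs
below are constructed, not real sites. Assumes the certificate chain itself
has already been validated to a trusted CA; only the name check is modelled."""
import ipaddress


def hostname_matches(hostname, san_names):
    """Match a hostname against certificate subject alternative names using the
    RFC 6125 rules browsers apply: case-insensitive comparison, a wildcard only
    as the entire left-most label, one wildcard matching exactly one label, and
    no wildcard match at all for IP-address literals or two-label names."""
    host = hostname.lower().rstrip(".")
    lowered = [s.lower().rstrip(".") for s in san_names]
    try:
        ipaddress.ip_address(host)
        return host in lowered          # IP literals need an exact iPAddress SAN
    except ValueError:
        pass
    host_labels = host.split(".")
    for san in lowered:
        if san == host:
            return True
        san_labels = san.split(".")
        if (san_labels[0] == "*"
                and len(san_labels) >= 3                 # no "*.com"
                and len(san_labels) == len(host_labels)  # one label only
                and san_labels[1:] == host_labels[1:]):
            return True
    return False


# Constructed network state. TEST-NET addresses (RFC 5737) stand in for real ones.
HONEST_DNS = {"online.example-bank.com": "203.0.113.10"}
PHARMED_DNS = {"online.example-bank.com": "198.51.100.7"}   # poisoned answer
SERVERS = {
    "203.0.113.10": ["online.example-bank.com", "*.example-bank.com"],  # bank's cert
    "198.51.100.7": ["secure-banking.example"],  # attacker's cert, for a name they own
}


def connect(hostname, dns, scheme="https"):
    """Return (ip, trusted). Plain HTTP trusts whatever address DNS returned;
    HTTPS additionally requires the certificate presented at that address to
    name the host the user actually asked for."""
    ip = dns[hostname]
    if scheme == "http":
        return ip, True          # nothing ties the address back to the name
    return ip, hostname_matches(hostname, SERVERS[ip])


if __name__ == "__main__":
    for label, dns in (("honest DNS", HONEST_DNS), ("pharmed DNS", PHARMED_DNS)):
        for scheme in ("http", "https"):
            ip, ok = connect("online.example-bank.com", dns, scheme)
            print(f"{label:12s} {scheme:5s} -> {ip:14s} trusted={ok}")
```

With the honest resolver both schemes reach the bank; with the poisoned resolver, HTTP happily talks to the attacker’s server while HTTPS fails the name check and the browser would show a certificate error rather than the login form. That gap is exactly what the advice to log in only on HTTPS sites relies on.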
- Whaling
Derived from the term phishing, a whaling attack, as you might already have guessed, targets a high-profile individual within an organisation. Whaling is also known as CEO Fraud or Business Email Compromise (BEC).

As with most phishing attacks, the target is fooled by a spoof webpage or email written to seem as if it came from a colleague. The email might look as if it came from the company’s IT department, asking them to install a specific product on their system.

These types of attack are becoming more common as CEOs and other high-profile employees place their information on sites such as Facebook, Yammer and LinkedIn, giving attackers ammunition for their whaling strategies.
Once an email account is taken over or spoofed, it can be used to commit further fraud and to manipulate other corporate employees or business partners. Since 2015 these attacks have seen a meteoric increase of 1300%, and have cost businesses $3.1 billion USD.[ix]
- Malware-based Phishing
Malware-based phishing remains one of the most common forms of phishing attack, simply because of the level of success past attackers have achieved with this methodology. The process involves the attacker sending an email or instant message with a downloadable document. Their goal is to get the recipient to open the attachment, which then installs malicious software on the victim’s computer.
1 in 131 emails contain malware.
– Symantec Security Response
Malware might include a computer virus that installs a keylogger on the person’s computer, which then monitors the keys they use when writing their username and password. In other cases, the malware might be a virus that shuts down an entire computer network, costing the company millions of pounds in lost productivity.
- Drive by Download
Content injection occurs due to an exploit at the back end of a website. An attacker might take control of the web domain for a short period of time and insert malicious code into its content. Content injection is usually the result of weak site security, so it’s important that companies take the time to educate their staff on the issue and on how to check that the site they’re visiting is secure.
- Smishing
SMS social engineering, also known as smishing, is in many ways similar to email phishing. A smishing target receives a counterfeit message on their mobile device containing a link or attachment meant to entice them. These messages can come laced with malicious software, links to fraudulent sites or even phone numbers, all meant to victimise the recipient.

Beyond a direct attack, smishing is also used in parallel with other social engineering techniques, bolstering the fraudsters’ claims to legitimacy. A phishing email may arrive at the same time as an SMS text that heightens the sense of urgency (for example a bank fraud alert, with an SMS text and a phone number to call immediately to confirm a pending charge). Due to their success, these multilayered attacks are on the rise and require swift action to raise preparedness.
- Vishing
Yet another relatively new form of phishing is vishing: phishing using voice technology. The goal of a vishing attack is to obtain the victim’s personal information by having them key in numbers on their phone. This has been used in successful attacks in the past to gain banking information and national insurance numbers.

Both the extent and the variety of phishing attacks continue to grow, and companies are arriving at a point where they must take a proactive stance on in-house asset protection. Training employees is the next important step in this process. Employees will be the eyes of the company, looking for potential phishing attacks and stopping them at their source.
This is an evolving and increasing threat to businesses large and small. Criminals now have access to industrial-strength services on the dark web, which has resulted in escalating volumes of phishing emails; more worryingly, they are improving in ‘quality’ and so are harder to detect. Technical defences simply can’t stop all of them reaching your staff.
Business leaders have to recognise that this is a significant threat and that staff need help to detect these emails and report them. There is no shortcut here except to deploy the best available Security Awareness Training capability, so that instead of falling victim to these attacks your staff become part of your Human Firewall. You need a partner capable of keeping you up to speed with this evolving threat.