Mon 30 Jan 2017 | Michael Mudd
When I was younger I used to like to dangle a rod and line in a river hoping to catch a small fish on a hook with a worm attached as bait. Today I fish off a friend’s trawler yacht in Hong Kong with an expensive rod and highly specialised lures for different kinds of fish. I tend to catch more – and bigger – fish today.
The art of casting and reeling in is where we get the term phishing, a noun that describes the modern method of fraud used to get people to part with something of value, in this case information and/or money. It is an electronic form of vishing, which is what the age-old fraud of spoken social engineering (phone scams) is now called.
In the recent past this was mainly targeted at revealing personal information: passwords, bank and credit card numbers, usually within an email that purports to be from a well-known legitimate enterprise. Derivatives built upon this are more specific, hence the term ‘spear phishing’ for attacks targeted at specific individuals or companies; when it is aimed at the C suite it is called ‘whaling’. FACC, a European-based aerospace supplier, suffered a spear phishing attack in early 2016 that resulted in a fraudulent US$55 million money transfer: it wiped out their profit for the year. The CEO and CFO (the ‘whales’) are no longer with the company.
Traditionally, the most commonly distributed phishing emails are very small – up to 2 KB – so they are also easily downloaded onto mobile phones and tablets.
Spear phishing appears to have played a key role in the recent well publicised breach of the US Democratic National Committee (DNC) network, according to a 29 Dec 2016 U.S. government Joint Analysis Report. Organizations that have a strategic response plan and train their workforce to guard against spear phishing attacks will be better prepared to combat this type of threat.
The US based anti-phishing company PhishMe reported a dramatic increase in the number of phishing emails deploying ransomware payloads during 2016. During March, 93% of the phishing emails they collected intended to infect victims with ransomware. Over a third of the respondents to a recent survey by AlienVault reported their executives have fallen victim to a CEO fraud email, and over 80 percent believed their executives could fall for targeted phishing scams in the future.
According to 2016 data from Kaspersky Labs, Germany (14.69%) topped the ranking of countries targeted for phishing, followed by China (13.61%), the fastest growing target country, then Japan (6.42%). In Q2 2016, the Anti-Phishing system on the computers of Kaspersky Labs users was triggered 32,363,492 times; China was the main target. In terms of sources of spam, most comes from India today, followed by Vietnam and the US, because of compromised PCs (botnets) resulting from poor security hygiene. Phishing is the main vector used by cybercriminals as it bypasses most perimeter electronic defences of a network by posing as legitimate email or messaging.
Many phishing emails were badly written, with spelling and grammar errors that any half-educated reader could spot. But this has changed; cybercriminals today are more akin to professional marketers who can press the right buttons to get the target to open the mail, attachment or link. Events such as elections, major sporting events or highly newsworthy stories, both true and fictitious, are used as bait. Indeed, the recent US election and UK Brexit votes saw a spike in both fake news and phishing attacks, spurred on by the ‘pay for clicks’ business model of the major social media sites.
According to research by Verizon in 2016, about 30% of phishing mails get opened. This is a worrying rate when you consider that the average marketing email gets opened less than 1% of the time, so how do you combat this?
Facebook users are often subjected to phishing attacks. In one example, a video was used as bait. When the user attempted to view it, they were directed to a fake page imitating a YouTube page and then asked to download a browser extension. This extension requested rights to read all the data in the browser, potentially giving the cybercriminals access to passwords, logins, credit card details and other confidential user information. The extension also spread further links to itself on Facebook, sent under the victim’s name.
A combination of training and specific anti-phishing technologies is required. Interactive training aids, such as the anti-phishing detection, training and testing offerings from Wombat Security Technologies or PhishMe, can help teach employees how to avoid phishing traps. FraudWatch International and MillerSmiles publish regularly updated lists of common phishing email subject lines. Email filter gateways can stop mass-targeted phishing emails, but are less effective against spear phishing.
A sound social media and email/security training policy, combined with anti-phishing testing and monitoring technology, will ensure that your data – and money – has not ‘gone phishing’.
© 2017 APP.
About the writer. Mr. Michael Mudd is Managing Partner of Asia Policy Partners LLC, an independent consultancy specializing in technology policy for security, privacy and trade-related business. He is a member of the FinTech, Policy and Cloud Computing SIGs of the Hong Kong Computer Society. He is an appointed expert to JTC-1 of the ISO and to the Government of Hong Kong’s Expert Group on Cloud Computing, specifically the Working Group on Cloud Security and Privacy, and is on the senior advisory committee of OSAC in Hong Kong.
He may be reached at [email protected]