Phishing is one of the easiest ways an attacker can get malware into an organization or trick victims into visiting a fake website, with one vendor saying it found one million confirmed malicious phishing sites in 2015. Unfortunately, the strategy also gives truth to the old adage that people are the weakest link in security.
Two reports released by vendors on Thursday hope to give CISOs a little more insight into phishing attacks.
One, from PhishLabs, says it is currently tracking more than 90 threat actor groups that use spear phishing, with experience ranging from novice cybercriminals to advanced nation-state cyber operations. The number of organizations targeted with so-called Business Email Compromise (BEC) spear phishing attacks (aimed narrowly at senior officials, with the phishing mail impersonating an executive) grew tremendously in 2015, it adds.
“Phishing attacks are cheap, easy to execute and difficult to stop,” it says. “People will continue to fall for phishing attacks. No security tool or training regimen will prevent that from happening. But by detecting phishing attacks early, when they are launched and as soon as they reach inboxes, it is possible to stop the attack and prevent the consequences even if someone does initially fall victim.”
Other significant findings include:
- 90 per cent of consumer-focused phishing attacks targeted financial institutions, cloud storage/file hosting sites, webmail and online services, e-commerce sites, and payment services;
- Gmail is used for more than half of all data drop email accounts, making it the top webmail service used by attackers to receive credentials stolen in phishing;
- Social media is a primary promotion and distribution channel for consumer-focused phishing kits and related goods or services;
- Techniques to evade automated detection of phishing attacks and to prevent analysis of attack components are becoming more commonplace, even among less sophisticated threat actors.
The other report, from Easy Solutions, which makes fraud detection software, performed a data and clustering analysis of 3,000 phishing attacks committed against a top 25 U.S. financial institution to put phishing sites into three groups.
The first are fake sites that neither resemble nor reference the original sites they’re targeting; the second (the most common) are fake sites that are copies of the target sites, with all page content hosted by the attackers themselves; the third are fake sites that are copies of the target sites and reference most of the content on the original site.
Within each group there are sub-groups with more complexity in their disguised sites than others. Some, for example, use embedded images to display words like ‘password,’ ‘user name’ and ‘credit card number’ to bypass phishing detection systems that use semantic analysis of site content. Some sites specialize in exploiting WordPress vulnerabilities. Those that include a link to a fake site have sophisticated ways of fooling users into filling out forms for their name, login/password and credit card numbers, including challenge questions.
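The image-label trick described above is something a defender can look for directly. The following is an added example, not code from either report: it scans a suspect page for a credential form whose field labels are carried only by images (no credential words in the visible text) and notes whether the page pulls resources from the impersonated brand's domain, which is the mark of the third cluster. The HTML samples and the `bank.example` domain are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

CREDENTIAL_WORDS = ("password", "user name", "username", "credit card")


class _FormScanner(HTMLParser):
    """Collects inputs, images and visible text inside <form>, plus resource hosts."""

    def __init__(self):
        super().__init__()
        self.in_form = False
        self.inputs = []           # input types seen inside forms
        self.images = 0            # <img> tags seen inside forms
        self.text = []             # visible text inside forms
        self.resource_hosts = set()  # hosts referenced by src/href anywhere

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.in_form = True
        if self.in_form:
            if tag == "input":
                self.inputs.append((a.get("type") or "text").lower())
            elif tag == "img":
                self.images += 1
        for key in ("src", "href"):
            if a.get(key):
                host = urlparse(a[key]).hostname
                if host:
                    self.resource_hosts.add(host.lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self.in_form = False

    def handle_data(self, data):
        if self.in_form and data.strip():
            self.text.append(data.strip().lower())


def analyse_page(html, brand_domain):
    """Return indicators: credential form present, image-only labels, brand resources referenced."""
    s = _FormScanner()
    s.feed(html)
    has_password = "password" in s.inputs
    labels_in_text = any(w in " ".join(s.text) for w in CREDENTIAL_WORDS)
    references_brand = any(h == brand_domain or h.endswith("." + brand_domain)
                           for h in s.resource_hosts)
    return {"credential_form": has_password,
            "image_only_labels": has_password and s.images > 0 and not labels_in_text,
            "references_brand": references_brand}


# Constructed samples: a plainly labelled login form, and an evasive copy using image labels.
PLAIN = "<form><label>User name</label><input name=u><label>Password</label><input type=password name=p></form>"
EVASIVE = ("<form><img src=img/user.png><input name=u><img src=img/pass.png><input type=password name=p>"
           "<img src='https://bank.example/logo.png'></form>")
```

Run against a captured page, `image_only_labels` is the signal that semantic content checks alone would miss, and `references_brand` gives a fast route to the third cluster, where referer logs on the brand's own servers reveal the fake site.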
Phishing attacks pose a problem to organizations: On the one hand firms want to appear to be open to customers and partners by listing executives, photos and contact information. However, this information is used by attackers to craft attacks.
PhishLabs notes that 2015 saw the rise of targeted executive phishing ploys that used phony merger or acquisition lures (for example, the message is something like “We’re close to completing negotiations for an acquisition and need you to wire a payment for a deposit.”). The sender field of the email spoofs a real executive.
In any case, experienced CISOs know that one of the best strategies to meet the phishing challenge is regular education of staff to be careful with messages with attachments. Those who don’t are fishing for trouble.