Lately it seems like I’ve been getting more than the usual number of emails that give me pause. Could this one be a phish, I wonder? What about that one? Even my husband and fellow blogger Brian showed me a curious email the other day. It certainly looked legitimate, appearing to come from a bank we do business with, but we concluded that the bank wouldn’t send him an email for this particular matter. The note went in the digital trash bin.
Given that we research and write about IT security, we tend to err on the side of caution and delete the emails that make us uneasy. We figure if the email message was indeed legitimate and the matter is important, the sender will find a way to reach us.
Brian and I aren’t unique in getting these apparent phishing messages. Far from it, unfortunately. According to the Anti-Phishing Working Group (APWG), phishing is on the rise. For the first half of 2012, at least 93,462 unique phishing attacks were reported to the APWG—an increase of 12% over the 83,083 unique attacks of the previous six months. And this is just what was reported. Who knows how many other unreported phishes are circulating among us?
Criminals are getting smarter with their phishing campaigns, moving into the realm of spear phishing. They are hitting fewer targets but concentrating on larger, more prominent ones. For example, the financial (34.4%) and payment services (32.1%) industries were most often targeted by phishing campaigns. If just a few people in these industries take the bait, the data breaches that could result from the attacks would be far more lucrative for the criminals and devastating for the victim companies.
Spear phishing is being fueled by our penchant for sharing personal information via social networks like Facebook and LinkedIn. Spear phishing involves gaining the confidence of a specific person or someone in a specific organization such as an IT or accounting department. How better to do that than to learn a bit about that person from reading his/her LinkedIn profile? Imagine how easy it would be to target a network administrator at a major energy firm with a personalized note like this:
Joe, I’m the membership chairman for the CIO Advisory Council in Houston. We would like you to join our select group of networking professionals to help develop a set of industry best practices for BYOD management. Your knowledge on this subject is highly regarded by the CIOs from our member companies like BP America and Noble Energy. Our next meeting is on March 20, so please confirm your participation today. Visit www.HoustonCIOAdvisoryCouncil.org to get the agenda and details for our next meeting.
A message like this has all the hallmarks of good spear phishing bait: familiarity (knowing what the person does for a living); play on ego (“your knowledge is valued”); a dose of reality (names of real companies in Houston); sense of urgency to act (confirm participation today). All of this combined might be enough to get Joe to click the fake link that is poised to deliver a malware payload. And it’s that simple.
Obviously this type of spear phishing requires some effort to customize and send the email. Now there is news of a new technique called “longlining” that brings mass customization to spear phishing. According to security service provider Proofpoint, Inc.:
Longlining combines successful spear phishing tactics with mass customization. Using these techniques, attackers are now able to rapidly deploy thousands of unique, malware-laden messages that are largely undetectable to traditional signature and reputation-based security systems. Worse, despite their scale, these mass-customized phish were effective enough to trick more than 10 percent of recipients into clicking on malicious content capable of taking complete control of PCs and compromising corporate networks.
Great. Expect those spear phishing attacks to come even more frequently.
The next big platform for phishing attacks is that mobile device that is never far from your hand. SMiShing – SMS phishing – is growing by leaps and bounds. The security firm Cloudmark reports there was a 400% increase in SMS spam in the first half of 2012, and SMiShing attacks account for one-third of all that spam.
In a SMiShing attack, you receive a text message that either directs you to a fake website or asks you to call a phone number to provide private information. The text message might appear to come from someone you know and trust—a friend, a colleague, your bank, a retail merchant you do business with (“click here to get your free gift card”), etc. Of course, they aren’t the real source of the message, just a spoofed alias to gain your trust.
The average person reads a text message within 15 minutes of its receipt. This responsiveness plays to the strength of a SMiShing attack: getting you to act quickly without giving your actions much thought. With text messaging, you are more likely to take the bait and set the hook before you realize you’ve been had. As a result, you inadvertently download malware to your phone or you give up personal information to someone who shouldn’t have it.
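The hallmarks listed above for spear phishing bait (familiarity, flattery, urgency, a link that isn't what it claims to be) and for SMiShing (a spoofed sender asking you to tap a link or call a number) are exactly the cues a defender can score for when triaging inbound messages. The following is an added example, not code from the original post or from any vendor it names: a small rule-based scorer that flags urgency and flattery phrases, requests for a callback or personal data, and links whose domain does not belong to the claimed sender. The cue lists, weights and threshold are assumptions chosen for illustration, and every sample message is constructed (the first paraphrases the post's own "Joe" note, with the real company names removed).

```python
"""Rule-based triage of inbound email/SMS text for social-engineering cues.

Added example (not from the original post). Cue lists, weights and the
threshold are illustrative assumptions; sample messages are constructed.
"""
import re
from dataclasses import dataclass, field

# Cue lists are assumptions; a production filter would tune them from real data.
URGENCY_CUES = ("today", "immediately", "within 24 hours", "act now", "urgent",
                "confirm your", "expires")
EGO_CUES = ("highly regarded", "select group", "you have been chosen", "exclusive")
INFO_REQUEST_CUES = ("password", "account number", "verify your identity",
                     "call ", "gift card", "click here")

# Only hosts with an explicit scheme or "www." prefix count as links, so ordinary
# prose such as "Proofpoint, Inc." is not mistaken for a hostname.
URL_RE = re.compile(r"(?i)\b(?:https?://|www\.)([a-z0-9-]+(?:\.[a-z0-9-]+)+)")
PHONE_RE = re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b")

SUSPICIOUS_THRESHOLD = 4  # assumption; tune against your own false-positive budget


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    def label(self) -> str:
        if self.score >= SUSPICIOUS_THRESHOLD:
            return "suspicious"
        return "review" if self.score >= 2 else "ok"


def registrable_domain(host: str) -> str:
    """Crude: keep the last two labels. Real code would consult the public suffix list."""
    return ".".join(host.lower().split(".")[-2:])


def triage(sender_domain, text, known_domains=()):
    """Score one message.

    sender_domain: the domain the message claims to come from (None for an SMS
    short code). known_domains: the organisation's own or allow-listed domains.
    """
    low = text.lower()
    v = Verdict()

    urgency = [c for c in URGENCY_CUES if c in low]
    if urgency:
        v.score += 2
        v.reasons.append(f"urgency: {urgency}")

    ego = [c for c in EGO_CUES if c in low]
    if ego:
        v.score += 1
        v.reasons.append(f"flattery: {ego}")

    asks = [c for c in INFO_REQUEST_CUES if c in low]
    if asks:
        v.score += 2
        v.reasons.append(f"asks for action or data: {asks}")

    if PHONE_RE.search(text):
        v.score += 1
        v.reasons.append("contains a callback number")

    # A link is a strong signal only when its domain is neither the claimed
    # sender's nor allow-listed; a bank linking to its own site scores nothing.
    claimed = registrable_domain(sender_domain) if sender_domain else None
    for host in {registrable_domain(m.group(1)) for m in URL_RE.finditer(text)}:
        if host != claimed and host not in known_domains:
            v.score += 3
            v.reasons.append(f"link to {host} does not match claimed sender {claimed}")
    return v


# Constructed samples: (claimed sender domain, message text).
SPEAR_PHISH = (
    "council-mail.example",
    "Joe, I'm the membership chairman for the CIO Advisory Council in Houston. "
    "We would like you to join our select group of networking professionals. "
    "Your knowledge on this subject is highly regarded by the CIOs from our member "
    "companies. Please confirm your participation today. "
    "Visit www.HoustonCIOAdvisoryCouncil.org to get the agenda.",
)
SMISH = (None, "Your bank card has been locked. Call 555-012-3456 immediately "
               "to verify your identity.")
BENIGN_INTERNAL = ("example.com", "Hi team, the roadmap review moved to Thursday "
                                  "at 3pm, same room. Slides are on the wiki.")
BENIGN_BANK = ("example-bank.com", "Your statement is ready. View it at "
                                   "https://www.example-bank.com/statements.")

if __name__ == "__main__":
    for sender, text in (SPEAR_PHISH, SMISH, BENIGN_INTERNAL, BENIGN_BANK):
        v = triage(sender, text)
        print(f"{v.label():10s} score={v.score} {v.reasons}")
```

The scorer is a triage aid, not a verdict: the word "today" appears in plenty of legitimate mail, which is why single cues carry low weight and only the link-domain mismatch is weighted heavily. The "review" band is where a human, or a mail gateway's sandbox, should take a second look rather than auto-delete.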
SMiShing is dangerous for individuals, of course, but it also puts companies at risk when workers are permitted to use their personally owned devices to access company resources (BYOD). A smartphone carrying malware such as a keystroke logger can compromise an entire network unless strong security measures are in place. Keylogger applications were present in almost half (48%) of all breaches that the Verizon RISK Team investigated or analyzed in 2011. This most likely contributed to the use of stolen credentials in roughly 1 out of 3 breach-related incidents, according to Verizon.
The criminals who execute all forms of phishing attacks are getting better at their craft. That means that all of us need to give pause any time we receive an email or a text message that just doesn’t feel right.