Today's topic is about phishing campaigns. Imagine for a moment, you work in an office and respond to e-mail and phone calls all day long. One day, you open up a message that looks to be from your administrator telling you to reset your password. Thinking nothing of it, you click on the link provided in the message and enter your new password. Seems harmless enough right? The next day, you come into the office and notice your desktop suddenly seems different. Folders are on your computer that you did not create. Files you had on your desktop are suddenly missing or appear to have been altered. You have just been victimized by a phishing attack.
These types of attacks take place every day. And it’s not just home users that have to be alert. Businesses, small and large are increasingly being targeted by phishing campaigns on a daily basis. While spam filters have played a great roll in keeping these types of email from your inbox, attackers have grown more sophisticated in their attempts methods.
What is phishing?
Phishing is a form of social engineering attack. Phishing, in general, is designed to bait a user into clicking on a link (that installs malicious software in the background) or into providing sensitive information (such as passwords) that allows attackers to gain a stronger foothold into a computer. If an attacker is able to gain the credentials of a person in power, they can use those elevated privileges to potentially gain access to a businesses entire network infrastructure.
There are different types of phishing attacks as well. Rather than define and go through them all, the InfoSec Institute provides a great read on the various phishing techniques used which can be found at their website. What is important is that everyone is aware of what attackers are doing, and by being aware are able to use better judgement before clicking on a link or opening an e-mail that seems suspicious.
Increasingly, attackers are crafting e-mail and designing web pages to look like legitimate companies (SEE the images below).
Figure 1: Designed to look like an Outlook Web App notification. Provided courtesy of https://krebsonsecurity.com/2013/08/washington-post-site-hacked-after-successful-phishing-campaign/
Figure 2: Designed to look like a message from DHL. Provided Courtesy of https://krebsonsecurity.com/2014/12/be-wary-of-order-confirmation-emails/comment-page-1/
Figure 3: Designed to look like a Netflix notification. Provided courtesy of https://resources.infosecinstitute.com/category/enterprise/phishing/
Diagram of an attackers methodology
Figure 4 APT attack against an industrial control system (ICS).
The above is a diagram of an advanced persistent threat (attacker) using a phishing attack against a senior level employee to gain elevated privileges. Although figure 4 is a demonstration against an Industrial Control System, the same methodology is applicable to much smaller businesses with much less security in place. The attacker sends out an e-mail over the internet. The user, not recognizing the attachment as malware clicks on the attachment, which infects the system with malware or even a remote access trojan, creating a back door for future entry. With access to a senior admins credentials, the attacker can navigate to files or databases storing sensitive information or even take control of network infrastructure.
Why attackers like to go phishing
There are several reasons attackers prefer to use phishing tools against their victims. But the best three reasons are it’s cheap, it’s efficient and it’s effective.
Attackers have the capability of automating their phishing attacks, meaning they can target multiple victims at a time. While most people have effective spam folders or other tools in place to address phishing attempts, all it takes is for one user to click on a malicious link or attachment and the attacker potentially has a foothold into the company’s network. Author and security expert Marc Goodman, conveys how attackers can easily purchase 'kits sold on the digital underground capable of sending 500,000 phishing emails for the low cost of sixty-five dollars' (Future Crimes, 2015).
According to a report by the InfoSec Institute, at least “fifty percent of internet users receive at least one phishing email per day. Even more alarming, the report goes on to state, "ninety-seven percent of people in the world cannot identify a phishing e-mail and one out of 25 people actually click on phishing e-mails." Needless to say, if an attacker can run automated scans against so many people who are not aware of what to look out for, the odds of a successful attack are significantly high.
Phishing attacks have proven to be very successful. From home end users and small businesses to large organizations and governmental agencies, everyone is potentially vulnerable. According to a report by Forbes, phishing scams cost american businesses alone, upwards of half a billion dollars.
What does a phishing campaign entail?
A phishing campaign pertains to sending out a series of carefully crafted e-mails that contain potentially malicious material (or re-directs users to a fake site), to all employees at an organization. The messages are designed to look legitimate in order to trick as many end-users as possible into opening up an attachment or by clicking on a link and submitting personally identifiable information. The overall goal is to examine user behavior and analyze what employees are falling prey to. This allows for IT management or a managed service provider (MSP) to facilitate a plan of action in order to raise awareness and reduce or mitigate the prospects of a future phishing attack being successful.
Why conduct phishing campaigns?
Your employees are your front line of defense to your business. Every business is only as strong as its weakest link. The most common weakest link that attackers attempt to exploit are people. While computers and devices joined to a network can have mechanisms in place to protect or safeguard data (i.e. Access Control mechanisms, Anti-Virus, firewalls), humans do not have that same capability. So the best way to address phishing attacks is through awareness and training. By knowing what attackers are after and what methods are used, employees are better able to point out a fake or attempted phishing e-mail.
Conducting phishing campaigns raise awareness and understanding. In return, awareness significantly reduces the chances employees will click on or open up suspicious e-mails. By conducting phishing campaigns management is in a position to see who is likely to click on malicious e-mails or open up questionable attachments and create a program to better educate employees on what to look out for.
It is important to stress that phishing campaigns should be approached as a fun learning experience, or even a game for your employees with an incentive to learn and progressively get better. Because if taken too seriously, employees may feel they are being targeted or discriminated against and less inclined to participate in the future. Always try to remember, the goal of phishing campaigns is to strengthen your front line of defense; your employees.
I think I might be a victim to a phishing attack. What do I do?
If you suspect you may have fallen victim to a phishing attack notify your IT department or IT service provider immediately. Aside from that, here are a few recommendations:
1. Change your password. Changing your password hinders an attacker from gaining access with those stolen credentials.
2. Use 2 factor authentication (2FA). Regardless of what platform you use for e-mail (i.e. Gmail, Outlook, Yahoo), if the platform offers 2FA make sure you set it up immediately. 2FA adds an extra layer of security in the event that a password is stolen, without a verification code submitted via 2FA, the attacker cannot gain access.
3. Consider using a password managing tool. Utilizing a password management tool (i.e. LastPass, Keepass, or Password Safe) stores all of your passwords into one location. This way you are not forced to try and remember several different account passwords. You only need to remember one, and that is to access the password managing tool.
4. Use a password generator. The stronger and more complicated your password is, the harder for an attacker to steal it. However, it can also make it hard to remember. So we encourage using a password generator as well as a managing tool to store those strong passwords.
If you feel you may have been victimized and would like assistance, or just want more information, don't hesitate to contact us.
Goodman, M. (2016). Future crimes: Inside the digital underground and the battle for our connected world. New York: Anchor Books, a division of Penguin Random House, LLC. Pg. 172-175
Johnson, C. (n.d.). 15 Examples of Phishing Emails from 2016-2017. Retrieved from https://www.edts.com/edts-blog/15-examples-of-phishing-emails-from-2016-2017
Security Awareness Statistics. (n.d.). Retrieved September 20, 2018, from https://resources.infosecinstitute.com/category/enterprise/securityawareness/security-awareness-fundamentals/security-awareness-statistics/