Corin Imai, Senior Security Advisor at DomainTools, discusses the phishing scams which will populate the threat landscape in 2019 and how to protect your organisation from them.
As we move further into 2019, the uncertainty of recent years shows no signs of slowing down. What remains consistent in these inconsistent times, however, is phishing. In fact, according to PhishMe’s Enterprise Phishing and Resilience Defense Report, phishing attempts grew 65% in 2018.
Additionally, a staggering 1.5 million new phishing websites are created each month according to WebRoot’s Threat Report, and perhaps most worrisome, Intel found that 97% of people, regardless of Internet-literacy, were unable to identify a sophisticated phishing email.
With this information in mind, it is clear that whereas other types of cybercrime fluctuate, moving in and out of fashion, phishing has only become more popular; human error remains the most profitable vulnerability there is.
The consequences of falling victim to a phishing scam can be dire. It is the cyber equivalent of an open goal, allowing an attacker to target the victim’s data, enter their network or target them even more specifically using the compromised credentials. The best way to protect your organisation is to understand the kinds of phishing scams which populate the threat landscape in 2019.
Casting a wide net: The ‘classic’ email phishing scam
These phishing scams are the ones that you are most likely to be exposed to as a consumer. The premise remains simple: choose a well-known and trusted brand, such as Apple or Microsoft, or a government department that people feel uncomfortable ignoring, such as HMRC or the IRS. Then design an email pretending to be from this brand, asking the victim to click on a link to reset their account, claim a tax rebate, etc.
The email will include a malicious PDF or Word document, or a URL leading to a malicious website which will steal login details or install malicious software on the device; either way, the victim has now been compromised.
While these scams are common, that does not necessarily mean that they are unsophisticated. The infamous Netflix phish which plagued users of the content streaming platform in 2017 is one obvious example: the email was exceptionally similar to the legitimate Netflix landing page. The email included imagery which promoted original Netflix content, and the phishing page used encrypted client-side HTML, which stopped antivirus scanners from checking whether the code contained malicious elements that would have warned potential victims that something was not right.
Phishing for a big catch: Spear phishing and BEC scams
Spear phishing is exactly what the name would suggest; it is an attempt by a threat actor to target specific individuals within an organisation, for a specific reason. The reasons can vary widely, but they usually relate to financial gain or data exfiltration in the same way normal phishing scams do – but often with significantly increased stakes.
If a threat actor approaches an individual within an organisation with the intent of extracting company funds, the sum involved tends to be a more significant amount than in traditional phishing scams. This specific subset of spear phishing is known as whaling, BEC (Business Email Compromise) or CEO fraud, and often sees the threat actor impersonating a senior executive within the business to approach a member of the finance or HR team to facilitate a fraudulent transfer of company funds or Personally Identifiable Information (PII) relating to employees.
BEC fraud preys on individuals’ desire to perform well at work; fraudsters assume that individuals would rather perform a task quickly when asked by the ‘CEO’ than question it. It is an assumption that pays dividends: according to the FBI, BEC scams have provided fraudsters with in excess of $12 billion between 2013 and 2018.
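The impersonation pattern described above (an executive’s name on a message that does not come from their real mailbox, replies redirected elsewhere, and payment or urgency language) can be checked mechanically at the mail gateway. The following is an added example, not code from the article or from DomainTools; the executive directory, corporate domain and the two sample messages are all constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed directory for this example: the real sending addresses of senior staff.
CORPORATE_DOMAIN = "examplecorp.com"
EXECUTIVES = {"Jane Doe": "jane.doe@examplecorp.com"}
PAYMENT_WORDS = ("wire", "transfer", "invoice", "payroll", "gift card", "w-2", "urgent")

BEC_SAMPLE = """From: Jane Doe <jane.doe.ceo@freemail.example>
Reply-To: Jane Doe <jd-private@othermail.example>
To: finance@examplecorp.com
Subject: Urgent wire transfer before close of business

Are you at your desk? I need a wire transfer processed today, keep this confidential.
"""
LEGIT_SAMPLE = """From: Jane Doe <jane.doe@examplecorp.com>
To: finance@examplecorp.com
Subject: Monday agenda

Please see the attached agenda for Monday.
"""

def _norm(name: str) -> str:
    return " ".join(name.lower().replace(".", " ").split())

def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def bec_indicators(raw: str) -> list:
    """Return the BEC warning signs found in one raw RFC 822 message (empty list if none)."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    # Display name of a known executive, but the address is not their corporate one.
    if (_norm(name) in {_norm(n) for n in EXECUTIVES}
            and addr.lower() not in {a.lower() for a in EXECUTIVES.values()}):
        findings.append("exec-display-name-from-unknown-address")
    # Replies silently redirected to a different domain than the one that sent the mail.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != _domain(addr):
        findings.append("reply-to-domain-mismatch")
    # Payment or urgency language in subject or body, the lever BEC relies on.
    text = (msg.get("Subject", "") + " " + (msg.get_payload() or "")).lower()
    if any(w in text for w in PAYMENT_WORDS):
        findings.append("payment-or-urgency-language")
    return findings
```

A message that trips the first indicator is a good candidate for a hold-and-verify workflow rather than an outright block, since executives do occasionally mail from personal accounts.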
Cybersquatting (also known as domain squatting or typosquatting) is the act of registering a domain name with the purpose of getting monetary benefit from a trademark that belongs to someone else.
These domains are often used in phishing email campaigns and various other kinds of scams, including pay-per-click ads (often for competitors’ services), for-profit survey sites and affiliate program abuse, or more nefarious content like ransomware and drive-by download campaigns. These methods can be incredibly sophisticated and difficult to spot: the ‘secure’ padlock, for example, is now present on half of all phishing sites, which renders it essentially useless as a sign of legitimacy.
In terms of phishing campaigns, cybersquatting is used to add a further cloak of legitimacy to phishing emails, with a link back to a cybersquatting site included. The assumption is that the victim will not pay close enough attention to notice that the URL is not legitimate. DomainTools uncovered this practice in 2017 occurring on over 300 websites associated with large UK banks, intending to steal financial information and online banking login credentials.
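The assumption that the victim will not look closely at the URL can be turned around by the defender: links in inbound mail can be compared against the brands an organisation owns and flagged when the host is a homoglyph, a one-character typo, a TLD swap, or a domain with the brand buried inside it. This is an added example, not code from the article or from DomainTools; the brand list, the sample email and the simplified registrable-domain rule are assumptions made for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed data for this example: list every domain the organisation really owns.
PROTECTED_BRANDS = ["examplebank.com"]
SAMPLE_EMAIL = ("Your account is locked. Verify at https://examp1ebank.com/reset or "
                "https://examplebank.com.secure-verify.net/ today. Help: https://www.examplebank.com/help")
URL_RE = re.compile(r"https?://[^\s<>\"']+")
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

def normalise(label: str) -> str:
    """Collapse common visual look-alikes (digits for letters, rn->m, vv->w)."""
    return label.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character typos of the brand label."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_domain(host: str) -> str:
    """Simplified registrable domain: last two labels, or three for co.uk-style suffixes."""
    parts = host.lower().strip(".").split(".")
    if len(parts) >= 3 and parts[-2] in {"co", "org", "ac", "gov"} and len(parts[-1]) == 2:
        return ".".join(parts[-3:])
    return ".".join(parts[-2:])

def classify_host(host: str) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for one hostname."""
    host = host.lower()
    reg = registrable_domain(host)
    for brand in PROTECTED_BRANDS:
        if host == brand or host.endswith("." + brand):
            return "legitimate"
        brand_label = normalise(brand.split(".")[0])
        reg_label = normalise(reg.split(".")[0])
        if (reg_label == brand_label                          # homoglyph or TLD swap
                or levenshtein(reg_label, brand_label) <= 1   # one-character typo
                or brand_label in normalise(host)):           # brand buried in another domain
            return "lookalike"
    return "unrelated"

def scan_email_links(text: str) -> list:
    """Extract every URL from an email body and classify its host."""
    return [(url, classify_host(urlparse(url).hostname or "")) for url in URL_RE.findall(text)]
```

A production version would replace `registrable_domain` with a Public Suffix List lookup and feed the lookalike hits into domain-monitoring and takedown processes.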
SMS phishing is much the same as the other variations of phishing discussed, with the crucial difference that the method of delivery is a text message as opposed to an email. While awareness of phishing campaigns has increased in the last few years, the habit of clicking on unsolicited links on mobile devices is still widespread, and the consequences can still be significant.
Downloading malicious applications onto a mobile device can compromise exactly the same kind of PII as a malware infection on a PC, and the increasingly blurred lines between our working lives and our home lives mean that an infected mobile could very easily enter a corporate network, compromising further sensitive data.
To reduce the significance of phishing as a threat vector, both organisations and individuals need to engage in educational measures to make it an unprofitable method. On an individual level, this is achieved via education and by encouraging individuals to exercise extra caution when clicking on any unsolicited links. Educating employees about the dangers phishing poses, and the tell-tale signs to look out for, goes a long way.
On an enterprise level, educational measures should be deployed in conjunction with up-to-date antivirus and anti-malware solutions to nullify the damage if your organisation is targeted by a phishing scam. Organisations should also be proactive in understanding the phishing landscape and any specific phishing campaigns that have been identified.
There’s no foolproof method to stop phishing – threat actors have worked hard to make this the case. However, engaging with education and understanding the types of threats which are prevalent gives your organisation a fighting chance of remaining secure.