Don’t get hooked by phishing attacks
That old line, “Just because you’re paranoid doesn’t mean they’re not out to get you,” started as a joke.
But when it comes to the online world, they — tens of thousands of malicious hackers — really are out to get you. Globally, 30,000 websites are hacked every day. Which means some controlled paranoia is not only acceptable, it’s crucial.
And that’s why the theme for the final week of national Cybersecurity Awareness Month (CSAM) was “Phishing.” Of all the security threats coming from malicious hackers, the exploitation of the so-called “human element” through methods known as social engineering is the one that can trump even the most sophisticated technology.
That isn’t to say that technology is useless. Christopher Hadnagy, chief human hacker at security consulting and training company Social-Engineer, has taught dozens of courses on social engineering and says that while “technology cannot save us, we still must use it. Firewalls, IDP [identity provider], packet inspection, email filters, AV [antivirus], password managers, VPNs [virtual private networks], etc. are all vital.” While they can’t guarantee 100% protection (nothing does), “we must use them to remove the low-hanging attacks,” he said.
But he and others know from experience that sophisticated phishing attacks — emails designed to trick, seduce, or scare a human into clicking a malicious link, revealing sensitive information, opening a malicious file, or giving up personal or corporate credentials — can let attackers get around the best tech available. Phishing is the most common method of social engineering, perennially ranking in the top five methods by which hackers are able to breach personal or corporate accounts, according to the annual Verizon Data Breach Investigations Report.
Hook, line, and sunk
That’s because it works. According to technology ranking site TechJury, email is responsible for 94% of all malware. And not surprisingly, phishing has become much more credible and harder to spot over the years. No longer are there rampant spelling or grammatical errors in an email addressed to “Dear One,” supposedly from a Nigerian princess.
Attackers frequently have already collected personal or business information about their targets and are ready with fake IRS badge numbers and other “authentication.” They can mention your boss, your colleagues, and other information about your organization to heighten their credibility. It’s easy, given what they can collect from your social media or business networking accounts.
All you have to do to see it in action is watch some videos of the capture-the-flag contest in the social engineering community at DEF CON in Las Vegas every August. Or watch a TED Talk by Hadnagy, during which he plays a recording of a call with an employee of a major U.S. corporation who was one of the 75% of 1,000 employees who fell for an email phishing scam promoting a fake raffle for a free iPhone.
Hadnagy, posing as “Paul from tech support,” got the employee to download a file that he promised would clean up the malware “mess,” but instead gave Hadnagy full access to the employee’s desktop.
The relative ease with which social engineering experts can get people to hand over sensitive, proprietary information to emailers or callers they’ve never met and don’t know can be funny, but also frightening.
Because it doesn’t happen only in contests or by good guys running test scams. It happens in the real world — a lot. As noted, the most common phishing vector is still an email or text message, purportedly from a trusted source, but it comes in multiple other forms as well.
“Vishing” is phishing by phone — what the contestants at DEF CON do. There’s “SMShing,” in which an attacker tries to get a victim to give up private information via a text or SMS message.
There are also video game social engineering scams. One involves an attacker posing as a player who sends a chat message to a victim asking him to join his team — of course complimenting his skills. To join, however, the victim has to download and install an app, presumably necessary to be on the team. The reality, of course, is that the “app” is malware that can steal account credentials.
It’s hard, but possible
In the face of all this, how can anyone — average citizen, corporate employee, or even tax professional — avoid becoming a victim? Well, it ain’t easy. If it were, the problem would have been solved long ago, since many well-crafted security awareness programs have been in place for decades, and every major security conference features multiple presentations on the topic.
The reality is that it’s hard, first because phishing emails have improved so much. Phishers are using “phishing and vishing combined,” Hadnagy said. “They are buying domains, setting up SPF [Sender Policy Framework] and making it more real. Spellcheck is being used, grammar and spelling are no longer strong indicators. One report said that more than 80% of spear phishes [targeting a single person] use personal details from social media.”
Drew Thompson, director of training and enablement with the Synopsys Software Integrity Group, said members of his red team (which tests client organizations’ resistance to phishing) see the same thing: the writing in phishing emails is getting much better.
Second, phishing is expanding beyond email to other platforms — it’s everywhere. “We’ve seen a major increase in SMShing and social engineering over WhatsApp as well as LinkedIn,” said Alex Serebreny, director of information security at Synopsys.
Third, hackers have gotten much better at tapping into emotions with messages that create a sense of fear or urgency. Hadnagy said research shows that “emotional stimuli can trigger physiological and psychological responses before the brain has time to kick in. Logic shuts down when strong emotions are triggered.”
Still, it’s possible to become a much more difficult target with both vigilance and a healthy level of paranoia.
To start, you need to use that paranoia to help you recognize when a communication that may look legit is really a scam. The CSAM website has a list of tips on what phishing emails often contain. They include
- An offer that’s too good to be true
- Language that’s urgent, alarming, or threatening
- Greetings that are ambiguous or generic, although a spear phish email will be addressed to a specific person
- Requests to send personal information
- Urgency to click an unfamiliar hyperlink or open an attachment
- Strange or abrupt business requests
- A sending email address that doesn’t match the company it’s purportedly coming from
To that list, Justin Soderberg, associate principal consultant with the Synopsys Software Integrity Group, has a couple of additions.
- Requests to authenticate to a website with specific credentials
- Suggesting password resets or problems with accounts
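Several of the items in the two lists above are machine-checkable before a human ever reads the message: a sending domain that only looks like the company's, a Reply-To or Return-Path on a different domain, a failed SPF/DKIM/DMARC result in the Authentication-Results header, a link whose visible text names one host while its target is another, and urgency or password-reset wording. The script below is an added example written for this article, not code from the CSAM site, Synopsys, or the consultants quoted. The organization domain, the sample message, the confusable-character table and the keyword lists are all constructed assumptions, and a hit is a prompt to verify through a channel you control, not proof of phishing.

```python
"""Heuristic triage of one raw email for the red flags listed above.

Added example (not code from the CSAM site, Synopsys or the consultants
quoted). The organization domain, the sample message, the confusable table
and the keyword lists are constructed assumptions; a hit is a prompt to
verify through a channel you control, not proof of phishing.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: lookalike sender domain ("rn" for "m"), Reply-To and
# Return-Path on other domains, DMARC failure, urgency lure, and a link
# whose visible text disagrees with its real target.
SAMPLE_MESSAGE = """\
Return-Path: <bounce@mail-notify.example.net>
Authentication-Results: mx.acme-corp.example; spf=pass smtp.mailfrom=mail-notify.example.net; dkim=none; dmarc=fail header.from=acrne-corp.example
From: "ACME IT Support" <it-support@acrne-corp.example>
Reply-To: helpdesk@acrne-corp-accounts.example.net
To: employee@acme-corp.example
Subject: URGENT: your password expires today
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account will be suspended in 24 hours. Reset your password immediately:</p>
<p><a href="https://login.acrne-corp.example/reset">https://login.acme-corp.example/reset</a></p>
</body></html>
"""

# Wording that pressures the reader (CSAM list) or asks for credentials
# (Soderberg's additions). Constructed, deliberately short lists.
URGENCY_WORDS = ("urgent", "immediately", "suspended", "expires today",
                 "within 24 hours", "final notice")
CREDENTIAL_WORDS = ("password", "reset your", "sign in", "log in",
                    "verify your account")
# Character swaps attackers use when registering lookalike domains.
CONFUSABLES = {"rn": "m", "vv": "w", "1": "l", "0": "o", "3": "e", "5": "s"}


def domain_of(header_value):
    """Lower-cased domain part of the first address in a header, or ''."""
    return parseaddr(str(header_value))[1].rpartition("@")[2].lower()


def normalize_confusables(domain):
    for fake, real in CONFUSABLES.items():
        domain = domain.replace(fake, real)
    return domain


def is_lookalike(domain, expected):
    """True when domain differs from expected only by confusable swaps."""
    return (domain != expected
            and normalize_confusables(domain) == normalize_confusables(expected))


def link_mismatches(html):
    """(shown_host, real_host) for anchors whose visible URL text names a
    different host than the href actually points at."""
    found = []
    for href, text in re.findall(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>',
                                 html, re.I | re.S):
        text = re.sub(r"<[^>]+>", "", text).strip()
        if text.lower().startswith(("http://", "https://", "www.")):
            shown = urlparse(text if "://" in text else "http://" + text).hostname
            real = urlparse(href).hostname
            if shown and real and shown != real:
                found.append((shown, real))
    return found


def auth_failures(msg):
    """(mechanism, result) pairs in Authentication-Results that did not pass."""
    header = str(msg.get("Authentication-Results", ""))
    return re.findall(r"\b(spf|dkim|dmarc)=(fail|softfail|none|permerror)",
                      header, re.I)


def triage(raw_message, org_domain):
    """Return a list of human-readable red flags for one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flags = []
    from_domain = domain_of(msg.get("From", ""))
    if is_lookalike(from_domain, org_domain):
        flags.append(f"lookalike sender domain {from_domain} (expected {org_domain})")
    # A different Return-Path is common for legitimate bulk mail; treat as a
    # weak signal. A different Reply-To is the stronger one.
    for name in ("Reply-To", "Return-Path"):
        other = domain_of(msg.get(name, ""))
        if other and other != from_domain:
            flags.append(f"{name} domain {other} differs from From domain {from_domain}")
    for mechanism, result in auth_failures(msg):
        flags.append(f"{mechanism.lower()}={result.lower()} in Authentication-Results")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for shown, real in link_mismatches(text):
        flags.append(f"link shows {shown} but goes to {real}")
    wording = (str(msg.get("Subject", "")) + " " + re.sub(r"<[^>]+>", " ", text)).lower()
    urgency = [w for w in URGENCY_WORDS if w in wording]
    if urgency:
        flags.append("urgency language: " + ", ".join(urgency))
    credentials = [w for w in CREDENTIAL_WORDS if w in wording]
    if credentials:
        flags.append("credential/password request: " + ", ".join(credentials))
    return flags


if __name__ == "__main__":
    for flag in triage(SAMPLE_MESSAGE, "acme-corp.example"):
        print("-", flag)
```

Run as a script it prints the eight flags raised by the constructed sample. In practice the domain mismatch and Authentication-Results checks are what your mail gateway already evaluates for SPF/DKIM/DMARC; the value of looking at them yourself is that a lookalike domain the attacker registered and configured correctly (as Hadnagy describes) will pass SPF and still fail the lookalike test.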
Soderberg said he and his team try to help clients recognize phishing emails by sending test phishes to see if the client’s employees can spot them.
“We have sent phishes to clients claiming they have invalid invoices that need new account numbers, or that there are new stock options requiring the user to sign in and accept them, which collects credentials,” he said. “We use tools that allow us to send malformed PDF files that can lead to the launching of remote agents back to our testers.”
Fortunately, those tests won’t lead to an actual breach. Instead, they will help a company see where the security awareness of their employees needs to be improved.
Verify first, then trust
In general, when confronted with any kind of communication from someone you don’t know, it’s best to modify President Ronald Reagan’s “trust but verify” slogan about dealing with foreign adversaries. In the online world, it should be “don’t trust until you verify.”
That means don’t trust anyone you don’t know even if an email or call looks like it comes from within the company or is a number you think you recognize. Vishers spoof caller ID numbers. To verify, use a channel that you control: call the number or email the address you already have on file, not one supplied in the message itself.
Also, as the CSAM website advises, don’t click any links in an email — even to unsubscribe or reply. You can improve your protection a bit more by blocking the sending address by labeling it junk. CSAM has a list of links that allow you to block a sender in Outlook, Gmail, Mac Mail, and Yahoo! Mail.
And on a call, don’t give out any personal or company information to a caller — even someone who knows enough about you to drop names of colleagues or a supervisor. Those are classic phishing techniques designed to build trust that an attacker can exploit. Remember, it’s easy for hackers to get some information about you. Don’t let that trick you into giving them information they don’t have.
Hadnagy said his social engineering courses focus on teaching students all the techniques that attackers use, because “if you know how to do it, you are much more likely to know when somebody is trying to do it to you.”
And getting savvy to phishing matters — a lot. “We notice a considerable difference in our phishing assessments between customers that conduct regular security awareness training and ones that don’t,” said Thomas Richards, principal security consultant with the Synopsys Software Integrity Group.
“With the companies that perform regular security awareness training, our phishing success rates are in the single digits. Against a company that doesn’t have a strong or mature security awareness training program, our success usually ranges from 20% to 30% and sometimes can be more,” he said.
And that’s more than enough to cause trouble. As the security cliché puts it, security defenders have to get it right every time. Attackers only have to get it right once, or fool one employee in thousands.