Cybercrime is an increasingly lucrative business, and threat actors keep finding new ways to get their hands on valuable data or to breach personal, corporate or government networks. Just like premeditated crimes in the physical world, the end goal can be reached in a variety of ways: through technical prowess, brute force, deception, or a combination of these.
Deception is an interesting one: instead of relying only on tools, the perpetrator can depend on wits and psychological tactics, taking advantage of the ill-informed, naive, careless or trusting nature of unsuspecting victims.
Phishing attacks are a perfect example of age-old deception techniques repackaged for the new digital world. Chances are, you have heard of phishing and may have even encountered or fallen victim to such an attack. This article will take a closer look at the growing threat of phishing (with comments from several industry experts) to give you a better idea of what it is and what to look out for in the future.
This matters because in recent years businesses have become a bigger target for cyber criminals using malware. In its State of Malware Report 2018, for example, cybersecurity firm Malwarebytes observed that business detections of malware in the APAC region rose sharply, by 273%. In many cases the initial infection is introduced through phishing, other social engineering methods or malicious emails.
The numbers don't lie. In 2017, the Cyber Security Agency of Singapore (CSA) detected up to 23,420 phishing URLs with a Singapore link. Meanwhile, Barracuda's Email Security Trends 2018 study confirmed that email-borne threats are pervasive, with 87% of respondents having faced an email-based security threat in the past year.
Moreover, the 2018 Cisco Annual Cybersecurity Report counted 101,934 phishing URLs and 8,445 phishing domains in March 2017 alone, supporting the notion that phishing is a well-worn tactic for stealing users' credentials and other sensitive information.
To learn what phishing is and the best ways of defending against this sneaky menace, read on.
Phishing Attacks vs Scams vs Spams
Phishing, often categorised as a social engineering attack, is all about deception. In order to breach a system or steal data such as personal or sensitive information, login credentials or credit card numbers, attackers attempt to dupe a victim into opening an email, instant message, text message or malicious link, while making it seem as though it came from a legitimate source.
It is therefore not a coincidence that the pronunciation of the word sounds identical to “fishing”. Attackers put out bait, in this case a fake message, document or site, with hopes that someone or anyone would bite.
According to Jeff Hurmuses, Area Vice President and Managing Director, Asia Pacific, Malwarebytes, today’s phishing attacks are typically carried out by organised groups of cyber criminals.
He explained, “Although it is perfectly possible for an individual to do it (specifically in cases where it is a limited campaign with only a few hundred or thousand e-mails), it is easier for an organized group to establish a process for sending malicious spam/phishing attacks. Also, considering the amount of phishing attacks we see every day and the complexity, individuals would not be able to do it by themselves for any significant amount of time or effort. That’s why we are primarily dealing with organised groups, with individuals bringing different skillsets and talents.”
How is phishing different from online scams? Well, phishing is a type of scam, but scams come in many different flavours. You can say that all phishing attacks are scams, but not all scams are phishing attacks.
What about spam? Spam is essentially electronic junk mail: unsolicited messages, usually commercial advertising, sent in bulk over messaging systems such as email or SMS. On its own it does not try to trick you into doing anything you are not supposed to (other than subscribing to or buying something you might regret later).
However, phishers also use these cheap, high-volume channels to send out their "bait", because in a mass campaign they do not care who the victims are. They want to reach as many potential victims as possible, raising the chance that someone bites.
That is where regular phishing differs from spear phishing, a more targeted form of the attack. Instead of sending out thousands of identical emails, spear phishers spend time researching a particular victim in order to craft a personalised message and the approach most likely to gain that victim's trust.
Jeff from Malwarebytes added that at the end of the day, for phishers, it really comes down to numbers – it’s about “being able to establish numerous staging points for sending malicious emails, developing a generic yet convincing e-mail, and either buying or being paid to distribute malware or redirect users to a phishing page that needs to routinely be rotated to different domains to avoid detection.”
The Devil is in the Details
How do phishers carry out their attacks? James Forbes-May, Vice President of APAC Sales for Barracuda, said that phishing can come in many forms and that some of the most widely used are:
In the early years, phishing scams were fairly easy to spot by anyone with basic IT knowledge who paid attention. Gross spelling or grammar errors, vagueness, suspicious links or attachments, and unusual or misspelled return addresses were clear giveaways that a message was a scam.
Many of those characteristics can still be found in today's phishing attempts, but over the years online scammers have become better at masking their intent, so that a message appears legitimate on casual inspection.
Kerry Singleton, Cyber Security Sales Director for ASEAN, Cisco Global Security Sales Organization (GSSO), warned that today's phishing attacks typically have something else built into them, such as a malware or ransomware payload.
The end goal in most cases, he said, is data. “If attackers are trying to exploit a bank, they would want to get users’ information, credit card information, bank account information, usernames and passwords if possible, and then they would want to sell that data to somebody else who is going to use that data for malicious reasons. So, data is the currency.”
He added, “We sometimes see people trying to deliver malware as a front and a cover to actually start stealing data. The danger is when a phishing attack goes through, it only takes one wrong click for cybercriminals to access a company’s data.”
Don’t Take the Bait
In our opinion, it’s quite easy to spot a phishing attempt if you know what to look out for. Even at AOPG we have received quite a number of phishing emails. Here we will look at a couple of examples.
This first email was made to look like an invoice request from a seemingly legitimate company based in Johor, Malaysia. Attempts to contact the sender were in vain, however: the attacker's objective was not to initiate contact but to lure the reader into opening the attached Word document, named Invoice_O295894.doc.
Scanning the file showed that it was loaded with trojan malware. Without sufficient malware protection, opening that seemingly harmless file could hand the attacker access to, and control of, the enterprise network. Attackers count on the fact that a large number of people work with such documents every day and that many would not think twice about opening one just to see what is inside.
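The invoice lure above relies on a document that carries more than an invoice. As an added example (not from the article or from any vendor quoted in it), the script below performs the kind of static first-pass triage a mail gateway or analyst could run on an attachment before opening it: it checks whether the file's real container matches its extension, and whether a legacy OLE .doc or an OOXML .docx carries a VBA project. The sample attachment contents are constructed in the script; the Invoice_O295894.doc bytes are a stand-in, not the real file from the email. This is a heuristic, not a replacement for an anti-malware engine or a sandbox.

```python
"""Static triage of an e-mail attachment that claims to be an Office document.

Added example: flags attachments that deserve a closer look (sandbox, AV),
it does not declare anything safe.
"""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt container
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docx/.xlsx) is a ZIP
# OLE directory entries store stream names as UTF-16LE; this is the VBA storage.
VBA_STREAM_UTF16 = "_VBA_PROJECT".encode("utf-16-le")

MACRO_FREE_EXTENSIONS = {".docx", ".xlsx", ".pptx"}
LEGACY_EXTENSIONS = {".doc", ".xls", ".ppt"}


def triage_attachment(filename, data):
    """Return a list of findings for one attachment (empty = nothing flagged)."""
    findings = []
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""

    if data.startswith(OLE_MAGIC):
        container = "ole"
    elif data.startswith(ZIP_MAGIC):
        container = "zip"
    else:
        container = "other"

    # 1. Extension/content mismatch: a ".doc" that is really a ZIP, and so on.
    if ext in MACRO_FREE_EXTENSIONS | LEGACY_EXTENSIONS:
        expected = "ole" if ext in LEGACY_EXTENSIONS else "zip"
        if container != expected:
            findings.append(f"extension {ext} does not match file content ({container})")

    # 2. Legacy binary document carrying a VBA project.
    if container == "ole" and VBA_STREAM_UTF16 in data:
        findings.append("OLE document contains a VBA project (macros)")

    # 3. OOXML document carrying vbaProject.bin (macro-enabled content).
    if container == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            names = []
            findings.append("ZIP container is malformed")
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            findings.append("OOXML document contains vbaProject.bin (macros)")
            if ext in MACRO_FREE_EXTENSIONS:
                findings.append(f"macros present but {ext} should be macro-free")
    return findings


# --- constructed sample attachments (not real files) -------------------------
def _fake_ole(with_macros):
    # Only the magic bytes and a VBA stream name are needed for the heuristic;
    # this is not a valid compound file.
    body = OLE_MAGIC + b"\x00" * 504
    if with_macros:
        body += VBA_STREAM_UTF16
    return body


def _fake_ooxml(with_macros):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


SAMPLES = {
    "Invoice_O295894.doc": _fake_ole(with_macros=True),   # the lure from the article
    "quote.docx": _fake_ooxml(with_macros=False),         # clean modern document
    "report.docx": _fake_ooxml(with_macros=True),         # macros hidden in a .docx
    "statement.doc": _fake_ooxml(with_macros=False),      # .doc name, ZIP content
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, triage_attachment(name, blob) or ["no findings"])
```

The point of the mismatch check is that the lure's name is chosen for the reader, not for the parser: the mail client and Office will open the file by content, so the extension tells you nothing reliable on its own. Anything this script flags should go to a sandbox of the kind described later in the article; anything it does not flag has simply passed one cheap heuristic.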
In the second example (note the spelling and grammatical errors), the phisher tried to trick our email users into giving up their login credentials in order to resolve a non-existent technical problem.
Fortunately, many modern browsers warn users about deceptive sites, as ours did when we clicked the link in the email. Not all users are so lucky, however, and many are still unaware that this method of deception exists.
The psychology involved in phishing attacks, in the way they are crafted and targeted, adds to their effectiveness. As James Forbes-May from Barracuda commented, "most phishing attacks try to exploit human nature: compassion, curiosity, the desire to connect, respect for authority, and some negative traits such as fear, greed and temptation, along with the fact that humans make mistakes and have bad habits."
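A browser warning is the last line of defence; the link can also be inspected before anyone reaches the browser. As an added example (not from the article), the script below applies the checks an analyst makes by eye to every link in an HTML message body: a raw IP address as host, a trusted name used as a subdomain of an unrelated registered domain, a punycode label, credentials before an "@" that push the real host out of view, and anchor text that shows one address while the href goes somewhere else. The message body, the links and the trusted-domain list (example.com) are all constructed for this example; the tiny public-suffix table is an assumption good enough for the samples and should be replaced by the Public Suffix List in real use.

```python
"""Inspect the links in a credential-harvesting lure before anyone clicks.

Added example with constructed samples; TRUSTED_DOMAINS is an assumption.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Assumption for the example: registered domains the organisation really uses.
TRUSTED_DOMAINS = {"example.com"}
# Minimal stand-in for the Public Suffix List, enough for these samples.
TWO_LABEL_SUFFIXES = {"co.uk", "com.sg", "com.my", "com.au"}

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_IN_TEXT_RE = re.compile(r"https?://\S+", re.I)


def registered_domain(host):
    """'mail.example.com.account-verify.net' -> 'account-verify.net'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def inspect_url(href, anchor_text=""):
    """Return findings for one link; an empty list means nothing was flagged."""
    findings = []
    parts = urlsplit(href.strip())
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https") or not host:
        return [f"unexpected scheme or missing host in {href!r}"]
    if parts.scheme == "http":
        findings.append("link is plain http")
    if parts.username is not None:
        findings.append("userinfo before '@' disguises the real host")
    try:
        ipaddress.ip_address(host)
        is_ip = True
        findings.append("host is a raw IP address")
    except ValueError:
        is_ip = False
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label (possible homoglyph domain)")

    reg = host if is_ip else registered_domain(host)
    if not is_ip and reg not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            brand = trusted.split(".")[0]
            if brand in host:
                findings.append(f"trusted name {brand!r} in host but registered domain is {reg}")

    # Anchor text that itself looks like a URL must point where it says.
    shown = URL_IN_TEXT_RE.search(anchor_text or "")
    if shown:
        shown_host = (urlsplit(shown.group(0)).hostname or "").lower()
        if shown_host and registered_domain(shown_host) != reg:
            findings.append(f"displayed link {shown_host} but destination is {host}")
    return findings


def inspect_html(body):
    """Map every href in an HTML body to its findings."""
    results = {}
    for m in ANCHOR_RE.finditer(body):
        href, text = m.group(1), re.sub(r"<[^>]+>", "", m.group(2))
        results[href] = inspect_url(href, text)
    return results


# Constructed message body modelled on the "fix your mailbox" lure above.
SAMPLE_BODY = """
<p>Dear user, your mailbox quota is exceded. Click to verify:</p>
<a href="http://mail.example.com.account-verify.net/login">https://mail.example.com/login</a>
<p>Or: <a href="https://xn--exmple-cua.com/reset">Reset password</a></p>
<p>Webmail: <a href="http://203.0.113.5/owa/auth">Outlook Web Access</a></p>
<p>Secure: <a href="https://mail.example.com@203.0.113.5/">Secure login</a></p>
<p>Legitimate: <a href="https://mail.example.com/help">Help centre</a></p>
"""

if __name__ == "__main__":
    for href, findings in inspect_html(SAMPLE_BODY).items():
        print(href, "->", findings or ["no findings"])
```

The most useful single check here is the registered-domain comparison: "mail.example.com.account-verify.net" passes a glance because the familiar name comes first, but the browser will connect to account-verify.net. Reading hosts right to left, as the script does, is the habit that users trained with simulations (see below) are being taught.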
How To Defend Against Phishing?
Defending against phishing requires several tactics and best practices. Kerry Singleton from Cisco said that the number one measure is a comprehensive, always-on email security solution.
"When you look at email security, first you need to look at block lists – to determine what things are legitimate and what things are fake. Next, you need to look at phishing as most email vendors incorporate AI and machine learning into the email security solutions to determine what is malicious and identify trusted domains. So, there are a lot of checks that take place at the email security level as well around reputation," he explained.
Kerry also emphasised the importance of having effective anti-malware protection in place, as well as techniques such as sandboxing, which isolates unknown files and analyses their behaviour to determine their threat level.
Since humans are the main target of these attacks, some large organisations send “Phishing Simulation” emails to employees as an education tool in order to train them against cyber-attacks. “The objective is to educate them on how phishing emails hit targets and how a corporate network can be defended against such attacks. Anyone who clicks on the phishing link is brought to an employee training video to teach them how to avoid engaging with suspicious emails in the future,” he said.
Mirroring Kerry's comments, James Forbes-May added that when it comes to training, "Be sure to involve senior managers and the C-level execs as these time-poor execs are often the worst offenders when it comes to clicking without thinking. Also, train part timers and consultants/partners/contractors. It doesn't matter who clicks on that phishing link, it will be equally damaging."
James also said that in addition to investing in the best email security tools and training staff, businesses should seriously consider multi-factor authentication (MFA), because it means "the hackers can't access accounts with just passwords, neutering their phishing efforts."
Last but not least, Malwarebytes’ Jeff Hurmuses offered the following words of advice. “Never open any emails or links from unknown senders. Keep up to date with the latest software patches to protect vulnerabilities from being exploited, stay vigilant and be up to date with the latest software.”
“Technology is advancing and there is heightened awareness about phishing attacks; at the same time, attackers are adapting to the trends and coming up with new ways to infiltrate network systems. By keeping security networks well protected, it can ensure better safety against unwanted phishing attacks.”