When it comes to phishing, fraudsters use timing, trends, and technical modifications to make their phishing attacks work better, says Limor Kessem, global executive security advisor, cyber security researcher, IBM Security. “We can see seasonal trends with phishing, mostly around tax time and the holiday season, but phishers prey on users whenever a popular subject arises, like major sporting events, or news about something that affects the entire nation,” she says.
Kessem adds that phishers rely on a variety of established methods that they shuffle to keep evading spam filters and detection. Recent campaigns, she says, have featured different site-redirection schemes, malicious URLs served from within benign productivity files, malware payloads wrapped in multiple layers of different file formats, and numerous fake domains registered to serve malicious content and malware.
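Two of the tricks Kessem lists, URLs carried inside a benign productivity file and payloads wrapped in several layers of file formats, can both be surfaced statically. The following is an added example, not code from the article or from IBM: OOXML files (.docx/.xlsx/.pptx) are ZIP containers whose hyperlinks live as `<Relationship TargetMode="External">` entries in their `*.rels` parts rather than in the visible text, and wrapper archives can be unwrapped layer by layer until something that is not an archive appears. The one-link .docx, the zip-inside-zip wrapper and `SAMPLE_URL` are all constructed in memory and stand in for real samples.

```python
"""Peel nested archives and list the external URLs inside any Office file found."""
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
SAMPLE_URL = "http://docs.example.invalid/r/7f3a"   # constructed; stands in for a redirector

# Constructed minimal .docx parts: one paragraph holding one hyperlink.
CONTENT_TYPES = (
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
    '<Default Extension="xml" ContentType="application/xml"/>'
    '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
    '</Types>'
)
ROOT_RELS = (
    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
    '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>'
    '</Relationships>'
)
DOCUMENT_XML = (
    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
    'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
    '<w:body><w:p><w:hyperlink r:id="rId1"><w:r><w:t>View invoice</w:t></w:r></w:hyperlink></w:p></w:body>'
    '</w:document>'
)
DOCUMENT_RELS = (
    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
    '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" '
    'Target="{url}" TargetMode="External"/>'
    '</Relationships>'
)


def build_docx(url: str) -> bytes:
    """Write the four parts above into a ZIP; Word would open the result as a document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES)
        z.writestr("_rels/.rels", ROOT_RELS)
        z.writestr("word/document.xml", DOCUMENT_XML)
        z.writestr("word/_rels/document.xml.rels", DOCUMENT_RELS.format(url=url))
    return buf.getvalue()


def wrap_in_zip(name: str, data: bytes) -> bytes:
    """Add one more wrapper layer: `data` becomes member `name` of a fresh ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(name, data)
    return buf.getvalue()


def is_ooxml(data: bytes) -> bool:
    """An Office document is a ZIP that carries a [Content_Types].xml part."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return False
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return "[Content_Types].xml" in z.namelist()


def external_targets(doc: bytes) -> list[str]:
    """Every TargetMode="External" relationship target in an OOXML container."""
    found = []
    with zipfile.ZipFile(io.BytesIO(doc)) as z:
        for part in z.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(part))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode") == "External":
                    found.append(rel.get("Target"))
    return found


def scan(data: bytes, path: str = "<input>", depth: int = 0, max_depth: int = 8) -> dict[str, list[str]]:
    """Peel wrapper ZIPs layer by layer and collect URLs from any Office file found.

    Returns {virtual_path: [urls]}. Depth is capped so a self-nesting archive
    cannot make the scanner recurse forever.
    """
    results: dict[str, list[str]] = {}
    if depth > max_depth:
        return results
    if is_ooxml(data):
        results[path] = external_targets(data)
    elif zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            for member in z.namelist():
                if not member.endswith("/"):
                    results.update(scan(z.read(member), f"{path}/{member}", depth + 1, max_depth))
    return results


if __name__ == "__main__":
    sample = wrap_in_zip("invoice.zip", wrap_in_zip("invoice.docx", build_docx(SAMPLE_URL)))
    for virtual_path, urls in scan(sample).items():
        print(virtual_path, urls)
```

Run against real mail attachments, the interesting part is not the one URL but the shape: a document whose visible text says nothing and whose `*.rels` parts point at a shortener or redirector is exactly the pattern Kessem describes. Other container formats (RAR, 7z, ISO) would need their own unpackers; only ZIP is handled here.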
Facebook’s Greene has similar experiences. “The threat landscape is always changing and the cybercriminals are always looking for ways to look more legitimate and increase believability,” Greene says. “Over time, the language used in lure emails has become more polished and often lacks the grammatical or spelling errors that were easy giveaways in classic phishing lures.”
This past year has seen a sharp increase in the number of business email compromise (BEC) scams, like CEO fraud, according to Symantec’s 2017 Internet Security Threat Report. In CEO fraud, an attacker impersonates the chief executive or another top executive to get the CFO or the accounts payable department to put through a wire transfer, or to release confidential or valuable information to the attacker. BEC scams alone have cost enterprises more than $5 billion between October 2013 and December 2016, according to the FBI.
This past year has also seen a huge uptick in W-2 phishing scams, which aim to get organizations to hand over sensitive tax-document information in response to a fraudulent email purporting to come from the Internal Revenue Service, or from a high-level executive at the organization requesting payroll or HR records. Tax phishing emails jumped 870 percent in 2017, according to the IRS Return Integrity Compliance Services.
Given most employees’ fear of running afoul of the IRS, these phishing scams tend to have a 25 percent success rate, according to the IRS. In a 2017 press release aimed at warning employers about this onslaught, Tamara Powell, acting director of the IRS Return Integrity Compliance Services, called these attacks “one of the most dangerous email phishing scams we’ve seen in a long time.”
Greene says that in these more sophisticated attacks, “it’s not unusual for there to be an intermediate target who is only being phished to compromise his or her account and send the next lure to the ‘real’ target. Once the intermediate account is compromised, the lure can be added to an existing email thread using real content in the proper context to be believed.”
And while some attackers are aiming high with more up-market spear-phishing, many are taking a shotgun approach, phishing often and aggressively at as many targets as they can reach. In other words, cyber-criminals are aiming both high and low, going after quality and quantity, potentially big payoffs as well as smaller ones, in an effort to get access to information or entry into corporate systems wherever they can. In 67 percent of cases, corporate employees are the victims of spoofing and impersonation, but they also fall prey to branded or seasonal attacks, according to the IronScales report.
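The CEO-fraud, W-2 and spoofing-and-impersonation patterns above share three header-level tells that a mail gateway or SOC script can check before any human sees the message. The following is an added example, not code from the article or from IronScales, Symantec or the FBI; `ORG_DOMAIN`, the `EXECUTIVES` roster and the sample messages are constructed assumptions. It flags an executive's display name on an address that is not that executive's mailbox, a `Reply-To` that steers replies to another domain, and a sender domain that is a lookalike of the organization's own after folding common confusable characters.

```python
"""Header checks for display-name impersonation, Reply-To redirection and lookalike domains."""
import unicodedata
from email import message_from_bytes, policy
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                         # assumption: the defended organization
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # assumption: VIP roster, names lower-cased


def skeleton(label: str) -> str:
    """Fold common confusables so examp1e / exarnple / éxample all become example."""
    s = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode().lower()
    s = s.replace("rn", "m").replace("vv", "w")
    return s.translate(str.maketrans("0135", "oles"))


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; fine for domain-length strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def classify(raw: bytes) -> list[str]:
    """Return a list of findings; an empty list means none of the three patterns matched."""
    msg = message_from_bytes(raw, policy=policy.default)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(from_addr)
    findings = []

    # 1. Display-name impersonation: a VIP's name, but not the VIP's mailbox.
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        findings.append(f"display-name impersonation: '{from_name}' <{from_addr}>")

    # 2. Reply-To redirection: the visible From looks right, replies go elsewhere.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append(f"reply-to redirect: From {from_domain}, Reply-To {domain_of(reply_addr)}")

    # 3. Lookalike sender domain: within two edits of ours after confusable folding.
    if from_domain and from_domain != ORG_DOMAIN:
        if levenshtein(skeleton(from_domain), skeleton(ORG_DOMAIN)) <= 2:
            findings.append(f"lookalike domain: {from_domain} ~ {ORG_DOMAIN}")
    return findings


# Constructed sample messages (minimal headers, CRLF line endings).
SAMPLES = {
    "ceo_fraud": (b"From: Jane Doe <jane.doe@freemail.invalid>\r\nTo: ap@example.com\r\n"
                  b"Subject: Urgent wire before 5pm\r\n\r\nAre you at your desk?\r\n"),
    "lookalike": (b"From: Jane Doe <jane.doe@examp1e.com>\r\nTo: hr@example.com\r\n"
                  b"Subject: W-2s for all staff\r\n\r\nSend me the PDFs today.\r\n"),
    "reply_to": (b"From: Jane Doe <jane.doe@example.com>\r\nReply-To: jane.doe@freemail.invalid\r\n"
                 b"To: ap@example.com\r\nSubject: Vendor bank change\r\n\r\nNew details attached.\r\n"),
    "legit": (b"From: Jane Doe <jane.doe@example.com>\r\nTo: ap@example.com\r\n"
              b"Subject: Q3 numbers\r\n\r\nThanks all.\r\n"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify(raw) or ["clean"])
```

The caveat worth keeping in mind is what this does not catch: the intermediate-target attack Greene describes arrives from a genuinely compromised mailbox, inside a real thread, with every header in order. That case is why the out-of-band confirmation step for wire transfers discussed later in this piece matters more than any header rule.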
There are also simply more cyber-crime and black-hat hacker groups actively targeting businesses than there were in the past, according to Kessem. “Malware groups that operate banking Trojans, for example, are more focused on businesses in search of heftier amounts of money to steal,” she says, adding that Dridex, TrickBot and Qakbot were all Trojans that preyed almost entirely on business and corporate banking customers.
School of Phish
Phishing is a problem that is both technical and human in nature, so it is not surprising that the experts agree: any credible effort to mitigate the risk and impact of phishing, especially against high-value targets, has to combine technology with human training.
Kessem believes the real issues with phishing “begin and end with the human factor. Without proper education and awareness, employees will remain the weakest link no matter what sort of tools and technology are being used.” To address this, she recommends that CISOs launch an awareness campaign across the organization that keeps phishing in employees’ minds through recurring, visual reminders about common risks, best practices, and the importance of security to the organization.
Greene points out that Facebook is a contributor to and member of the FIDO Alliance, which develops standards and interoperability for authentication technologies. Such technologies could help stem the tide of these fraudulent emails, messages and texts. In addition, Greene adds, the social network has implemented support for hardware security keys, giving users a two-factor authentication option that mitigates the misuse of stolen passwords.
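What makes a FIDO security key different from a one-time code is that the assertion it produces is bound to the site the user is actually on, so a password (and even a key press) harvested on a lookalike page is useless to the attacker. The following is an added example, not Facebook's or the FIDO Alliance's code, modelling the checks a WebAuthn relying party performs before it even looks at the signature: the browser, not the page, writes `origin` into clientDataJSON and restricts the rpId to the visited host or a parent of it, so an assertion relayed from a lookalike site fails the origin check. `RP_ID` and `ALLOWED_ORIGINS` are assumed values, and the signature over authenticatorData and the client-data hash is deliberately left out (assumption: only the pre-signature checks are shown).

```python
"""Why a security key does not help a lookalike site: the assertion is origin-bound."""
import base64
import hashlib
import json
import secrets

RP_ID = "example.com"                                                # assumption
ALLOWED_ORIGINS = {"https://example.com", "https://www.example.com"}  # assumption
UP_FLAG = 0x01  # authenticatorData flags bit 0: user present


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def rp_id_allowed(host: str, rp_id: str) -> bool:
    """Browser rule (simplified): rpId must be the visited host or a parent domain of it."""
    return host == rp_id or host.endswith("." + rp_id)


def browser_assertion(visited_origin: str, challenge: str, rp_id: str = "") -> tuple[str, bytes]:
    """Model of what navigator.credentials.get() hands back to the calling page.

    The browser fills in `origin` from the address bar and refuses an rpId that
    is not the visited host or one of its parents; the page controls neither.
    """
    host = visited_origin.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0]
    rp_id = rp_id or host
    if not rp_id_allowed(host, rp_id):
        raise ValueError(f"rpId {rp_id!r} is not a suffix of visited host {host!r}")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": visited_origin})
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([UP_FLAG]) + (1).to_bytes(4, "big")
    return b64url(client_data.encode()), auth_data


def rp_verify(client_data_b64: str, auth_data: bytes, expected_challenge: str) -> tuple[bool, str]:
    """The relying party's checks from the WebAuthn assertion procedure, before signature verification."""
    try:
        cd = json.loads(unb64url(client_data_b64))
    except (ValueError, UnicodeDecodeError):
        return False, "clientDataJSON not parseable"
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replay or stale)"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {cd.get('origin')!r} is not ours"
    if len(auth_data) < 37 or auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & UP_FLAG:
        return False, "user presence not asserted"
    return True, "ok"


def simulate(visited_origin: str, rp_id: str = "") -> tuple[bool, str]:
    """The real RP issues a challenge; the page at visited_origin (honest or lookalike) relays it."""
    challenge = b64url(secrets.token_bytes(32))
    cd, ad = browser_assertion(visited_origin, challenge, rp_id)
    return rp_verify(cd, ad, challenge)


if __name__ == "__main__":
    print("honest site  :", simulate("https://example.com"))
    print("www subdomain:", simulate("https://www.example.com", rp_id="example.com"))
    print("lookalike    :", simulate("https://examp1e.com"))
```

The lookalike page can relay the real site's challenge to the victim's browser in real time, and the user can tap the key, but the browser stamps `https://examp1e.com` into the client data and the relying party rejects it. A code-based second factor has no such binding, which is why it still falls to real-time phishing proxies.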
Education about phishing and online scams has become a part of many organizations’ toolkits, and law enforcement and industry regulators including the SEC, the IRS, and the FTC post advice on their web sites, Kessem adds. She believes that every organization should plan and implement its own customized educational process about online threats, and follow best practices from NIST, ISACs (Information Sharing and Analysis Centers) and other organizations in order to standardize security practices.
“Role-based training should be provided to users across the organization, from the C-suite to accounting, HR, the IT staff, administrative workers, and any other group, to ensure that each employee understands the risks, their potential exposure in their specific role, and ways to respond if ever they suspect an issue,” Kessem adds. “Security policies and standards should be clear and communicated to all employees. Then have them sign a document outlining their own responsibility to uphold those standards on the company’s infrastructure and equipment.”
Ransomware questions become more complex
The complex web of mitigating, preparing for and responding to ransomware threats is becoming all the more tangled for enterprises, as they wrangle with concerns around ethics, business case, and a changing security and technological infrastructure.
That is the over-arching message from Brendan Griffin, threat intelligence manager for the intelligence operations group at PhishMe, who discussed existing and emerging issues around ransomware during an SC Media 20/20 webcast in October. Griffin’s comments during the webcast, dubbed “Know Your Ransomware Enemy,” offer insight into the growing challenges of responding to ransomware demands, and advice on what enterprise IT security teams can do to better protect themselves, their customers and their sensitive data.
Because the people behind ransomware scams do not always act in good faith, Griffin says the question of whether an enterprise should pay the ransom, even when paying looks like the cheapest and easiest way to regain access to locked-down data, and whether the attackers can be trusted to hand back control at all, comes down to making an educated business decision.
Griffin points out that for hospitals, government agencies or enterprises that manage crucial infrastructure and utilities, “the stakes can be much higher for not paying the ransom. Lives are on the line there.” For these organizations, there are also ethical questions surrounding how they handle ransomware demands, “and that’s why ransomware has such a grip on some entities,” Griffin adds. “It’s not just about the cost, but how long we can [ethically] delay the services we provide.”
In many cases, Griffin says, organizations weigh their ransomware response in terms of the technical issues rather than the business case: the impact of downed or delayed services, the missing data that would need to be replaced, and the ultimate cost of that data being exploited by cybercriminals.
He points out that often the simplest (and the best) mitigation for email-borne attacks is a basic change in protocols and procedures; for CEO fraud, that means a phone call to the CEO or the CFO to confirm an urgent wire transfer they supposedly requested by email. “Any request for a wire transfer should go through a particular process,” Griffin says. “Information security is spilling over, beyond technical, into other parts of the business which may have been seen as isolated from worrying about these things before.”
On the question of restoring from backups after an attack, Griffin says that while the conventional thinking is that regular backups of corporate data and systems are the best defense against ransomware, savvy cyber-criminals anticipate this and will encrypt network-reachable backups and restore points as well. “There’s a risk in relying on backups too much,” he notes. “Nothing should be on the network that you cannot afford to lose.” For mission-critical data and systems, he recommends a separate, air-gapped backup.
With the explosion of Internet of Things devices in enterprise settings, the ransomware challenge is likely to get more difficult before it gets easier. “Once [ransomware] reaches the Internet of Things, it becomes harder to redress the issue,” Griffin says. Many of these IP-connected machines may not have security built in, and they are not designed with vulnerability patching in mind. “This will introduce a whole new aspect [of ransomware] and new challenges for security professionals.”