2016 has been widely acknowledged as the year of ransomware. However, many people also look back on 2016 as the year phishing became a mainstream concept, with the Anti-Phishing Working Group (APWG) observing a 250% increase in the number of phishing websites between October 2015 and March 2016.
Phishing is a quick and easy way for someone to steal a user’s credentials, and no region, industry or organisation is safe from attackers who want to compromise their data. With that in mind, let’s take a look back over some of the hard-hitting phishing attacks of 2016, and how to protect against them.
Phishing, and targeted phishing in particular, is the logical evolution of cybercrime. Rather than focusing on stealing user data to sell on later (of which there are still plenty of incidents), attackers now use phishing as a more direct means of theft: extorting money from their victims. Because of this, it is no surprise that the number of phishing attacks in 2016 increased dramatically.
At the same time, we saw a huge increase in the use of phishing emails as a delivery vehicle for ransomware; by the end of March 2016, phishing was the number one delivery vehicle for ransomware, with 93% of all phishing emails containing a malicious link or attachment.
The reason for this high proportion is that ransomware is easy to send and offers a quick return on investment. The emails look legitimate, but the link they carry or the attachment they ask the user to open delivers code that encrypts the user's data and demands payment.
Victims will then often pay the ransom to retrieve their data, so instead of working hard to steal personal data and sell it on the web, hackers can just wait for the money to roll in.
For example, in April 2016, many people received emails claiming they owed money to British businesses or charities and that they could print an invoice by clicking on a link in the email.
As a result, many users had their files encrypted and ransom demands were made. What made this campaign particularly successful was that the email delivering the ransomware contained personal information about the recipient, including their home address.
Similar phishing campaigns have been conducted relying on familiarity with household brand names.
In addition to these newer forms of phishing, the standard credential-stealing email continues to grow in popularity.
This method will not disappear until two-factor authentication becomes the norm for every service we use. Accounts protected by a single factor are particularly vulnerable to this type of attack, because the password is all the attacker needs, and the password is exactly what the email asks the victim to type.
One such example of credential theft towards the end of 2016 involved cybercriminals targeting customers of every UK bank, posing as customer support staff on Twitter in order to trick users into revealing their online banking details.
Don’t take the bait in 2017
It’s safe to say phishing will continue to be a popular attack method in 2017. This year has already seen a highly sophisticated Gmail attack that has been tricking even the most knowledgeable of people, web browser autofill being used to steal details, and a number of infected Android apps in the Google Play store reportedly stealing Instagram passwords.
Despite its relentlessness, an organisation can protect itself and its employees by employing a Trusted Access approach:
Enable two-factor authentication for every login. Even if online criminals manage to steal usernames and passwords, they still can’t log in without the second factor, typically the user’s phone. One caveat: a phishing page that also asks for the one-time code and relays it to the real site in real time can still get in, so a second factor that is bound to the genuine site rather than typed by the user resists phishing better than a code alone.
Assess risks by conducting phishing simulations. Evaluate your company’s likelihood of being phished by using a phishing simulator tool.
For example, research from Duo Security found that 31% of 11,542 participants in a phishing simulation clicked on the link in the email sent to them. This data can then be used to educate users and employees, as well as helping make security budget decisions.
Always stay vigilant. Watch for typos or other signs the email may not be legitimate, especially if you weren’t expecting the email.
Before entering your credentials, check that the web address you’re on is the site you expect, and that it uses https:// and displays the lock icon. Bear in mind that the lock only tells you the connection to that host is encrypted; phishing sites use HTTPS too, so the hostname is the part that matters.
Identify and update software on devices. Exploit kits and malware downloaders prey on out-of-date software to compromise devices. Find any outdated software on corporate devices, and encourage employees to update their personal devices, to reduce the risk of compromise.
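The "check the address before you type your password" advice above is easy to state and surprisingly easy to get wrong, because attackers build hostnames that contain the brand you expect. The checker below is an added example written for this article, not code from the author or from Duo Security; it uses only the Python standard library, and the expected hostnames and sample URLs it is run against are constructed for illustration. It accepts a URL only when the scheme is https and the host is the expected domain or one of its real subdomains, and otherwise explains which trick the host resembles: the brand used as a subdomain of another domain, swapped digits, non-ASCII or punycode homographs, or a `user@host` prefix that hides the real host.

```python
"""Check that a login URL really belongs to the site you expect.

Added example, not from the original article. Only the standard library is
used; the confusables table and the sample URLs are illustrative assumptions.
"""
from typing import List, Tuple
from urllib.parse import urlsplit

# Digits commonly substituted for letters in lookalike domains. Assumption:
# a small illustrative table, not a complete Unicode confusables list.
_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def _normalize(name: str) -> str:
    """Lower-case a hostname and undo the common digit-for-letter swaps."""
    return name.lower().translate(_CONFUSABLES)


def check_login_url(url: str, expected_host: str) -> Tuple[bool, List[str]]:
    """Return (ok, reasons).

    ok is True only when the URL uses https and its hostname is exactly
    expected_host or a real subdomain of it. reasons lists every problem
    found, so a caller can show the user why the page was rejected.
    """
    reasons: List[str] = []
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    expected = expected_host.lower()

    if parts.scheme.lower() != "https":
        reasons.append("scheme is %r, not https" % parts.scheme)
    if parts.username is not None:
        # https://paypal.com@evil.example/ : the browser connects to evil.example;
        # everything before '@' is ignored userinfo that merely looks like a host.
        reasons.append("userinfo before '@' hides the real host %r" % host)
    if not host:
        reasons.append("no hostname in URL")
        return False, reasons

    if host == expected or host.endswith("." + expected):
        # Genuine domain (or a real subdomain); ok unless the scheme/userinfo
        # checks above already complained.
        return not reasons, reasons

    # From here on the host is NOT the expected site. Explain what it imitates.
    if not host.isascii():
        reasons.append("hostname contains non-ASCII characters (possible homograph)")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("hostname contains a punycode (xn--) label")
    if host.startswith(expected + "."):
        # paypal.com.evil.example : the brand is a subdomain of someone else's domain.
        reasons.append("expected domain used as a subdomain of %r"
                       % host[len(expected) + 1:])
    elif _normalize(host) == _normalize(expected):
        # paypa1.com : digits swapped for letters.
        reasons.append("lookalike: characters swapped to imitate %r" % expected)
    else:
        brand = expected.split(".")[0]
        if brand in host:
            # secure-paypal.com : the brand appears, but the domain is different.
            reasons.append("contains brand name %r but is a different domain" % brand)
    reasons.append("hostname %r is not %r" % (host, expected))
    return False, reasons


if __name__ == "__main__":
    # Constructed sample URLs: one genuine login page and several lures.
    samples = [
        "https://www.paypal.com/signin",
        "http://www.paypal.com/signin",
        "https://paypal.com.evil.example/login",
        "https://paypa1.com/",
        "https://secure-paypal.com/",
        "https://paypal.com@evil.example/",
        "https://p\u0430ypal.com/",          # Cyrillic 'а' in place of Latin 'a'
    ]
    for sample in samples:
        ok, why = check_login_url(sample, "paypal.com")
        print("OK  " if ok else "BAD ", sample, "; ".join(why))
```

The check is deliberately conservative: anything that is not the expected domain or a real subdomain of it is rejected, and the lookalike heuristics exist only to make the rejection message more useful. Real browsers apply a far larger homograph policy than the five-entry table here, which is why the example flags any non-ASCII or punycode label outright rather than trying to judge it.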
Traditional security models take a separate, piecemeal approach to securing each area of the business. Instead of bolted-on security, organisations should be thinking of a holistic solution designed around the individual organisation.
A solution that provides insight into users and devices, which can then be used to customise access policies, reduces the openings available to any attacker looking to exploit vulnerabilities and weaknesses.
Sourced by Jordan Wright, R&D engineer, Duo Security