Phishing is an old style of cyber-attack, but one that has never fallen out of favor with attackers. With the right phishing network in place, some information gathering, and the right bait, attackers can gain access to just about any company or organization, even government agencies, and wreak havoc. Phishing remains one of the most popular and potent attack vectors available to them.
Data Theft and Financial Fraud
According to a study conducted by PhishLabs in 2016, 22% of all spear-phishing attacks in 2015 were motivated by financial fraud or related crimes. Phishing has become a hugely lucrative option for attackers, and there are plenty of examples. Magnolia Health was attacked in early 2016: a phishing network impersonated the firm's CEO in an email to staff, a forged-sender attack, and it led directly to the theft of employee data, including Social Security numbers, pay rates, dates of birth, physical addresses, full names and employee numbers.

Magnolia is hardly alone. The largest healthcare industry breach to date happened in late 2014 and early 2015 and involved Anthem, Inc. Initial reports put the number of exposed records of Anthem employees and patients at more than 37.5 million. Attackers stole full names, physical addresses, Social Security numbers, medical identification numbers, income data, email addresses and more, although no health-specific information was taken. While Magnolia's breach was definitely the result of phishing, the initial attack method in Anthem's case has not been confirmed, though experts believe it was some variation of phishing. The attackers obtained IT administrator credentials and then had over two months of unfettered access to the company's databases. That Anthem had not encrypted the stolen data made the problem worse.

The primary financial threat is BEC, or business email compromise. An FBI alert released in mid-2016 put cumulative identified exposed losses (attempted and actual) from BEC at more than $3.1 billion. The alert stated: "The BEC scam continues to grow, evolve and target businesses of all sizes. Since January of 2015, there has been a 1,300% increase in identified exposed losses. The scam has been reported by victims in 50 states and 100 countries. Reports indicate that fraudulent transfers have been sent to 79 countries with the majority going to Asian banks located within China and Hong Kong."
Phishing APTs (Advanced Persistent Threats)
Advanced persistent threats, or APTs, have also become very popular with cyber-attackers. Essentially, an APT is a long-term intrusion that might go unnoticed for weeks, months or even a year or more. There is no "most common" target: large and small businesses, nonprofit organizations and government agencies can all be victims. APTs are more often associated with foreign governments and militaries than with conventional criminal phishing networks. Several successful APT campaigns have been reported over the years. Some of the most famous (or infamous) include Operation Aurora in 2009, the HBGary Federal attack in 2011, the RSA hack in the same year, Stuxnet, APT1 (attributed to the Chinese military) and APT28 (attributed to the Russian military). Their durations varied, and most began with a successful spear-phishing email; Stuxnet is the notable exception, generally believed to have spread via infected USB media rather than phishing. APTs share several distinctive attributes:
They are ongoing missions
They have very specific objectives
They are generally carried out against high-profile targets
They are "bait-and-bleed" attacks
Bait-and-bleed attacks are so called because, once the bait has been taken, the attackers wait and bleed the victim for as long as possible. Most phishing attacks are hit-and-run or of relatively short duration, but APTs can go on for a very long time, partly because victims are almost universally slow to realize that they have been compromised and to respond. As mentioned, APTs have precise targets and objectives. Missions range from monetary theft to intelligence gathering on rival governments and even political goals, and they often target digital assets such as nuclear power plant designs or high-technology schematics. The typical APT attack consists of six primary stages:
The attacker gathers information on the target, often through social engineering, but also through other methods, such as web scraping and sometimes personal interaction through chatrooms and social networking.
The attacker creates and then sends phishing emails and/or messages. These are perfectly tailored to the target, and are almost indiscernible from the real thing. They include real names, phone numbers, addresses and other details needed for credibility.
The target opens the email and takes the desired action – either clicking a link that leads to an infected or spoofed website or downloading an infected document. Whatever the scenario, the target takes the bait and falls victim to the scam.
The system on which the user is working is compromised.
The attackers use the compromised system as a foothold to move laterally, compromising further systems across the network of the targeted organization, business or agency.
The attackers wait and bleed the target of data. This data is extracted, parsed and organized by the APT group.
Once a foothold is established and controlled, the APT operator can install further malware and tooling. For instance, a remote access Trojan (RAT) could be deployed, giving the APT group unfettered access to just about any data on the network. Once in control, the group can spy and steal information for as long as it takes the victim to notice the compromise. That can take a very long time, giving attackers the ability to explore data at their leisure.
Malware Delivery
While some phishing attacks focus on stealing credentials by tricking targeted individuals into entering their information into a spoofed website or web form, others go a step or two further. Malware has been around for a very long time, but it has become far more advanced than it once was, and one of the preferred ways for phishing networks to infiltrate a targeted business or organization is to get malware onto a victim's system. Phishing groups accomplish this in two primary ways.

The first is a malicious attachment. A carefully crafted email is sent to the individual with an attachment: a Word document, a PDF, or something else entirely. In every case the email appears to come from a trusted source, such as a coworker, a boss or a financial institution. In the best case, antivirus software catches the attachment when it is scanned before being opened. However, compressed archives, and password-protected ones in particular, often cannot be fully scanned, leaving some risk even when antivirus software is up to date. Ransomware has continued to gain prominence with phishing networks and is one of the most frightening types of malicious attachment, although it can also be delivered through an infected website, so email attachments are not the only option for attackers. Ransomware is exactly what it sounds like: malware that infects a target system and encrypts its files, holding the data on the disk hostage until the individual, business or organization pays the ransom, at which point the attacker (in theory) releases the files. Consumers, CEOs and even police departments have been victimized in this way. Macro viruses are another attachment-borne delivery mechanism: malicious macros embedded in MS Office files that run when the document is opened with macros enabled, or when a specified action takes place, and then fetch or drop the real payload.

Malicious links are the second way phishing networks infect their victims. Rather than including a malicious attachment, the attacker includes a URL, and the goal of the email or social media message is simply to get the target to click it. Once clicked, code may be downloaded to the computer, or the individual is directed to an infected or spoofed site where malware is delivered or credentials are harvested. Because the link itself carries no payload for a mail scanner to inspect, links often get through where attachments would not, but phishing networks must go to great lengths to make the message look credible and authentic. The email used in the Magnolia attack mentioned previously is a prime example. The message can be almost anything, although the following pretexts are the most common:
Notification that an account has been hacked or has experienced some sort of nefarious activity
Notification that action must be taken to keep an account active or to verify identity
Notification that fraud was detected on a financial account
Other similar methods include cybersquatting and typosquatting. Both rely on variations of a legitimate domain name. Cybersquatting is registering a domain that uses or closely resembles a real business's name (the same name under a different top-level domain, or with a word such as "secure" or "login" added) and dressing it up to look like the genuine website. Typosquatting is the same process using a commonly mistyped version of the company's domain, such as transposed or dropped letters, or letter pairs that look like another letter on screen, so that a careless click or keystroke lands the victim on the attacker's copy. In the end, phishing remains one of the most versatile and successful weapons in an attacker's arsenal, and the incidence of phishing attacks only increases as time goes on. Businesses and organizations are slow to realize the immense danger, and even slower to implement the security controls and training needed to combat these growing threats, as evidenced by the ever larger breaches affecting businesses ranging from Home Depot to conglomerates such as Anthem, Inc.
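The forged-executive email in the Magnolia incident, the macro-bearing attachments described under malware delivery, and the lookalike domains described just above all leave tells that an inbound-mail filter can check for. The following Python script is an added example written for this page, not code from the article or from any vendor or agency it cites: it flags an executive's display name on an outside address, a Reply-To that diverts answers away from the visible sender, sender domains that imitate the defended domain (brand embedded in another domain, same name under another TLD, homoglyph swaps such as "rn" for "m", or one typo away), and macro, script or archive attachments. The defended domain magnolia-example.com, the executive name, the homoglyph table and the three sample messages are constructed assumptions for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumptions for this example: the defended domain, the executive names worth
# forging, and the sample messages at the bottom are constructed, not real.
OUR_DOMAIN = "magnolia-example.com"
EXECUTIVE_NAMES = {"pat rivera"}
RISKY_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".js", ".vbs", ".hta", ".exe", ".scr", ".lnk"}
ARCHIVE_EXTENSIONS = {".zip", ".rar", ".7z"}  # scanners cannot see inside an encrypted archive
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l"}  # sequences that pass for another letter

def normalize(label):
    """Collapse homoglyph sequences so 'rnagnolia' compares equal to 'magnolia'."""
    for glyph, real in HOMOGLYPHS.items():
        label = label.replace(glyph, real)
    return label

def edit_distance(a, b):
    """Damerau-Levenshtein (optimal string alignment): a swapped adjacent pair counts as one edit."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[-1]

def lookalike_domain(domain):
    """Return why `domain` imitates OUR_DOMAIN, or None if it does not."""
    domain = domain.lower().rstrip(".")
    if domain == OUR_DOMAIN:
        return None
    if OUR_DOMAIN in domain:  # e.g. magnolia-example.com.login-verify.net
        return "brand name embedded in unrelated domain"
    our_sld = OUR_DOMAIN.rsplit(".", 1)[0]
    labels = domain.split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    if sld == our_sld:
        return "same name under different TLD"
    if normalize(sld) == normalize(our_sld):
        return "homoglyph lookalike"
    if edit_distance(sld, our_sld) == 1:
        return "one typo away from our domain"
    return None

def analyse(raw):
    """Return the reasons a raw RFC 822 message looks like phishing (empty list if clean)."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    reasons = []
    # Forged-executive tell: a known executive's name on an address outside our domain
    if display.strip().lower() in EXECUTIVE_NAMES and domain != OUR_DOMAIN:
        reasons.append(f"executive display name '{display}' on external address {addr}")
    # Reply-To steering answers away from the visible sender is a classic BEC tell
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        reasons.append(f"Reply-To {reply_to} differs from From {addr}")
    why = lookalike_domain(domain) if domain else None
    if why:
        reasons.append(f"sender domain {domain}: {why}")
    # Attachment tells: macro-enabled Office files and scripts, or archives a scanner cannot open
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            reasons.append(f"macro or script attachment {name}")
        elif ext in ARCHIVE_EXTENSIONS:
            reasons.append(f"archive attachment {name} (contents may evade scanning)")
    return reasons

# Constructed sample messages (not real mail)
BEC_SAMPLE = """\
From: Pat Rivera <ceo-office@gmail-example.net>
Reply-To: pat.rivera.private@webmail-example.org
Subject: Urgent: W-2 forms for all staff

I need the 2015 W-2 for every employee as one PDF before noon. Reply to this address.
"""
TYPOSQUAT_SAMPLE = """\
From: Accounts Payable <invoices@rnagnolia-example.com>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/vnd.ms-word.document.macroEnabled.12
Content-Disposition: attachment; filename="invoice.docm"

UEsDBAo=
--b1--
"""
CLEAN_SAMPLE = """\
From: HR Team <hr@magnolia-example.com>

The security awareness session starts at 10:00 in room 2B.
"""
```

Running analyse on the three samples yields two reasons for the BEC message (executive name on an outside address, diverted Reply-To), two for the typosquat message (homoglyph sender domain, .docm attachment) and none for the clean one. The homoglyph table and single-edit check are deliberately narrow; a production filter would enumerate far more permutations (tools such as dnstwist do this) and would pair these header heuristics with SPF and DMARC results, since a From header alone is trivially forged.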
Sources:
http://www.csoonline.com/article/3036837/security/phishing-remains-top-attack-vector-for-criminals-both-novice-and-professional.html
http://www.informationweek.com/government/cybersecurity/fbi-business-phishing-attacks-net-cyber-thieves-$31-billion/d/d-id/1325929
https://www.irs.gov/uac/phishing-identity-theft-and-scams