Cyber attacks have increased 24% globally during the second quarter of 2017 compared with the first, with the electronics industry being the most heavily targeted. Around 91% of information breaches originate from phishing, making it a standout among cyber-attacks. Around 34% of phishing attacks are targeted toward electronic manufacturers, as threat actors perceive the prospective gains in attacking networks in this industry.

Figure: Countries Affected By Phishing Attacks (Source: PhishLabs)

Why Phish the Electronics Industry?

Right now, you cannot imagine any industry flourishing without the help of electronics. From your home (microwave, washing machine, dryer, TV, AC, etc.) to the space and aviation industries to healthcare and so forth, there is no industry that doesn’t rely on electronics. In a nutshell, the electronics manufacturing industry has a vast and solid customer base, which attracts malicious actors. According to a report by the US NCMS, the increase in cyber-attacks targeting electronic manufacturers is ascribed to fierce competition in a sector where intellectual property is at a premium. Industrial control systems (ICS) are often left unguarded because of a lack of investment in their security and a greater focus on productivity and efficiency: most manufacturing systems in use today were built to be productive, not to be secure. As IoT devices, robotics, and human-machine interfaces are increasingly deployed to minimize costs and improve automation, there is a commensurate rise in attacks. If electronic manufacturers do not have a proper incident response plan in place, IT security liabilities impact not only the manufacturing organizations but also suppliers, related industries, and consumers. We discuss this later in the article in the “How Phishing Escalates to Consumers of Electronics” section.

How is the Electronic Industry Targeted?

Attackers use various modes of phishing and spear phishing against target organizations. The trend shows that they are increasingly using free hosting providers as one of the resources to build their campaigns. These free hosts are cheap and easy to use, and they permit threat actors to create subdomains that spoof a targeted brand by serving a genuine-looking phishing page. (An example of this is explained in the “How Phishing Escalates to Consumers of Electronics” section.) Cybercriminals appear to be using phishing emails with malicious attachments containing PowerShell commands in macros as a primary attack vector. Below is an example of the ransomware “PowerWare,” which spreads through a Word document sent as an email attachment.

PowerWare Ransomware

Source: carbonblack.com

In the above example, the user is tricked into downloading the Word document. When the user enables macros, cmd.exe is used to start a pair of PowerShell instances: one that downloads the ransomware script and another that launches PowerShell with that script as input. The screenshots below depict what is happening behind the scenes.

Source: carbonblack.com
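The process chain described above (Word macro, then cmd.exe, then two PowerShell instances) is what a defender should look for in endpoint process-creation telemetry. The following is an added example, not code from the article or from Carbon Black; the event records and their field names (pid, ppid, image) are constructed for this illustration and do not follow any particular product's schema.

```python
"""Flag the Office -> cmd.exe -> PowerShell chain in process-creation events.
Event records and field names below are constructed for this example."""
from collections import defaultdict
from typing import Dict, List, Tuple

# Office applications that should not normally spawn a command shell.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Constructed sample events: a benign user-launched PowerShell (pid 500) and
# the PowerWare-style chain winword.exe -> cmd.exe -> two powershell.exe children.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"pid": 100, "ppid": 1, "image": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "WINWORD.EXE"},
    {"pid": 300, "ppid": 200, "image": "cmd.exe"},
    {"pid": 400, "ppid": 300, "image": "powershell.exe"},  # downloads the script
    {"pid": 401, "ppid": 300, "image": "powershell.exe"},  # runs the script
    {"pid": 500, "ppid": 100, "image": "powershell.exe"},  # benign admin use
]


def find_office_shell_chains(events: List[Dict[str, object]]) -> List[Tuple[int, int, List[int]]]:
    """Return (office_pid, cmd_pid, [powershell_pids]) for every Office process
    whose cmd.exe child in turn spawned one or more powershell.exe processes."""
    children: Dict[int, List[Dict[str, object]]] = defaultdict(list)
    for ev in events:
        children[int(ev["ppid"])].append(ev)

    hits: List[Tuple[int, int, List[int]]] = []
    for office in events:
        if str(office["image"]).lower() not in OFFICE_APPS:
            continue
        for shell in children[int(office["pid"])]:
            if str(shell["image"]).lower() != "cmd.exe":
                continue
            ps_pids = sorted(
                int(c["pid"]) for c in children[int(shell["pid"])]
                if str(c["image"]).lower() == "powershell.exe"
            )
            if ps_pids:
                hits.append((int(office["pid"]), int(shell["pid"]), ps_pids))
    return hits


if __name__ == "__main__":
    for office_pid, cmd_pid, ps_pids in find_office_shell_chains(SAMPLE_EVENTS):
        print(f"ALERT: Office pid {office_pid} -> cmd.exe pid {cmd_pid} -> PowerShell pids {ps_pids}")
```

The benign PowerShell launched from explorer.exe is not reported, because the rule keys on process ancestry rather than on the mere presence of powershell.exe.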

How Phishing Escalates to Consumers of Electronics

MOBILE BROWSER ATTACK

As consumer electronic devices with embedded browsers become popular, financial institutions and online dealers are setting up websites to accommodate visitors who use these devices. These devices include mobile phones, gaming consoles, cars, and refrigerators. Porting a conventional desktop browser to these devices involves considerably more complexity than merely resizing the display. To accommodate the hardware limitations built into these devices, device browsers often remove or replace certain features found in conventional browsers. Unfortunately, some of these features are critical for protecting against phishing attacks. Below is an example from a study conducted at the University of California on how a significant defect in the iPhone’s Safari browser permitted the researchers to develop a phishing scenario that efficiently tricked users into giving away their credentials to a bogus Bank of America account.

Figure (1)

Figure (2)

Source: http://static.usenix.org/legacy/events/upsec08/tech/full_papers/niu/niu_html/

All URLs too long to fit on one line are truncated. In Figure 1, a large central part of the URL is truncated and replaced with an ellipsis, with no way to expand the truncated portion. The only way a user can see the whole URL is to return to the URL input field and manually scroll, letter by letter, through the URL. The center part of the URL is truncated similarly in Figure 2. Moreover, on hover, the destination link is shown only after the link has been held for a couple of seconds. On release, the hover action may still be interpreted as a click if the user lifts the finger instead of sliding it away from the link, which triggers the browser to load the phishing page. An attacker on a rogue domain wishing to imitate a legitimate domain can easily create an extended URL that uses the valid domain name as a subdomain. For instance, a phisher wanting to mislead Bank of America users could host a site on phishydomain.com by creating a subdomain ending with bankofamerica.com and using long filenames, as in the following URL: subdomain.bankofamerica.com.phishydomain.com/longfilename. The attacker chooses the string subdomain so that the beginning of the URL (subdomain.bankofamerica.com), which looks correct, is shown in the browser’s URL bar, while the following string (.phishydomain.com), which is untrusted, is truncated from the URL bar. The URL bar uses approximately 50 pixels to show the http:// or https:// part of the URL. Assuming roughly 10 pixels per letter, hiding phishydomain.com in portrait mode requires a subdomain name of around seven letters prepended to bankofamerica.com.phishydomain.com, since bankofamerica.com takes up roughly 170 pixels. Where the SSL lock icon appears, subdomain names can be considerably shorter.
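Because the truncated URL bar hides exactly the part of the hostname that matters, a defender-side check (in a mail gateway, a proxy, or a URL-rewriting service) should extract the registrable domain and compare it with the brand domain rather than trusting the leftmost labels. The code below is an added example, not from the article or the USENIX paper; its public-suffix set is a constructed, deliberately tiny subset, and a real implementation would use the full Mozilla Public Suffix List.

```python
"""Recover the registrable domain a mobile URL bar may hide and classify a URL
against a trusted brand domain. PUBLIC_SUFFIXES is a constructed subset."""
from urllib.parse import urlsplit

PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "com.au"}  # constructed subset


def registrable_domain(host: str) -> str:
    """Return the registrable domain, e.g. 'phishydomain.com' for
    'subdomain.bankofamerica.com.phishydomain.com'."""
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 1):  # try two-label public suffixes (co.uk) before one-label ones
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return host.lower()


def classify_url(url: str, trusted_domain: str) -> str:
    """'trusted' if the URL really belongs to trusted_domain,
    'brand-as-subdomain' for the pattern described in the text (brand domain
    used as labels left of a foreign registrable domain), 'brand-lookalike'
    if only the brand name appears inside a foreign host, else 'unrelated'."""
    host = (urlsplit(url).hostname or "").lower()
    if registrable_domain(host) == trusted_domain.lower():
        return "trusted"
    labels = host.split(".")
    trusted_labels = trusted_domain.lower().split(".")
    width = len(trusted_labels)
    # Does the trusted domain occur as a run of labels left of the real registrable domain?
    if any(labels[i:i + width] == trusted_labels for i in range(len(labels) - width)):
        return "brand-as-subdomain"
    if trusted_labels[0] in host:
        return "brand-lookalike"
    return "unrelated"


if __name__ == "__main__":
    for u in ("https://www.bankofamerica.com/login",
              "http://subdomain.bankofamerica.com.phishydomain.com/longfilename"):
        print(u, "->", classify_url(u, "bankofamerica.com"))
```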

IOT BOTNET

A botnet is a network of systems joined together for the purpose of remotely taking control of them and distributing malware. Controlled by botnet operators through command-and-control servers (C&C servers), botnets are used on a grand scale by criminals for things such as stealing private data, exploiting an organization’s controls, DDoS attacks, or sending spam and phishing emails. Looking at the upsurge of the IoT, many devices are under threat from THINGBOTS, botnets that combine independently connected objects. Botnets, as well as thingbots, comprise a wide range of devices all connected to each other, from PCs, laptops, mobile phones, and tablets to “smart” devices. These things have two chief attributes: they are web-enabled, and they can exchange information automatically via a network. Anti-spam technology can spot when one machine sends a large number of similar emails, but it is tough to recognize when those emails are sent from different devices that are part of a botnet. They all have one common objective: sending a large number of emails in the expectation that the platform crashes while attempting to cope with the volume of requests.
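The weakness noted above is that per-sender rate limits see only one message per bot. A complementary check groups messages by a fingerprint of their normalized content, so the same phishing template arriving from many distinct sources surfaces as one campaign. This is an added example, not code from the article; the messages and source addresses are constructed.

```python
"""Content-centred spam check for distributed (botnet) phishing campaigns.
Messages below are constructed for this example."""
import hashlib
import re
from collections import defaultdict
from typing import Dict, List, Set

# Constructed sample: four bots send the same template with different links,
# plus two unrelated legitimate messages.
SAMPLE_MESSAGES: List[Dict[str, str]] = [
    {"src": "10.0.0.11", "body": "Your account is locked. Verify now at http://a.example"},
    {"src": "10.0.0.12", "body": "Your account is LOCKED!  Verify now at http://b.example"},
    {"src": "10.0.0.13", "body": "your account is locked, verify now at http://c.example"},
    {"src": "10.0.0.14", "body": "Your account is locked. Verify now at http://d.example"},
    {"src": "10.0.0.11", "body": "Meeting moved to 3pm, see you there"},
    {"src": "10.0.0.20", "body": "Invoice attached, please review"},
]


def fingerprint(body: str) -> str:
    """Normalize case, URLs, punctuation and whitespace, then hash, so template
    variants that only swap the link or the sender collapse to one key."""
    text = body.lower()
    text = re.sub(r"https?://\S+", "<url>", text)
    text = re.sub(r"[^a-z0-9<> ]+", " ", text)
    text = " ".join(text.split())
    return hashlib.sha256(text.encode()).hexdigest()[:16]


def distributed_campaigns(messages: List[Dict[str, str]], min_senders: int = 3) -> Dict[str, Set[str]]:
    """Return {fingerprint: senders} for templates sent by at least min_senders
    distinct sources, i.e. the pattern a per-sender threshold would miss."""
    senders: Dict[str, Set[str]] = defaultdict(set)
    for m in messages:
        senders[fingerprint(m["body"])].add(m["src"])
    return {fp: s for fp, s in senders.items() if len(s) >= min_senders}


if __name__ == "__main__":
    for fp, srcs in distributed_campaigns(SAMPLE_MESSAGES).items():
        print(f"campaign {fp}: {len(srcs)} distinct senders {sorted(srcs)}")
```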

ADVANCED PERSISTENT THREATS

An Advanced Persistent Threat (APT) occurs when an unauthorized individual gains access to a network and remains there undetected for an extended period. The goal of an APT attack is specific: it can be used to steal data or to cause mass disruption to the network and organization while remaining undetected. One classic example of an APT is STUXNET, a virus that silently destroyed the centrifuges of a uranium enrichment plant in Iran by exploiting zero-days in Siemens S7 Programmable Logic Controllers (PLCs). It has been observed that 91% of APT attacks use phishing as a medium. Phishing attacks thus have the capability to deliver a cyber-weapon like STUXNET through the electronics industry, causing mass destruction. It can therefore be a challenge to maintain accountability for the control of our critical infrastructure systems, since such an attack impacts industrial controls like power plants, power grids, gas pumps, telecommunications, ATMs, etc. that power our lives.

Measures Against Phishing Attacks

Almost all phishing attacks have a success rate inversely proportional to user awareness; hence countering them is a three-step process:

Baseline Testing – This testing assesses the Phish-prone percentage of users through a simulated phishing attack.

Train Your Users – Educate your employees and conduct training sessions with mock phishing scenarios. Additionally, you may arrange automated training campaigns such as interactive modules, video games, posters, or newsletters to train users online.

Phish Your Users – A fully automated simulated phishing attack is helpful in preparing users for an actual phishing attack.

Analyze The Results – Helpful in reporting the strength of an enterprise against phishing attacks by showing stats and graphs of both training and phishing.

Resources

https://digitalguardian.com/blog/what-phishing-attack-defining-and-identifying-different-types-phishing-attacks

http://static.usenix.org/legacy/events/upsec08/tech/full_papers/niu/niu_html/

http://www.trendmicro.co.in/vinfo/in/security/news/cybercrime-and-digital-threats/best-practices-identifying-and-mitigating-phishing-attacks