Bait comes in all shapes and sizes and does not discriminate based on user level. Anyone who uses a computer is susceptible to these attacks on their information, regardless of experience. While some may think that phishing bait only lures out the weaker computer users, it has a way of catching anyone who lets their guard down. The data collected after the bait is taken can range from personal information to passwords to even full remote access to your computer. Frighteningly, there is even a chance of continuous keystroke spying (keylogging), allowing the hacker to secretly record every keystroke on the computer, even after the initial phishing attack has been resolved. This is an increasingly common trend and can lull a lot of users into a false sense of security. Follow-up attacks after failed or successful attacks are sometimes more successful than the initial attempt. So what should you look out for when it comes to the bait and data schemes?
The Email Forging Attempt
Business users are at a disadvantage when it comes to email forging since they are all on the same domain. A user under an identical security policy as his peers can singlehandedly infect the entire domain with this scam. Businesses are the bread and butter of email scams, accounting for over 17,642 victims and $2,300,000,000 in damages. Yes, you read that correctly, over $2,300,000,000 in damages and counting from simple email forging. The number is high enough to get the FBI involved on many fronts, mostly because they themselves are potential targets of email forging. Email addresses can be mimicked, and faking the sender to deliver a compromising message is an effortless practice. Protocols can be put in place to verify whether the sender is legitimate, but they can turn out to be an expensive option for a company on a budget. Even at the point when the user believes that Bill Gates is sending them a certified check for $1,000,000, hope still isn’t lost. Simply reading an email isn’t what email forging is about. That is just the deception part; the underlying menace has more to do with opening a link or attachment in the email. Once it is clicked, that is when the troubles begin. Links in particular are nasty, as they can sometimes lead to a website where the user has to input their personal information – and they do so, willingly! In a worst-case scenario, a worm infects their address book and sends an infected email under their name to everyone on the list. The success of email forging depends on whether the user does their homework on the sender and refrains from clicking on anything that looks suspicious. If the user simply deletes the email after reading it, then no harm, no foul. In a better world, the user would mark the email as spam so that it is reported automatically.
How Clone Phishing Can Destroy a Business
Clone phishing is an improved technique that hides in plain sight and can fool the most cautious of users. Using information from legitimate emails, the hacker recreates a 1:1 copy with a modified attachment. It can be sent as a resend of the original, and in some cases as an update to the original email with additional information. The same trick used in email forging to spoof the sender is applied here, but it is more effective since the email itself looks familiar to the user. That last tidbit is important, as the trust issues that plague email forging quickly melt away and the wall of cautiousness drops without a second thought. Clone phishing destroys a company’s credibility from the inside out. The more information that goes outbound, the more clients become affected by the security breach. Even if your security is top-notch, losing control of confidential information puts several jobs at risk, even at the upper levels. When a company loses its ability to protect information from within and from potential clients, business begins to flow toward companies that can and will protect that data. A security breach is no laughing matter and, unfortunately, when it happens, trust begins to wane rapidly. In the case of clone phishing, startups don’t have nearly the amount of reputation protection that larger companies have. Even large businesses like Sony still feel the sting of a breach, and they’re a multi-billion-dollar company. Clone phishing hacks can and will put doubts in the minds of your employees, partners and rival businesses.
Brute-Force Phishing
In many ways, email is getting safer. DMARC (domain-based message authentication, reporting, and conformance) is the latest and greatest safeguard against phishers who want to use a known brand identity to further their nefarious activities. With DMARC, companies and users can create a policy that they then publish for email providers, a sort of seal of approval that the message is coming from the real company. When a message claiming to be from Target doesn’t contain the DMARC code in its header, the email provider will run an authentication check. If it fails, the email ends up in the spam folder. Unfortunately, DMARC is just another obstacle (albeit a higher one) for phishers to jump over, and they’re doing it with a technique called “brute-force phishing.” Here’s how it works: The corporation can set a DMARC reject policy for its main domain (www.mcdonalds.com), but DMARC cannot create policies for subdomains, such as sub.mcdonalds.com. Naturally, McDonald’s isn’t going to be publicly posting its domain architecture any time soon, and it is not likely to use something as obvious as sub.mcdonalds.com. Brute-force phishers send out combinations of likely letters in hopes of figuring out the proper subdomain for the brand’s server and exploiting that loophole. As such, they get to live “under the wings” of a giant corporation, using the legitimacy of the brand and the cover of its DMARC policy to launch some truly frightening phishing campaigns. For clients that are left truly vulnerable, the entire host can be flipped into a source for serving phishing pages. So, without your knowledge, your company could serve as a nest for collecting information only to have it sent to an anonymous user. Brute-force phishing is silent in its approach but deadly in how long the hacker is allowed to stay active. And even in the case where the abuse is found out quickly, considerable damage is already done.
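To make the subdomain question concrete, here is an added example (not code from the article or from any vendor it mentions) that evaluates a published DMARC TXT record the way a receiver applies it to a given From: domain. RFC 7489 defines an sp= tag that sets the policy for subdomains; when sp= is absent, subdomains inherit p=, so a defender can check their own record for a weak or missing subdomain policy. The domain names, the record strings and the finding texts are constructed for the example, and the code assumes the subdomain publishes no DMARC record of its own.

```python
"""Evaluate a DMARC record for the organizational domain and its subdomains."""


def parse_dmarc(record: str) -> dict:
    """Parse 'v=DMARC1; p=reject; sp=none; pct=100' into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if "p" not in tags:
        raise ValueError("DMARC record must carry a p= tag")
    return tags


def effective_policy(record: str, from_domain: str, org_domain: str) -> str:
    """Policy applied to mail whose From: domain is from_domain, given the
    record published at _dmarc.<org_domain>. Exact match uses p=; a subdomain
    uses sp= when present and otherwise inherits p= (RFC 7489 section 6.3).
    Assumes the subdomain itself publishes no record (constructed simplification)."""
    tags = parse_dmarc(record)
    from_domain, org_domain = from_domain.lower(), org_domain.lower()
    if from_domain == org_domain:
        return tags["p"]
    if from_domain.endswith("." + org_domain):
        return tags.get("sp", tags["p"])
    return "unrelated"  # the record does not cover this domain at all


def weaknesses(record: str) -> list:
    """Findings a defender would want about their own record (constructed rule set)."""
    tags = parse_dmarc(record)
    findings = []
    if tags["p"] == "none":
        findings.append("p=none: spoofed mail from the main domain is only monitored")
    if tags.get("sp") == "none":
        findings.append("sp=none: subdomains are explicitly unprotected")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy enforced on only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua=: aggregate reports are not collected, so subdomain abuse goes unnoticed")
    return findings
```

Running `weaknesses("v=DMARC1; p=reject; sp=none")` reports both the unprotected subdomains and the missing aggregate reporting, which is the monitoring a brand needs to notice a subdomain being abused.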
The Proxy Problem
Proxies pose a problem for users who lose their data to hackers. Proxies are used to mask IP addresses from the originating location, something that covers any and all tracks of wrongdoing. Depending on their setup, attackers can have the information sent to a portable hard drive to decrypt it or send it to a remote location in the cloud. Surprisingly, the most efficient way to retrieve the data is to have it sent by email. When the attacker has the information emailed to himself, he also runs the risk of being attacked by another attacker with similar intentions. When a portable drive is used to access the encrypted data, there is software that automatically begins to decrypt it. The only saving grace is that there is a huge risk to the hacker in doing this, so it is less likely to be used than the email method of retrieving data. Sending the information to the cloud can also be covered by a proxy, but it doesn’t have the convenience of the hard-drive tools automatically brute-forcing the data, and this method by itself leaves more tracks than the other two combined. So, to this extent, think of emailing your data as the best middle ground for an attacker.
Chatbots Are Not Human
Imitating human emotions and conversation is something that is still a long way off when it comes to chatbots. Chatbots have real uses, and they are set up by predefined rules. They are sometimes used to moderate a forum or chat room. Thankfully, these little bots are limited by the rules they have to follow, so when they are used for phishing purposes, deceiving the user is more like bulk emailing. Ever receive an invite from a stranger on a messenger service like Skype? Their profile looks legitimate, with all of the information filled in and a profile picture in place. Where things get simple is that no matter what you chat to them about, you get a canned response. The automated responses end with them sending you a link to click that has nothing to do with the conversation. This is the lowest form of the chatbot, and one that is easy to avoid. But there is a reason this is still a scary phishing tactic, right? Chatbots that are programmed to send a friend request and instantly follow up with a link that matters to the user are a very dangerous tactic. Social media once again becomes a problem in this case: if a bot that just added you as a friend sends a link related to one of your interests in life, you are more likely to click it. They have evolved enough to gather information about the user to the point where they can solicit an add and a click all within a few seconds. These simple bots can be found for free or bought in bulk, and not even business chat clients like Microsoft Lync can escape the epidemic. The only way around this problem is to avoid adding people that you don’t know, and to never click on a link unless it is from someone you know. Phishing is all about manipulating data in order to steal data. Spotting the manipulation as it happens in real time will keep your own information safe.
Summary
A lot of the phishing topics discussed in this article are exceedingly subtle, and even extremely savvy people might fall for them in a moment of impulse. While security systems continue to improve in order to prevent phishing attacks, the single most important line of defense is changing human behavior. Training yourself, your friends, or your employees to always avoid clicking through links or grabbing unexpected attachments requires a fundamental retraining of email etiquette, and the best way to start this process is to sign up for Infosec IQ, from InfoSec Institute. Conducting fake-phishing campaigns is one of the proven ways to change protocol, especially when clever fakes requiring split-second decision-making are on the table. DMARC and strong security algorithms are a great start, but changing your behavior with Infosec IQ is the best defense of all.