Phishing: Think like a cybercrook

February 18, 2019 Kent Blackwell

Phishing still steamrolls organizations

Phishing attacks rely on a single moment of inattention or ignorance. Follow a link and the results are front-page news. A strategy for combating these attacks on multiple fronts is vital. Alan R. Earls reports.

Phishing is one of the original forms of cybercrime and yet it still wreaks havoc. Witness the persistence of variations on the Nigerian prince email as an example. This tactic survives because it relies on flaws in human wetware instead of flaws in computer software or hardware.

“It’s all about and around social engineering; getting or tricking somebody into getting or giving you something you normally would not want to do.”

Specifically, phishers confuse people into inputting passwords or other credentials the attackers want, says Joshua Eckroth, a professor of computer science at Stetson University. Greg Schulz, senior advisory analyst at Storageio, adds, “It’s all about and around social engineering; getting or tricking somebody into getting or giving you something you normally would not want to do.”

Today's users are typically aware that the older form of phishing bait, Trojan horse email attachments from unknown senders, can contain malware. Related malware detection software has also improved to prevent those payloads from reaching users' inboxes. Eckroth says that today's typical phishing bait evolved into important-seeming emails from banks or utility companies that ask you to log into “their” website: a fake look-alike. A few clicks and keystrokes later and the phishers have what they want, whether that is login credentials or the codes for that user’s hardware security fobs.

About one third of people receive a phishing message and click through, often with disastrous consequences. Even worse, Eckroth explains, the most common variation on the theme today is a version of “spear-phishing” (a targeted attack) called “whaling,” which usually targets a “big fish” like a senior-level executive. The level of access those credentials give a phisher is truly dangerous.

So, how do people fall for the tricks of phishing and its cousins: vishing (over the phone), smishing (SMS fishing), pharming (website interception and redirection), and whaling? "Phishing emails and websites are often extremely convincing; typically the only way to tell if a message is legitimate is to look at the links themselves or hover over a link with a mouse," Eckroth says. "And, even then, the link might be so similar that most message recipients wouldn't flag the message as fake."

Those hoping their cyber insurance policy covers them against successful phishing attacks need to think again. Jeff Wilbur, technical director of the Internet Society's Online Trust Alliance (OTA), says many cyber insurance policies will not help because, ultimately, the phisher convinced an employee to act: a human failure rather than a breach achieved through technology. "We recommend you check your policy because often [phishing] is determined to be an act of a person as opposed to a hacker: if you fooled me, it was on me,” says Wilbur.

“The best defense against any phishing attack is your people; one well-trained user is enough to stop even the craftiest of phishing attacks in its tracks,” says Kent Blackwell, manager for security and vulnerability assessments at Schellman & Company.

Download and read full whitepaper at SC Magazine >

 

About the Author

Kent Blackwell

Kent Blackwell is a Manager with Schellman. Kent has over 9 years of experience serving clients in a multitude of industries, including the Department of Defense and top cloud service providers. In this position, Kent leads test efforts against client's web applications, networks, and employees through social engineering campaigns. Additionally Kent works with Schellman’s FedRAMP and PCI teams to ensure customer’s compliance needs are met in a secure and logical manner.

More Content by Kent Blackwell
Previous Article
If You’re Not First, You’re Last - Risks of Delaying CaCPA Compliance
If You’re Not First, You’re Last - Risks of Delaying CaCPA Compliance

Overview of CaCPA Privacy continues to span headlines with endless coverage of personal data mi...

Next Article
Supply and Demand (for security)
Supply and Demand (for security)

2018 was the year that raised the alarm in earnest about potential vulnerabilities in the supply...

×



Subscribe now
to receive content updates once a week

First Name
!
Success
Error - something went wrong!