Pretty much every few weeks we see a company's data compromised through some sort of phishing attack. The versions of the email differ a little, but the basic idea is the same: send a legitimate-looking email to a recipient to provoke a particular action, such as clicking a link or opening an attachment. Something that simple turns into a compromised machine, then a compromised network, and then a data breach. On the positive side, this has made everyone a little smarter when reading email; on the downside, our mistrust has pushed the hackers to become ever more devious.
In the good old days of phishing attacks, fake emails were pretty easy to detect. It started with a random email carrying a strange link or attachment. Some people might click the link or open the file, but not very many. So the hackers got a little smarter and made the subject of the email more and more engaging or interesting, usually something about celebrity pictures or unstoppable financial strategies. Again, this worked for a while, but ultimately we all got a little smarter and more distrustful.
Now this is where it started to get interesting. The hackers' response was to take a leap forward into exploiting our human behavior: our tendency to lower our guard when dealing with the familiar. The next wave of emails came from contacts we know, or pertained to services we were actually using. The attacks would first compromise one person, then use that person's contact list to attempt to compromise all of their contacts. Or the emails would look like they came from a well-known company and, ironically, say something like "your account has been hacked" or "someone tried to change your password", please click here to protect your account.
But in time we all got a little smarter, and more distrustful of email. And again, the hackers' response was to dig deeper and exploit more of our psyche. So now we are seeing an even more personalized form of attack. Let's take a recent fantasy-football-themed attack as an example. It starts like a spear-phishing attack: the hacker identifies a business to attack, then uses social media to identify specific employees to target. They dig through the employees' public profiles, find interests and hobbies, and ultimately learn which online communities they participate in. Say this hacker identified your business, and your employee John Smith as a target. Through his Facebook interests they determine that John loves fantasy football. Armed with that knowledge, they search the public profiles of fantasy football sites looking for a John (most people use real information on fantasy football sites). Then they wait; when John's fantasy football account is updated, say on a local leaderboard, they leap into action. Monday morning, after an amazing weekend of fantasy football, John gets an email that appears to come from his fantasy football site, complimenting him on his great weekend and offering him a reward for how awesome he is. Knowing how awesome he is, and because the message comes from a familiar source within a relevant time frame, John's guard drops, he clicks the link, and your business is exposed.
This is an extremely sophisticated attack that uses a number of techniques to create familiarity with an unsuspecting audience. It comes in a number of flavors depending on the type of Internet community the user belongs to, but it is typically deployed the same way: the hackers find a business, find a target, then construct a personalized attack. They either launch it immediately or wait for a trigger to make an even more personal version.
The good news is that avoiding these attacks still comes down to the same things: educate employees, and create processes and policies that arm your staff with ways to sniff out and avoid them.
Here are some tips to get you started:
- If you are still haphazardly clicking anything and everything that gets sent to you, STOP IT!
- Don’t ever open an attachment from someone you don’t know.
- If you receive an attachment from someone you know, but you aren’t expecting it, don’t open it. Verify with that person to ensure it was from them.
- For even more protection, don’t send attachments within your organization. Instead keep files in a central location, and send recognizable links to the files.
- The same rules apply to links: if you don't know the sender, avoid clicking.
- Even if an email seems familiar, make sure the links point to the domain they should. Hover over the link in the email and check the URL. In the example below, hovering over the link shows the domain Awecomm.com. If instead it were anything unexpected or unknown, it could be an issue. Even something like Awecomm.securetrustedblog.com seems a little off, so check it out: do a Google search for the company and verify that the URL is accurate before clicking anything.
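As an added illustration of the hover-and-check tip above (this code is not from the original post), here is a small Python script that performs the same check over every link in an email body: it flags a bare IP address and any registrable domain other than the expected one, including the Awecomm.securetrustedblog.com pattern where the expected name appears only as a subdomain of someone else's domain. The sample email body and the domain securetrustedblog.com are constructed for the example, and the two-label domain rule is a simplification that ignores multi-part public suffixes such as co.uk.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body in the style of the fantasy-football lure.
# Links 1 and 4 really point at awecomm.com; links 2 and 3 are the mismatches the post warns about.
SAMPLE_EMAIL = """
<p>Great weekend, John! <a href="https://awecomm.com/rewards">Claim your reward</a></p>
<p><a href="https://awecomm.securetrustedblog.com/login">Log in to awecomm.com</a></p>
<p><a href="http://203.0.113.5/claim">awecomm.com/claim</a></p>
<p><a href="https://news.awecomm.com/weekly">Weekly recap</a></p>
"""

def registrable_domain(host):
    """Last two labels of the hostname (assumes no multi-part public suffix such as co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> tag, i.e. what hovering would reveal."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_links(html, expected_domain):
    """Return one (href, reason) pair per link whose real destination is not the expected domain."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        if host.replace(".", "").isdigit():
            findings.append((href, "bare IP address instead of a domain"))
        elif registrable_domain(host) != expected_domain.lower():
            actual = registrable_domain(host)
            hint = " (expected name appears only as a subdomain)" if expected_domain.split(".")[0] in host else ""
            findings.append((href, "real domain is " + actual + hint))
    return findings

if __name__ == "__main__":
    for href, reason in check_links(SAMPLE_EMAIL, "awecomm.com"):
        print(f"SUSPICIOUS {href}: {reason}")
```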
Unfortunately, phishing scammers are evolving and getting smarter. Generic attacks no longer work as readily as they did in the past, so the hackers' A-team came back to the table to create new ways to get unsuspecting people to click infected links. In an evolution similar to that of marketing genius (or villain) Edward Bernays, scammers are exploiting the very things that define us. I am fearful of how this will progress, but one thing is for sure: it will definitely continue.