Phishing Hits the Big Time
Phishing is probably the biggest threat businesses face online, but what can you do to defend against it?
Phishing is big news at the moment. It is a deceptively simple, sometimes very inexpensive method of attack, and the results can be startling. From disrupting cryptocurrency ICOs to forcing the FBI to issue warnings to the public, phishing is perhaps the broadest cybersecurity threat facing enterprises, SMBs and consumers online. It is also big business, with anti-phishing startup PhishMe recently being acquired in a deal that valued the firm at $400 million.
A recent report from Trend Micro predicted that losses from business email compromise (BEC) attacks will tot up to more than $9 billion in 2018, up from $5.3 billion at the end of 2016. This enormous figure reflects the widening scope of phishing attacks and the low level of technical skill they require. Another study, by security firm Wombat, found that 76 per cent of organisations said they experienced phishing attacks in 2017, and that the impact of these attacks has worsened, with an 80+ per cent increase in reports of malware infections, account compromise and data loss related to phishing.
At its simplest, the ‘cyber con man’ impersonates a business contact by taking control of their email account or spoofing their address, a strategy that relies almost entirely on social engineering and requires little or no technical knowledge. A study by IBM concluded that many of these groups are “likely operating out of Nigeria because both the spoofed sender email addresses and IP addresses used to log in to email web access portals are primarily traced to Nigeria. However, it is worth noting that the same threat actors often leveraged compromised servers or revolving proxies that may be traced to other countries to mask their actual location.”
IBM noted that although the size of each group is not known, one set of threat actors had used a phishing kit to create spoofed DocuSign login pages on over 100 compromised websites - indicating that widespread campaigns designed to snare business users and harvest their credentials are being created.
The threat facing business users and consumers alike is significant, by any metric. Stats from High-Tech Bridge’s Radar tool demonstrate the scale of the problem. Users intending to use PayPal’s services, for example, currently have to contend with a total of 2,344 phishing domains attempting to steal login data or conduct a watering hole compromise.
Second place goes to Facebook.com, with a massive 1,462 potentially fraudulent domains, followed by Microsoft and Google, with 600 and 580 phishing domains respectively. It is striking how steep the drop-off in volume is between the most popular target and number 10 (FedEx, 187 fraudulent domains): a fall of 92 per cent across the top ten.
So, how can businesses defend against phishing attacks? The usual response is to offer training to staff to mitigate the issue, but this is no panacea, as an annual ‘State of the Phish’ report from Wombat Security found. Comparing US and UK approaches to training and tools, the researchers found considerable variation. In the US, most organisations use computer-based online security awareness training and simulated phishing attacks to train employees, while UK organisations generally opt for more passive training methods over hands-on practice. In the US, the awareness tools are used bi-weekly or monthly by 46 per cent of organisations, while UK organisations do the same in a mere 21 per cent of cases. The result of this split is stark, with 61 per cent of US organisations seeing quantifiable results from their training efforts, compared to 28 per cent of UK organisations.
“Just knowing a threat exists isn’t the same as knowing how to recognize and respond to a threat when it presents itself. In-depth education about phishing prevention is needed to create lasting behavior change,” commented Wombat Security researchers.
A recent Gartner report made three key recommendations:
Strengthen anti-phishing efforts by monitoring and reporting all active phishing attacks, both internal and external. This is a big ask of most enterprises, but it is essential to monitor and report phishing attacks beyond your perimeter.
Monitor all brand mentions, including “look-alike” domain names.
The ease with which a malicious entity can create a look-alike domain is concerning, and enterprises need to work with a partner to carefully monitor all mentions of their brand within the email channel and report any malicious URLs to their takedown vendor immediately, said Gartner.
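The look-alike domains Gartner refers to are cheap to generate, which also means they are cheap to enumerate on the defender's side. The script below, added here as an illustration and not part of Gartner's or High-Tech Bridge's tooling, builds the common typosquat permutations of a brand domain (character omission, repetition, transposition, ASCII homoglyphs, hyphenation, "login"/"secure" style keyword additions, and the same name on other TLDs) and then classifies a constructed feed of newly observed domains against them. The brand `example.com`, the `OBSERVED` list and the small homoglyph table are assumptions made for the example.

```python
"""Enumerate look-alike candidates for a brand domain and flag observed
registrations that match. Added example; the brand and the observed
domains below are constructed, not taken from any monitoring feed."""

# Small table of ASCII confusables; a production tool would also cover
# Unicode homoglyphs (e.g. Cyrillic letters that render like Latin ones).
HOMOGLYPHS = {
    "o": ["0"], "l": ["1", "i"], "i": ["1", "l"], "e": ["3"],
    "a": ["4"], "s": ["5"], "m": ["rn"], "w": ["vv"],
}
TLDS = ["com", "net", "org", "co", "io", "info"]
KEYWORDS = ["login", "secure", "support", "account"]


def lookalike_candidates(domain):
    """Return the set of look-alike domains for a registrable domain such as 'example.com'."""
    name, _, tld = domain.rpartition(".")
    labels = set()
    for i in range(len(name)):
        labels.add(name[:i] + name[i + 1:])                 # omission
        labels.add(name[:i + 1] + name[i] + name[i + 1:])   # repetition
        for sub in HOMOGLYPHS.get(name[i], []):
            labels.add(name[:i] + sub + name[i + 1:])       # homoglyph
    for i in range(len(name) - 1):
        labels.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])  # transposition
    for i in range(1, len(name)):
        labels.add(name[:i] + "-" + name[i:])               # hyphenation
    for kw in KEYWORDS:
        labels.update({f"{name}-{kw}", f"{kw}-{name}", f"{name}{kw}"})  # keyword combos
    labels.discard(name)
    # Every mutated label across common TLDs, plus the exact name on other TLDs (cybersquatting).
    candidates = {f"{label}.{t}" for label in labels for t in TLDS}
    candidates.update(f"{name}.{t}" for t in TLDS if t != tld)
    return candidates


def find_lookalikes(brand_domain, observed):
    """Classify observed domains: generated permutation, brand name embedded in the label, or clean."""
    brand_name = brand_domain.rpartition(".")[0]
    candidates = lookalike_candidates(brand_domain)
    flagged = []
    for d in observed:
        if d == brand_domain:
            continue  # the legitimate domain itself
        label = d.rpartition(".")[0]
        if d in candidates:
            flagged.append((d, "permutation"))
        elif brand_name in label:
            flagged.append((d, "brand-substring"))
    return flagged


# Constructed "newly observed domains" feed for the example.
OBSERVED = [
    "example.com",         # legitimate
    "examp1e.com",         # homoglyph: l -> 1
    "exmaple.net",         # transposition plus TLD swap
    "example-login.com",   # keyword suffix
    "secure-example.co",   # keyword prefix on another TLD
    "unrelated-shop.com",  # nothing to do with the brand
    "exampleworld.org",    # brand name embedded in a longer label
]

if __name__ == "__main__":
    for domain, reason in find_lookalikes("example.com", OBSERVED):
        print(f"{domain:22} {reason}")
```

Feeding the candidate set into a daily query against certificate-transparency logs or a zone-file diff is the usual next step; the substring rule catches the long tail the permutation generator misses, at the cost of more manual review.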
Implement email authentication.
Email is inherently insecure, but implementing the email authentication protocols SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting and Conformance) on all of their domains helps to combat spoofing. SPF publishes which hosts may send for a domain, DKIM signs outgoing mail, and DMARC ties both to the visible From: address and tells receivers what to do with mail that fails; a DMARC policy of p=none only gathers reports, so nothing is blocked until it is moved to quarantine or reject. These controls stop attackers sending as your exact domain; they do nothing against look-alike domains, which is why monitoring for those is a separate recommendation.
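The gap between "we have SPF, DKIM and DMARC records" and "spoofing is actually blocked" is where most deployments fall short. The following audit script is an added example (not Gartner's guidance or any vendor's tool) that checks published records for the settings that quietly defeat them: an SPF record ending in `+all` or `?all` or with terms after `all`, a DKIM selector with an empty `p=` (a revoked key), and a DMARC record stuck at `p=none`, lacking `rua=` reporting, or applying its policy to only a fraction of mail via `pct=`. The records in `RECORDS` are constructed stand-ins for DNS TXT answers so the script runs offline; in practice you would pull them with a resolver for every domain you own.

```python
"""Audit the SPF, DKIM and DMARC TXT records of a domain for settings that
leave spoofing unblocked. Added example; RECORDS holds constructed
stand-ins for DNS answers so the script runs offline."""

RECORDS = {
    # A domain that has deployed all three but is still only monitoring.
    "example.com": "v=spf1 include:_spf.mailprovider.example ~all",
    "selector1._domainkey.example.com": "v=DKIM1; k=rsa; p=BASE64PUBLICKEYPLACEHOLDER",
    "_dmarc.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    # A domain whose records exist but are effectively useless.
    "weak.example": "v=spf1 ip4:198.51.100.0/24 +all",
    "sel._domainkey.weak.example": "v=DKIM1; k=rsa; p=",
    "_dmarc.weak.example": "v=DMARC1; p=reject; pct=10",
}

SPF_LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}


def parse_tags(record):
    """Split a 'tag=value; tag=value' record (DMARC, DKIM) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_spf(record):
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record missing or not v=spf1"]
    mechs = terms[1:]
    all_terms = [t for t in mechs if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("SPF: no 'all' mechanism, so unlisted senders get a neutral result")
    else:
        last = all_terms[-1]
        qualifier = last[0] if last[0] in "+-~?" else "+"  # '+' is the default qualifier
        if qualifier == "+":
            findings.append("SPF: '+all' authorises every host on the internet to send as this domain")
        elif qualifier == "?":
            findings.append("SPF: '?all' is neutral and provides no protection")
        if mechs.index(last) != len(mechs) - 1:
            findings.append("SPF: terms after 'all' are never evaluated")
    # RFC 7208 caps DNS-querying terms at 10. Only the top-level record is
    # counted here; a full check would follow each include: recursively.
    lookups = sum(
        1 for t in mechs
        if t.lower().lstrip("+-~?").split(":")[0].split("/")[0] in SPF_LOOKUP_MECHS
        or t.lower().startswith("redirect=")
    )
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS-querying terms exceed the limit of 10 (permerror)")
    return findings


def audit_dkim(record):
    if record is None:
        return ["DKIM: selector record not found"]
    tags = parse_tags(record)
    if tags.get("v", "DKIM1") != "DKIM1":  # v= is optional and defaults to DKIM1
        return ["DKIM: unexpected version tag"]
    if not tags.get("p"):
        return ["DKIM: empty p= means the key is revoked, so signatures will not verify"]
    return []


def audit_dmarc(record):
    if record is None:
        return ["DMARC: no _dmarc record, so receivers have no policy to apply"]
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["DMARC: record does not start with v=DMARC1"]
    findings = []
    policy = tags.get("p")
    if policy is None:
        findings.append("DMARC: mandatory p= tag missing")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so no aggregate reports of spoofing attempts")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only {pct}% of failing mail")
    return findings


def audit_domain(domain, selector, records=RECORDS):
    """Run all three audits; an empty list means nothing obviously weak."""
    return (audit_spf(records.get(domain, ""))
            + audit_dkim(records.get(f"{selector}._domainkey.{domain}"))
            + audit_dmarc(records.get(f"_dmarc.{domain}")))


if __name__ == "__main__":
    for domain, selector in (("example.com", "selector1"), ("weak.example", "sel")):
        print(domain)
        for finding in audit_domain(domain, selector) or ["no findings"]:
            print("  -", finding)
```

Run across every domain the organisation owns, including parked and marketing domains that never send mail (those should carry `v=spf1 -all` and `p=reject`), the findings list is a direct to-do list for closing the exact-domain spoofing gap.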
The High-Tech Bridge Trademark Monitoring Radar has run more than 172 million tests to date. It is a free online service provided and operated by High-Tech Bridge, designed to help businesses detect malicious domain activity. The service identifies potential cybersquatting (your domain name registered under a different TLD and owned by a third party) and domains imitating your domain name. It also searches for typosquatting and phishing attacks, by looking for domains that visually impersonate your domain or brand and are owned by a third party, as well as any third-party sites that contain malicious content.