The evolution of phishing attacks

Malware News
1

A practical guide to phishing and best practices to avoid falling victim.

Introduction

Over the past several years, remote and hybrid work has quickly gained popularity amongst those seeking a to reduce the amount of time on the road or an improved work/life balance. To accomplish this, users are often working from multiple devices, some of which may be company issued, but others may be privately owned.

Cyberattackers have leveraged this trend to bypass traditional security controls using social engineering, with phishing attacks being a favored tactic. In fact, the FBI Internet Crime Report issued in 2022 reported phishing as the top reported internet crime for the past 5 years. Its ability to persuade individuals to divulge sensitive information to seemingly familiar contacts and companies over email and/or SMS text messages has resulted in significant data breaches, both personal and financial, across all industries. Mobile phishing, in particular, is quickly becoming a preferred attack vector among hackers seeking to use them as a jump point to gain access to proprietary data within a company’s network.

This article provides an overview of the origins of phishing, its impact on businesses, the types of mobile phishing attacks hackers employ, and ways in which companies can best defend themselves against such attacks.

The origins of phishing

The belief among many in the cybersecurity industry is that phishing attacks first emerged in the mid-90s when dial-up was the only means of gaining access to the internet. Hackers posing as ISP administrators used fake screen names to establish credibility with the user, enabling them to “phish” for personal log-in data. Once successful, they were able to exploit the victim’s account by sending out phishing emails to other users in their contact list, with the goal of scoring free internet access or other financial gain.

Awareness of phishing was still limited until May 2000 when Love Bug entered the picture. Love Bug, a highly effective and contagious virus designed to take advantage of the user’s psyche was unleashed in the Philippines, impacting an estimated 45 million Window PCs globally. Love Bug was sent via email with the subject line reading “ILOVEYOU”. The body of the message simply read “Kindly check the attached LOVELETTER coming from me”. Users who couldn’t resist opening the message unleashed a worm virus infecting and overwriting user’s files with copies of the virus. When the user opened the file, they would reinfect the system.

Lovebug elevated phishing to a new level as it demonstrated the ability to target a user’s email mailing list for the purpose of spamming acquaintances thereby incentivizing the reader to open his/her email.  This enabled the lovebug worm to infect computer systems and steal other user’s passwords providing the hacker the opportunity to log-in to other user accounts providing unlimited internet access. 

Since Love Bug, the basic concept and primary goal of phishing tactics has remained consistent, but the tactics and vectors have evolved. The window of opportunity has increased significantly for hackers with the increased use of social media (e.g., Linkedin, Twitter, Facebook). This provides more personal data to the hackers enabling them to exploit their targets with more sophisticated phishing tactics while avoiding detection.

Phishing’s impact in the marketplace today

Phishing attacks present a significant threat for organizations as their ability to capture proprietary business and financial data are both costly and time consuming for IT organizations to detect and remediate. Based on a recent survey, 59% of companies reported an increase in the number of mobile phishing attacks over a 12-month period. On average, dealing with the threat of a single phishing email takes 27.5 minutes at a cost of $31.32 per phishing message with some organizations taking much longer and paying more per phishing message.

Types of phishing attacks

Phishing attacks have become more targeted as hackers are seeking very specific personal or corporate information. The following highlights a few of the more popular types of targeted phishing tactics:

  • Spear-phishing: Hackers perform reconnaissance through the web or social media platforms to target specific individuals, most often those with access to highly confidential information or that have escalated network privileges. These campaigns are tailored or personal in nature to make them more enticing to act on a phishing message.
  • Whale phishing: This is an even more targeted spear-phishing attack targeting high-level executives. Hackers are fully aware of executive access to highly sensitive personal and financial data within their respective company so obtaining executive credentials is key. As with spear phishing, whale phishing is highly targeted but more personal in its message.
  • Billing phishing:  Although less targeted and more random in nature, this sort of phishing attack disguises itself as a legitimate company to trick users into urgently visit a spoofed website. The phishing SMS and email attacks come in various forms of fraudulent template, with some of the most common appearing in the form of shipping notifications, utility bills, or urgent credit card fraud alerts.

Although phishing attacks often seek to capture login credentials or financial data, it may also be used as a means to deploy other types of malware, including ransomware. Ransomware is a malware attack that denies a user or organization access to files on their computer by encrypting them, and then demanding a ransom payment for the decryption key. Ransomware variants such as Ryuk are more targeted in encrypting specific enterprise files while the Maze variant encrypt files and draw sensitive data prior to encryption.  

Mobile phishing – The preferred method of attack

Mobile phishing has become a preferred tactic among hackers. The mobile device has become not only a significant mainstream communication tool but one with access to sensitive corporate data and messages. A hacker’s ability to steal a person’s log-in credentials increases as they spread their attacks across both personal and work platforms. These trends are contributing to the increase in mobile phishing attacks:

  • Increase in the number of BYOD devices due to hybrid work - Many companies incorporating hybrid work have made personal devices more acceptable and as a result have relaxed their bring-your-own-devices (BYOD) policies. This poses significant risk and challenges to enterprise data as personal device access to social media and unsecure Wi-Fi networks could have an impact on the enterprise data accessible from that device. These situations potentially invite bad actors to initiate socially engineered attacks coming from social media or third-party messaging platforms.
  • Mobile phishing has extended beyond email – Hackers have now extended their attacks beyond email. We are seeing increased use of other means of launching attacks including:
    • Smishing: Smishing are phony text messages designed to trick you into providing proprietary data.
    • Vishing: Vishing are phony phone calls designed to trick you into revealing personal information.
    • Quishing : An emerging tactic where QR codes are embedded in images to bypass email security tools that scan a message for known malicious links. This will allow the phishing messages to reach the target’s inbox.

Ways to prevent phishing attacks

What can your company do to prevent such attacks from occurring in the future?  Here are several tips for you to consider:

  • Leverage internal and external data to develop a company strategy on how you will combat phishing attacks and reduce the risk associated with these attacks.
  • Educate your users on how to identify a phishing attack using phishing simulators or other tools and establish a communication channel for users to report them to your IT department.  
  • Track both successful and unsuccessful phishing attacks over time to determine attack patterns such as persons or departments being targeted. IT should report out the activity they are tracking to better inform employees of any phishing trends.
  • Consider endpoint security for your desktops, laptops, and servers and mobile threat defense (MTD) applications for all your iOS and Android endpoints. These technologies offer comprehensive protection against a wide range of threats, including the ability to identify phishing attacks sent via email or SMS as well as blocking malicious URLs. Although all companies can benefit greatly from endpoint and mobile threat defense solutions, they are of paramount importance for companies in high-security sectors, regulated sectors (i.e., finance and healthcare), large and fragmented device fleets and companies with users that are potential targets of geopolitically motivated cyberattacks.

  

4 https://ostermanresearch.com/2022/10/21/business-cost-phishing-ironscales/ (White paper by Osterman Research, October 2022 (See attachment))

 

 

 

 [BK1]Link to blog on this topic

Article Link: The evolution of phishing attacks