The art of phishing: past, present and future


FEATURE

remembering that dark web markets aren’t reliable, accurate or regularly available. Infighting, scamming and competition are rife and volatility is high. That said, we should be optimistic about the future. The bad guys aren’t the only ones using disruptive technology. By focusing on data as a core asset and cyber-enabled fraud as a supply chain of stolen and leaked data, organisations have a great chance to mitigate the impact of breaches.

About the author

Emily Wilson is vice-president of research at Terbium Labs, an information security and data intelligence start-up based in Baltimore, US. She is responsible for tracking industry news and trends among actors on the dark web, including specific breach operations, popular targets and the appearance of new sites for trading or discussing stolen data. She provides analysis for Terbium Labs’ customers on the appearance of their information online, along with ongoing analysis on the appearance of fraud, drugs, weapons, extremism and other information. As a dark web expert, Wilson has spoken at several industry tradeshows and conferences, including RSA, Inside the Dark Web and Data Connections. She is frequently quoted in press articles and is a routine guest on The Cyberwire weekly podcast. Wilson has a background in international relations and foreign policy, with an emphasis on post-Cold War Eastern Europe. She has worked with the Institute for the Theory and Practice of International Relations at the College of William and Mary on a project to analyse foreign policy trends among academics and decision makers. Wilson has spent her career working with start-ups across a variety of industries, with a particular focus on research and product development. She has a degree in international relations from the College of William and Mary.


The art of phishing: past, present and future

Adam Binks, SysGroup

What may seem like one of the oldest tricks in the cyber criminal handbook is on the rise: phishing. These scams are becoming so common and advanced that it’s often difficult to discern between genuine and fake emails, and the vast majority of cyber attacks begin with a phishing email [1]. These scams prey on our instinctive response to panic: they threaten loss of data or account details in the hope that you will click through immediately and give up your information. However, 23% of phishing emails are still opened, with 12% of those targeted clicking on the infecting link. That means that protecting companies against human error should be a top priority. In short, we know that the key to combating phishing is to look within companies and eliminate the risk posed by naive individuals, whom hackers rely on to click a link or image in an email.

The risks

With an estimated 3.7 billion people sending around 269 billion emails each day, it’s no wonder that phishing is the most common form of attack. However, as people become savvier and the fight against hackers gets stronger, we are seeing these criminals find different ways to target victims, with social media and mobile phone app attacks on the rise. In a business environment, these phishing campaigns can include tricking employees into downloading malware as a route to theft, or engaging with a fake social media profile. We’ve seen cases where cyber criminals have used regular contact via emails or direct messages to build up trust over a number of months, or years in some cases, with employees targeted for specific data or information. This can be as simple as an email address or a password, or as obviously incriminating as banking information or personal details. While, separately, small pieces of data may not mean much, when placed in the hands of a hacker they are everything they need to carry out criminal activity online. The approaches that hackers take vary and there are new trends emerging all the time, but they nearly always involve a subject line designed to catch the user’s eye. Claiming the user is a competition winner is a popular one among hackers targeting retail customers, while email spoofing has caught out many an employee in a business setting. Appearing to have been sent from a service provider or a member of your own team, spoof emails are designed to catch busy workers off-guard. They usually ask you to follow a link and input personal or company details, or to open an attachment laced with malicious software.

Computer Fraud & Security, April 2019


Sophisticated phishing

While everyday phishing attacks remain one of the biggest threats to businesses worldwide, a more sophisticated form of phishing is also on the rise and has arguably worse consequences. This is a result of people becoming more aware of Internet scams, meaning that cyber criminals are getting smarter and staying one step ahead of people’s scepticism. Also referred to as spear-phishing, it is a much more advanced way of targeting a specific group or individual, tailoring an attack based on their job function to increase the chance of the email being opened and actioned. CEO fraud, also known as business email compromise (BEC), is an example of this: phishers use the names of co-workers or business partners to make an email, direct message or social platform post look legitimate – posing as the CEO of the company and sending an email from a spoof account to the CFO asking for an urgent payment to be made and discussed later, for instance. This relies on the assumption that the CFO will not question the motives of the boss and will make the transfer immediately. Sophisticated scams like this generally take more time to set up and execute but have a bigger impact if successful. What’s worrying is that a recent study released by Mimecast revealed an 80% increase in sophisticated phishing attacks that impersonated someone familiar to the targeted individual.

Think practical

With all of this in mind, what steps can companies take to ensure they are as secure and prepared as possible when it comes to the war against phishing? We’ve all read about the large-scale data breaches across the world, but relatively few stop to think about how they happened, who is responsible and how their own actions could impact the company for which they work. First, it’s important to remember that email is the route in for many phishing attacks, so having the right technology measures in place, such as anti-virus software and robust firewalls, is key. Not only do they protect email, they also keep IT infrastructure safe, protecting against other common threats and potential hacks. Company-wide education is also important in combating or preventing these attacks. Training may seem like a simple idea, but it is the most effective way to prepare for a phishing attack. It needs to spread further than the IT department, making all employees aware of what phishing attacks look like, the risks they pose and the steps to take in case of a breach. There are training courses available from external security companies that can help, too. For example, Kaspersky and WatchGuard take companies through a number of training sessions to improve their security. These include role-playing common scenarios and encouraging employees to make errors in a controlled environment in order to spot potential threats going forward. Initial and ongoing training is critical when it comes to mitigating the internal risk of sophisticated phishing. The whole team should be on board from the start to ensure everybody is on the same page with policies and processes. It should also be part of any induction when bringing in new team members, and there should be regular updates with the entire team to keep the risk front of mind.

Look out for mistakes

While cyber criminals are getting smarter and attacks are often well disguised, there are some standout points to train employees to look out for when it comes to phishing. The first, and arguably the most obvious, point is that if an offer in an email looks too good to be true, it’s almost certainly a spam email. Whether it’s an extravagant free holiday or even just vouchers for your favourite store asking for your or your company’s details, the chances are it’s fake. Poor spelling or grammar is another big giveaway. It’s unlikely that a professional organisation will send emails with these sorts of mistakes – or at least not often – so they’re a good sign that something isn’t right. The same goes for email addresses – spoofing works by using a similar name or email combination with a few small, often unnoticeable, differences. Combat this by encouraging your team to keep an eye on the sender’s address to ensure the message is from who it says it is from. Another point to consider is shortened links. This is a tactic used by attackers to disguise a fake web address, and it relies on a busy worker not having the time to check whether it is legitimate. If you don’t have a reason to trust someone who’s sent you a shortened link, or you’re not sure why you would have received it, you can search for a shortened link checker online. If you’re still not sure after that, don’t click on it.
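As an added example, not taken from the article, the warning signs above (a lookalike sender domain, a real executive’s display name on an outside address, as in the CEO fraud described earlier, a shortened link and pressure to act now) written as checks a mail filter or helpdesk script could run over a message. The sample message, the trusted domain and the executive directory are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not from the article): a "CEO" mail to the CFO from a lookalike
# domain, carrying a shortened link and the urgency the article describes.
SAMPLE_MAIL = """\
From: "Jane Smith" <jane.smith@examp1e-corp.com>
To: cfo@example-corp.com
Subject: URGENT payment needed today
Content-Type: text/plain

Please wire the supplier now, we'll discuss later. Details: https://bit.ly/3abcXYZ
"""

TRUSTED_DOMAINS = {"example-corp.com"}                      # assumed: the organisation's own domain
EXECUTIVES = {"jane smith": "jane.smith@example-corp.com"}  # assumed: directory of real executives
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}    # common public link shorteners
URGENCY = re.compile(r"\b(urgent|immediately|now|today)\b")

def edit_distance(a, b):
    """Levenshtein distance: the number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def phishing_indicators(raw):
    """Return the warning signs from the article that are present in one message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    body = msg.get_payload()
    flags = []
    # Spoofed sender: a domain only a couple of characters away from one we trust
    if domain not in TRUSTED_DOMAINS and any(edit_distance(domain, t) <= 2 for t in TRUSTED_DOMAINS):
        flags.append("lookalike-domain")
    # CEO fraud / BEC: a real executive's display name on a different address
    real = EXECUTIVES.get(name.lower())
    if real and addr.lower() != real:
        flags.append("exec-impersonation")
    # Shortened links hide the real destination from a busy reader
    if any(h.lower() in SHORTENERS for h in re.findall(r"https?://([^/\s]+)", body)):
        flags.append("shortened-link")
    # Pressure to act immediately, the emotional hook the article says phishing relies on
    if URGENCY.search((msg.get("Subject", "") + " " + body).lower()):
        flags.append("urgency-pressure")
    return flags
```

A message that raises several of these flags at once is a good candidate for quarantine or a second look before anyone acts on it.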

Put a plan in place

On a business level, there are some strategic processes that can be put in place to help protect against such phishing threats. Having pre-emptive methods to deal with potential system breaches, for example, should be a priority. This includes regular reviews, analysis of the company’s cyber security strategy, regular training and having the right technology in place. When coupled with robust mail filtering and advanced firewall technology, organisations are one step closer to pre-empting the risk. Post-attack measures should also be considered. A ready and tested phishing incident management policy should be put in place so that if a member of staff does accidentally click on a link that causes a breach, everybody knows what to do, who to report it to and when, and where to look for possible infection. The faster you act on this threat, the less damage it will do to the company.

What lies ahead

What has been a threat for more than 20 years is likely to continue, simply because it is easy for a hacker to carry out. And it still works. No matter how many large-scale phishing attacks we read about in the news, there are still employees who will click questionable links or download dubious attachments that let criminals into the company. Cyber criminals will always try to stay one step ahead, thinking of the next clever idea to get access to our data or systems. The key to mitigating and controlling this threat lies in training employees to know what to look out for, while being prepared with recovery measures in the event of a breach. If you can impress one thing upon employees, let it be this: if something looks ‘phishy’, it probably is. Besides employee training, putting that all-important resilient and secure technology in place is key to winning the war against hackers.

About the author

Adam Binks joined SysGroup in 2014 and was appointed as CEO in April 2018. He has extensive experience in the managed IT, hosting & telecoms sectors across his 18-year career. Binks has previously held a number of senior management & board level positions. Prior to joining SysGroup, he was sales & technical director at Vispa, a managed hosting and connectivity provider.

Reference

1. ‘New Mimecast Report Detects 400% Increase in Impersonation Attacks’. Mimecast, 6 Jun 2017. Accessed Mar 2019. www.mimecast.com/resources/press-releases/dates/2017/6/new-mimecast-reportdetects-400-increase-in-impersonation-attacks/.

Avoiding the weaknesses of a penetration test

Fabrizio Baiardi, Università di Pisa

A penetration test is a traditional solution for evaluating and improving the robustness of an ICT system. Such tests can be comprehensive, but problems can arise when deciding how to use their results to select countermeasures against a successful penetration. These problems may explain the successful attacks against systems that previously passed such tests. So it’s useful to look at some theoretical explanations of the weaknesses of a penetration test and suggest some alternatives.

The increasing complexity of ICT systems has led to the adoption of red team strategies to assess their robustness with respect to intelligent attackers [1-4]. This solution overcomes the lack of formal tools and metrics for the assessment. The most widely adopted red team strategy is the penetration test, where the owner of a system assigns the red team the task of attacking the system. The assignment includes the goal of the attack – ie, the information the team should steal or the system modules it should control – and the attack may only occur after deploying the system. A deadline for the test may also be set. Usually, the red team works in a stealthy way to evaluate whether the system administrators and/or the intrusion detection systems can discover the attack. Furthermore, the team receives little or no information on the target system, to mimic a scenario where attackers have no information available on their target. The main goal of running a penetration test is not to attack a system but to improve the system’s robustness. Hence, the red team should report any weakness or vulnerability it discovers so that the owner can select and deploy the proper countermeasures. The activities of the red team result in building an attack chain, or a privilege escalation, because the team can control the modules of interest only after acquiring control of some intermediate modules or nodes. Hence, alternative descriptions of a penetration test are building an attack chain, implementing a privilege escalation, or moving laterally through the target system.

Collect and exploit

The two main activities of a red team as it tries to build an attack chain are collect and exploit. Collect includes all the activities used to discover information on the target system, such as its hardware and software modules, its topology, the configuration of the operating systems and, most important, the weaknesses and vulnerabilities of its modules. The two main mechanisms used to collect information are fingerprinting and vulnerability scanning. Exploit includes all the activities used to attack a module and to acquire privileges, which the team then uses to collect further information or to implement further attacks in its escalation. The red team interleaves collect and exploit activities in the test because it can attack a module only after collecting information on its vulnerability. On the other hand, it can collect information only after controlling some modules. By choosing how to interleave these two activities, the red team chooses its solution to the collect or exploit dilemma. Let’s exemplify the collect or exploit dilemma: consider the segmented network in Figure 1 and assume the red team goal is to control
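To make the collect/exploit interleaving concrete, here is an added example (not the article’s own code, and not its Figure 1, which is not reproduced here) on a constructed five-module network: a module can be attacked only once a controlled neighbour has exposed it through collect, and only if it carries a weakness that exploit can use. The same model then answers the countermeasure question the article raises, by listing which single fix leaves the goal unreachable.

```python
from collections import deque

# Constructed toy network (this is NOT Figure 1 from the article). Each module
# lists the modules it can reach and whether it carries an exploitable weakness.
NETWORK = {
    "internet": {"reaches": ["web"],         "vulnerable": True},
    "web":      {"reaches": ["app", "mail"], "vulnerable": True},
    "mail":     {"reaches": ["app"],         "vulnerable": False},
    "app":      {"reaches": ["db"],          "vulnerable": True},
    "db":       {"reaches": [],              "vulnerable": True},
}

def collect(network, controlled):
    """Collect step: scanning from the controlled modules exposes the weak modules
    they can reach; only these can be attacked in the next exploit step."""
    exposed = set()
    for node in controlled:
        exposed.update(n for n in network[node]["reaches"] if network[n]["vulnerable"])
    return exposed - set(controlled)

def shortest_attack_chain(network, start, goal):
    """Breadth-first interleaving of collect and exploit: returns the shortest
    sequence of modules the red team must control to reach the goal, or None
    when no chain exists (the goal is unreachable from the start)."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            chain = []
            while node is not None:
                chain.append(node)
                node = parent[node]
            return chain[::-1]
        for nxt in collect(network, {node}):     # exploit what this module exposes
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None

def patched(network, module):
    """Countermeasure: a copy of the network with one module's weakness fixed."""
    fixed = {name: dict(attrs) for name, attrs in network.items()}
    fixed[module]["vulnerable"] = False
    return fixed

def chain_breaking_fixes(network, start, goal):
    """Which single fixes leave the goal unreachable? These are the countermeasures
    a test report should point the owner to."""
    return [m for m in network if m != start
            and shortest_attack_chain(patched(network, m), start, goal) is None]
```

On this network the chain runs internet, web, app, db; fixing mail changes nothing, because mail is never part of a chain, whereas fixing web, app or db breaks every chain to db.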