The recent ITWeb Security Summit highlighted the growing sophistication of phishing. LIRON SEGEV compiled the lessons of the event into a concise guide.
Security breaches, hacking, cyber warfare and industrial espionage. These make headlines across the world whenever a high-profile website or social network account is breached.
One could think that there are armies who deploy sophisticated technological weapons across the Internet with missile-like precision, finding their intended target.
While this does happen, the arsenal of weapons that exists doesn’t have to be so sophisticated. In fact, they are so common that anyone, with no programming skills at all, can now buy these systems online for a couple of dollars. This was one of the key underlying elements that speakers included in their presentations at the recent ITWeb Security Summit. Yes, there are technological defences that need to be deployed at home and at work, but there is still one weak link that no technology can fix – the human element.
We have been told countless times not to open any email that looks suspicious, and certainly not to click on links inside emails that ask for usernames and passwords. Yet every day, thousands of people do exactly that, and then find themselves in hot water when they realise they have fallen victim to cyber crime. This kind of attack is known as phishing and is a favourite tool amongst attackers.
How does phishing work?
Phishing is based on a couple of components. The hacker purchases a mailing list of email addresses, then he or she creates an email that mimics a popular website like LinkedIn or Facebook. Embedded in this email is an invitation to click on a link that takes the recipients to a landing page, which is where they are asked to enter information like usernames and passwords. This information is sent to the attacker and a “sorry we are offline – try again later” message is displayed to the user, so they simply switch off, thinking nothing of it.
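The mismatch described above, an email that looks like LinkedIn but whose link leads to the attacker’s landing page, can be checked for on the receiving side. The following is an added example (not from the article, and not part of any tool it mentions) that scans a constructed HTML email for links whose visible text, hostname or payload do not add up; every domain in it is made up.

```python
import re
from urllib.parse import urlparse

# Constructed sample: an HTML email body imitating LinkedIn. The first link's
# visible text names the real site while its href points at an attacker page;
# the third delivers an "update" executable. All domains here are made up.
SAMPLE_EMAIL_HTML = """
<p>You have 3 new connection requests on LinkedIn.</p>
<a href="http://linkedin.com.login-verify.example/auth">https://www.linkedin.com/messaging</a>
<a href="https://www.linkedin.com/feed/">View your feed</a>
<a href="https://phishing-landing.example/update.exe">Install security update</a>
"""

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def registrable_domain(host):
    """Crude last-two-labels approximation of the owning domain (no public
    suffix list, so co.uk-style hosts are not handled)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def find_suspicious_links(html, trusted_domains):
    """Return (href, visible_text, reason) for links that deserve a closer look."""
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        text = re.sub(r"<[^>]+>", "", text).strip()  # drop nested tags
        parsed = urlparse(href)
        host = parsed.hostname or ""
        dest = registrable_domain(host)
        # 1. Visible text shows a URL whose domain differs from the real target.
        shown = re.search(r"https?://([^/\s]+)", text)
        if shown and registrable_domain(shown.group(1)) != dest:
            findings.append((href, text, "display URL does not match href"))
            continue
        # 2. A trusted brand appears in the hostname but does not own the domain
        #    (e.g. linkedin.com.login-verify.example).
        decoy = next((b for b in trusted_domains if b in host and dest != b), None)
        if decoy:
            findings.append((href, text, f"{decoy} used as a decoy label"))
            continue
        # 3. The link delivers an executable "update", as described in the article.
        if parsed.path.lower().endswith((".exe", ".scr", ".msi")):
            findings.append((href, text, "link delivers an executable"))
    return findings

if __name__ == "__main__":
    for href, text, reason in find_suspicious_links(SAMPLE_EMAIL_HTML, ["linkedin.com", "facebook.com"]):
        print(f"{reason}: '{text}' -> {href}")
```

On the sample above, the first and third links are flagged and the genuine LinkedIn link passes.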
Why does phishing work?
Phishing is successful because it is based on sheer numbers. Sending out millions of emails will result in some people revealing their information for the hacker to do with as they please. There is even a market for selling active usernames and passwords.
What is spear phishing?
An advanced version of phishing is known as spear phishing. This is where the attacker targets a specific set of people instead of a blanket mass mail. The attacker will create a webpage that is common to the selected group, e.g. mimic a specific banking site web page or a company web mail login page and then send their mass mail to those specific people.
This kind of attack is usually successful because the recipient visually identifies with the website that they constantly access and therefore doesn’t think twice about logging in, thus revealing their sensitive information.
As an added “bonus”, as part of the phishing attack, the attacker may wish to add spyware that is installed on the recipient’s computer. This is done by embedding the malicious code on the landing page and manipulating the victim into installing the “software update” or “security patch”. This allows the attacker to access that computer via a backdoor that the software creates. The malicious software may also replicate itself across the network to other machines and may even relay keys pressed on the keyboard to the attacker (known as key-logging).
There are two typical reactions that people have when they hear about these attacks.
1. “I am safe, I have an antivirus!”
2. “Who would be so stupid as to fall for this?”
The “I have an antivirus” reaction is common, but unfortunately it is not good enough. Even those people who are diligent and update their software regularly are still susceptible. There are many “services” on offer that, for R600, will guarantee that an attacker’s hacking code will bypass most antivirus systems. Even when there is an antivirus update, this service will develop a work-around for the code to keep working. They even provide a service level agreement!
The “who would fall for this” question is something you can answer for yourself. Thinkst has developed a tool called Phish5 that allows you to “attack” your own company and see if you are vulnerable to phishing attacks. Sign up, add some members of your company, use the template to build your fake phishing email, use it to create a fake landing page and launch your attack. You will be notified as soon as people become victims, with graphs and reports.
Haroon Meer from Thinkst confirms that “Despite spending many years on extremely cutting-edge hacking, it’s pretty clear that corporations across the board are still getting taken with phishing attacks.” The Phish5 tool was built as a way for administrators to test their own system. “This way they phish departments just prior to training sessions and get to talk real numbers during the training. Over time, they are then able to spot departments or people that never learn and are able to reward people who do react well.”
Phishing is just one tool in the arsenal, and falls under the bigger umbrella known as social engineering: the way attackers manipulate people into helping them get the information they want.
No amount of technology can fully protect your business. There has to be constant training of the people using the system. At the ITWeb Technology Summit, speaker after speaker confirmed the same mantra: If your business has something worth stealing, chances are that the hacker is already in. Only the “bad” hackers are caught, the “good ones” run a business – selling your information.