Confession time: I was terrified of vampires as a child.
Werewolves I loved. Ghosts? Frankenstein? Meh. Zombies were a little freaky, but so long as I wasn't in a graveyard, no worries. Vampires, however… vampires drink blood, sleep in coffins, walk the night and, at the time, struck fear into the hearts of six-year-olds. Thankfully, the fear was a phase that didn't last. Oh, there are still some sparkly 'vampires' I have no time for, but from stage productions of Stoker's masterpiece to cult classics like What We Do in the Shadows, nowadays vampires make for a production that's fun, utterly ridiculous, or both.
The same cannot be said for phishing attacks, the information security manager's nightmare.
Phishing attacks: a cyber security threat that won’t die.
Even if the name is unfamiliar, odds are you know about phishing attacks. Phishing attacks are messages that entice you to perform actions that benefit hackers. The most common forms of phishing attack get users to click on malicious links or provide access credentials to fraudulent websites. You receive an email requesting money, a link directs you to a copycat website where you enter your password... the list of examples goes on. If you've ever received an email asking for a money transfer to far-off royalty in a country you've never heard of: congratulations, someone has attempted to 'phish' you.
According to Retruster, phishing attacks account for 90% of data breaches, and there’s good reason for this.
Phishing attacks are:
- Relatively easy to send.
- Easily automated. Software tools and email lists available on the dark web mean very little work is involved in phishing.
- Increasingly hard to detect. Even advanced cyber security professionals can fall victim to the right phish.
- Able to bypass even complex security systems.
- A small investment with a large payout for the attacker.
How are phishing attacks like vampires?
Besides their uncanny ability to strike terror once discovered? No one wants to be the sacrifice in a horror story, and there's nothing as painful as discovering your organization is the victim of a successful phish. Recognizing why phishing attacks are so dangerous can go a long way towards survival. Here are four traits shared by both predators, from the shadows and from the dark web.
1. Phishing attacks need to get your permission to come inside.
Phishing attacks need you, the user, to cooperate in order to work. Unlike a brute-force denial of service (DoS), a phish needs the user to take action in order to get in. A phishing attack doesn't come in through a back door in the code or an improperly configured firewall. On the contrary, phishes are so effective because they don't waste time trying. A phishing email or text is that midnight caller outside your door: please, kind sir or madam, won't you tell me your name and let me in? If you open the attachment or click the links they've brought, the attack is a success.
2. Phishing attacks act like your friend.
One of the more terrifying elements of vampires is how often we're told they look just like us. Oh sure, in the right light we might see pointed ears, paler skin, bright eyes and red fangs, but that's when they want to take you out to dinner. Otherwise, the relationship is perfectly charming: they flatter, act friendly, and get their victims to let down their guard. Phishing attacks work the same way: friendly until it is time to strike. Two types of phishing in particular are experts at this approach. 'Catphishing' uses loneliness and seduction to attract interest, while 'spear phishing' gets up close and personal.
For an example of a successful catphishing attack, look no further than the 2017 Deloitte breach. 'Mia Ash', a London-based photographer and completely fictional persona, convinced a company cyber security professional to open a corrupted Excel file after months of Facebook interactions. Unfortunately for the business and the professional, Mia's disarming face was a front for an Iranian APT group intent on getting in and causing damage.
Spear phishing attacks don't always play on romance, but they're no less disarming. In particular, spear phishes developed using social engineering techniques are uncanny: they scrape data about you, your friends and your family from online sources to look like a trusted source. Sure, an email asking for money might set off alarm bells, but what if the email came from your mother? What if it was a text message from a close friend? From your employer? Spear phishing pushes past protection measures by appearing as personal messages from trusted sources.
3. Phishing attacks aim to get inside your head and take over.
One of the more popular vampire myths is that they can use some of their victims to make more vampires, increasing their resources for hunting. Even if you believe your information is of no value, or that you're low on the totem pole at work, beware: to an attacker who uses phishing, you're still useful help. A phisher attempting to get access to a larger organization, for example, might attack a staff member with less responsibility, and likely less security training, than company seniors. The attacker then uses the access credentials they do have to gather more information and find ways to attack their larger targets. Most recently, according to PC Magazine and Proofpoint, United States utilities have become the target of a malicious phish that installs a remote access trojan on infected machines. Once inside, the trojan could allow for "viewing of process, system, and file data; deleting files; executing commands; taking screenshots; moving and clicking the mouse; rebooting the machine and deleting itself from an infected host".
4. They're both blood-suckers of different veins.
While phishing attacks can be used to tear systems apart, many are deployed with a different purpose: to drain your data dry. Once inside your system and in control, attackers typically have two goals: to find more weak points they can exploit, or to make a play for valuable information now in sight. Phishing attacks are common tools for instigating data breaches, installing malware, and wiping infected machines. Worse, you may not even be aware they're sucking you dry. Many well-publicized data breaches, including eBay (2014), Anthem (2015), and RSA Security (2011), were the result of successful attackers who operated undetected for months, stealing massive payloads and leaving their victims feeling weak and helpless once their antics were exposed.
One way phishing attacks aren't like vampires: there's no silver bullet
Although phishing attacks bear similarities to monsters, there is a critical difference to keep in mind during security planning: there's no silver bullet for threat removal. To date, there are no digital equivalents of wooden stakes, sunlight, or holy water to remove the threat of attack completely. There are, however, actions and software that can reduce the likelihood of a successful attack. No need to wear a cross or eat a ton of garlic, however, unless by choice. Instead, consider a two-pronged approach: limit the ways they can get in, and limit the damage they can cause if they do make it inside.
Review your security practices and ask:
- What are the levels of access in our system? Do we have any access controls in place?
- Do we log access to sensitive information? How often do we look at and audit these logs for irregularities?
- Do we train our staff on phishing attacks? How often?
- What behaviours are we training? Do they know how to stop and verify requests, check links or report suspicious activity?
Still living in fear during the darkest hours? Bring in a specialist: security and privacy professionals who are regularly on the lookout for an attack. Outside auditing can't stop phishing attempts, but it can spot holes in your defences that internal plans miss, while vulnerability testers and auditors can catch hackers who have already phished their way inside. Even those who know what they're up against benefit from a helping hand.
“But we are strong, each in our purpose, and we are all more strong together.”
- Bram Stoker, Dracula