Humans — from the point of view of AI, they’re a weak link. Until the singularity occurs, or what Malcolm Gladwell would call the “tipping point,” human nature poses the largest cybersecurity risk, no matter what technological measures get put into protecting information. Such is the case with phishing, spearphishing, whaling, and every other phish attack under the sun. It’s the method that attackers use to get a fingerhold, as in the case of the 2016 Clinton presidential campaign, as in the case of countless fake IRS email scams, and as is the case across the entire Internet. Humans can’t help but click on interesting emails and email from people they think they trust. For these reasons, phishing is here to stay. It has become more sophisticated, more focused, and more malicious than ever before. In some ways, people have gotten better about their response to phishing attempts, and in other ways, attacks show that things might be worse. Now, reports indicate that a new wave of phishing scams are about to surge, and the principle behind it focuses on shaming intended victims. The state of phishing scams aren’t something found on a map, it is something that requires a historical and forward-looking view comprised of analysis, facts, and results.
The good: Government gets better
In late 2017, Binding Operational Directive 18-01 became effective. Under these standards of the Department of Homeland Security, this security measures checklist provides ongoing technical guidance for better practices in email and web security. The result of this effort over the last year has delivered improved technical measures across the board, in many cases exceeding the security measures instituted in public sector businesses. Implement these things, they can help.
The bad: Notable 2018 phishing scams news
Last year went into the security history books as a year where business experienced an uptick in impersonation attacks. Earlier in the year, the FBI warned the public that business email compromise (BEC) schemes were on the rise. The bureau also announced a major takedown of a BEC scheme network in June.
As the widely awaited European privacy GDPR regulations went into effect last year, scammers hit high gear, firing off a new wave of scams suddenly backed by a new air of authority.
Attackers have stepped up their focused attacks and BEC efforts by implementing text messages, phone calls, and social media.
The ugly: Sextortion
One particularly devious spearphishing plot leveraged fear, shame, and stolen passwords. As they planned their campaigns, attackers used usernames and passwords found in data breach databases to contact victims and notify them that they had used their password to install malware and record the victim’s webcam as they had watched pornography. The payoff: send us money or else.
That’s an interesting tactic (and the stuff of digital marketers). First, get the target to open the email. Second, use some bit of intelligence to relate to the victim (the password). Third, exploit some emotion (fear). Finally, close the deal.
There isn’t even anything technical about that kind of attack. It’s just an email campaign. Imagine such an attack combined with technology. We’ll get to that.
Bring on the shame
Here’s where it gets interesting. The webcam porn campaign was a game changer because up until this event, spearphishing required deliberate research. For example, a spearphishing operation often incorporates who is the target, why are you targeting him, and what can you find out about them. If you’ve done your homework well, you can find a way to get the target (or someone close to the target) to open an email.
Given the ease of this ploy, we can expect many more phishing scams such as these webcam porn email campaigns. Just think, we’ve officially entered an age where almost every adult in the United States has had their data compromised somewhere, somehow. Information such as usernames, address, first born, maiden name, and more are out there, just as valid as your current or former password. According to various statistics, most males consume pornography, as much as 70 percent, with women hitting 30 percent. Most would probably like to keep their habits personal and perhaps hidden from everyone else. Once a scammer has gotten you to at least halfway believe them, the rest is easy money.
In other words, the next thing to look out for is targeted spearphishing emails, at scale. I believe that the very same Artificial Intelligence that has wowed us and makes so many things better, can also be turned against us, making threats like phishing much worse. The tools are out there, much of it is open, and you can bet that state-sponsored groups are already on this. Think back to the OPM data breach and all of that personal information that so many of us confessed to the government. Now imagine that in your inbox at work. Imagine politicians and what they get in their inboxes.
Also, expect more attacks against mobile devices, as mobile work continues to be a norm.
Getting on defense
Technology is continually improving; thus anti-phishing measures perform increasingly better at stopping malicious emails. For all that technology that is available, the human factor will always be the factor. It seems that for now, the public-at-large is probably screwed.
If you’re protecting a business, however, as long as you have leaders, you can create a positive culture of cyber-awareness. Tell people to be smart, connect the dots. Embrace security as a culture, minding the process of constant information, while delivering constant reminders. On the technological side, protections include detection tools, URL detonation, and proactive measures.
For example, the folks over at WhoisXML API put together an example of how a database of WHOIS information could have been leveraged in the case of the Airbnb phishing attack (a GDPR-focused campaign).
One of the short-term impacts of the new rules was that all the companies handling data of EU citizens in any form had to contact their clients to confirm certain new agreements.
As a consequence, emails with reference to the new GDPR started flooding all EU citizens (with rules that many of the latter do not even clearly understand). Because most of those emails urged for some activity or reply, this confusion-filled scenario became a genuine paradise for phishing schemes.
Using a map-filtering approach with this data, an organization can detect attacks ahead of time with relevant, updated information.
Hundreds of millions of phishing emails are sent on the Internet every day, leading to billions of dollars stolen annually, not to mention the overtaken accounts and sensitive data obtained this way. The importance of the fight against email phishing cannot thus be overemphasized.
By correlating bulk WHOIS information and data about short-lived domains, the demo shows how systems behind the attack could have been easily found and perhaps prevented.
What to do about phishing scams
Phishing scams persist because individuals get duped by them. At times, the impersonation is technological and in other cases, there is intelligence built into the attack. Tactics change over time, so it’s important to address awareness at the human level, leverage technologies such as threat detection, and to build (counter)-intelligence at the organizational level.
Featured image: Shutterstock
