Introduction
Phishing has proved so successful that it is now the number one attack vector.1 The Anti-Phishing Working Group reports that in the first half of 2017 alone, more than 291,000 unique phishing websites were detected, over 592,000 unique phishing email campaigns were reported, and more than 108,000 domain names were used in attacks.2 In 2016, the FBI’s Internet Crime Complaint Center (IC3) received phishing reports from more than 19,000 victims.3 However, IC3 also notes that only an estimated 15% of victims ever report crimes to law enforcement, so the actual total could exceed 125,000. Of the 19,000 reported cases, the total cost exceeded $31 million.
In this report, we explore why phishing campaigns work so well, how unsuspecting users play into the hands of attackers, and what organizations can do about it.
How Phishers Bait Their Hooks with Information You Volunteer
Seven minutes until his next meeting, Charles Clutterbuck, the CFO of Boring Aeroplanes, had just enough time to answer a few emails. He flopped onto his padded leather chair and tapped out his password. A dozen emails glowed unread at the top of his inbox stack. He skimmed down the list of names and subjects when one caught his eye. It was from an old friend. With a nod, he clicked it up. “How’s it going, Clutt?” the email began. He smiled at the old nickname from the dorm days when he first met Bill. Funny that Bill was emailing him at his work address, but that question was quickly forgotten as he skimmed the message.
From: Bill Fescue b.fescue@blafmail.com
Sent: Thursday, July 6, 2017 12:16
To: Charles Clutterbuck c.clutterbuck@boringaeroplanes.com
Subject: My new hoss
How’s it going, Clutt?
Hit the track with my new Falkens and, guess what? Tremendous grip! No more wheel spins. Check out my track time and cornering: http://vizodsite.com/istruper_video_10
See you at next week’s Autocross?
Bill
As you might have guessed, this is a spear phishing email.
In spear phishing, the attacker leverages gathered information to create a specific request to trick someone into running something or giving up personal information. It’s an extremely successful technique and attackers know this. In fact, the Anti-Phishing Working Group reports that phishing has gone up 5,753% over the past 12 years.4
Phishers work by impersonating someone trusted by the target, which requires crafting a message that is credible and easily acceptable. To do this, the phisher needs information about the target to construct their disguise and bait the hook. They get this information by research and reconnaissance.
In the example above, an executive at a military plane parts supplier received an email apparently from a friend. His interest in car racing—as well as his friend’s name and style of speaking—was plucked off social media. The attacker spent a few minutes of web research on car racing to get the vernacular right and then created an email account in the friend’s name. The link is to a site with a video server that sends an exploit geared to the target’s laptop operating system (gleaned from research on the company infrastructure). It loads specialized malware built to exfiltrate aerospace intellectual property. Easy, peasy.
So, we know that attackers are gathering information from social networks and various Internet sources, but just how much information is available? Defenders spend quite a bit of energy preventing the obvious information leaks like passwords, crypto keys, and personally identifiable information (PII). Those are high impact information leaks, but what about the low impact ones?
It’s worth exploring what’s typically discovered in an attacker’s passive electronic reconnaissance. And, that’s not counting active recon like calling the company’s main phone number and trying to extract information via pretexting5 or going onsite for dumpster diving.6 This is all low-risk stuff that can happen in secret from afar. But, as the Great Detective said, “You know my method. It is founded upon the observation of trifles.”7
How Attackers Collect Data About Your Employees
We’ve seen an everyday example of how easily a competent corporate executive (or any other employee, for that matter) can be drawn into a phishing scam through social engineering. Now let’s look at how some of the seemingly innocent actions we take (information we post) on the Internet make the job of a phisher simple—like taking candy from a baby.
Since spear phishers go after a specific organization, they need to know who works there before they can begin their targeting. A lot of people tag themselves on various social media sites as an employee of a particular company. LinkedIn is a site that provides lots of details on where people work. Quora is another site where tech people congregate: