Hackers Refine Phishing Techniques
In early January 2017, the payroll manager of Sunrun, a company that leases solar power equipment and related services to homeowners, fulfilled what appeared to be a routine request for the W-2 tax forms of its 4,000 employees across the United States.
The urgent request seemed to come from Sunrun's CEO, Lynn Jurich. The information the payroll department emailed out included staff Social Security numbers, wage and tax figures, and home addresses. According to The San Francisco Chronicle, the company discovered the well-planned email scam within an hour of the request, but by then the data had already left the building.
A blend of technology, training, and policy solutions could have averted this scenario, as well as many others that occur every day.
This is How They Do It
A large share of network intrusions begin with "phishing expeditions": attackers send staff emails that carry links to malicious websites or attachments that install malware when opened.
The 2017 Verizon Data Breach Investigations Report found that phishing was still a major problem: it was a factor in 21% of all security incidents and 43% of data breaches, and it was the most common initial vector in cyberespionage. According to the report, nearly 10 percent of phishing emails succeeded in getting a recipient to click or open an attachment.
Sometimes a link takes the user to a website that exploits the browser or tricks the user into running a download that installs malware on the local computer. In other cases the email carries an attachment, typically an Office document with a malicious macro, which downloads and runs the malware as soon as the user enables the macro.
Other, more targeted "spoofing" emails (often called business email compromise, or BEC) imitate directives from a chief executive or owner. In Sunrun's case the sender address looked almost identical to the CEO's genuine address; a single changed or added character in the domain is enough to fool a busy reader.
Usually a spoofing email goes straight to the business's accounting manager and instructs them to disburse funds to a bank account the email presents as a customer's, supplying the account details and the transfer amount. Many an unwary manager has wired sums ranging from a few thousand to a few million dollars to criminal accounts.
According to the BBC, the FBI reports that more than 22,000 organizations worldwide lost in excess of $3bn to such spoofing scams between 2014 and 2017.
BYOD and Social Network Phishing
Corporate Bring Your Own Device (BYOD) policies have greatly expanded the attack surface of company networks. Organizations let employees use their personal phones and tablets for work in order to reduce hardware costs, and give those devices access to corporate applications and data. However, the same devices are used for social networks, and anything that compromises the device can compromise the corporate data on it.
One of the most common phishing techniques on social networks is to buy Facebook advertisements that target the intended victims. Like phishing emails, such advertisements lead to websites that push malware onto the device. Sometimes the malware roots the device, gaining administrative control of it and access to every credential stored on it, including those the user relies on for corporate networks.
Another attack vector is hijacking a social media account and using it to send malicious links to the account holder's unsuspecting "friends". Trusting the apparent sender, recipients click the links and unwittingly expose their own devices to attack.
How to Defend Against Phishing Attacks
A PC Magazine product comparison found that nearly all the top antivirus packages include phishing protection. Typically, the anti-phishing feature warns the user when a link in an email leads to a faked website, and some products rate each URL on a red-yellow-green scale based on data about how malicious the destination is believed to be. Nevertheless, even the best technology is of little help to an organization that lacks appropriate user training and company policies.
The most effective way to combat the phishing scourge is to teach staff throughout the organization how to spot phishing and spoofing emails, and how to report one promptly so that others in the company do not fall for the same message. Service providers that offer end-user security awareness training often also run simulated phishing campaigns (a form of penetration testing, or "pen testing") to measure how many staff click and to target follow-up training at those who do.
Companies should also adopt firmer procedures for acting on electronic requests. For instance, any request to disburse funds or release employee records, whoever the requestor appears to be, should be verified in person or by phone, using a number already on file rather than one supplied in the email. This is comparable to the second, out-of-band step that many banking customers encounter when "two-factor" authentication is required to access online banking apps.
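As an added example (not code from the article, from Sunrun, or from any product the page mentions), the following Python script applies the two checks described above in one place: the lookalike sender domain and borrowed executive display name used in CEO spoofing, and the lookalike link domain that desktop anti-phishing features rate before the user clicks. The corporate domain example.com, the executive list, the trusted-domain list and the three messages it analyses are all constructed for illustration; the confusable-character table is a small hand-picked one, not a full Unicode confusables list.

```python
"""Heuristic checks for executive-impersonation emails and lookalike links.

Added example; the domains, names and messages below are hypothetical.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Optional

# Assumptions (hypothetical values): the company's genuine domain, the display
# names most likely to be impersonated, and domains whose links staff expect.
CORP_DOMAIN = "example.com"
EXEC_NAMES = {"lynn jurich"}
TRUSTED_DOMAINS = {CORP_DOMAIN, "payroll-provider.example"}

# Character sequences that look alike in common fonts; multi-character pairs first.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]
URL_HOST_RE = re.compile(r"https?://([^\s/<>\"']+)", re.I)
MONEY_RE = re.compile(r"\bw-?2s?\b|wire transfer|urgent")


def skeleton(label: str) -> str:
    """Collapse confusables so 'examp1e' and 'exarnple' both become 'example'."""
    s = label.lower()
    for src, dst in CONFUSABLES:
        s = s.replace(src, dst)
    return s


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a distance of 1 catches single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels of a hostname. Assumption: no public-suffix list, so
    two-part suffixes such as co.uk are not handled."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def lookalike_of(host: str, trusted) -> Optional[str]:
    """Return the trusted domain that `host` imitates, or None if genuine/unrelated."""
    labels = host.lower().strip(".").split(".")
    if ".".join(labels[-2:]) in trusted:
        return None  # exact match, or a real subdomain of a trusted domain
    second_level = labels[-2] if len(labels) >= 2 else labels[0]
    for t in sorted(trusted):
        tl = t.split(".")[0]
        if (skeleton(second_level) == skeleton(tl)      # homoglyph / confusable
                or levenshtein(second_level, tl) <= 1   # one-character typo
                or tl in labels[:-2]):                  # trusted name buried in a subdomain
            return t
    return None


def analyse(raw: str) -> list:
    """Return (finding, detail) pairs for one plain-text RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = addr.rpartition("@")[2].lower()
    if name.lower() in EXEC_NAMES and registrable(from_dom) != CORP_DOMAIN:
        findings.append(("display-name impersonation", addr))
    if (t := lookalike_of(from_dom, TRUSTED_DOMAINS)):
        findings.append(("lookalike sender domain", f"{from_dom} imitates {t}"))
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rpartition("@")[2].lower() != from_dom:
        findings.append(("reply-to mismatch", reply))
    body = msg.get_payload() if not msg.is_multipart() else ""
    for host in URL_HOST_RE.findall(body):
        host = host.split("@")[-1].split(":")[0]  # drop userinfo and port
        if (t := lookalike_of(host, TRUSTED_DOMAINS)):
            findings.append(("lookalike link", f"{host} imitates {t}"))
    # Money or tax-form language only matters once the sender already looks wrong.
    if findings and MONEY_RE.search((msg.get("Subject", "") + " " + body).lower()):
        findings.append(("financial request from suspicious sender", ""))
    return findings


# Constructed sample messages (not real mail).
SPOOFED = """\
From: Lynn Jurich <lynn.jurich@examp1e.com>
To: payroll@example.com
Subject: Urgent: W-2s for all staff

Please send me the 2016 W-2 PDFs for every employee before noon today.
"""
GENUINE = """\
From: Lynn Jurich <lynn.jurich@example.com>
To: payroll@example.com
Subject: Board deck

Draft attached for review; see https://intranet.example.com/boards/q1
"""
LINK_LURE = """\
From: IT Helpdesk <helpdesk@example.com>
Reply-To: helpdesk@exarnple-support.net
To: staff@example.com
Subject: Password expiry

Reset at http://login.exarnple.com/reset within 24 hours.
"""

if __name__ == "__main__":
    for label, raw in [("spoofed", SPOOFED), ("genuine", GENUINE), ("link lure", LINK_LURE)]:
        print(label, analyse(raw))
```

Two caveats a practitioner would add: the From header is attacker-controlled, so these checks only catch lookalikes, not an exact forgery of the genuine domain, which is the job of SPF, DKIM and DMARC enforcement at the mail gateway; and lookalike heuristics produce false positives, so their output belongs on a warning banner or in a review queue, not in an automatic block.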
Sometimes, though, the most effective measures against hackers involve neither more hardware nor more software, but the wetware we are all supposed to be endowed with: common sense.