Teach Someone to Phish and They Can Feed Themself Forever…
Or maybe, we work harder to avoid phishing.
Phishing is a form of social engineering that attempts to steal sensitive information. An attacker’s goal is to compromise systems to obtain usernames, passwords, and other account and/or financial data. They most frequently accomplish phishing attacks via email. The attacker sends crafted emails to people within an organization. The email usually pretends to be from someone trustworthy, like your bank, UPS/FedEx, a credit card company or an airline, or some other site for which you may have login credentials. The email includes a link to an “official” website that is actually a fake site operated by the attacker.
Once the user visits the fake site, they may be asked overtly to enter account information such as usernames, passwords, credit card details, social security or bank account numbers. The victim may also be exposed to malware by the fake site. Taking advantage of a variety of vulnerabilities in the browser, the attacker may be able to install a Trojan Horse on the user’s computer. If done correctly, the attack can capture sensitive information without the victim even knowing that they have been compromised.
Why Phishing Works
Such attacks are especially troublesome when the victims are privileged users within an organization. Suppose a user has privileges to approve or send checks, or authorize a bank transfer such as an ACH transfer. If that user can be tricked into giving up their username and password, then an imposter can potentially re-use the official username/password to initiate their own transfer. Since the transfer is being authorized by an appropriate account holder (as far as the system is concerned, with a valid username and password) it is harder to identify this as fraud without additional monitoring and validations.
Attackers utilize more advanced and more determined phishing methods if they are sure they have identified high value account holders. “Spear phishing” includes techniques to ensure that the attacks are successful. An attacker might, for instance, develop their target employee list, and then check social media pages like Facebook for interests, children’s names and schools, and other available information to gather detailed intelligence that they can use to craft a targeted email. You may not automatically respond to an email from your bank, but would an email from your dealer about an emergency recall notice on your new car, or a notice from a pharmaceutical company about critical side effects of a prescription drug you are taking, or an email about your daughter’s financial aid at college be likely to get some attention? These targeted emails are usually highly effective.
Current phishing attacks against financial institutions are very customized. They are designed to be effective in these environments by targeting large numbers of financial institution employees. The goal is to infect and compromise enough users that the attacker can get end-to-end control of financial transaction approval systems, allowing him to initiate and approve transactions that appear to be properly authorized. These attacks use tailored techniques, dynamic websites, and regularly update the methods used. The result is a series of attacks that have an alarmingly high success rate, yet a relatively low detection rate.
As far as we know right now, these attacks have mostly been conducted against small-to-medium sized banks and credit unions, but some large banks and other financial organizations have been specifically targeted. The resulting compromises have allowed fraudulent wire transfers of sizeable amounts – $400,000 to 900,000, and sometimes more. Attackers are often able to browse an organization’s accounts and specifically select accounts with the highest balances.
Avoid Becoming a Victim
Organizationally, there are things you can do to help avoid becoming a victim, and to minimize damage if you are victimized:
1. Consider using dedicated systems for payment requests and approval processes. Consider disabling email access on any system involved with payment processing. If an attacker cannot compromise the systems in payment processing, he will have a harder time obtaining payment usernames and passwords, and a harder time actually requesting/approving a transfer.
2. Consider using a strong authentication mechanism on all payment processing systems. This would include replacing or augmenting username/password combinations with a hardware token and PIN, or with biometrics such as a fingerprint reader. An attacker will be unable to copy and reuse strong authentication such as a token or biometrics.
3. Consider blocking Internet access for systems involved in payment processing. If the system genuinely has no Internet access, malware would be unable to talk back to its controlling systems and attacker.
4. Consider disabling the use of USB flash drives in payment processing systems. In some circles USB flash drives are often referred to as “malware delivery devices.” Disabling USB flash drives removes one more potential avenue for infection.
5. Use tools available in your email client. Outlook, for instance, has the ability to help filter potentially harmful links. In Outlook, go to Tools/Options/Preferences/Junk E-mail/Options, and check “Disable links and other functionality in phishing messages” and “Warn me about suspicious domain names in e-mail addresses.” These are not perfect solutions but they can help.
6. Be diligent in your use of anti-virus and anti-malware software, including regular updates and scans. Most of the malware used as part of a phishing attack is not detected by standard anti-virus software, but some of it is. Some malware indicators may not be changed before an anti-virus update is available, and sometimes older versions of malware are distributed. Additionally, anti-virus software can help identify secondary infections that may be related to an attack.
7. Use reputation-based website, IP address, and URL filtering to help ensure that any systems accessed from within the company are not considered “bad” sites. You can extend this further by allowing only “white-list” access – access to addresses that have specifically been recognized as “good” sites (note that this has the potential to inhibit some Internet capability).
8. Consider enforcing time-of-day login and payment processing. Many fraudulent transactions occur after normal working hours. For instance, a series of large transfers that completed at 7:00PM Friday evening might be functionally ignored until staff return and see abnormal activities Monday morning.
9. Consider limiting access to payment processing systems from mobile devices, laptops, and systems based in home offices. These distributed systems are typically more vulnerable to threats.
10. Do not allow access to any internal organization system, especially payment processing systems, from a personally owned home computer. There is simply no way the organization can enforce proper control over such a system.
11. Conduct employee security awareness sessions to instruct employees on how to identify phishing emails and avoid falling victim to them. Any reduction in exposure slows compromise and increases your organization’s capability to identify an escalating threat.
12. Explicitly communicate to employees, partners and clients that you will never solicit account information via email, or send a link to update account information.
Individually, there are things employees can do to help avoid becoming a victim and compromising the integrity of organizational operations:
1. Never open attachments or links in unsolicited emails.
2. In general, be suspicious of all emails containing links. If you get an email with a link for you to click, do not click it. Navigate independently to the destination site (for example, by typing www.mybigbank.com into a new browser window) and find the referenced location without using the conveniently included link.
3. Do not respond to suspicious emails in any manner.
4. Do not access emails on the same computers used to initiate or approve payments.
5. Make management aware when you receive a suspicious email.
Examples of Phishing Emails
You can refer back to a previous column I wrote on here for a detailed breakdown of a phishing email. But what if the email is not as blatant as the one I dissected before?
For purposes of this analysis, we will assume that “Account Operator” is a reasonable role in your organization. The attacker has gathered enough intelligence to know that the salutation is appropriate. Also assume that the organization name replaced with xxxxx.com is the name of your organization. What is wrong with this email?
1. Effectively, not much. By all appearances this is an email that came from your own security department providing notice that your ACH privileges have been at least temporarily revoked.
2. Checking the email address will show nothing as the email address has been spoofed.
3. Your first clue should be that the email has a generic salutation. If this email actually came from your own security department, it would probably be addressed to “Martin”, or “Mr. Reyes”, and not to the job role.
4. The only real clue in this email is the hyperlink available at “view details.” In most browser-based email clients and some clients like Outlook, hovering over the hyperlink field will show the embedded link without actually opening it. The hyperlink pointed to a site that was completely unrelated to the organization, something similar to this: “http://jkdev.nodonenet.com/forwarding.htm”
Chances are that you have been the target of a phishing attack. If you are in the financial community, chances are that you have been exposed to dedicated attacks – and will be again. Your best protection against phishing attacks is a combination of training and awareness that can limit the success of phishing attacks, and technical controls that will help identify compromised systems and attempts by those systems to talk to hostile servers on the Internet.