NAMIC convention session alerts attendees to spear phishers’ activities
Thanks to technology (see what I did there), I was able to attend this year’s National Association of Mutual Insurance Companies convention virtually via their Connect Differently option. A session on cyber security was an eye-opener for me, diving into the details of how hackers operate. Delivered by Joe Cicero, an IT security instructor at Northeast Wisconsin Technical College, the session titled “Spear Phishing for Whales: Targeted Attacks on Corporate Executives” compared the components needed for phishing—we’ll get to definitions in a bit—to those used in the sport of fishing.
It’s been a bit; here’s some hacking terminology:
- Spam—junk mail; it’s not an attack.
- Phishing—an attack, typically an attempt to extract information—usernames or passwords—to gain access to an account or organization.
- Spear phishing—a more personal form of phishing (e.g., a fake message from American Express when you have an American Express card).
- Whaling—attacking high-value targets, like C-level executives or system administrators.
- Doxing—publishing stolen information—whether emails, data or credit card info—on the Internet.
- Vishing—voice phishing.
- SMiShing—an SMS phishing attack.
Attacks and stats
Cyber attacks are always occurring; earlier this year 143 million U.S. consumers were affected by the Equifax breach. What exactly caused some of the more infamous data breaches in recent history?
“In 2014, C-level executives at Sony received an email from ioscareteam.net, and upon clicking the link they were given a form where they could fill out their credentials,” explains Cicero. “The attackers used those credentials along with information they found on LinkedIn to gain access to Sony’s network. They did it all in hopes that the executives used the same passwords or similar passwords on their iOS devices as they used to get into the network.”
A simple human error led to the 2016 breach involving John Podesta and the Democratic National Committee.
“Podesta received an email apparently from Google saying your account has been hacked and you need to change your password,” explains Cicero. “Luckily, an aide saw that email and forwarded it to an IT technician. The technician made a spelling error in his response saying that this was a legitimate email when he meant to say illegitimate. Podesta clicked the link in the email, and we had the DNC hack.”
What do these attacks mean for your organization?
According to PhishMe’s 2016 Enterprise Phishing Susceptibility and Resiliency Report, phishing is the number one delivery vehicle of malware. The State of the Phish, released by Wombat Security Technologies in January 2016, states that 85% of organizations have been attacked, by either phishing or spear phishing. And in its white paper Spear Phishing Attacks—Why They are Successful and How to Stop Them, FireEye says that the open rate of a spear phishing email is 70%. Fifty percent of the 70% will proceed to click on the link.
“The best predictor of future behavior is past behavior,” says Cicero. “Every year we see this happen, and it’s increasing. You and your organizations need to be familiar with and be prepared for what’s going to happen if you get attacked.”
Phishing as fishing
“When you go fishing, you have to go to the right location, at the right time, use the right equipment, and have the right bait,” Cicero says.
Time—Phishing attacks tend to increase around holidays, news events, elections, and disasters.
“I had two colleagues recently receive SMiShing attacks, an SMS message from Chase—they both had Chase accounts—and it all went back to the Equifax hack,” explains Cicero. “When that Chase message arrived they were in the right frame of mind; it was the right time to hit them.
“What happens around tax time? We get phone calls and emails. The IRS is coming after you. The hackers know this.”
Location—Places with large numbers of people are good targets: conferences, hotels, sporting events.
“We’re at the NAMIC conference and there are a lot of C-suite level executives here,” explains Cicero. “This is a wonderful location to be able to target somebody; you’re all in one location at a hotel. A lot of people will be using the open wireless connection.”
Equipment—A number of software applications are available to assist with phishing; “all of them have a legitimate purpose,” says Cicero. “They were designed for security pen testers (individuals who simulate attacks on computer systems to look for weaknesses), but anyone can go online and download them.”
From automatically doing background searches and slipping applications through systems’ back doors to testing whether antivirus systems will discover malware, platforms like Kali Linux, Maltego CE, Social Engineer Toolkit and Shellter assist spear phishers by simplifying the tasks at hand.
Bait—A Cisco Security report shows that typical phishing bait includes in the subject line phrases like purchase order, payment, receipt, product order or invoice.
“Take an extra ten seconds every time one of these emails comes in and make sure it’s really what it is, rather than hurrying through it,” Cicero says.
When it comes to the more specific spear phishing, where are the attackers gaining their information?
“Just as if you were doing a background search when hiring somebody, you would want to Google them; the bad guys are going to do the same thing,” says Cicero. “If they’re looking at attacking you or your organization they might use Google, Google Street View, Bing or Yahoo to find out information about you.”
Cicero gave an example of how he found a C-level executive’s name on LinkedIn, searched that name on a different site to get a home address, and then looked up the address on Google Street View.
“Next to this executive’s house was a vehicle for his lawn care service, MEGA Lawn Care,” Cicero says. “I immediately have an attack vector. I create an email from MEGA Lawn Care and send it to the executive with the subject ‘invoice payment not received.’ What are the odds that they’re going to open that email? According to the stats, 70%.”
Social media is another location to learn about attack vectors for potential victims.
“Age is an attack vector you can discover on social media,” says Cicero. “When you’re around 50, you start getting messages about the PSA test. Hackers know this. They might make a phone call to your company and find out what insurance you use; maybe they applied for a position they weren’t even interested in just to get information about your organization. Now they know your insurance company, and then you receive an email from them—PSA results, please open immediately. Probably something we would click on.”
Other attack vectors are marital status, health concerns, vacations, connections, and social causes.
“The chance of your opening the email is much higher if it comes from something you’re familiar with,” Cicero says.
Another good source for discovering attack vectors is public record aggregator sites like Black Book Online, Intelius, PeekYou, Pipl, Spokeo, and Snitch.name.
“These sites will take the information from multiple public record databases and put it in one place for one-stop shopping,” says Cicero. “Do you have some type of license—which is a public record—that needs to be renewed? I can find that information and can send you an email about that.”
Other public records attractive to spear phishers are property tax and payment records and public and criminal records. Neighbor and relative searches also can be useful to them.
“Remember when we used to use our mother’s maiden name as a security question answer?” Cicero asks. “It’s all published on the Internet and very easy to find.”
License searches also can be used for spear phishing bait.
“You can do car license plate searches now,” Cicero says. “Go to Craigslist. When you see someone selling a car with a shown license plate number, you can do a search and find all kinds of information about that car. You can do the same with FAA registry numbers for airplanes.”
Overlooked bait is the use of video and photographs.
“If you have a Flickr account or use Instagram, YouTube or TinEye, it will allow me to abstract the information from images or videos,” says Cicero. “What can you find in an image? Metadata might show the make of the camera. I could send an email in regard to trading in your specific camera model for an upgrade.”
Additional attack vectors are dates and times, host operating systems, and hobbies. Locations also can be retrieved from the data stored in photographs.
“Who has seen somebody take a picture of their meal on Facebook?” asks Cicero. “If I extract the latitude and longitude of that picture, I now know where you ate it. If I know where you ate it, I could design an email from that restaurant saying, ‘Hey, thank you for publishing a picture of your meal on the Internet. We’d like to give you this free coupon; click here to download.’ What are the odds it’ll be opened? Probably 70%.
“I can take a profile picture used on a company web page and stick it on TinEye, a reverse image search. It tells me everywhere else that picture is located on the Internet. One of the websites was alumnius.net. What are the odds that if your picture is on alumnius.net and you get an email from alumnius.com or aluminius.biz, you’re going to click on that link? You’re familiar with that website; this is what spear phishers do.”
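Two of the warning signs described above lend themselves to an automated first pass: the bait phrases the Cisco report found in subject lines, and sender domains that imitate a site the recipient already trusts (alumnius.com or aluminius.biz standing in for alumnius.net). The following Python helper is an added example, not code from the article, from Cicero’s session, or from any product named on the page. The trusted-domain allowlist and the sample messages are constructed for the example; the lookalike test uses a TLD swap check plus a similarity ratio threshold, which is one reasonable heuristic among many, not a standard.

```python
import re
from difflib import SequenceMatcher

# Subject-line phrases the article cites from the Cisco Security report.
BAIT_PHRASES = ("purchase order", "payment", "receipt", "product order", "invoice")

# Constructed allowlist: domains this (hypothetical) organisation already
# corresponds with. Only the domains themselves are trusted, not lookalikes.
TRUSTED_DOMAINS = {"alumnius.net", "chase.com"}

# Similarity at or above this ratio counts as a near-miss spelling (assumption).
LOOKALIKE_THRESHOLD = 0.85


def sender_domain(addr):
    """Return the lowercase domain of an address such as 'Name <user@host>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", addr)
    return m.group(1).lower() if m else ""


def split_domain(domain):
    """Split 'foo.bar.com' into ('foo.bar', 'com')."""
    name, _, tld = domain.rpartition(".")
    return name, tld


def lookalike_of(domain, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `domain` imitates, or None.

    Catches a TLD swap (alumnius.com for alumnius.net) and a near-miss
    spelling (aluminius.biz) while leaving the genuine domain alone.
    """
    if domain in trusted:
        return None
    name, _ = split_domain(domain)
    for good in sorted(trusted):
        good_name, _ = split_domain(good)
        if name == good_name:
            return good
        if SequenceMatcher(None, name, good_name).ratio() >= LOOKALIKE_THRESHOLD:
            return good
    return None


def bait_phrases_in(subject):
    """List the bait phrases that appear in the subject, in list order."""
    s = subject.lower()
    return [p for p in BAIT_PHRASES if p in s]


def triage(message):
    """Return the reasons a message deserves the 'extra ten seconds' the
    article recommends; an empty list means no heuristic fired."""
    reasons = []
    hits = bait_phrases_in(message["subject"])
    if hits:
        reasons.append(f"subject uses bait phrase(s): {', '.join(hits)}")
    dom = sender_domain(message["from"])
    imitated = lookalike_of(dom)
    if imitated:
        reasons.append(f"sender domain {dom} looks like {imitated}")
    return reasons


# Constructed sample messages modelled on the scenarios in the article.
SAMPLE_MESSAGES = [
    {"from": "billing@mega-lawncare.example", "subject": "Invoice payment not received"},
    {"from": "alumni@alumnius.com", "subject": "Reconnect with your classmates"},
    {"from": "alumni@aluminius.biz", "subject": "Your receipt"},
    {"from": "news@alumnius.net", "subject": "Quarterly newsletter"},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["from"], "|", msg["subject"])
        for reason in triage(msg) or ["no heuristic fired"]:
            print("   -", reason)
```

A hit is a prompt to verify the message through a known-good channel, not proof of an attack; the genuine alumnius.net newsletter passes, while the MEGA Lawn Care invoice from the story is flagged on its subject line alone.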
What can you do?
It appears inevitable that an attack attempt of some kind is going to happen, but what can you do to prepare for one?
“Education and training are the best actions you can take,” Cicero says. “Real training. Phish your employees and have them learn from their mistakes.”
Keep your employees informed; remind them of the keywords frequently found in subject lines. Recognize when emails are actual phishing attacks and make sure to report them.
“Recognizing and reporting are important and where a lot of companies fail,” explains Cicero. “You receive a phishing email, you recognize it as a phishing email and you treat it like spam. You delete it. That doesn’t help the person next to you. If you see a phishing email, it would be much better to have a procedure where you let your IT department know, or if you’re a small business let the other employees know.”
Another simple thing your employees can do is to slow down.
“Make sure they are actually looking at the emails going to them; sometimes we just click too fast,” Cicero says.
As for your IT department, it can “block countries that your employees don’t need to be connected to,” says Cicero. “You can research which countries are used the most for phishing attacks, and you can block those entire countries. Unfortunately a lot of phishing attacks come from dot-com addresses, so there are a lot of domains you will be unable to block.
“Your employees and you are up against tools, tactics and techniques that the government uses, and now they are leaked to any hacker on the planet. Any individual sitting in a bedroom is capable of doing everything I explained, so you can’t expect your employees to not be phished. Prevention is key, but detection is a must.”
By Christopher W. Cook
YOUR PHONE’S A TARGET, TOO
This past October, Kite Technology Group published a blog that explained “How to Spot a SMiShing Attempt.”
The mobile version of phishing, a SMiShing attack attempts to reach its target by SMS or text, as opposed to email. Similar to an email attack, a SMiShing attack relies on the victim to comply with instructions given in the message, usually requesting to open a link infected with malware. Passwords, accounts, and client information—like in a phishing attack—are the typical credentials sought by “SMiShers.” While most individuals are aware of attacks that can come through their email inbox, the concept of receiving one via text is still catching on.
What can be done upon receiving a SMiShing attack?
Any questionable message requesting you to open a link or risk facing a recurring fee should be brought to the attention of your IT department. Next, the target should contact the purported sender to verify the legitimacy of the request, by means other than text (a phone call, email, etc.).
Be wary of messages from “5000” numbers, which indicate that the message originated as an email sent as a text; hackers have been known to use this tactic. A downloadable application in a text is another red flag, as it is a common method of infecting mobile devices with malware.
A good rule of thumb is to download and use apps only from your mobile device’s official marketplace, where they are less likely to be malware in disguise. For added security, augment the practices above with the use of a virtual private network (VPN) to safeguard your mobile activities. Your phone’s a target, too; be on the lookout.
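The red flags in the sidebar can be turned into a small screening check for text messages: a sender that is a “5000” number, a link the message asks you to open, a link that delivers an app from somewhere other than an official marketplace, and a threatened recurring fee. The Python below is an added example and is not code from the article or from Kite Technology Group. It reads “5000 numbers” as sender numbers whose digits begin with 5000, treats `play.google.com` and `apps.apple.com` as the official marketplaces, and uses constructed sample messages; all three are assumptions for the example.

```python
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

# Assumption: these hosts are the official marketplaces the sidebar refers to.
OFFICIAL_APP_HOSTS = {"play.google.com", "apps.apple.com"}

# Assumption: a "5000 number" is a sender whose digits start with 5000,
# the form carriers stamp on email relayed through an email-to-SMS gateway.
def is_email_gateway_number(sender):
    digits = re.sub(r"\D", "", sender)
    return digits.startswith("5000")


def extract_urls(text):
    """Return the URLs in a message with trailing punctuation stripped."""
    return [u.rstrip(".,;:!?)") for u in URL_RE.findall(text)]


def is_app_download(url):
    """True for links that hand over an installable package, or a download
    page, outside the official marketplaces."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()
    if host in OFFICIAL_APP_HOSTS:
        return False
    return path.endswith((".apk", ".ipa")) or "download" in path


FEE_THREAT_RE = re.compile(r"\b(recurring|monthly)\s+(fee|charge)\b", re.IGNORECASE)


def smishing_flags(sms):
    """Return the sidebar's red flags that apply to one message; an empty
    list means none fired and the message still deserves ordinary care."""
    flags = []
    if is_email_gateway_number(sms["from"]):
        flags.append("sender is a 5000-series email-to-SMS gateway number")
    urls = extract_urls(sms["text"])
    if urls:
        flags.append(f"message asks to open {len(urls)} link(s)")
    for url in urls:
        if is_app_download(url):
            flags.append(f"link delivers an app outside the official store: {url}")
    if FEE_THREAT_RE.search(sms["text"]):
        flags.append("threatens a recurring fee")
    return flags


# Constructed sample messages; 555-01xx numbers are reserved for fiction.
SAMPLE_SMS = [
    {"from": "5000123456",
     "text": "Chase: your account is locked. Verify now at "
             "http://chase-verify.example/login or a recurring fee applies."},
    {"from": "+1 555 010 0199",
     "text": "Install our new security app: http://cdn.example/files/secure.apk"},
    {"from": "+1 555 010 0123",
     "text": "Your table for 2 is confirmed for 7pm. See you tonight!"},
]

if __name__ == "__main__":
    for sms in SAMPLE_SMS:
        print(sms["from"], "|", sms["text"])
        for flag in smishing_flags(sms) or ["no red flag fired"]:
            print("   -", flag)
```

As with the email check, a flag is a reason to verify through another channel before acting, which is what the sidebar recommends; the dinner confirmation passes, the fake bank alert trips three flags, and the app install trips two.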