The Human Element

A Banner Year for Phishing

Ep 7 a banner year for phishing the human elementThe Human Element

It should come as no surprise that phishing attacks continue to increase in number. They’re also becoming more sophisticated utilizing multiple methods of phishing to improve their success rate. But why is phishing used so often? Who is doing the phishing? How do you prevent it?

We will discuss this in this episode of the Human Element. We review some statistics and thoughts from the below article.

Global Phishing Attacks Hit A New Record in 2021

 

Unedited Transcript

0:00
People are the weakest link in any cybersecurity plan. We’re distracted, exhausted and often unmotivated. It’s time to change the approach used to protect our businesses, technology, identity and data. The human element has to be front and center in a war against data breaches and ransomware attacks, it’s time to educate.

0:52
Welcome to the human element podcast, visit our website at the human element dotnet for more content to help you strengthen your awareness of the people problem in cybersecurity. I am Scott Gombar, owner and Washtech a client focused, security minded proactive IT service provider. Everyone welcome to episode seven. I am Scott Gombar. And we’re going to talk about global phishing attacks hit a new record in 2021. Before I get to that, I want to apologize and it’s been a few weeks. As you know, as you may know, if you own any business really but an IT business door ebbs and flows, and sometimes things get a little crazy. So haven’t had an opportunity to sit and record took on a new large client. So been very hectic, but here we are. And I’m reading this from software. It’s software.com. If you go to their new section, there is an article from April 27. So that’s yesterday, as I record this, that global phishing attacks hit a new record in 2021. And I’m not really surprised by this. But we’re gonna go through this nonetheless. And I will point out some things that that I think are important here, so global phishing attacks have hit a new high and 2021. As a new attack as new attack vectors and phishing as a service methods emerged. One of the reasons that this type of attack grows in prevalence every year is its low barrier to entry. Meaning, it’s not hard to send a phishing email, I could send a phishing, I don’t even need anything really to send a phishing email, just open up a fake Google account or a fake Outlook account or whatever. People are still using Hotmail, AOL free cable company email, or ISP, email, all of these things are still being used in then send a phishing email. I’ve literally done this to teach people what to look for. Moreover, cyber criminals take advantage of current events such as COVID-19 pandemic or cryptocurrency to trick victims to hand over their confidential data. Now, of course, we have a war in Ukraine. And the tools that are used to do a lot of this are actually available free to our Linux distributions that include these tools or if you’re inclined, you can download some of the tools and install them on your computer even if you use Windows download VirtualBox and and install kali linux or or parrot on your virtual box and use it from there. And they’re free to use and they’re not hard to learn. And that is what is meant by low barrier to entry. Now, a lot of times the phishing attacks are pretty obvious, you get emails that, you know, the grammar is really bad. And the links are poorly written and it’s sent to a whole bunch of people. And if you pay attention to where it came from, it came from a Gmail address. And if you go to the Nightwatch tech YouTube page, you’ll see a lot of phishing attack emails that we review. And I think another reason it’s growing is some forms of phishing are actually growing. And I don’t know if this article includes those forms. And that’s phishing, which is voice and smishing, which is text message, but then you also have QR codes of phishing websites, you have all kinds of other stuff. So phishing traditionally, his email and email still accounts for 90 something percent of all phishing attacks, but it is growing and other vectors especially vishing voice phishing. So let’s jump into so some of what we got here. A new report from Zscaler, which is a security company they primarily work to secure email, encrypt email and so forth reveals that phishing attacks showed a dramatic 29% growth as record of 873 point 9 million attacks were observed globally in 2021. Now, I would think it’s actually higher than that. And the reason I say that is because phishing filters if you use Google if you use Microsoft or any reputable email service, they’re getting caught by those filters before they even reach an inbox. So if I have Office 365, and I do have Zscaler set up, it may never even get to Zscaler before it gets to office 365. If it goes through your email first now, you may not think the scale actually operates on it. I think it depends on how you have it set up. So some of those services now operate before it actually reaches your email. So for example, Proofpoint, it goes through Proofpoint first. And then if you look at the MX records, it’ll show Proofpoint instead of office 365, or Google or whoever you’re using, which is actually a good thing. Because what I do show people a lot is that it’s not hard to figure out what kind of email service you’re using on the internet.

5:48
A majority of these attacks use productivity tools, illegal streaming sites, illegal being the key word, and that’s where DNS filtering would come into place. By the way, shopping sites, again, DNS filtering social media platforms, you can filter that out, depending on the role of the person that is doing the work financial institutions and logistical services as a lure to target victims. Organizations in retail and wholesale sectors were the most targeted entities experiencing over 400% increase in phishing attacks in the past 12 months, or in the last 12 months. Just 2021. And I think that in part is because the amount of money that is going through those organizations, the US was the most targeted country accounted for 60% of all phishing attacks. The next frequently attacked countries were Singapore, Germany, the Netherlands and the UK. Researchers also noted that SMS phishing is emerging as one of the prevalent attack methods of intrusion, as users become more cautious of suspicious emails. Also very true, I get some text messages that are obviously phishing. We’ve reviewed some of those on this podcast in on the website, the human element.net. And I think it’s important to note, a lot of the phishing attacks and something else we’ve also discussed, are using multiple forms more of it’s more of a social engineering, I mean, phishing is social engineering. But this the types of attacks that are working more, include multiple forms of phishing, so you might get an email and then get a phone call, or you might get an email that asks you to call, make a phone call. And so now we’re using phishing and vishing, or smishing, which is text message and phishing, voice message phishing. And we reviewed the payment app scams that happen where you get a text message that says, Did you authorize this payment of $500 to this account, and you say no, and you immediately get a phone call. And the person claims to be from the fraud department at the bank and in the end up tricking you into sending even more money. So multiple forms of phishing being used there. And the success rate of when that occurs is a lot higher than if it was just one form. And I’ve, I’ve spoken to people and help people who have gone through that. So something to be aware of that listened to previous podcasts, because I don’t want to dive into that here. But something to be aware of that you should always, whenever someone contacts you, unsolicited, and says, Hey, there’s an issue, hang up and call that organization back through known contact methods. So in other words, if you if your bank calls you and says there’s an issue with your account, we suspect fraud. Even if they go as far as Can you verify your account number, can you verify your last four of your social, whatever it is, hang up and call the bank back, if you have a debit card, the bank’s phone number is on the back of the card, you can Google the account, the phone number for the bank, all of these things are better than talking to whoever is calling you. And if they did legitimately call you they will appreciate the fact that you made that extra step. If they didn’t call you, they’ll appreciate it even more, because now you’re not getting defrauded out of, you know, potentially 10s of 1000s or more of dollars. Fishing as a service as a growing threat. So fishing as a service is like anything else as a service. I pay someone to do the phishing attack for me maybe I’ve identified a potential victim that could make the attackers a lot of money and and I take a cut of that. So phishing is a service while phishing has long been one of the most common tactics used in cyber attacks by sophisticated threat actors as it become it has become more accessible to low skilled cyber criminals due to a maturing underground marketplace for attack frameworks and services. Some of that is they actually hire people. They have HR departments and hire people to work for these organizations, these cyber criminal organizations. They act like legitimate businesses that hire people to hire coders. They hire people to become insider threats, initial access brokers, things like that these are all hired people. And then they have affiliate marketing as well. If you get us inside,

10:30
I’ll use also Tesla, if you get us inside Tesla will give you a cut in the payment is actually pretty significant for affiliates, so it’s appealing to some people. And one such incident. Researchers discovered 1000s of man in the middle fishing toolkits being used in the wild to intercept two factor authentic security codes, authentication two factor authentication security codes. These toolkits also enabled the attackers to steal authentication cookie files from computers, we reviewed the some of what is being done to intercept two factor authentication. The Lazarus group that is operating out of Brazil was a teenager running it is doing this successfully. And I’m sure other groups are doing this too. But it is happening in a lot of times it requires human interactivity. So somebody might have you on the phone and asking you for the text message that you just received, which is why text message two factor authentication is not the best method, or one of the reasons, but it is on the rise. So while two factor authentication is great, and you should absolutely have it turned on whatever method any method is better than nothing. There are some methods of two factor authentication that are better than others. The best way to do it at this point is a token. You like a USB token, you plug it into your computer, and you authorize it that way. The second best would be an app on your phone like Microsoft authenticator or Google Authenticator that allows you to generate code every 30 seconds. And that code is only good for 30 seconds or could be good for five seconds depending on when you open the app. And using that code, but that again is susceptible to what I just talked about. Be it be or browser in the browser attacks can add more trouble. And this is a new phishing technique. I’ve heard several different variations of this recently demonstrated by researchers capable of making phishing attacks nearly invisible. And so what happens is, the technique relies on single sign on options on websites and can enable attackers to harvest credentials from Facebook, Google, Apple, Microsoft without users knowledge. And what happens is you’re logging into a what looks like a legitimate website where you actually might be logging into the website, but what you’re logging into is somebody screenshare. And so they’re actually grabbing all of your information as you’re entering it because you’re entering it on their server, even though it is legitimately so you type in office, you know, portal.office.com, which is one of Microsoft’s website, and you enter your credentials. You’re doing this on a remote session, and somebody else is remoted into that server.

13:34
So you have no idea that it’s being it’s a browser inside a browser, here’s what it is.

13:42
Researchers claim that on average, an average sized organization receives dozens of phishing emails every day, I again would think it’s a lot higher than that. This means that employees at all levels must be aware of the most common phishing tactics and train to spot phishing attempts that can result in financial loss and damage to an organization’s reputation. Now, the training is the key. And we train so in Washtech does train our our clients and employees on how to recognize fishing but that we go further than that? We have. I tried to do it weekly. Again, it hasn’t worked out the last few weeks. But I did put one up a couple, I think a few days ago on our YouTube channel, so it’s YouTube, just YouTube and Washtech NWA J. Tech. And so I tried to do a weekly phishing email review or phishing attack review, really, because this week, as an example, we had one to Google messenger, we had one through Instagram messenger. And we have one that was Gmail that we’ve reviewed before but because it’s so calm, and I wanted to do it again, it’s the same format, just a different company being new. So remember who it was this week and I remember who it was, but I got three of them in a row from the same company. Purportedly from the same company, it wasn’t. And it was, it’s very obvious to someone like me that it’s a phishing email. And there, there are some very obvious signs that it’s phishing. But someone who’s not familiar with those things might fall for. I did see on a Facebook group, a town focus Facebook group, town here in Connecticut, where someone fell for the you just paid $500 for. I don’t know Norton Security Suite through BestBuy. And they fell for it. And they called up and they got scammed. And they shared it on social media, to warn other people so good for them for sharing it, because most people would not share that they fell for something like that. What it is, that is another common phishing scam through email. And these things come in all the time. So I do have email accounts that have no Phishing Protection at all. They’re not my work email, they’re just whatever, emails for various reasons. And they get phishing emails all the time, way more than dozens of per day, in just one account. So imagine a company with 100 employees, even if they’re each getting one per day, this is 100 phishing emails a day. Not to mention that if you’re using Google or Microsoft, they block out 80 to 90% of all the phishing emails. So I think the number is a lot higher than that. And I think education is the key. So that’s why I do this podcast. That’s why I do those videos. That’s why we teach all of our clients because this is one of the four most common ways into an organization’s networks. So there’s fishing, there’s Remote Desktop Protocol or similar services. There’s unpatched software, or hardware. And there’s weak emails. And sometimes these things are combined to launch a massive attack. You know, in the case of I go back to SolarWinds attack, it’s been over a year now. No, it hasn’t, hasn’t been over a year. I don’t even remember anymore. I think it’s been over a year. And there, there was combination, weak password phishing, and unpatched software, all of those things were used to attack SolarWinds. Supposedly, this is what we’re told, and in return, get into other companies, because now they compromised the source code for solar winds. I think to happen at the end of 2019, but I could be mistaken. That means if those are the four most common ways of getting into an organization’s network, an organization’s data phishing is, I believe, the most common way in tech, it has the highest rate. But it was also the lowest barrier of entry, as I mentioned earlier in this podcast. So that means that we’re taking something that’s easy for someone to learn how to do. Especially eat through email. So voice phishing is a little more challenging, because you have to have a little bit of confidence on the phone, you have to sound like you know what you’re talking about. But through email, it’s not hard at all, through text messaging, it’s not hard at all, I can send all of these things, I have multiple phone numbers myself that I could send text messages from, and nobody knows what they are. It is really, really not hard at all. And I’m not spending any money on any of those. Not hard at all, to accomplish these things. low barrier of entry,

18:40
a high rate of success, especially certain attack methods through phishing, and high reward if success is accomplished. So it’s not going to go anywhere, until we continue to teach our people what to look for, how to to defeat it, and how to avoid it, and how to help them understand what it is they’re dealing with most. What you need to look out for the most is anything that elicits an emotion is strong emotion. It least at the very least step away from it and come back to later. Most likely, it’s fishing, and you can ignore it. So if they say you have discharged $500 on your card, and you’re like, Oh, I didn’t do that or at Amazon purchase or, you know, your corporate account has been compromised. And we need you to verify your password. All of these things. You your heart starts racing and you’re you’re panicking. You’re going to make poor decisions. Step back. Think about what you’re doing. Before you do it. Phishing isn’t going anywhere. It’s going to continue to expand into different areas. It’s time to stay educated, and avoid catastrophe is really what it all comes down to in a lot of cases. It’s going to do it for this podcast. Until now. Times, David

Transcribed by https://otter.ai

Exit mobile version