We have all heard the term phishing. However, do we understand what it means and the overall magnitude of phishing attacks? According to a Digital Trends and Microsoft survey of Office 365 users, phishing attacks are up so far in 2019 by more than 250%. An analysis by the Microsoft Security Team, which reports more than 6.5 trillion security-related signals a day and 470 billion emails per day, says we see only the tip of the iceberg. That thought is staggering when you consider that it takes only one attack to get through, and that one could be costly to your organization. You are most likely asking yourself how this is possible: I spend so much money on firewalls, anti-virus, and spam and malware protection, so how can I be at more risk now than before? As protection research has improved, so have the methods used by scammers, who have become more proficient and efficient in how they coordinate their attacks.

Dissection of a Phishing Attack.

There are many moving parts when it comes to how phishing attacks happen. How do you detect a phishing attack? How do you determine the damage? Could it be system damage via a cryptovirus, or financial harm to your organization? Incident response: what responsibilities do you have to vendors and customers, and if you are a public company, how do you report this to shareholders and customers? How do you deal with mobile device security and remote access, the most common entry points for phishing attacks? The questions, both positive and negative, go on and on. In today's always-connected world there is a need for full collaboration software and connected services, but are they opening you up to phishing attacks? Couple those business needs with our need for immediate access to data, then add the human factor, and you have all the dynamics for a robust phishing attack.

Before we get too far into this, let's go through the different types of phishing scenarios and how they target different people and processes.

Spear phishing: a very targeted attack based on a group of email addresses harvested through social media such as Facebook, Twitter, and LinkedIn, or from email lists bought through trade shows, conferences, online newsletters, or other organizations and companies where you signed up for something and provided your email address.
Whaling: an even more focused email attack, typically aimed at high-profile individuals who are the public face of your company, which could include C-level individuals such as CFOs, CIOs, and COOs.
Smishing: an attack via SMS, focused primarily on mobile devices and carried out through text messaging. Smishing is often confused with vishing, which is done via the phone; that type of attack is more commonly referred to as robocalling.
Content injection phishing: this is tougher to do. It is when phishers insert malicious code or misleading information into emails or websites and encourage people to enter their user credentials or password information, or to perform other activities such as transferring funds.
Man-in-the-middle phishing: happens when phishers position themselves between people and the legitimate websites they use, such as social or banking sites. These are difficult to detect because the transaction typically continues and nothing is disrupted.

Phishing attacks are typically focused on social engineering of the human, and on the assumptions the human brain has been trained to make about how data should look. Phishers have become experts at identifying weaknesses in human behavior and the assumptions that we all make every day. In most cases we humans don't even realize we are making these assumptions. When it comes to changing human behavior, according to a Forbes Nov 2018 article, 70% of change initiatives within organizations fail and 84% of companies undergoing a digital transformation process fail. Companies see this human behavior in action in many forms. Companies spend millions on securing corporate email and networks, only to find out that employees will use a Gmail account, or some other third-party email, to get around the restrictions that were put in place to protect the company. Companies spend millions on software, only to find out that employees continue to use Excel or the other work processes that the new software was bought to improve. These are simple examples, but they show how difficult it is to retrain human behavior even when we know it is in our best interest. That is what makes us susceptible to phishing attacks.

Now that we have outlined the magnitude of phishing and the different types of phishing, and determined that for a phishing campaign to work it needs the assistance of a human to help it along, you might be wondering how all this got started. As a fun fact, according to Computerworld Magazine, the term phishing was first documented in 1996 in a hacker newsgroup whose members were trying to steal America Online usernames and passwords. The term came out of what is known as phreaking, or phone phreaking, the original hacking of phone systems. The term phreaking was coined by John Draper, aka Captain Crunch, who created the now infamous blue box that emitted an audible tone for hacking phone systems in the 1970s. Hackers knew that the more hooks they put out there, the more fish they would catch, and the term phishing grew from that history.

What should you do to prepare for a security breach, whether it comes from a phishing attack or some other form of system breach? The basic rule of thumb is that it is much cheaper to prepare for a breach than to react to one or clean up after one. According to a 2019 Gillware report, industry experts are predicting cybercrime to be a $6 trillion business by 2021, with companies spending more than $1 trillion on countermeasures to protect themselves.

Where should you start to focus your attention when it comes to preparing for a security breach? According to Gillware, here are some primary areas to consider:

Consider compliance. Just about every industry, along with the Federal government and the states, has compliance measures that you have to consider; regulations like the GDPR (General Data Protection Regulation) and the Health Insurance Portability and Accountability Act (HIPAA), to name a couple. GDPR is one that is starting to catch many American-based companies by surprise because it is already in effect. It affects any company that processes the personal data of European Union citizens, even if that citizen lives in the United States.
Create an incident response plan. The incident response plan should outline how your company is going to respond in the event a breach is suspected or confirmed. The plan should describe the roles and responsibilities of senior executives, who are going to be the point people for coordination and information dissemination. Who is going to talk to the press if that is required? Who is going to be responsible for the collection and remediation processes and for damage control? Your response plan should also outline who will carry out the remediation and confirmation steps and how they will be implemented.
Use blockchain and artificial intelligence. The speed at which emerging threats are identified is increasing daily, and the countermeasures put in place are becoming more and more critical. When it comes to security, one of the things to consider is not making yourself the most natural target on the block. You do this by keeping your security devices and software up to date; practicing good policies and employee training is vital. Given the methods scammers are using today to gain access, the use of artificial intelligence to look for patterns and analyze risks is increasingly critical to overcoming these emerging threats. Products like the Bandura Advanced Threat Assessment appliance are an example of using AI to bolster your security.
Protect your email system. Your email system continues to be the favorite entry point for phishing attacks and for other malware such as crypto-malware and ransomware, along with a multitude of other viruses. Office 365 E5 plan users can take advantage of the anti-phishing features in the Security and Compliance center within the Office 365 portal; there are instructions in the portal on how to configure them for your application. For in-house systems there are many tools to choose from; companies like Symantec, Barracuda, and many others offer advanced phishing detection and prevention features. Remember, no single device will protect you. Security is a layered approach with many nets to trap the many threats that are out there. Don't put all your eggs in one basket. Think big and broad when it comes to securing your email.
Stop data breaches before they start. This starts with having good employee policies, ongoing training for employees, and testing of employees to identify those who may be more susceptible to phishing and other social engineering attempts. Be proactive in keeping your systems up to date. Don't run outdated hardware or software. Owners have to have the fortitude to enforce the policies consistently across the entire organization.

Some other interesting historical facts about phishing, according to the IT Governance Institute:

The lifecycle of a phishing site is on average under 15 hours. The lifecycle of phishing sites continues to shrink due to prevention and detection methods, so scammers are forced to increase the volume of phishing attempts in order to penetrate new detection and artificial intelligence protocols.
Almost all phishing URLs are within benign domains. Phishing scammers no longer use static web pages, primarily because they are easy to detect and block. Now hackers prefer to take a single page of a benign site and simply replace that page with a phishing page. These are much harder to detect due to their legitimate appearance, resulting in more phishing emails that get through. So, if your company is on a blacklist, one thing you should do is make sure that your website has not been compromised and turned into a phishing site.
An average of over 400,000 phishing sites are detected each month. Because better countermeasures shorten the lifecycle of each site, the number of phishing sites has ballooned to an incredible new level, and the number of new phishing sites is expected to continue to grow.
Google, PayPal, Yahoo, and Apple are the most impersonated companies. In most cases, for a phishing scam to be successful there must be brand recognition, so some of the largest and most recognizable companies are often used to exploit the human condition of familiarity and get responses from potential victims.

You are doing all the right things: you have updated your systems, implemented new firewalls and advanced threat detection, you have anti-virus loaded, and you have good patch management in place. Then you find out you were still the victim of a phishing scam. How can that happen? In most cases you may never know who did it, and in some cases how the breach occurred. Let's walk through an actual incident in which Winning Technologies got involved, found out how it was done, and worked with both sides to examine prevention improvement steps. I'll try to walk you through how all the things we have discussed so far came together to create a loss of more than $250,000 for this company. However, it could have been worse: the scammer's initial request was for over a million dollars.

In this case, (Company A) was financing a project with a financial institution and a third-party investor. The project had reached a point where some of the financing was scheduled for payment to keep the project moving along. (Company A) emailed the investor to request the monthly requisition payment voucher so that a portion of the financing could be paid out and distributed to the project's vendors and suppliers. The initial emails contained no real descriptive information, only the necessary discussion around timing and process for the release of financing. At some point the emails were intercepted, and a content injection phishing scam started to take place. The interception was so clean that (Company A) had no reason to believe that the messages had been intercepted; it only looked like the investor had gotten busy, distracted, or was preparing additional information for the release of funds. From the investor's perspective, they were now exchanging emails with the partner, but because of the human conditioning factor they did not recognize the subtle signs that the parties had changed and that they were no longer communicating with (Company A). On first look from a forensic perspective it appeared to be a common spoofing of an email account; however, if you take a close look at the email headers you can easily see when the content injection happened.

What do we know so far?

Two companies that know each other with common interests are exchanging normal email traffic.
Two users within those companies that know each other have communicated with each other in the past with this type of communication and requests.
Standard email communications. Both companies using Office 365.
No confidential or descriptive information in the emails.
Looks like a regular spoofed email, similar to when you get an email from yourself, but upon close examination there was evidence things had changed. However, the human condition prevented the realization that things had changed.

How was the email intercepted? It is just not that hard to detect and trap email traffic that is going across the Internet. You should have a heightened sense of awareness if you are a high-profile organization or a high-value target such as a finance company, bank, credit card processing company, or government agency: something that makes you a target. It is harder to do nowadays than it has ever been, but again, anything that travels over the public Internet is a potential target. Upon reviewing the header information of the emails, it was not too difficult to determine what had happened. Once the email from (Company A) was intercepted, the scammer changed two letters in the domain name and set up fake email accounts using Gmail and a phony domain. They even changed the email addresses of the individuals on the CC line of the email, to further exploit the human conditioning factor of normalcy, and started the communication with the third-party investor.

What do we know now?

The financial request by the scammer was included in the email.
The scammer said the bank could not accept electronic funds transfers.
The scammer requested that funds be sent to an out-of-country account.
The bank thought the transfer request was questionable.
The bank called the third-party investor.
An employee at the third-party investor did not correctly question, escalate, or clear the request and the change from the existing, previously used US bank to a new Mexican bank, either internally or verbally with (Company A).

There were red flags all over this transaction. In the end, it was not a breakdown in the technology. Both sides have confirmed that neither team had a security breach of their internal networks or their Office 365 systems. This phishing attack was focused on the human conditioning of a brain that sees what it expects to see, and on the lack of training. The bank questioned the transaction. Verbal conversations took place concerning the transfer. The internal verification processes by the humans involved were not adequately acted upon or documented. The money was transferred to the Mexican bank as requested. The Mexican bank accounts were then closed, and the spoofed Gmail accounts were deleted.

We have learned a lot about phishing. There are typically red flags that would warn you that you might be part of a phishing attempt, or that someone is trying to make you a victim. What are those signs? According to Protected Trust, here are some things you can watch out for:

Are you familiar with the sending address? Take the time to read the email address; one way to spot small, subtle changes is to read the email address backward. It sounds funny, but it makes your brain stop and think about what you are actually reading versus relying on the human condition to see what it expects to see. Other things to consider: Do you know this person? Have you ever exchanged emails with them before? Are they asking you to do something outside the norm, or unexpected? If it seems fishy, don't hit reply or reply all; instead, type the actual email address into the “To” or “CC” fields again.
Check for misspellings. It is common to see spelling errors in the email addresses and within the body of the email. One easy thing to do is turn on spell check in Outlook so that the message highlights spelling errors.
High sense of urgency. If the sender is changing things and you have to act now, this elevated sense of urgency should be a red flag. Remember that the lifespan of a phishing site is only 15 hours, so things have to happen quickly. If there is ever something to procrastinate on, this might be it.
The scammer is trying to direct you to a new URL. If the message says you need to go here and put in your username and password, that should be a red flag. Instead of clicking on the link, look up the actual URL in Google and type it into your browser where you type the address of the website. You can also hover your mouse over the link, and it will show you the fully qualified address of where you would go if you clicked it. On mobile devices you can use a light touch to see the fully qualified address; the risk here is that if you press too hard, you will go there. Always remember that your bank, the IRS, and other government agencies don't contact you directly via email, so be very cautious when you see messages like that.
Make sure that on the URL line, which is the line where you type in the website address, you see the closed lock, or HTTPS. Check for the “S”: this is a sign that the site is using a secured connection. If one or more of those are missing, do not trust the site as a legitimate website. Your browser may also show a circle with a red X or a slash through it; if you see that, it is not secure, so leave the site.
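As an added example (not the article's or Winning Technologies' code), here is a small Python triage check that applies the header inspection from the case study above and the sending-address red flags just listed: it compares the From, Reply-To and Cc domains against a list of trusted partner domains, flags near-matches of up to two edits, a Reply-To on a free-mail provider, and a From/Reply-To domain mismatch. The partner domain, the free-mail list and both sample messages are constructed for the example.

```python
from email import message_from_string
from email.utils import getaddresses

# Domains this organisation legitimately exchanges mail with (constructed, hypothetical).
TRUSTED_PARTNER_DOMAINS = {"companya-example.com"}
# Free-mail providers: a partner's finance staff should not suddenly reply from one.
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

# Constructed sample mirroring the case: two letters changed in the partner domain
# ("m" became "rn"), a Gmail Reply-To, and the Cc address moved to the lookalike domain.
PHISH_SAMPLE = """\
From: "Pat Lee" <pat.lee@companya-exarnple.com>
Reply-To: <pat.lee.companya@gmail.com>
To: finance@investor-example.com
Cc: "Chris Ray" <chris.ray@companya-exarnple.com>
Subject: Monthly requisition payment voucher

Please see the updated instructions below.
"""

# Constructed clean message from the real partner domain, for comparison.
CLEAN_SAMPLE = """\
From: "Pat Lee" <pat.lee@companya-example.com>
To: finance@investor-example.com
Subject: Monthly requisition payment voucher

Attached as usual.
"""

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()

def check_message(raw: str, trusted=TRUSTED_PARTNER_DOMAINS, max_edits: int = 2) -> list:
    """Return human-readable red flags found in the From, Reply-To and Cc headers."""
    msg = message_from_string(raw)
    findings = []
    seen = {}
    for header in ("From", "Reply-To", "Cc"):
        seen[header] = [addr for _, addr in getaddresses(msg.get_all(header, []))]
        for addr in seen[header]:
            dom = domain_of(addr)
            if dom in trusted:
                continue
            for good in trusted:
                dist = edit_distance(dom, good)
                if 0 < dist <= max_edits:
                    # Show the address reversed as well: the article's trick for
                    # making the reader look at each character instead of skimming.
                    findings.append(f"{header}: {addr} is {dist} edit(s) from trusted "
                                    f"{good} (read backward: {addr[::-1]})")
            if header == "Reply-To" and dom in FREE_MAIL_DOMAINS:
                findings.append(f"Reply-To points at free-mail domain {dom}")
    # A Reply-To on a different domain silently re-routes the whole conversation.
    if seen["From"] and seen["Reply-To"]:
        if domain_of(seen["From"][0]) != domain_of(seen["Reply-To"][0]):
            findings.append("Reply-To domain differs from From domain")
    return findings
```

Calling check_message(PHISH_SAMPLE) returns four flags (two lookalike domains, the free-mail Reply-To, and the From/Reply-To mismatch), while check_message(CLEAN_SAMPLE) returns an empty list.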

Securing the human is the key to any security initiative, even more so when it comes to phishing attacks. It is easy to think that the technology is at fault when it comes to security prevention; however, the real weakness is in human conditioning. Scammers have become experts at human behavior and at attacking the human condition. So, until we secure the human, all the technology in the world is going to have this one major flaw. What are some of the behavioral elements that can help us secure the human?

Employee training. It is essential to communicate and train employees on the risks of phishing, how it happens, and what they can do to be aware of the dangers. Educate employees about prevention steps, their role in them, and how that protects the company. Create a culture of security within your business. Share the information, educate on the risks, and empower employees to ask questions. We have seen in the Winning Technologies customer base that when we implement filtering and prevention systems, people start to complain because they don't understand the role and function of the new system. Educating on the new and emerging threats over time will help reinforce the culture of security within your company. Then it comes down to a security versus convenience discussion: you can't be both fully secure and fully convenient, so you have to find the right balance for your organization.

Routine testing of employees. Several products allow you to test your employees with fake phishing attempts. These will identify how click-happy your employees are and specifically identify who within your employee base is more likely to fall victim to a phishing attempt. Armed with that information, you can run more focused educational programs for those individual employees and develop routine training for all employees. This type of routine testing can be an eye-opener for owners and managers. It can also show you whether you are building a culture of security and awareness, which is key to a long-term security strategy.

Cyber insurance has been an ongoing debate regarding phishing attacks. The long-standing question is whether phishing attacks are typically covered under a cyber insurance policy. In 2016 a case was filed by Ameriforge Group Inc. challenging whether a cyber insurance policy taken out through CHUBB should provide protection for a spear phishing attack that resulted in a bank transfer of 480,000 dollars by Ameriforge. The insurer denied the claim because, they said, the policy did not cover CEO fraud or business email compromise resulting from spear phishing. According to the policy, it would only cover the cyber event if it involved a forgery of a financial instrument, and according to CHUBB's legal team, a financial instrument involves a written promise, order, or direction to pay, similar to a check or draft. The bottom line is that, since phishing does take human interaction, phishing financial losses are typically tied back to a human mistake, and coverage is going to depend on the language and the specifics of each policy and how the coverage is defined within it. Phishing is such a high risk these days that, by most standards, it is left out of cyber insurance policies. So don't assume that all cyber insurance policies are going to cover phishing attacks that result in financial losses.

Successful phishing attacks don't happen merely because of the human condition. Companies still do not put as much energy and money into training and technology countermeasures, or into simply understanding and communicating to employees the risks that are present in our connected world. Phishing is going to continue to grow. You can't create a multibillion- or trillion-dollar industry and expect it to slow down or disappear; unfortunately, it just isn't going to work that way. There are many things you can do to help reduce the risk, limit the damage, and avoid making yourself the easiest target on the block. However, these come with a budget impact that is going to be ongoing, must be managed, and must be proactively monitored.

By Scott M. Lewis, President / CEO Winning Technologies, Inc.

About the Author: Scott Lewis is the President and CEO of Winning Technologies Group of Companies, which includes Liberty One Software.  Scott has more than 36 years of experience in the technology industry and is a nationally recognized speaker and author on technology subjects. Scott has worked with hundreds of large and small businesses to empower them to use technology to improve work processes, increase productivity, and reduce costs. Scott has designed thousands of systems for large, medium, and small companies, and Winning Technologies' goal is to work with companies on the selection, implementation, management, and support of technology resources. Learn more about Winning Technologies call 877-379-8279.