It seems like we’ve been hearing a lot about phishing in the news in recent years, and this threat hasn’t abated yet. Why are attacks via phishing, and social engineering in general, so prevalent and so effective? This whitepaper examines the many different methods employed in phishing attacks and social engineering campaigns, and offers a solution-based approach to mitigating risk from these attack vectors.
Most of today’s data breaches start with a phishing email that ends up exposing company-confidential data to malicious outsiders. This is a real problem that companies need to address.
Phishing attacks are the most frequently used form of social engineering. They work because they take advantage of cognitive biases, or how people make decisions. These techniques prey on human emotion by appealing to greed, curiosity, anxiety or trust.
Phishing means that attackers are fishing for your private information. Attackers attempt to acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication. Many times this is done to steal a victim’s login credentials and other confidential information. Phishing continues to grow and become more widespread with attacks up 37% year over year, and 1 in every 300 emails on the web containing elements pointing to phishing.
So, how can you combat phishing attacks and protect your company and its employees? This paper will discuss the problem of social engineering and phishing along with its consequences, and will outline approaches for solutions to safeguard your organization.
Defining the Problem: Breaches Often Start With Phishing
To demonstrate the seriousness of the problem, we will briefly present three examples of phishing and the damage they can cause within an organization. These examples range from politically-motivated to financially-motivated to healthcare data attacks.
The New York Times, The Wall Street Journal, The Washington Post, Twitter and Apple were all attacked in early 2013 in what is seen as a widespread, potentially connected attack on high-value targets.2 In the case of The New York Times, the attackers stole the corporate passwords for every Times employee and used them to gain access to the personal computers of 53 employees. The attack is believed to be politically-motivated retaliation for a Times investigation on China’s prime minister, Wen Jiabao. Although China’s Ministry of National Defense denies the attacks, it appears to be part of a computer espionage campaign against American media that have reported on Chinese leaders and corporations.3 Although these are all high-profile organizations with sophisticated defenses in place, it appears that attackers may have used a targeted spear-phishing attack to breach the Times, exploiting human vulnerabilities to click on a link that led to a malicious website.
Many times cyberattacks are financially motivated. Attackers try to get customers’ credit card information, and if they are successful, it results in a breach of trust with the company that was attacked, as well as substantial costs of dealing with a breach. Barnes & Noble, the world’s largest bookseller, had credit card information stolen at 63 stores across the U.S.; this information was then used to make unauthorized purchases. In this case, a malware (or malicious software) attack targeted the keypad devices in stores. Security experts believe a company insider could have inserted malicious code, or criminals could have persuaded an unsuspecting employee to click on a malicious link that installed the malware, giving the perpetrators a foothold into Barnes & Noble’s point-of-sale systems.4
Healthcare data breaches have also been in the news recently. According to security expert Larry Ponemon, president of the Ponemon Institute, stolen healthcare records can be much more valuable than financial records because they can be used for financial ID theft crimes, medical ID theft or both. With medical records providing physical characteristic information, attackers can create false passports and visas.5 Over the past three years, about 21 million patients have had their medical records exposed in data security breaches that were big enough to require they be reported to the federal government. (As required by section 13402(e)(4) of the HITECH Act, breaches affecting 500 people or more need to be reported if the data was not encrypted.) At present, physical theft, such as a laptop stolen from a car, makes up 54% of the breaches, while hacking makes up about 6% of the compromised data.6 And, although phishing attacks have not been the cause of the most significant healthcare data breaches to date, the healthcare industry is acutely aware of the threat and is trying to protect against it.
Consequences of Phishing
Phishing attacks can result in compromised client systems. Here are some different consequences of phishing that can impact your network:
The next two are a little bit different. These require that the user’s computer is already compromised, for example by one of the methods described above, and then they are used to gain additional information.
As a result of compromised credentials, the attacker can gain access to the local file system, file servers, email, the Customer Relationship Management (CRM) system to access customer information, the Enterprise Resource Planning (ERP) system to access corporate financial information, credit card data, healthcare information, and other Personally Identifiable Information (PII) such as Social Security Numbers. So, even if one person in an organization is a victim of a phishing attack, there are major implications for the entire organization and its data.
The problems worsen with pivoting to other machines, where a compromised system is used to attack other systems on the same network in multi-layered attacks, bypassing the perimeter defenses. So, even if the user who was hacked does not have access to the ERP system, for example, the attacker can now scan the entire internal network through the first user’s machine and see what other machines are out there and the vulnerabilities that exist on them.
Limiting user privileges does not always protect companies from compromise either. Attackers often use privilege escalation, exploiting a bug in an operating system or software application, to gain administrator-level privileges.
So, how do social engineering and phishing attacks happen?