By David Ashamalla, Director of Security Operations

What is Phishing?

Phishing (pronounced: “Fishing”) is the art of sending emails under a false name (misrepresenting the actual sender) in order to trick an end user into voluntarily giving up personal information, running a program, or granting access to funds.  These attacks are frequent, and take advantage of the fact that sending e-mail is an inexpensive proposition.

Early versions of phishing were slightly more suspicious as attackers assumed the identities of celebrities popular with the press at the time, such as Bill Gates and Paris Hilton. To bypass early spam filters, attackers may have adjusted the spelling of the (faked) sender’s name, replacing letters with similar looking characters and numbers like Par1s and Bi11.

The goal was to get people to view a single web page, usually to drive up online advertising revenue. More recent variations of phishing campaigns include tricking the targets into running software that mines Bitcoin on behalf of the Phisherman!

In Phishing, attackers cast a “Wide Net”, sending these emails to large groups of targets, knowing at least a few will fall for it. A more targeted form of attack is called “Spear Phishing”. Like hunting with a spear, these attacks are customized using information already gleaned from public sources like LinkedIn, Facebook, and other Internet sources to make you trust the attacker. They can then request that you take action for them to make bank transfers, or as we have recently seen, request for Gift Cards to be bought in bulk. IE, please buy 50 Apple gift cards. No need to send them, just email me the codes. (This is all you need to use them over the internet.) Modern spear phishing uses personal and professional details to establish trust and sell the attacker’s fake identity.

According to:

  • PhishMe’s yearly report, phishing attempts have grown 65% this year.
  • Verizon’s Data Breach Investigation’s report, 30% of the phishing messages get opened, 12% of the users click the link.
  • According to SANS institute, 95% of all attacks on enterprise networks are the result of successful spear phishing.

A Case Study

Phishing exploits trust and assumption, and can be devastating to a business. A recent spear phishing attack on a customer nearly cost them $36,000! (Note: we have been given permission from the business to share the story and have removed identifying information).

The initial request was designed to look like it was from one of the founders. An email was received directly by an employee in the accounting department. It was sufficiently vague enough to prompt a response. The tone and content of the employee’s reply indicated that they believed this was from the falsified sender, which told the attacker that they had them “on the line.”

The attacker then initiated a “call to action”. They requested that the employee make a wire transfer in the amount of over $18,000 and provided the employee with all the details necessary to do so.

The employee then received a second request, seemingly from another founder who simply asked “Are you in the office.” The employee verified that they were, and the attacker had them hooked again. In this second email thread, the attacker again provided account numbers and requested a second bank transfer in the amount of approximately $17,000.00.

Luckily for the business, the Phisherman mistyped the account details for the second transfer and the transaction was rejected. The employee created a new e-mail to follow up with the partner, only this one was to the correct email address. This is where they began to realize what had happened, and the Incident Response process began.

It was determined by the local police that the account details of one of the partners has been compromised. They were able to freeze the account used in the first transfer, unfortunately that transfer had already gone through and the money was lost.

Determining the Target

The attacker was able to use a lot of public information when choosing their target:

  • The company had been the subject of numerous news articles highlighting its phenomenal growth.
  • Five days before the phishing attack the news of this particular employee’s hire was announced on one of the local news channel’s website.
  • The founders’ names, email addresses, work and education histories are readily accessible on the Internet.
  • There is no evidence that the e-mail accounts were actually compromised. In fact, the phisherman’s reply-to addresses are clearly similar, only slightly changed from the actual domain name. For example, something like jsmith@ciosloutions.com

Reducing Your Risk

  1. Utilize a process that verifies bank transfer requests verbally vs solely via computer.
  2.  Train employees to be vigilant and able to spot attacks.

Your best line of defense is your employees. CIO Solutions provides solutions for training employees to be aware, suspicious, and therefore vigilant forces in protecting your business from attack.