Phishing campaigns are traditionally delivered by mass spam campaigns, largely via hired botnets. But now Rohyt Belani, CEO at PhishMe, sees a primary threat for 2013 being the evolution of phishing into primarily spear-phishing aimed at the BYOD market.
“If 2012 was the year of BYOD,” he warns, “2013 will be the year of mobile malware designed to take advantage of it. We have seen a growth in consumer apps that violate privacy, for example by tracking your GPS data, but in 2013 we will see criminals targeting mobile device users, specifically with the intention of getting inside their corporate email system.”
The attack method of choice is likely to be increasingly sophisticated spear-phishing. Simple phishing has become less effective as users begin to recognize the clues, and attackers are already turning to spear-phishing attacks. Spear-phishing focuses on an individual or small group of individuals and delivers a personalized lure – often using intelligence gleaned from social networks – designed specifically for those individuals.
“For example,” says Belani, “if a user receives an email (or SMS) that appears to be from a friend, suggesting that they check out a wonderful new app, then they can easily be tricked into clicking a link they shouldn’t.” He points out that spear-phishing is particularly successful on mobile devices that can’t hover the cursor over a disguised link to learn the true destination of the link. “Just one click could install malware on the device, which accesses your corporate email account and sends out emails to your colleagues, perhaps directing them to another link to download more malware onto your corporate network.”
Belani gives another example of current spear-phishing. “A phisher might send an email to John saying ‘It was great to meet you at XYZ event last week, here’s a link to some of the research we covered on the day which might be interesting to you’ (because the criminal has seen from his Twitter feed that John was at an event last week).” But this might fail because John cannot remember the meeting and becomes suspicious.
In response, the criminals are beginning to use a short form of the long game, which Belani calls a two-stage attack. “So the criminal might initially send an email to John saying ‘It was great to see you at XYZ event last week, I’m just working on a report that I think you might find interesting – I’ll send it over to you tomorrow.’ And lo and behold, tomorrow comes, John receives the email he has been told to expect, and his defenses are down – so he is much more likely to click the link.”
Once an attacker has infiltrated the email system on a mobile device, it becomes relatively simple to transfer malware to the corporate network. The problem with spear-phishing attacks is that it is human against human – something that technology cannot defend. The best solution, says Belani, is education: “You have to train your users what to look out for.”