Phishing surge shows human element weakest link in cyber-defense

Kaspersky has identified an alarming rise in phishing attacks this year, with an average of 3,000 users in the UK attacked in this manner every day (three times the 2011-2012 figure). That points to the fact that human nature is the weakest link in any cyber-defense, Emm said, speaking at Royal Holloway University during Kaspersky’s Cyber Security for the Next Generation conference in London.

Examining how criminals target individuals with well-crafted messaging is one aspect of the issue; taking into account how people interact in today’s online world is another.

“If you’re a pickpocket in town, you go where the crowds go, and modern hackers are the same,” said Emm, according to ITProPortal. “If you think about Facebook as if it were a country, it’d be among the two or three most populous in the world. There are masses of people on social networks and therefore there’s a big pool of potential victims.”

He added that hackers are almost sleepless, constantly “trying to persuade people to click on something. They spot fear in them, spread gossip, or do similar things to try and get people to click.”

Meanwhile, hackers also mine social media for personal information and feed it back into their targeting, so that each detail a person shares makes the next lure more convincing. For instance, if someone posts about an industry conference, that post becomes the reference point for a phishing campaign built around that conference and aimed back at the individual.

“Hackers use social networks to harvest information about individuals… Facebook, Twitter, Tumblr and all the rest of them, they share what you do, and the danger is that we over-share – and the information is valuable,” Emm said.

Kaspersky’s research also shows that what was once a subset of spam has evolved into a rapidly growing cyberthreat in its own right. Phishing is technically a form of internet fraud in which criminals create a fake copy of a popular site (an email service, an internet banking website, a social networking site, etc.) and lure users to these rogue web pages to enter their credentials, which are then used to steal users’ money, compromise other accounts, or distribute spam and malware.
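The fake-copy-of-a-real-site pattern described above is something a mail gateway or browser extension can partially catch before the user ever types a password: the rogue page has to live on a domain that is not the brand’s, so its links either sit a character or two away from the real domain (typo-squats, character substitutions) or smuggle the brand name into a subdomain of an unrelated domain. The following is an added example, not code from the article or from Kaspersky or Google; the protected-domain list, the constructed email text and the sample URLs are all invented for illustration, and the two-label registrable-domain rule is a simplification (a production filter would use the Public Suffix List).

```python
"""Heuristic lookalike-domain check for links found in incoming mail.

Added example; not part of the original article. PROTECTED_DOMAINS,
the sample message and all URLs below are constructed.
"""
import re
from urllib.parse import urlsplit

# Hypothetical legitimate domains the gateway is protecting (constructed).
PROTECTED_DOMAINS = {"example-bank.com", "example-mail.com", "example-social.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings. A small distance between a
    link's domain and a protected domain suggests a typo-squat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Adequate for .com-style names only;
    a real gateway would consult the Public Suffix List."""
    return ".".join(host.split(".")[-2:])


def classify_url(url: str) -> str:
    """Return 'legitimate', 'brand-in-subdomain', 'lookalike' or 'unknown'."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return "unknown"
    reg = registrable_domain(host)
    if reg in PROTECTED_DOMAINS:
        return "legitimate"          # real domain or a genuine subdomain of it
    # Brand name appearing as a subdomain label of some other domain,
    # e.g. example-bank.com.secure-login.test
    non_registrable_labels = host.split(".")[:-2]
    for brand in PROTECTED_DOMAINS:
        if brand.split(".")[0] in non_registrable_labels:
            return "brand-in-subdomain"
    # Registrable domain within two edits of a protected brand (examp1e-bank.com).
    for brand in PROTECTED_DOMAINS:
        if levenshtein(reg, brand) <= 2:
            return "lookalike"
    return "unknown"


def suspicious_links(message_text: str) -> list[tuple[str, str]]:
    """Extract URLs from a message body and return those that are not
    clearly legitimate, paired with the reason they were flagged."""
    results = []
    for url in URL_RE.findall(message_text):
        verdict = classify_url(url)
        if verdict != "legitimate":
            results.append((url, verdict))
    return results


# Constructed sample message, not a real phishing email.
SAMPLE_MESSAGE = (
    "Dear customer, please confirm your details at "
    "http://examp1e-bank.com/verify within 24 hours. "
    "Our real site is https://www.example-bank.com/ and help is at "
    "http://example-bank.com.secure-login.test/help"
)

if __name__ == "__main__":
    for url, why in suspicious_links(SAMPLE_MESSAGE):
        print(f"{why:20} {url}")
```

Running the block flags the typo-squat and the brand-in-subdomain link while leaving the genuine `www.example-bank.com` link alone. The edit-distance threshold of two is deliberately tight: loosen it and short brand names start colliding with unrelated legitimate domains, which is the usual false-positive source for this kind of filter.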

Google has seen the same trend, recently adding country-by-country malware and phishing incidence figures to its Transparency Report. One of the biggest threats it sees is “phishing scams that try to trick you into sharing passwords or other private information,” the company said, adding that it is currently flagging up to 10,000 sites a day as unsafe.