Why 2017's Phishing Attacks Teach Us All to Beware

At the end of 2016, we claimed it was the year that phishing went mainstream. Yet the first half of 2017 has seen the main ‘stream’ turned into a torrent.

In Q1 alone, Kaspersky Labs products “blocked 51 million attempts to open a phishing page.” That same report found that 1 in 8 attacks targeted a financial services organization. Similarly, mobile ransomware attacks, frequently delivered via SMS text phishing (aka smishing), are up 250% since January.

What these events tell us is that of all attack vectors, email remains the most commonly exploited and spear-phishing is the most prevalent form of attack. Malicious emails continue to easily bypass legacy spam filters, firewalls, and gateway security scans that still inexcusably rely on signatures and email content scanning when analyzing messages.

Regardless of awareness training, people can still be distracted or fooled into opening the wrong thing at the wrong time, so it’s no surprise that spear phishing, email impersonation and spoofing are major catalysts for the rise of CEO fraud and business email compromise (BEC) attacks.

As well as this, the malicious emails that have compromised employee inboxes are not being dealt with fast enough, and security teams are understaffed and overburdened by the hundreds of reported security events they must deal with manually each day. Many applications require an army of highly-trained SOC and security specialists to operate them.

2017 is far from finished and the chances are that there will be another headline attack soon, but in the meantime here’s a look back at the most notable, and damaging, phishing attacks of the first half of 2017:

1 in 25 for Qatar – A nation of just 2.3 million people saw its businesses and residents hit not just by one major attack, but more than 93,570 phishing events in a three-month span at the start of this year. Such attacks leveraged both email and SMS texts as attack vectors.

Czech Smishing – A campaign faked texts from the Czech Republic’s postal service to trick people into downloading a malicious app containing a Trojan horse that would steal credit card information. The full extent of damages is not yet known.

“Energy & Industrial Solutions” BEC Attack Hits 50 Countries – An attack stemming from Nigeria targeted more than 500 businesses, primarily industrial companies, prompting employees to download a file entitled “Energy & Industrial Solutions W.L.L_pdf” that injected malware to access company networks and information.

Chipotle feels the Heat – An Eastern-European cyber-criminal group sent “malware laden” emails to Chipotle staff that compromised Point of Sale systems at most Chipotle locations, obtaining customer credit card data from millions of people in the process.

It’s a jungle out there for Amazon – In January, hackers attempted to access sensitive payment information by creating deals that looked “legitimate.” When buyers went to purchase discounted items, the transaction would appear as no longer available, prompting shoppers to input information that was later used against them.

Google & Facebook Taken for $100 Million Each – After months of uncertainty, the U.S. Department of Justice (DOJ) announced the arrest of a Lithuanian man for allegedly stealing $100 million from two U.S.-based tech companies. The targeted attack successfully used a phishing email to induce employees into wiring the money to overseas bank accounts under his control.

IRS W2 Tax Season Spear-Phishing Scam – In the United States, a spear-phishing attack that proliferated at the beginning of tax season involved attackers sending fake emails – appearing to be from corporate executives – that requested personal information from employees for tax and compliance purposes. As of mid-March, the attack had compromised more than 120,000 people at 100 organizations.

Google Docs Hacked – Work came to a halt for three million people worldwide in May when phishers were caught sending fraudulent email invitations to edit Google Docs. When opening the invitation, people were brought to a malicious third-party app, which allowed the adversaries to access people’s Gmail accounts.

If these attacks tell us one thing, it’s this: don’t be fooled into thinking attacks only happen to others. Even the most sophisticated organizations can be victims of phishing attacks by cyber-criminals.

Most approaches to phishing mitigation will leave organizations vulnerable to modern day phishing attacks. Employees are human, and it’s likely that a few will click on one of the hundreds of phishing emails sent each day.

Conversely, technology, while continuously advancing in intelligence, still requires a human touch. Machine-human collaboration is the only way to bring about meaningful change in preventing the scourge of email phishing attacks that propagate the majority of hacks.