Phishing: What Everyone in Your Organization Needs to Know
- Feb 15, 2017
- Guest Author
Do you feel confident that everyone in your organization could identify a phishing email that contained ransomware? What if the recipient is in a hurry and under a lot of stress – will they be aware of how sophisticated and authentic-looking a well-crafted whaling attack can be?
In today’s post, we share information with the goal that it will help everyone in your organization protect themselves from phishing attacks. This information isn’t only for your security team, but also the C-suite and non-technical employees. Read on to learn about three different types of phishing, techniques attackers use to craft successful campaigns, and the damage that phishing can cause to organizations.
The term “phishing” is broadly defined as sending an email that falsely claims to be from a legitimate organization. There are three main types of phishing campaigns: phishing, spear phishing, and whaling. All of them rely on social engineering, a term that describes methods of deception used to coerce a victim into giving up valuable information. Social engineering is successful because it relies on humans’ inherent desire to trust one another, as well as our willingness to help others in need. When attackers construct spear phishing and whaling campaigns, their approach usually involves asking for help or pretending to need something important in order to play on human emotions and ultimately trick their targets into responding.
The key to any good social engineering campaign is to have good data on your target. Dumpster diving (rummaging through an organization’s refuse to find sensitive data) is one effective technique, but many attackers now utilize open-source intelligence (OSINT) to formulate convincing social engineering campaigns. The more data the attacker has on their target, the more believable the phish, and the more likely the company’s data will be compromised.
Let’s explore the three main types of phishing in order from least to most complex.
Phishing is the least sophisticated of the three types, typically executed without first performing research on the victim. Phishing attacks are opportunistic; generally, emails are blasted out en masse, making it a numbers game. The victim click rate may be low, but the large volume of emails sent out in a phishing campaign can still make it lucrative for the attacker.
Phishing emails must contain just three elements to be successful: a target, an enticing message, and a payload. The “target” could be a list of millions of email addresses harvested from numerous sources. The email may claim that the recipient has just received a large monetary payment or that a package is on its way and the victim must confirm its delivery.
Phishing is a standard method of delivering malware, including ransomware. An attacker can enjoy a large payoff even with a very low success rate. For example, imagine a ransomware email that goes out to 1 million recipients and achieves a 1% success rate. This equates to 10,000 victims compromised. Even with a low ransom price of $500 for decryption of the ransomed files, the attacker could theoretically net $5 million. You can see why phishing attacks are increasing year over year, with no signs of slowing.
Spear phishing is a more targeted style of phishing attack, and therefore tends to be more successful. A well-crafted spear phishing attack can be extremely difficult to detect because attackers perform detailed research on their victims to make the email appear authentic. For example, an attacker may access the victim’s social media profiles to learn about their friends and colleagues, and use that information to appear credible by claiming to be in the same social circles. Many times, attackers also register domain names that are very similar to the target company’s and clone company authentication portals in order to trick users into relinquishing their credentials. The attacker may use a website such as nwtools.com to look through the target organization’s DNS records. From those records, attackers can determine the IP range of the victim’s domains, WHOIS records (which sometimes list the company’s technical contacts), and subdomains that may host the victim’s webmail portal, VPN login page, or company intranet.
Once the attacker has data about the domain and the company web portals, they can then begin to use OSINT tools to find data about members of the organization. With the email address format of the company, a list of victims, and an attack methodology like a cloned webmail portal, the attack can appear completely legitimate to the untrained eye.
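Because lookalike domains are central to the spear phishing technique described above, a mail gateway or SOC can flag sender domains that nearly match the organization’s own. The following is an added example, not code from the original post; the organization domain `example-corp.com` and the sample `From:` headers are constructed placeholders.

```python
"""Flag sender domains that look like, but are not, the organization's own domain."""
import re

ORG_DOMAIN = "example-corp.com"  # assumption: the defended organization's domain

# Character substitutions commonly used to build lookalike domains
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(label: str) -> str:
    """Lower-case a domain label and undo common homoglyph substitutions."""
    d = label.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def sender_domain(from_header: str) -> str:
    """Extract the domain from a From: header value such as 'Name <user@host>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return m.group(1).lower() if m else ""


def classify(from_header: str, org: str = ORG_DOMAIN, max_dist: int = 2) -> str:
    """Return 'internal', 'lookalike' or 'external' for one From: header."""
    dom = sender_domain(from_header)
    if dom == org or dom.endswith("." + org):
        return "internal"  # the organization's domain or one of its subdomains
    base = normalize(org.rpartition(".")[0])  # registrable label, TLD dropped
    dom_base = normalize(dom.rpartition(".")[0] or dom)
    # Same label under another TLD, brand embedded in a longer name, or a
    # near-miss spelling (after homoglyph normalization) are all lookalikes
    if dom_base == base or base in dom_base or levenshtein(dom_base, base) <= max_dist:
        return "lookalike"
    return "external"


# Constructed sample headers: one internal, two lookalikes, one unrelated sender
SAMPLE_HEADERS = [
    "Alice <alice@example-corp.com>",
    "IT Helpdesk <it@examp1e-corp.com>",
    "HR <hr@example-corp-payroll.com>",
    "Bob <bob@partner.org>",
]
FLAGGED = [h for h in SAMPLE_HEADERS if classify(h) == "lookalike"]
```

Pairing this check with a WHOIS or DNS lookup of the flagged domain’s registration date gives analysts a quick second signal, since lookalike domains are often registered days before a campaign.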
Whaling and spear phishing are essentially the same: the attacker performs extensive research on their victims in order to craft a believable campaign. However, the targets of whaling campaigns are C-level executives, typically the CEO. These attacks are called “whaling” because of their size, which follows from the amount of information a C-level executive, or “whale,” has access to. They are highly personalized, making them the most difficult to detect, and they are sent only to a select few within the organization. Whaling attacks may be the most costly and damaging of the three types. The FBI estimates that from October 2013 to February 2016, whaling attacks were attributed to $2.3 billion in losses.
You might assume that attackers are going primarily after high-value industries such as healthcare, finance, and government. It is true that these verticals are heavily targeted. Consider the example of Massachusetts-based health care provider Partners Healthcare System, Inc., which reported in 2015 that they were compromised by a phishing attack that affected 3,300 patients. Some of the data believed to have been leaked included not only patient names and Social Security numbers, but clinical information such as diagnoses, treatments, and insurance information. Within the same week, Seton Family of Hospitals reported that a phishing attack had taken place around the same time and had potentially compromised 39,000 patients’ records. In both cases, the attackers had been in the system for over five months prior to being discovered.
Be aware, however, that one does not have to work in a high-value target industry to become the victim of a phishing attack. The education sector, for instance, has seen its fair share. In 2016, Tulane University confirmed that 10 employees were the target of a phishing attack that successfully tricked them into sharing their passwords to their payroll accounts. The passwords were then used to deposit future paychecks into the attacker’s account. Earlier that year, social media service Snapchat acknowledged a whaling attack in which the attacker impersonated CEO Evan Spiegel and coerced an employee in the payroll department to release payroll information for former and current employees. In short, none of the forms of phishing discriminate against a vertical.
Want to know more about how phishing attacks work and what you can do to protect your organization? Join us for our webinar with one of our Senior Penetration Testers on February 22nd at 1 PM EST. You’ll learn additional details about common methods attackers use to create phishing campaigns and examples of successful attacks. You’ll also be able to prepare your information security team and your entire organization with suggestions for:
Go here to register for the webinar.