Hook, line, sinker, Fraud Magazine
Featured Article

Hook, line and sinker

Did you think phishing campaigns were passé? Well, what’s past is prologue. Phishing attacks, which have increased 30 percent in each of the last three years, are still responsible for most data breaches. Here’s how to understand and prevent them from crippling your organization.

The SecureWorks Counter Threat Unit (CTU) reported that the North Korean cybergang, Lazarus, targeted financial executives of cryptocurrency companies with the lure of a job opening for a chief financial officer at another cryptocurrency firm. The cyberfraudsters successfully infiltrated scores of computers via enticing emails. When victims opened Word attachments in the phishing emails they were presented with a pop-up message encouraging them to accept “Enable Editing” and “Enable Content” functions. The document then embedded a malicious macro that created a separate professional-looking, LinkedIn-style, CFO job-lure document and installed a remote-access Trojan [through which the fraudsters could download additional malware to steal cryptocurrency and personally identifiable information (PII)]. (See Secureworks Discovers North Korean Cyber Threat Group, Lazarus Spearphishing … Dec. 15, 2017.)

This spear-phishing attack is representative of the many types of phishing that hacking gangs and other cybercriminals use to invade networks of organizations and individuals to find vulnerabilities in software and gain access to PII so they can reap in the money and engage in other fraudulent activity.

Because they’re so successful and lucrative, phishing attacks are responsible for most data breaches (probably explaining why they hit a record high of 1,579 in 2017, which represented a 44.7 percent increase over the record high in 2016, according to the Identity Theft Resource Center).

Phishing, which remains the most commonly exploited of all attack vectors, accounts for 90 percent to 95 percent of all successful cyberattacks worldwide, according to the Ironscales Ransomware Report 2017.

The report, based on the result of a survey of 500 cybersecurity professionals, indicates that — via hackers’ sophisticated phishing campaigns — malicious emails continue to slip by spam filters and firewalls.

“… Due to human nature, unaware or preoccupied users, even those actively engaged in an awareness training program, are easily lured into downloading an attachment or clicking on a malicious email link to inadvertently provide attackers with access to sensitive corporate networks and data,” according to Phishing Remains Top Cyberattack Vector in 2017, by Tara Seals, Infosecurity Magazine, Sept. 27, 2017. I emphasized “even those actively engaged in an awareness training program.”

The 2018 Verizon Data Breach Investigations Report, 11th edition (DBIR), shows that, on average, 78 percent of people didn’t fail a phishing test (that is, didn’t click on a malicious link or open an attachment). Unfortunately, on average, 4 percent still will click for any given phishing campaign. “The vampire only needs one person to let them in,” according to the report.

The Verizon report also shows that ransomware is the most prevalent variety of malicious software — found in 39 percent of malware-related cases in 2018. Cybercriminals use ransomware scams to lock up computers or data files of individuals and organizations, and then demand ransoms to unlock them.

The report also says that financial pretexting and phishing represent 98 percent of social incidents and 93 percent of all breaches investigated. Email continues to be the main entry point — 96 percent of the cases.

Success rate of users in various industries susceptible to phishing attacks

The Verizon DBIR lists the top industries by sector, those in each sector that reported and the number of breaches in each of the sectors. (See chart below.)

Top industries within social breaches (source: Verizon's "2018 Data Breach Investigations Report, 11th edition")

Verizon reported that the more phishing emails someone has clicked, the more likely they’ll click in the future. If a user has clicked on a phishing email 20 times, their click rate will be 20 percent for future emails, the report says. Verizon also says that only 17 percent of phishing campaigns were reported. And when a cybercriminal launches a phishing campaign the first click comes in 16 minutes most of the time. Verizon says that most people who are going to click a phishing email do so in just over an hour.

Hackers are becoming even more sophisticated in continuing to develop fraudulent scams that might seem to be very complex but are, in reality, very simple to design.

Phishing for valuables

What is a phishing attack? It represents an attempt by an individual to steal valuable information such as corporate secrets, bank account/debit/credit account numbers, passwords etc. from an individual or organization via an email, text or telephone by masquerading as a known entity, such as PayPal, your bank, place of employment etc.

Phishing attacks are the underlying driving force for many internal data breaches and most of the external ones, which lead to billions of dollars in financial losses and other fraudulent activity, including espionage, every year. No individual or organization is exempt from phishing.

Most phishing attacks use the directed email method to contact potential victims. Fraudsters design emails that resemble legitimate ones to fool their targets. The success of a directed email phishing attack usually depends on the quality of the design and content of the fake email and on whether the targeted user fails to recognize it as fraudulent.

If the quality is good, it increases the probability that the email will pass through the targeted organization’s spam filtering system and end up in the inbox of the targeted individual.

At that point, the targeted individual is caught — hook, line and sinker — if they provide requested information on a form in the body of the email and then submit it. Or they’re cooked if they click on a malicious link in the email that downloads malware or takes them to a corrupted website.

According to the InfoSec website, a typical phishing email will:

  • “Normally appear as an important notice, urgent update or alert with a deceptive subject line to entice the recipient to believe that the email has come from a trusted source and then open it. The subject line may consist of numeric characters or other letters in order to bypass spamming filters.
  • “Sometimes contain messages that sound attractive rather than threatening e.g. promising the recipients a prize or a reward.
  • “Normally use forged sender’s address or spoofed identity of the organisation, making the email appear as if it comes from the organisation it claimed to be.
  • “Usually copy contents such as texts, logos, images and styles used on legitimate website to make it look genuine. It uses similar wordings or tone as that of the legitimate website. Some emails may even have links to the actual web pages of the legitimate website to gain the recipient’s confidence.
  • “Usually contain hyperlinks that will take the recipient to a fraudulent website instead of the genuine links that are displayed.
  • “May contain a form for the recipient to fill in personal/financial information and let the recipient submit it. This normally involves the execution of scripts to send the information to databases or temporary storage areas where the fraudsters can collect it later.”
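The fifth point above, a displayed link that differs from the real destination, is something a mail gateway or an analyst’s triage script can check for mechanically. The following is an added example, not code from the InfoSec text or from this article; the sample HTML is constructed, and the check covers only anchors whose visible text itself looks like a URL or domain.

```python
# Added example: flag anchors whose visible text names one host while the
# href points at another. SAMPLE_EMAIL_HTML is constructed for illustration.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SAMPLE_EMAIL_HTML = """
<p>Your account has been limited. Please visit <a href="http://203.0.113.7/login">
paypal.com/verify</a> within 24 hours.</p>
<p>Questions? See <a href="https://www.paypal.com/help">www.paypal.com/help</a>.</p>
<p><a href="https://paypa1-secure.example/update">Update your information</a></p>
"""

# Visible text that starts with an optional scheme followed by something
# shaped like a host name (a dot and a final label of two or more letters).
_HOST_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:?#]|$)", re.I)


def displayed_host(text):
    """Host named in the visible link text, or None if the text is plain
    wording rather than a URL or domain (e.g. 'Update your information')."""
    m = _HOST_RE.match(text.strip())
    return m.group(1).lower() if m else None


def link_host(href):
    """Host the link really goes to (lower-cased), or None if unparseable."""
    host = urlparse(href).hostname
    return host.lower() if host else None


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_mismatched_links(html):
    """Return (href, visible text) pairs where the shown host differs from
    the real one. A subdomain of the shown host (www.x.com for x.com) is
    accepted; anchors whose text is not a URL are outside this check."""
    parser = _AnchorCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        shown, real = displayed_host(text), link_host(href)
        if shown and real and shown != real and not real.endswith("." + shown):
            flagged.append((href, text))
    return flagged
```

Anchors with plain-word text (the third link in the sample) are not caught by this comparison and need a separate check, such as matching the href host against an allow list of the brand’s real domains.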

Types of phishing attacks

Individuals and employees in organizations must understand how the various types of phishing attacks work and how to recognize them if they’re to protect PII.

Advanced persistent threat

Short-run hackers gain access to PII or commit other fraudulent activity and then abandon their efforts before being discovered. But long-term hackers use an advanced persistent threat (APT). According to the FireEye website, these six steps are included in the rollout of an APT attack:

  • “The cybercriminal, or threat actor, gains entry through an email, network, file, or application vulnerability and inserts malware into an organization’s network. The network is considered compromised, but not breached.
  • “The advanced malware probes for additional network access and vulnerabilities or communicates with command-and-control (CnC) servers to receive additional instructions and/or malicious code.
  • “The malware typically establishes additional points of compromise to ensure that the cyber attack can continue if one point is closed.
  • “Once a threat actor determines that they have established reliable network access, they gather target data, such as account names and passwords. Even though passwords are often encrypted, encryption can be cracked. Once that happens, the threat actor can identify and access data.
  • “The malware collects data on a staging server, then exfiltrates the data off the network and under the full control of the threat actor. At this point, the network is considered breached.
  • “Evidence of the APT attack is removed, but the network remains compromised. The cyber criminal can return at any time to continue the data breach.”

Mass-mail phishing attempts

A fraudster will attempt to gain access to computers by sending thousands of emails with “spoofed” familiar names in the “from” fields that potential victims know. If the victims click on a link “to upgrade personal information,” they’ll be redirected to the fraudster’s website that masquerades as one known to the victims.

Spear phishing

Instead of targeting 10,000 or more in a mass-mail phishing campaign, the fraudster might find it more profitable to spear phish by targeting specific names and organizations.

In May of 2015, a former employee of the U.S. Department of Energy (DoE) and U.S. Nuclear Regulatory Commission sent spear-phishing emails to 80 specific DoE computers to gain classified information that he intended to pass to a foreign embassy. The FBI uncovered the plan before any computer viruses or malicious code was transmitted to government computers. (See Spear-phishing case shines spotlight on insider threats, May 18, 2015, Security Info Watch.)

“One of the real dangers of spear phishing attacks is that they can be very targeted, very personal, and very compelling to recipients,” said Franklyn Jones, CMO of Spikes Security in the Security Info Watch article. “If 10 employees are targeted, chances are good that at least one might click on a link that initiates delivery of malicious web content. Once that happens, the attacker wins and the organization loses. This is another reason why businesses and government agencies should adopt technology that isolates the web browser and all malicious content safely outside the secure network.”

“Whaling,” which is when a fraudster sends a spear-phishing email to a top-level executive, can lead to the “business email compromise” (BEC) scam, which has escalated to financial losses of more than $5 billion in the past three years. This sophisticated fraud targets businesses that typically pay bills via wire payments. A subset of the BEC scam is the “email account compromise” (EAC) that targets those who are responsible for wire transfer payments for a business.

To learn more about the BEC scam, see my September/October 2017 Fraud Magazine “Taking Back the ID” column.

Spear-phishing fraudsters can spoof email accounts and websites by creating slight variations on legitimate addresses (john.kelly@abccompany.com vs. john.kelley@abccompany.com) to fool victims whose email responses are then sent to the fraudsters’ accounts. Victims think they’re corresponding with their CEO or CFO, but they’re sending info to dangerous cybercriminals.
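The near-miss addresses described above can be caught by comparing each sender against a directory of legitimate addresses rather than trusting the eye. This is an added example, not anything from the article; the directory, the sample senders and the two-edit threshold are all constructed assumptions.

```python
# Added example: classify a sender address as known, lookalike or external
# by edit distance against a directory. KNOWN_ADDRESSES is constructed.
KNOWN_ADDRESSES = {
    "john.kelly@abccompany.com",
    "mary.ortiz@abccompany.com",
    "cfo@abccompany.com",
}


def levenshtein(a, b):
    """Minimum number of single-character edits that turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def closest_known(sender, known=KNOWN_ADDRESSES):
    """Return (directory address, distance) for the nearest entry."""
    sender = sender.strip().lower()
    return min(((k, levenshtein(sender, k)) for k in known), key=lambda t: t[1])


def classify_sender(sender, known=KNOWN_ADDRESSES, max_distance=2):
    """'known' for an exact directory match, 'lookalike' when the address is
    within max_distance edits of a directory entry without matching it, and
    'external' otherwise. The threshold of 2 is an assumption to tune."""
    match, dist = closest_known(sender, known)
    if dist == 0:
        return "known", match
    if dist <= max_distance:
        return "lookalike", match
    return "external", None


def triage(senders, known=KNOWN_ADDRESSES):
    """Return the lookalike senders from a batch, each with the address it
    imitates, for an analyst or a mail rule to act on."""
    results = []
    for s in senders:
        verdict, match = classify_sender(s, known)
        if verdict == "lookalike":
            results.append((s, match))
    return results
```

Exact matches are checked first, so two genuinely similar employee names that are both in the directory never flag each other.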

Pharming

This method is a step above the traditional phishing types. The fraudster targets a company’s domain name server (DNS) and alters the IP address related to an alphabetic web address, which gives the fraudster the opportunity to redirect a user to a malicious website where malware can be downloaded.

Normally, a DNS server converts a typical alphabetic web address to an IP address every time a user visits a website; this process is what allows the user to reach computer services and devices. In pharming, it is this lookup that the fraudster corrupts.

Vishing

A fraudster contacts a victim via the telephone, a text message or sometimes an email, informing them that they have some sort of problem and that, to resolve it, they must call a given automated telephone number and provide PII such as a credit or debit card number.

Smishing

This scam uses Short Message Service (SMS) to send fake text messages on mobile phones that prompt potential victims to call a given telephone number or visit a website, both of which provide the mechanism to give up PII.

Here are the steps in a spear-phishing attack:

Step one. A fraudster selects an organization and then targets an individual within it to whom he sends the corrupted email. That person is typically someone who has direct knowledge about the company’s network data systems or has the authority to access important and sensitive information in the network, and transfer money within or out of the company. A fraudster often searches social networks to find information about the targeted individual and their workplace.

Step two. The fraudster continues to use social networks and other sources to find information about others who work with the targeted individual, such as an executive who has the authority to email the targeted individual requesting the transfer of money.

Step three. The fraudster designs a corrupted email to include a fake but recognizable address so it appears to be coming from a trusted employee, such as a vice president of finance who’s requesting that the targeted individual transfer money to a bank. The fraudster spoofs the targeted organization’s email address.

Step four. The fraudster sends the corrupted email to the targeted individual in the organization.

Step five. The targeted individual receives the fake email in their inbox after it passes through the company’s spam filter.

Step six. The targeted individual opens the email because it appears to be legitimate.

Step seven. The victim clicks on a link or opens an attachment that leads to a corrupted website, which allows the fraudster to steal credentials or download malware that infects computers, smartphones or networks.

Case in point: Hackers stole $1 billion from 100 banks in 30 countries after gaining access to the computers through spear-phishing attacks. The fraudsters fooled targeted bank employees into allowing them to download malware into the company networks and enabled the fraudsters to study the financial services software and network. The fraudsters took screen shots and videos of keystrokes that the targeted individuals would use when they transferred money. The hackers then programmed ATM machines to dispense money at predetermined times or created fake accounts to transfer money into them. The hackers usually limited the theft of money from each bank to $1 million. (See “Hackers Hit 100 Banks in ‘Unprecedented’ $1 Billion Cyber Heist: Kaspersky Lab,” by Mike Lennon, Feb. 15, 2015, Security Week.)

Step eight. The fraudster uses a “back door” with the stolen credentials from banks, fake wire transfers or other sources to bypass typical security mechanisms to gain access to a computer system or encrypted data. The fraudster might sell the stolen credentials on the black market or use them to plan future attacks.

Differences in two types of phishing attacks

The steps in a mass-mail phishing attack are similar to those in a spear-phishing attack, but there are some differences in steps two, four and seven. For example, in step two, the fraudster picks a brand name such as PayPal to distribute the mail. A commonly known brand name creates the impression that the email is legitimate. Then the fraudster creates fake PayPal (or other brand name) webpages with a newly created domain that can also link to the real website.

In step four of the mass-email phishing attack, the fraudster sends the mass distribution email that includes the brand logos/name and links to fake webpages. He also uses banner ads, social media and text messages to place links to fake webpages. In step seven, victims enter sensitive credential information into a fake webpage by clicking on a link in the corrupted email.

Weakest link is people

Why are phishing attacks so successful? A major reason is that the weakest link in the security chain is people. Fraudsters are adept at using social engineering techniques to determine who to target en masse or individually and then exploit their weaknesses.

The obvious way to significantly reduce this egregious activity is a major effort to educate the public. We must also encourage more organizations to develop an effective phishing awareness training program (PATP), and those that have already initiated a program should continue to improve its effectiveness. At a minimum, a strong PATP should:

  • Be required for all employees.
  • Maximize learning effectiveness. Utilize an active learning environment so employees will be involved in the learning process. 
  • Focus on all types of phishing scams.
  • Be ongoing and updated as the organization obtains new information about phishing scams and other relevant fraudulent activity. 
  • Involve simulated phishing schemes regularly sent to employees to see if they’re susceptible to phishing attacks.
  • Contain, at a minimum, a phishing response policy that requires all employees to report any phishing scam they’ve detected or clicked on. This will be helpful to minimize damage and stop the spread of any malware downloaded in any system, and allow it to be identified and removed. 
  • Contain a zero-tolerance policy for any employee found guilty of initiating any fraudulent phishing behavior, especially involving an internal data breach. 
  • Explain the importance of minimizing the type of information that employees should include on social networks.

As always, I’d like to create an awareness of the havoc that phishing schemes have created on individuals and organizations throughout the world. They play a major part in most cybercrimes, continue to grow in sophistication and have resulted in billions of dollars in annual losses and other major fraudulent activity.

We’ll never eliminate phishing attacks. But to help curtail this malicious activity we must be more effective in educating the public and strengthening the weakest link in the security chain of organizations — people — by adopting a strong PATP as part of a comprehensive fraud awareness program.

Robert E. Holtfreter, Ph.D., CFE, CICA, CBA, is distinguished professor of accounting and research at Central Washington University in Ellensburg, Wash. He’s also on the ACFE’s Advisory Council and the Editorial Advisory Committee. Holtfreter was the recipient of the 2017 Hubbard Award for the best Fraud Magazine feature article in 2016. He’s the author of the “Taking Back the ID” column in Fraud Magazine. His email address is: doctorh007@gmail.com.
