Are you confident your users are security aware?
Phishing attacks are on the rise. In Q3 2015 Kaspersky Lab's Anti-Phishing System was triggered 36,300,537 times, an increase of 6,000,000 over Q2 2015.
Many cyber criminals use targeted phishing as their preferred method of attack because it is relatively easy to deploy and has a high expected success rate.
Whilst most users are now aware of obvious phishing emails, the threat landscape is changing as attackers adopt more sophisticated techniques.
When a targeted attack bypasses the countermeasures you have deployed, the last line of defence is your users. Can they spot an attack?
How does a cyber criminal undertake a targeted phishing attack?
A question our clients often ask us is "If you were to attack our organisation, how would you do it?" The current top answer is "With a targeted phishing attack." Phishing attacks are varied; below is one method employed by cyber criminals. Let's take a look at a hypothetical attack aimed at You.com.
Step 1 - Reconnaissance
The first step in our hypothetical attack is to gather information about the target, which in this case is You.com.
Our attacker would use a freely available email harvesting tool to search the internet for email addresses related to the You.com domain in order to work out the organisation's address structure.
In this case a commonly used structure has been identified. The attacker will now visit LinkedIn to select targets using the LinkedIn advanced search feature. Our unlucky targets for this attack are members of the accounting team at You.com.
The attacker may also use other freely available resources such as about.me, data.com and the You.com website to add to their attack list. A deep search of the internet can also produce interesting results from archived press releases, case studies and other published articles.
Step 2 - Building Assets for the Attack
In this example our attacker's objectives are:
To deposit a payload
To gain user information
To achieve these objectives our attacker will need to construct an email and a bogus online survey.
To add legitimacy, the attacker has decided to pose as the offshoot of a legitimate organisation based in the USA. A quick search of a domain reseller shows that the .co.uk variant of the legitimate organisation's domain is available.
After registering the .co.uk domain our attacker prepares their email. The email will centre around an online survey and a fictional Focus Group.
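The lookalike domain in this step is something a mail gateway or SOC can check for automatically: a sender whose registrable label matches a domain you already trust but whose public suffix differs (examplepartner.co.uk standing in for examplepartner.com) deserves a flag before it reaches the accounting team. The following is an added example, not code from the original article; the trusted-domain list, the sender headers and the short suffix table are all constructed for illustration, and a production version would use the full Public Suffix List rather than the handful of suffixes hard-coded here.

```python
from email.utils import parseaddr

# Domains the organisation genuinely corresponds with (constructed for this example).
TRUSTED_DOMAINS = {"examplepartner.com", "you.com"}

# Public suffixes to strip before comparing the registrable label.
# Deliberately short; a real deployment would load the Public Suffix List.
KNOWN_SUFFIXES = (".co.uk", ".org.uk", ".com", ".net", ".org", ".uk", ".info", ".biz")


def registrable_label(domain):
    """Return the label just left of the public suffix, e.g.
    'mail.examplepartner.co.uk' -> 'examplepartner'."""
    domain = domain.lower().rstrip(".")
    # Try the longest suffix first so '.co.uk' wins over '.uk'.
    for suffix in sorted(KNOWN_SUFFIXES, key=len, reverse=True):
        if domain.endswith(suffix):
            domain = domain[: -len(suffix)]
            break
    return domain.rsplit(".", 1)[-1]


def classify_sender(from_header):
    """Classify a From: header as trusted, lookalike, unknown or invalid."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return "invalid"
    domain = addr.rsplit("@", 1)[1].lower()
    # Exact match or a subdomain of a trusted domain is fine.
    if domain in TRUSTED_DOMAINS or any(domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return "trusted"
    # Same registrable label under a different suffix is the lookalike pattern.
    label = registrable_label(domain)
    if any(label == registrable_label(t) for t in TRUSTED_DOMAINS):
        return "lookalike"
    return "unknown"


def flag_lookalikes(headers):
    """Return the sender addresses in `headers` that match a trusted label
    under a different public suffix."""
    flagged = []
    for header in headers:
        if classify_sender(header) == "lookalike":
            flagged.append(parseaddr(header)[1])
    return flagged


if __name__ == "__main__":
    # Constructed sample headers; none refer to real mail.
    sample = [
        "Focus Group <surveys@examplepartner.co.uk>",
        "Alice <alice@examplepartner.com>",
        "Newsletter <news@mail.examplepartner.com>",
        "Bob <bob@unrelated.net>",
    ]
    for h in sample:
        print(f"{h!r}: {classify_sender(h)}")
    print("flagged:", flag_lookalikes(sample))
```

The check is intentionally narrow: it only fires on the exact pattern described above (trusted label, different suffix), so it produces few false positives and can be wired into a gateway rule or a SIEM lookup that raises a ticket rather than silently dropping mail.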
Notice how our attacker tries to lock out discussions with other users about the email and also entices a click with the promise of prizes. The link also contains the attacker's payload which could be malware or a trojan opening up a back door if deployed.
The attacker builds a bogus survey using a free online survey builder; you can see the full survey here.
In the full survey you will note that the attacker moves their questions gradually towards You.com's computer systems, as shown below. The attacker is also hoping that one or more users will volunteer, for the bogus Focus Group portal, the same user name and password that they use internally.
Step 3 - Attack!
So after a morning's work our attacker is ready to launch their attack. They take the list of You.com users they prepared earlier and, using the You.com email structure and a simple email merge, their mailing is ready to go.
The attacker then waits to see if the attack proves fruitful. If any users click the link, the payload is deployed. Completed surveys provide further information which can be used to escalate the attack, and the fictional Focus Group provides a mechanism to build rapport and trust in order to exploit users even further.
If the attack is unsuccessful our attacker may try a different approach, such as sending an email impersonating a known brand with an offer and the payload hidden in the unsubscribe link, or trying to lure users in a different department to a bogus website.