Phishing, malware attacks and now spear phishing attacks are becoming more frequent and more difficult to detect. Is your company safe?
Cybercriminals frequently use phishing attacks to “fish for” confidential information. Phishing emails often appear to be from reputable companies with which you regularly do business such as UPS, American Express, Wells Fargo, eFax, PayPal and EZ-Pass. Some emails even get past the best spam filtering technology. The emails look official, often containing the logo of the company, and they frequently ask you to click on a link to their site to log in and provide information. The links actually direct the unsuspecting victim to a site which looks similar to the authentic website and collects the login information and any other data that the user enters on the site.
Some fraudulent emails contain attachments that are a zip file (.zip) or an executable program (.exe), or links to these types of files. Opening these files will infect your computer with malware. In a recent fraudulent ADP email scam, the malware caused the infected computer to send spam. Other phishing attacks delivered payloads which installed ransomware, like CryptoLocker, that encrypts your computer’s data files and demands ransom to provide the decryption key required to access the files.
The first clue that an email is not legitimate is that the email refers to your account or activity with the company when, in fact, you have no account or have not transacted any recent business with that company. You can be tricked, however, when you did just recently have a transaction with that company (such as expecting a UPS shipment or having just booked an airline flight).
Before you hastily click on the link, check for other signs that the email is not legitimate. In addition to containing .ZIP and .EXE file attachments, fraudulent emails can frequently be identified because they may contain spelling and grammatical errors. However, now there are research-driven, authentic-sounding spear phishing emails being sent that are much more difficult to identify.
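The attachment and link signs described above can also be checked automatically before a message reaches the reader. The following is an added example, not code from the original article: it flags .zip/.exe attachments, links to such files, and links whose visible text names a different host than the one they actually open. The last check is a heuristic assumed here, and the sample message and all domains in it are constructed placeholders.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

RISKY_EXT = (".zip", ".exe")  # the two file types the article names
# Simple anchor matcher for this example; a production filter should use an HTML parser.
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed sample message; every name and domain is a placeholder.
SAMPLE = """\
From: "Carrier Delivery" <notice@carrier.example.net>
Subject: Your package
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/html

<p>Track at <a href="http://carrier.example.net/login">www.carrier.example</a>
or <a href="http://carrier.example.net/label.exe">download your label</a>.</p>
--XX
Content-Type: application/zip
Content-Disposition: attachment; filename="Invoice.ZIP"

placeholder
--XX--
"""

def triage(raw):
    """Return a list of warning strings for one raw email."""
    findings = []
    for part in email.message_from_string(raw, policy=policy.default).walk():
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_EXT):
            findings.append(f"attachment: {name}")
        if part.get_content_type() != "text/html":
            continue
        for href, text in ANCHOR.findall(part.get_content()):
            text, url = text.strip(), urlparse(href)
            if url.path.lower().endswith(RISKY_EXT):
                findings.append(f"link to file: {href}")
            # Only compare when the visible text itself looks like a host or URL.
            if "." in text and " " not in text:
                shown = urlparse("//" + text.split("//")[-1]).hostname
                if shown != url.hostname:
                    findings.append(f"text {text} -> host {url.hostname}")
    return findings
```

Legitimate mail that routes links through a tracking redirector will also trip the text-versus-host check, so treat that finding as a reason to look closer rather than a verdict.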
Spear phishing, a twist on phishing, is email spoofing that targets a specific organization to gain access to confidential organizational data. Information that is available online, such as from social networking sites, is used to target specific contacts to steal company information. These emails are successful because they appear to be authentic, usually mimicking normal day-to-day operational activities. The message could be as simple as “I met you at the networking event yesterday. Here is a whitepaper that might interest you.” Emails like this appear to come from a known and trusted sender, information within the message makes them seem trustworthy, and the request in the email seems logical.
Spear phishing was recently used to steal insider information from healthcare and pharmaceutical companies, and from their advisers including law firms, investor-relations consultancies and investment banks. The security firm FireEye reported that a group called FIN4 used a combination of spear phishing and malware to gain insider information from more than 100 companies. First they collected email usernames and passwords of easily identified staffers. They used the information that they read in the individual messages to compose credible spear phishing emails to higher-level executives that tricked the execs into opening attachments that contained malware. The attackers also used the information they gleaned from compromised accounts to infect other companies. The FIN4 attacks were so effective because their phony messages appeared authentic to the targeted high-level victims. Their messages used jargon and colloquialisms used on Wall Street and contained documents from actual deal discussions. By tailoring the emails to their targets, they were successful at compromising the email accounts of high-level executives who communicate about mergers and acquisitions and market-moving, nonpublic matters.
Fraudulent emails are able to bypass your company’s firewall and virus protection software by using a non-technical method of intrusion called social engineering. This technique tricks people into breaking normal security procedures and voluntarily surrendering confidential information or installing malicious software. How do you protect your company from being compromised by phishing attacks and malware? Stay tuned for part 2 of this blog.