Old problems, new threats

Róisín Kiberd looks at how phishing and malware remain potent threats despite their long history

The term ‘phishing’ dates back to 1990s hacker-speak; it brings together the ‘ph’ from ‘phreaking’, the practice of illegally tapping into phone networks, and ‘fishing’, because it involved luring victims with bait. ‘Phishing’ first appears on the alt.2000 hacker newsgroup in January 1996, and by the following year, hacked AOL accounts were being traded online as ‘phish’.

A lot of 1990s tech slang seems positively quaint today (when was the last time you saw ‘netizen’ or ‘digerati’ in print?), but as a practice, phishing remains more prevalent than ever. Furthermore, it is constantly evolving, outwitting the products, services and training meant to stop it, and posing a significant threat to businesses of every size.

Research suggests that phishing currently accounts for 91 per cent of all data breaches, and that the number of phishing attacks has grown by 65 per cent in the last year. One study conducted by Lookout last year showed that 56 per cent of mobile device users received and tapped on phishing URLS, while another, conducted by Webroot, indicated that roughly 1.5 million new phishing sites are created each month. The cost of these attacks is monumental: one 2017 study by Keepnet estimated that the average successful spear-phishing attack can earn up to $1.6 million for the hackers.

Marc O’Regan, chief technical officer of Dell Technologies Ireland, warned that phishing isn’t always through the medium of email: “This was the case some time ago, but phishing as a form of cybercrime has matured. Now we see social media, apps and messaging services being used as attack platforms.”

The platform might vary but the attack tends to be the same: a victim is tricked into clicking a link and downloading malware, or giving information away through a fraudulent login page. “Anyone can be a victim,” O’Regan said, “from individuals to entire organisations and even governments. A good example of this was the 2016 Olympic games and more recently the Gandcrab ransomware attack (a ransomware-as-a-service attack, which infected users’ computers through an email attachment purporting to warn of flu epidemic issued by the Centre for Disease Control).”

In recent years, ransomware attacks like NotPetya, TeslaCrypt, SamSam and WannaCry have rightly occupied headlines, propagating quickly and extorting cryptocurrency from individuals and businesses. But with the right target and the right mode of attack, spear-phishing can be even more deadly.

Photo: Edel Creely, group MD, Trilogy Technologies

“In my opinion, successful spear-phishing attacks are becoming more common than successful ransomware infections,” said Angela Madden, managing director of Rits, specialists in providing information security consulting services to international companies and government departments. “Ransomware can be prevented through technologies such as anti-malware, anti-virus, patching systems and keeping them up to date. On the other hand, phishing, including spear-phishing, is down to the individual user ensuring that they know how to recognise a malicious email or phone call. And unfortunately, we are all aware that the individual is the weakest link when it comes to information security...”

We’re only halfway through the year, but spear-phishing seems to have become 2019’s dominant tech threat — a more targeted, intelligent and dangerous version of the old user-baiting approach. “A spear-phishing email generally goes to one person, or a small group of people who use a specific bank or service,” said Edel Creely, group MD of Trilogy Technologies, a managed services, infrastructure and cloud solutions provider based in London and Dublin. “The cybercriminal has either studied up on the group or has gleaned data from social media sites to con users. Some form of personalisation is included — perhaps the person’s name, or the name of a client.”

What distinguishes spear-phishing attacks, apart from their level of specialisation, is that they’re more often aimed at C-suite employees, posing as high-level individuals to manipulate those who report to them. Creely explained: “Spoofed emails are sent to high-risk employees in an organisation to trick them into accepting and acting on invalid instructions, resulting in actions like transfer of funds to the attacker’s bank, or diverting funds intended for a legitimate organisation into the attacker’s account.”

Not only is spear-phishing continuing to grow in popularity; it’s also evolving, and becoming harder to defeat or control. Des Ryan, solutions director at Microsoft Ireland, highlighted a growing tendency among hackers to disappear suddenly once they’ve accomplished their goals. “The issue these days with phishing attacks and spear-phishing attacks is that once they’ve been launched they get a lot more cryptic,” Ryan said. “Previously they would have a single source address, but they’re now using multiple ones. Where they previously had a long-term attack strategy, attacking a large number of people, they’re now becoming more precise. It varies quite a bit — the source of the malware might be only up for five minutes, for a very short period of time, until it delivers the malware payload and they switch it off again.”

With spear-phishing on the rise and ransomware on the decline, is ‘malware’ still part of the conversation? “Phishing and malware don’t necessarily go hand in hand, but they frequently do,” said Michael Conway, director of Renaissance, a value added distributor specialising in business continuity and ICT security. “Both are cyber attacks and both aim to achieve the aims of cyber criminals. Phishing can lead to malware delivery and generate a cyber crime and a criminal revenue. Phishing can also lead to other types of attacks, such as business email accounts being compromised, or invoice redirection.”

Attacks are often generic, but are beginning to cater to specific verticals and sectors, and there are a number of different ways in which you or your organisation can be hit. Creely explained: “Attackers utilise a wide variety of vectors to deliver malware to their victims. These include drive-by downloads, malicious links, P2P shares and removable media via USB ports. That said, the email vector is one of the most relied upon ways threat actors must compromise systems.”

The usual suspects — viruses, worms, spyware and trojans (malware disguised as a legitimate service, aka a ‘trojan horse’) — still surface as threats. “Malware is a combination of traditional malicious programs, usually presented as a Worm over the network,” said O’Regan. “We now see bots and hybrids (a combination virus/worm which can live in your computer’s memory, altering code, and propagate without any action from the user). We see trojans threatening the banking sector through digital interfaces that can enter your bank account. The method of attack is actually different for each banking trojan — how it positions itself depends on the malware, and each one has a way of taking the user’s details. Once it has the login information it needs, it can beam the details back to the malware developers to grant them access to the bank account.”

While there’s something bloodcurdling about the idea of your computer instantly falling to ransomware and being taken over by hackers, spear-phishing is a slower and more ominous threat. At first it doesn’t even look like an attack — silently, the criminals find a way into your email account and start to look around. Gradually they gather information, piecing together a network of contacts and working out who to impersonate, who to manipulate and who controls the money.

“It can be anything from spear-phishing to CEO phishing to even trying to get on to someone’s Office 365 and sitting there for a number of weeks,” said Dr Vivienne Mee, founder of VM Group, a firm specialising in IT forensics, information risk governance and electronic discovery. “We’re finding at the moment that phishing is the main area where organisations are being compromised… Eventually they determine who’s on which team, before they start worming their way around the environment within the organisation and targeting individuals.”

Hackers might not even need to look very far; the information they need is often freely available online, especially on social media sites. “They don’t need to know very much,” Dr Mee warned. “They can get a lot of information from the company’s website, and they can get a lot of information from LinkedIn, too. If they want to target one or two companies, a lot of the information is already readily available.”

O’Regan made the point that, like the hackers who infiltrate email accounts, malware downloaded through a phishing attack can spread instantly or sit around for years before affecting your network. “It really depends on the strategy set out by the attackers. Do they want to sit, wait and gather information? The hijackers tend to use highly sophisticated and customised phishing tactics, using relative detail and communication protocols gathered over time. These attacks take a little more time and effort, but the payload is usually more lucrative that way.”

Once they’ve gathered enough information to stage an attack, the cyber criminals will send an email from an address which looks familiar, but isn’t. This might sound like an obvious flaw in the plan, but it plays on clear vulnerabilities — think about how often you double-check the exact address before replying, or, if you do, how often you’re tired, or not wearing your glasses, or not fully paying attention when you read it. “There might be an extra letter,” said Dr Mee, “or a missing letter in the domain name. That won’t take much time for them to do. It’s not that it’s a convoluted process, or hard to do — usually it’s just an email. They send it out, then they sit and wait.”

Photo: Angela Madden, managing director, Rits Information Security

“Business email compromise is the trend and threat that typically is the most prevalent and most effective at the moment,” said Conway. “Some highly technical terms like DMARC (domain message authentication reporting and conformance), SPF (sender policy framework) and DKIM (DomainKeys Identified Mail) are elements used in delivering serious email protection technologies — if they are deployed and managed, using services like AGARI (an AI-based email protection solution), they can effectively allow us to trust our inboxes.”
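Two of the checks described in this section, Dr Mee’s point about an extra or missing letter in the sender’s domain and Conway’s point that SPF, DKIM and DMARC verdicts tell you whether to trust a message, can be automated at the mail gateway or in a triage script. The following is an added example written for this article, not code from any of the people or vendors quoted; it assumes the receiving mail server stamps an Authentication-Results header (RFC 8601) on each message, that the organisation keeps a short allowlist of trusted domains, and both sample messages are constructed.

```python
"""Inbound-mail triage: lookalike sender domains, envelope/From mismatch and
SPF/DKIM/DMARC verdicts.  Added example; assumes an Authentication-Results
header from the receiving server and a small allowlist of trusted domains."""

import email
from email import policy
from email.utils import parseaddr
from typing import Optional

# Assumed allowlist: the organisation's own domain and one known supplier.
TRUSTED_DOMAINS = {"example.com", "supplier-example.co.uk"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: fewest single-character inserts, deletes or swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Trusted domain that `domain` imitates (within two edits), or None."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(domain, trusted) <= 2:
            return trusted
    return None


def auth_results(msg) -> dict:
    """Map method -> verdict from Authentication-Results, e.g. {'spf': 'pass'}."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        # First clause is the authserv-id; the rest are 'method=result ...'.
        for clause in str(header).split(";")[1:]:
            method, _, rest = clause.strip().partition("=")
            if method:
                verdicts[method.lower()] = rest.split()[0].lower() if rest.strip() else "none"
    return verdicts


def domain_of(header_value: str) -> str:
    """Domain part of the first address in a header value ('' if none)."""
    return parseaddr(header_value)[1].rsplit("@", 1)[-1].lower()


def triage(raw: str) -> list:
    """Return a list of findings; an empty list means nothing looked wrong."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_domain = domain_of(str(msg.get("From", "")))
    envelope_domain = domain_of(str(msg.get("Return-Path", "")))

    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(f"sender domain {from_domain} imitates trusted {imitated}")
    if envelope_domain and envelope_domain != from_domain:
        findings.append(f"envelope sender {envelope_domain} differs from From domain {from_domain}")
    verdicts = auth_results(msg)
    for method in ("spf", "dkim", "dmarc"):
        if verdicts.get(method, "missing") != "pass":
            findings.append(f"{method}={verdicts.get(method, 'missing')}")
    return findings


# Constructed sample: 'exarnple.com' (r-n for m), bulk-mailer envelope, no DKIM/DMARC.
SAMPLE_LOOKALIKE = """\
From: "Finance Director" <director@exarnple.com>
To: accounts@example.com
Return-Path: <bounce@mailer-example.net>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=mailer-example.net; dkim=none; dmarc=none
Subject: Urgent wire transfer

Please process the attached invoice today.
"""

# Constructed sample: a genuine supplier message that passes every check.
SAMPLE_LEGIT = """\
From: supplier@supplier-example.co.uk
To: accounts@example.com
Return-Path: <supplier@supplier-example.co.uk>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=supplier-example.co.uk; dkim=pass header.d=supplier-example.co.uk; dmarc=pass header.from=supplier-example.co.uk
Subject: Invoice 1234

Invoice attached.
"""

if __name__ == "__main__":
    for name, sample in (("lookalike", SAMPLE_LOOKALIKE), ("legit", SAMPLE_LEGIT)):
        print(name, triage(sample) or "clean")
```

The edit-distance threshold of two is deliberately loose: a lookalike finding is a prompt for the phone call the experts recommend, not a block, and a genuine message from an allowlisted domain that also passes SPF, DKIM and DMARC produces no findings at all.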

Spear-phishing is targeted not only at specific, high-level individuals within organisations, but by sector and size of organisation. “Attackers are targeting specific industries and designing their malware to be more effective at penetrating those industries,” said Creely. “Banking is the most obvious target, but the expanding attacks on IoT devices connected to the internet are dwarfing this.” IoT devices have long posed a security risk, and the warnings have already been justified. Creely said: “According to the Kaspersky Lab IoT report, in the first half of 2018 IoT devices were attacked with more than 120,000 modifications of malware — more than triple the amount of IoT malware seen in the whole of 2017. Kaspersky Lab also warned against the snowballing growth of malware families for smart devices: 2017 saw the number of smart device malware modifications rise to ten times the amount seen in 2016.”

Clear trends are also emerging around sectors. Ryan said: “If you look at the most targeted organisations, 17 per cent of all the attacks last year were on financial organisations, and 17 per cent were technology companies. Those are the two largest target industries. Depending on where you are in the world, there has also been a huge increase in the number of health organisations being targeted — up 200 per cent in the US, year on year.”

This might seem like a comfort to smaller organisations that aren’t involved in finance or tech, but it shouldn’t be. Ryan added: “It would be naive of anybody to think that because they’re a small organisation they can avoid being targeted. We’ve seen all kinds of organisations attacked, from very small companies with just a handful of users to the very big ones. All of them, depending on the attack type, are vulnerable, and typically a smaller organisation will have lower security measures in place and is an easier target.”

Today malware and phishing confound public expectations around cyber attacks, because they don’t always spread visibly or quickly. “The rate of infection depends on the attacker’s intent,” Creely explained. “WannaCry ransomware spread very quickly when it was initially released in May 2017, infecting 300,000-plus computers in the initial few days. The intent was to infect as many computers as possible and extract as much ransom as possible. However, the mean time that a piece of malware resides on a network before being detected is 100-plus days. The intent of this type of malware is to work undetected, and not to spread wildly. Its intent is to slowly compromise the network, identify and exfiltrate valuable information. This can often be the most dangerous and damaging type of infection.”

“With previous cases we’ve come across, they were in the organisation three months or so before doing anything,” said Dr Mee, listing potential reasons for this unhurried approach. “It could be because they’ve had loads of hits lately, and they’ve just not got around to executing the second level of the attack. It could be that they’ve decided to stay and get a bit more information first, from within the mailbox or the organisation, in order to target them correctly. The third reason is that they were maybe not successful in getting any further. It really varies.”

You’re advised not to wait, however, to protect your system and scan it for potential infiltration. “Some organisations are lucky, in that the hackers wait around and then by chance they decide to enable two-factor authentication, and the hackers aren’t able to access them anymore,” warned Dr Mee, “but it’s better to be of the mindset that if hackers manage to get in, it’s likely they’ll attack almost instantly.”

Addressing an infection is difficult, especially if your system hasn’t been properly organised, monitored and reported on in the first place. “To identify this type of infection you need to get full visibility into your systems,” said Creely. “Understand and identify Indications of Compromise (IOCs), have a deep understanding of the threat landscape and be able to undertake threat-hunting. Threat hunting is, quite simply, the pursuit of abnormal activity on servers and endpoints that may be signs of compromise, intrusion, or exfiltration of data.”

Photo: Michael Conway, director, Renaissance

While threat hunting, an ‘active defence activity’, is by no means a new concept, it might be entirely new to your organisation. Traditionally a manual process (but increasingly automated), it involves proactively searching networks for threats, detecting and then isolating them. Creely said: “The common mindset regarding intrusions is to simply wait until you know they’re there. Typically, though, this approach means that you’ll be waiting an average of 100 days between the intrusion and the first time you hear about it, and even then, it’s typically an external party such as law enforcement or a credit card company that’s telling you. Most organisations now recognise that they do not have the capabilities to undertake this work themselves and typically outsource this task to managed security service providers (MSSPs) such as Zinopy.” Advocating tools developed by anti-malware firms Sophos and Bitdefender, Conway advised a similarly proactive approach: “Once malware is identified it can be targeted to be removed, but a lot of malware mutates, making it more difficult to address. The bad guys do everything to make malware undetectable for as long as possible, so that it propagates itself as quickly as possible and they can maximise possible damage.”
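Threat hunting in the sense Creely describes, going looking for abnormal activity rather than waiting for someone else to report the intrusion, can be made concrete with two small hunts over mailbox sign-in logs, which is where Dr Mee says the attackers sit for weeks before acting. This is an added example written for this article, not code from Zinopy or any other provider named here; the log format, the two rules (the same account signing in from two countries within two hours, and a success immediately after a burst of failures from one source) and every event in the sample are constructed assumptions.

```python
"""Two threat hunts over mailbox sign-in logs: impossible travel and a burst of
failures followed by a success.  Added example; the log format, both rules and
every event below are constructed assumptions."""

from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: timestamp user result source-ip country
SAMPLE_LOG = """\
2019-06-03T08:12:44Z alice@example.com success 203.0.113.10 IE
2019-06-03T08:40:02Z bob@example.com failure 198.51.100.7 NG
2019-06-03T08:40:09Z bob@example.com failure 198.51.100.7 NG
2019-06-03T08:40:15Z bob@example.com failure 198.51.100.7 NG
2019-06-03T08:40:21Z bob@example.com failure 198.51.100.7 NG
2019-06-03T08:40:30Z bob@example.com success 198.51.100.7 NG
2019-06-03T09:05:11Z alice@example.com success 198.51.100.22 US
2019-06-03T09:30:00Z carol@example.com success 203.0.113.44 IE
2019-06-03T17:45:10Z carol@example.com success 203.0.113.44 IE
"""


def parse_log(text):
    """Turn one whitespace-separated event per line into dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, ip, country = line.split()
        events.append({"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "result": result, "ip": ip, "country": country})
    return sorted(events, key=lambda e: e["time"])


def hunt_impossible_travel(events, window=timedelta(hours=2)):
    """Same account signed in successfully from two countries within `window`."""
    last_success = {}
    hits = []
    for e in events:
        if e["result"] != "success":
            continue
        prev = last_success.get(e["user"])
        if prev and prev["country"] != e["country"] and e["time"] - prev["time"] <= window:
            hits.append((e["user"], prev["country"], e["country"], e["time"]))
        last_success[e["user"]] = e
    return hits


def hunt_failures_then_success(events, threshold=3, window=timedelta(minutes=10)):
    """A success from a source that just produced >= `threshold` failures for that account."""
    hits = []
    by_source = defaultdict(list)
    for e in events:
        by_source[(e["user"], e["ip"])].append(e)
    for (user, ip), seq in by_source.items():
        recent_failures = []
        for e in seq:
            if e["result"] == "failure":
                recent_failures.append(e["time"])
                continue
            recent = [t for t in recent_failures if e["time"] - t <= window]
            if len(recent) >= threshold:
                hits.append((user, ip, len(recent), e["time"]))
            recent_failures = []
    return hits


def run_hunts(text):
    """Run every hunt over the log text and return the hits keyed by hunt name."""
    events = parse_log(text)
    return {"impossible_travel": hunt_impossible_travel(events),
            "failures_then_success": hunt_failures_then_success(events)}


if __name__ == "__main__":
    for hunt, hits in run_hunts(SAMPLE_LOG).items():
        print(hunt, hits or "no hits")
```

In the sample, alice’s Irish and US sign-ins 53 minutes apart and bob’s four failures followed by a success from the same Nigerian address are the two hits; carol’s two Irish sign-ins nine hours apart are ordinary. Both hits are the sort of thing an analyst would then confirm by phone, and both disappear once two-factor authentication is enforced, which is the quick win Dr Mee recommends later in the piece.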

The other new and pervasive threat is cryptojacking, an emerging form of malware where hackers secretly hijack your computer and siphon away a small (or, sometimes, large) amount of power in order to mine cryptocurrency. 2018 saw a global rise in reports of cryptojacking, and while it seems not to have hit Irish businesses in any substantial way yet, it’s worth preparing for when it does.

“I think last year the conversation was very much about ransomware,” said Ryan. “There were some very significant global events like Petya and WannaCry, but interestingly enough, the prevalence of ransomware has declined by 60 per cent year upon year. It’s a very dramatic decline. A lot of that is through better detection, and through awareness and education. We’ve seen a massive decline. And, interestingly, when we tracked the geography of it, Ireland has one of the lowest prevalences of ransomware in the world at the moment. The flip side of that is, because ransomware hasn’t been paying dividends for all the bad guys out there, they’ve moved over to phishing and cryptocurrency mining. Cryptocurrency mining is now twice as prevalent as ransomware, so that’s a significant shift.” Ryan recommended Windows Defender and Defender ATP (Advanced Threat Protection), which are able to track any unusual processes taking place on your machine.

There are simple, accessible and effective measures you can take to protect yourself against malware, phishing, cryptojacking and other evolving risks. “Go for the quick wins,” said Dr Mee. “Enabling two-factor authentication will stop any spear-phishing. Then block malicious sites for users — that should be a given with a firewall. If there are patches available, don’t wait to do them, patch them immediately. Finally, make sure users are aware of what phishing is, and tell them that if they receive a suspicious email, they should ring a help desk or call up someone else to make sure. With things like Office 365 you can easily use two-factor authentication. I’ve yet to come across an organisation with two-factor identification enabled that has been the victim of malware attacks or phishing. It makes a big difference, and it’s free; it usually comes with the platform, or is easy to enable, so really there’s no excuse not to enable it.”

Creely advocated Zinopy’s five-part method — “Identify; Protect; Detect; Respond; Recover” — and Ryan advised a multifaceted approach: “If you look at Microsoft’s local security report, 50 per cent of the people we surveyed had received no security training whatsoever from their organisation. That’s not good enough in a market like the one we’re in, and with threats the way they are now. We found a lot of data was leaking out of organisations due to use of personal devices. People need to be more careful with personal devices, and more careful about clicking on anonymous links and opening files that seem unusual. Get the basics right — beefing up security and creating better passwords. We found that 16 per cent of organisations surveyed didn’t require passwords to change at all.” Finally, Ryan stressed that it’s important to use the latest technology: “The platforms delivering us our data are all cloud solutions; Office 365, for instance, can leverage incredible security response capabilities if you enable them. Windows 10 has ATP built in to block these processes at the source. All of these things are available if you move to the latest technologies. You need to move quickly, because the threat evolves constantly. You need to keep up.”

Fresh phish: how phishing is evolving

Over the years, phishing has developed and diversified, appearing in different permutations suited to specific targets and modes of attack. A list of some — but not all — phishing-attack styles to watch out for would include spear-phishing (a phishing attack targeted at a specific individual, often someone high-ranking within an organisation); pharming (directing internet users to an imitation of a well-known website, then harvesting their credentials and personal information); whaling (big-league spear-phishing, also known as CEO fraud attacks and BEC/Business Email Compromise Scams — since 2015, such attacks have risen by 1,300 per cent and cost businesses $3.1 billion); malware-based phishing (Symantec estimate that one in 131 emails contain malware); and, finally, the luridly-named smishing (SMS-based social engineering attacks) and vishing (phishing with voice technology).

The technologies enabling such attacks are now freely available to rent on the dark web: “Attackers of all skill levels can now access a whole range of online black-market tools,” said Marc O’Regan, CTO of Dell Technologies, “including how-to guides, AI-enabled programs, and cloud-based phishing-as-a-service solutions that enable anyone to orchestrate complex attacks.”

Machine learning and deep learning can be used to combat attacks, but they might just as commonly be used by the attackers themselves: “We’ve done work for our financial services customers using AI to detect and prevent all manner of threats including phishing attacks, but it is also being used as a tool to aid cybercriminals. Attackers are using these technologies to scan for vulnerabilities and then create malware that can better avoid detection.”

Photo: Vivienne Mee, founder, VM Group. Picture: Maura Hickey

While the attacks are varied, the way to protect yourself against them tends to be the same; be suspicious, ask questions, avoid clicking links, double-check any odd URLs, and call the person in question if you receive any unexpected emails asking for payment or sensitive information. “Obviously user awareness is the number one priority,” said Dr Vivienne Mee, founder of VM Group. “Companies need to make sure their employees know that, if they’re not expecting documents, or an email, they should make a phone call to check that it’s real.”

“The most effective way is awareness, awareness and more awareness,” said Angela Madden, managing director of Rits. “When you think you’ve enough training, then start again.” Hackers slip through and infiltrate organisations by creating a false sense of urgency, claiming their requests are time-sensitive or made in extenuating circumstances. You can’t afford to make exceptions: “In addition to verifying website links and email addresses,” Madden said, “it is vital that you have proper procedures in place when it comes to business operations and that your employees do not deviate from them. For example, when setting up or modifying supplier or customer account details, this should not be undertaken simply on an email request, nor should the processing of invoices. Have your formal processes and stick to them, even if the email request looks like it is coming from the CEO!”

This also means asking employees to check links by hovering over them before clicking, scanning attachments before opening them and preparing a plan of action, involving people from every level of your organisation. “I would suggest that organisations conduct a round-table scenario so that they can practise what they would do if they were to be infected by malware,” said Madden. “This should be followed up by documenting your incident management procedures and training the relevant staff on what to do.” If you outsource your IT management services to a third party, they should also be involved. “You need to have a level of assurance that irrespective of who is going to manage and contain a malware incident, they are prepared and up to the task. As Benjamin Franklin said ‘Failing to prepare is preparing to fail’.”

A brief history of cryptojacking

As with phishing and ransomware, cryptojacking allows hackers to remotely get into your computer or your cloud. The victim is tricked into clicking on a link in an email, which rapidly loads code on to their computer from a website or online ad. The code downloads and executes, turning the machine into one more worker in the attacker’s mining operation. Unlike phishing and ransomware, however, there’s no dramatic loss — only a slow, gradual compromising of the processing power you pay for.

Decentralised and potentially anonymous, cryptocurrencies have become the default mode of payment among cyber-criminals using ransomware to extort money from victims. Cryptojacking, however, allows them to earn money without so much as issuing threats. Also known as malicious cryptomining, cryptojacking harnesses stolen computing power to ‘mine’ Bitcoin and other cryptocurrencies (in this case, ‘mining’ refers to the energy-intensive process of verifying and adding currency to the blockchain digital ledger).

Photo: Des Ryan, solutions director, Microsoft Ireland

“Once it’s there it works in the background, and the computers are used as normal,” said Dr Mee. “The user might not even notice a difference in the performance of the machine, but it’s in the background using everything, using their processing power. This isn’t a new concept — it was around years ago. Remember years ago, there were malware attacks where people downloaded a screensaver, and that screensaver was actually part of a distributed network, a kind of bigger engine hacking. This mimics that. Once it gets onto the machine it’s a bit more clever — where before users downloaded a screensaver because they liked the look of it, now they just click on a link or visit an infected website.”

Cryptojacking has dominated headlines over the last year, but there’s a widespread misconception that it only happens to larger organisations, the kind with processing power to spare. “Not the case!” warned Marc O’Regan, CTO of Dell Technologies. “Cryptojacking is targeting many and often, and it’s making quick kills — in fact, small companies are a more common target for hackers. We see this all the time and we believe that the main reason for it is that small organisations, like SMBs and start-ups, don’t have the personnel or platforms to help safeguard against cyber-attacks.” The result can be catastrophic: “Over 60 per cent of small organisations affected by such attacks go out of business within under a year of being infiltrated. This crisis has now overtaken even ransomware as primary cyber threat.”

Unfortunately, the world’s growing number of connected devices will potentially help cryptojacking spread further, as the compute power available rises exponentially. O’Regan said: “On a technology level, the crisis deepens as we start to look at the world of distributed architecture, IoT, mobile phones, smart metering, smart cities and more. Cybercriminals will infiltrate these environments and ecosystems in an indiscriminate but effective way. Remember, they are not after your money, or even your data. They are stealing resources.”

Cryptojacking can be hard to detect, Dr Mee warned, but it can be addressed with the right security products: “You have to detect it first, in order to remove it. With good anti-malware, good antivirus, and good CPU or trend analysis on the network, then you’ll be able to detect it.” Vigilance, through both security programmes and user education, is paramount here. O’Regan said: “The key is awareness. If you notice unwarranted behaviour on your compute platforms, this needs to be looked at quickly and preventative measures need to be put in place to secure your environments.”
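Dr Mee’s “CPU or trend analysis on the network” is the part of that advice that can be scripted. What follows is an added example written for this article, not code from VM Group, Dell or any other firm quoted; it assumes an agent already collects hourly average CPU utilisation per host, and the three 24-hour series are constructed to show the distinction that matters: a miner keeps the processor busy around the clock, whereas a legitimate build job or office workload comes in bursts and the machine goes quiet overnight.

```python
"""Spotting cryptojacking from CPU trend data.  Added example; assumes an agent
collects hourly average CPU utilisation per host.  All three series below are
constructed for one 24-hour period (list index = hour of day)."""

from statistics import median

SAMPLES = {
    # A finance workstation: busy in office hours, idle overnight.
    "ws-finance-01": [5, 4, 6, 5, 4, 5, 8, 30, 45, 50, 48, 40,
                      35, 52, 47, 44, 38, 20, 6, 5, 4, 5, 4, 5],
    # Pegged above 90% around the clock, including when nobody is logged in.
    "ws-sales-07": [92, 94, 93, 95, 91, 94, 93, 95, 96, 94, 95, 93,
                    94, 92, 95, 94, 93, 95, 94, 92, 93, 95, 94, 93],
    # A build server: one legitimate three-hour job at 03:00, otherwise quiet.
    "srv-build-02": [10, 8, 9, 85, 90, 88, 12, 10, 9, 8, 10, 9,
                     11, 10, 9, 8, 10, 9, 11, 10, 9, 8, 10, 9],
}


def longest_high_run(series, threshold=80):
    """(start_hour, length) of the longest run of samples >= threshold, or None."""
    best, run_start = None, None
    for i, value in enumerate(list(series) + [None]):  # sentinel closes a final run
        if value is not None and value >= threshold:
            run_start = i if run_start is None else run_start
        elif run_start is not None:
            length = i - run_start
            if best is None or length > best[1]:
                best = (run_start, length)
            run_start = None
    return best


def off_hours_median(series, work_hours=range(8, 18)):
    """Median utilisation outside the hours the machine is expected to be busy."""
    return median(v for hour, v in enumerate(series) if hour not in work_hours)


def cryptomining_candidates(samples, min_run=6, idle_ceiling=25):
    """Hosts with a long high-CPU run AND no quiet period overnight."""
    flagged = {}
    for host, series in samples.items():
        run = longest_high_run(series)
        quiet = off_hours_median(series)
        if run and run[1] >= min_run and quiet > idle_ceiling:
            flagged[host] = {"high_run": run, "off_hours_median": quiet}
    return flagged


if __name__ == "__main__":
    for host, detail in cryptomining_candidates(SAMPLES).items():
        print(f"{host}: high-CPU run of {detail['high_run'][1]}h from hour "
              f"{detail['high_run'][0]}, off-hours median {detail['off_hours_median']}%")
```

Only ws-sales-07 is flagged: the build server’s three-hour spike is shorter than the six-hour minimum run and its overnight median is 10 per cent, and the finance workstation never crosses the threshold at all. Requiring both a sustained run and a raised off-hours baseline is what keeps a busy but legitimate host out of the list; the thresholds are starting points to tune against your own fleet’s normal behaviour, which is the “trend” part of the analysis.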

Is that email really from your chief executive?

Whaling, also known as CEO Fraud and Business Email Compromise, is an especially effective and increasingly common form of phishing attack which involves targeting employees who control or access company finances. After gathering information on social media or through a previous attack, hackers use social engineering and email spoofing (the use of a forged email address) to trick their target into transferring money.

Between 2016 and 2018, this variety of attack earned criminals over $5 billion worldwide, including €130,000 unfortunately lost by Dublin Zoo, after a contractor’s email address was hacked in 2017 (the attack aimed to steal a total of €500,000, but gardaí were able to freeze bank accounts before any more could be taken). Common attack scenarios include the criminal posing as a foreign supplier with a long-standing relationship to your business, an executive making an urgent wire transfer request (their email address will be spoofed), criminals impersonating lawyers, and criminals who have taken over an employee’s email account sending out invoices to company suppliers.