Phishing continues to be a popular attack method for cyber criminals


Phishing has been around for a while, but still poses a substantial cyber threat, as the number of phishing sites rises, criminals get craftier and employee training is lagging behind.

According to the Anti-Phishing Working Group, a record number of unique phishing sites were discovered during the second quarter of 2016. The group counted 465,000 unique phishing sites in that period, which equates to around 5,000 new phishing sites per day.

The continued popularity of phishing among cyber criminals is due to it being a cheap tool that offers attackers a good return on investment. Attackers can easily send out thousands of emails and only need a small fraction of recipients to click on a link or fill in credentials.

Research done by DUO Security shows how effective phishing is from a criminal’s perspective. The cloud-based information security provider has created a tool, DUO Insight, which has sent simulated phishing emails to over 60,000 recipients.

“Of those, over 44% opened the email, 26% clicked the link in the email, and 14% went so far as to enter credentials. We found that 61% of phishing campaigns capture at least one credential,” says Jordan Wright, research and development engineer at DUO Security.

“So if I’m an attacker and my goal is to get access to an organisation, phishing is a very effective way to do that. A 61% chance of capturing at least one credential – those are incredible odds in favour of the attacker which shows just how effective phishing is from a cyber-crime perspective.”

To increase their chances of success, attackers are getting craftier in how they structure phishing emails and sites. They will, for instance, copy legitimate emails and only change the links within them to point to a malicious website. “So the emails look legitimate, not like the obvious phishing emails we used to get in the past, with misspellings everywhere,” Wright explains.

Despite the changing nature of phishing, he says the same rules still apply when it comes to cyber security. Employees should therefore be trained to check the ‘from’ box in the email to see if the email address is correct; trust their instincts and double-check unexpected emails with an urgent call to action; and hover over links to make sure they go where they are supposed to go.
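Two of the checks listed above, looking at the sender address and looking at where a link really points, can also be automated on the mail gateway or in a triage script. The following is an added example written for this article, not a tool from DUO Security or from the article itself: it parses a constructed sample message (the domains, addresses and links in it are made up) and flags a From domain that is not the organisation's own, a Reply-To that differs from the From address, and any link whose visible text shows one domain while its href goes somewhere else. The `registrable()` helper is a deliberate simplification that takes the last two labels of a host; a real deployment would use a public-suffix list.

```python
"""Added example (not from the article or from DUO Security): automates two of
the employee checks described above on a constructed sample message."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages; every domain and address below is invented.
SUSPICIOUS_EMAIL = """\
From: IT Support <helpdesk@examp1e-corp.com>
Reply-To: attacker@mail.example.net
To: staff@example-corp.com
Subject: Urgent: password expires today
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your password expires today. Reset it at
<a href="http://login.example-corp.com.evil.example/reset">https://login.example-corp.com/reset</a>
</p>
<p>Help: <a href="https://intranet.example-corp.com/help">intranet.example-corp.com/help</a></p>
</body></html>
"""

CLEAN_EMAIL = """\
From: IT Support <helpdesk@example-corp.com>
To: staff@example-corp.com
Subject: Monthly newsletter
Content-Type: text/html; charset="utf-8"

<html><body><p>Read it at <a href="https://intranet.example-corp.com/news">intranet.example-corp.com/news</a></p></body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    """Return the lower-cased host of a URL, adding a scheme if the value lacks one."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def registrable(host):
    """Approximate the registrable domain as the last two labels (assumption:
    no public-suffix list; good enough for this demonstration)."""
    return ".".join(host.split(".")[-2:])


def check_message(raw, trusted_domain):
    """Return a list of findings for one raw RFC 5322 message; [] means clean."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    # Check 1: is the 'from' address really from our own domain?
    from_addr = msg["From"].addresses[0].addr_spec if msg["From"] else ""
    from_domain = from_addr.split("@")[-1].lower()
    if from_domain != trusted_domain:
        findings.append(f"from-domain-mismatch: {from_domain}")
    # A Reply-To pointing elsewhere is a common sign the 'from' is only for show.
    if msg["Reply-To"]:
        reply_domain = msg["Reply-To"].addresses[0].addr_spec.split("@")[-1].lower()
        if reply_domain != from_domain:
            findings.append(f"reply-to-mismatch: {reply_domain}")
    # Check 2: does each link go where its visible text says it goes?
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = _LinkCollector()
        parser.feed(body.get_content())
        for href, text in parser.links:
            shown = _host(text) if ("." in text and " " not in text) else ""
            if shown and registrable(shown) != registrable(_host(href)):
                findings.append(f"link-mismatch: shows {shown} goes to {_host(href)}")
    return findings


if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS_EMAIL), ("clean", CLEAN_EMAIL)):
        print(name, check_message(raw, "example-corp.com") or "no findings")
```

Run as a script it reports three findings for the suspicious message (look-alike From domain, mismatched Reply-To, and a link whose text shows the corporate login host while the href lands on an unrelated domain) and none for the clean one. Link text that is not itself a URL or host name is not compared, which mirrors the hover-over-the-link check: it only catches the case where the displayed destination disagrees with the real one.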

DUO Security recommends carrying out simulated phishing exercises at least once a quarter, with the aim of getting employees to recognise phishing attempts and report them to the IT department. Wright stresses that the training should be about rewarding good behaviour.

“Companies should make sure that the training is not about trying to catch those who click on the link, but about teaching the right habits and focusing on rewarding those right actions being taken, such as rewarding people who report phishing emails to the IT department.”

Businesses should also ensure their software is kept up to date. “We talk about phishing in terms of stealing credentials, but there’s an entire other aspect of phishing that we’re starting to see trending upwards, which is phishing that uses so-called exploit kits. These are pieces of software that are on a malicious website that are designed to compromise devices that are running old browsers or old versions of plugins like Flash or Java. These exploit kits only require you to click the link, which can be enough to compromise your device and give an attacker access to an organisation,” Wright warns.

DUO Security’s top three phishing trends

  • Ransomware attacks are on the increase, as ransomware is very quick and cheap to send out and offers a good return on investment
  • An increase in business email compromise (BEC), when attackers find out the name of C-suite executives and send emails to employees posing as one of these people, asking for some kind of action to be taken. “We have seen pretty significant amounts of companies falling victim to this. They are very effective because they rely on the authority of the person they claim to come from,” says Wright
  • Standard malicious attachments, which include things like Word documents that contain malicious code. “However, Microsoft has put in protection to disable that code, so now whenever you open it you get a yellow bar at the top of your window saying ‘If you’d like to enable this code, click here’,” Wright explains. “So attackers have started crafting their Word documents to exploit this: when you open up the document it says it has been password protected, please click on the enable code button to unlock the document. It is almost social engineering, the way it relies on that sense of curiosity of the user to click on that button.”