Dark Reading is part of the Informa Tech Division of Informa PLC


Partner Perspectives  Connecting marketers to our tech communities.
11/2/2016
10:00 AM
Malwarebytes Labs

Phishing Threat Continues To Loom Large

Phishing and spear phishing will only get worse unless companies proactively train employees to recognize a scam when they see one.

Phishing emails are growing in both number and impact. A recent Osterman Research survey found a variety of security incidents attributable to malicious emails. For example, 41% of organizations surveyed have lost sensitive data on an employee’s computer, and 24% have lost sensitive data from a corporate network.

Also on the rise: spear phishing, typically directed at a smaller group of potential victims, including senior officers within a company. In fact, Malwarebytes’ own CFO Mark Harris was hit with one a few months back. Government organizations that are likely to possess sensitive information such as login credentials to corporate financial accounts are also highly targeted.

One of the primary reasons that phishing is so effective is that many email users are not sufficiently skeptical or discriminating about suspicious emails, often because they lack training about how to identify phishing attempts. Our research has found that once users are trained about phishing, they are less susceptible to these attempts.

Spear phishing, on the other hand, has become a successful threat vector because many potential victims provide phishers with much of the information they need to craft messages that seem genuine. For example, Facebook, Twitter, LinkedIn, and other social media venues contain large quantities of valuable information about personal preferences, travel plans, family members’ names, affiliations, and other personal and sensitive details that can be incorporated into spear-phishing emails to make them seem more believable.

To demonstrate how phishers might use personal information to their advantage, I found someone on Facebook whom I do not know personally but who has an active presence and provides a significant amount of information on his public Facebook page, including:

  • He visited Tapley’s Pub in Whistler, British Columbia, on Sept. 20.
  • He visited The Brewhouse in Whistler on Sept. 16.
  • The names of at least some of the people he was with on Sept. 13.
  • He visited the 192 Brewing Company on Sept. 12.
  • He visited the Chainline Brewing Company on Sept. 11.
  • He visited American Pacific Mortgage on Sept. 9.
  • He went to a Seattle Seahawks game on Sept. 3.

Moreover, based on his Facebook profile, we know the company for which he works, the city in which he lives, his wife’s name, and lots of other information about him. If I were a phisher attempting to gain access to his corporate login credentials, for example, I could craft an email with the subject line “Problem with your credit card charge at Tapley’s Pub” -- a subject line that would likely resonate with him given his recent personal experience at that restaurant.

I could provide a short, believable message about a problem in running his credit card and provide a link asking him to verify the charge. That link could be to a site that would automatically download a keystroke logger to his computer, after which I would be able to capture every keystroke he made from then on, which might include login credentials and credit card numbers.

Given that smaller organizations often do not have the training or technology in place to detect phishing attempts, my chance of success at infecting his computer would be reasonably high.

Phishing and spear phishing are serious problems that will get worse in the future, often because victims are not sufficiently trained and because many provide key information to cybercriminals. Organizations must work to raise awareness among their employees or risk the exploitation of sensitive company data. 
