There are a number of ways cybercriminals can infiltrate an enterprise, but new research suggests that the biggest weakness at most companies may be the employees themselves. Malicious actors are increasingly using a technique known as social engineering. Social engineering takes many forms, but the most common is the phishing email, which works personal details into the message so that it looks authentic and tricks the reader into handing over credentials or other sensitive information.
While most Internet users have gotten better at spotting fake sites and phony emails, social engineering lets attackers draw on information that is readily available online to tailor an attack to one specific victim, making the message look like the real thing. Other schemes rely on urgency or threats to pressure the reader into clicking the links in the message, for example threatening to leave bad feedback on an e-commerce site or posing as a utility company that will terminate service unless action is taken.
A phishing campaign currently running uses subject lines tied to the recent Ebola outbreak, such as “What You Need to Know About the Deadly Ebola Outbreak” and “The #1 Food Items You’ll Need in an EBOLA Crisis”, and claims to share information from the World Health Organization. The link to the attached file that supposedly contains safety tips instead installs the DarkComet Trojan on the victim’s device, giving the attackers remote access to the compromised machine.
Phishing schemes on the rise
Corporations and even governments are being targeted by a growing number of sustained, sophisticated spear phishing campaigns. According to research by Symantec, data breaches resulting from spear phishing have increased 62 percent since last year. Symantec’s recent “Internet Security Threat Report” found that, while the total number of emails used in phishing campaigns and the overall number of targets have decreased, the number of spear phishing campaigns themselves grew 91 percent in 2013.
According to Kevin Haley, director of Symantec Security Response, attackers are beginning to favor fewer, larger attacks over many minor ones.
“One mega breach can be worth 50 smaller attacks,” said Haley. “While the level of sophistication continues to grow among attackers, what was surprising last year was their willingness to be a lot more patient – waiting to strike until the reward is bigger and better.”
A separate study by Trend Micro found that not only are these types of attacks becoming more prevalent, IT workers are growing more worried about their effects. Trend Micro’s recent “2014 Cyberthreat Defense Report” found that malware and phishing attacks were the cyberthreats that caused the most concern among the IT professionals surveyed.
At the same time, respondents were almost twice as concerned about external threats as internal ones, even though a phishing attack only succeeds once an employee inside the organization takes the bait. Only 5 percent of participants reported being significantly more concerned about internal threats, suggesting that most decision-makers don’t recognize where successful attacks actually gain their foothold.
Hackers show a shift in attack targets
While cybercriminals have changed their methods to employ social engineering and phishing more often, and large scale attacks are being favored over frequent minor ones, hackers have also begun targeting organizations in sectors they once left alone.
“Traditionally, manufacturing and mining companies have not had to worry about information security threats as much as say, financial services, as the primary adversaries were cybercriminals,” said Rohyt Belani, CEO and co-founder of PhishMe. “However, with the rise of the nation-state actors these industries are under constant attack as the proverbial ‘pot of gold’ of proprietary information and intellectual property is very lucrative. The lack of an IT savvy workforce and appropriate budgets to fund cyber-security efforts further exacerbate the problem.”
The Symantec study found that one-third of organizations in the mining, government and manufacturing sectors suffered at least one spear phishing attack in the last year.
Education, threat protection best bet for security
One simple check for any email is to look at the actual sender address rather than the display name: a message that claims to come from a bank or a health agency but is sent from an unrelated or lookalike domain is a warning sign. The same goes for links. Hovering over a link (or viewing the message source) shows where it really leads, and a destination that does not match the link text or the claimed sender is often a throwaway site set up for the campaign. These checks are not foolproof, since display names and even From headers can be forged and attackers register convincing lookalike domains, but teaching employees a few habits like these can markedly improve an organization’s security posture.
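The sender and link checks described above, as an added worked example that is not part of the article and not code from any vendor it quotes. The script parses a raw message and applies those heuristics: it compares the display name with the sender domain, flags a Reply-To that points somewhere else, and compares the visible text of each link with its real target. TRUSTED_DOMAINS, the domains and the sample message are constructed for the demonstration; the “registrable domain” helper is deliberately crude (last two labels) and a real deployment would use a public-suffix list.

```python
# Added example, not the article's code: heuristic checks for a spoofed or lookalike
# sender and for links whose real target differs from what the reader sees.
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"who.int", "corp.example"}  # hypothetical: genuine sending domains
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable(host):
    """Crude eTLD+1 (last two labels); production code should use a public-suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def address_domain(header_value):
    """Registrable domain of the address inside a From/Reply-To style header."""
    _, addr = parseaddr(header_value or "")
    return registrable(addr.rpartition("@")[2]) if "@" in addr else ""

def imitates(text, brand):
    """True if `brand` occurs as a whole word or label, as in who-int-alerts.example."""
    return brand in re.split(r"[^a-z0-9]+", text.lower())

def analyze(raw):
    """Return a list of (code, detail) findings for one RFC 5322 message string."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = address_domain(from_addr)
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if from_dom == trusted:
            continue
        if imitates(from_name, brand):  # display name claims the org, address does not
            findings.append(("display-name-mismatch", f"{from_name!r} sent from {from_dom}"))
        if imitates(from_dom, brand):  # brand name built into a lookalike sender domain
            findings.append(("sender-lookalike", f"{from_dom} imitates {trusted}"))
    reply_dom = address_domain(msg.get("Reply-To"))  # replies quietly routed elsewhere
    if reply_dom and reply_dom != from_dom:
        findings.append(("reply-to-mismatch", f"{reply_dom} != {from_dom}"))
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    if body is not None and body.get_content_type() == "text/html":
        collector = _LinkCollector()
        collector.feed(content)
        links = collector.links
    else:
        links = [(u, u) for u in URL_RE.findall(content)]  # plain text: shown == target
    for href, text in links:
        host = urlparse(href).hostname or ""
        target = registrable(host)
        shown = URL_RE.findall(text)  # a URL in the visible text that disagrees with href
        if shown and registrable(urlparse(shown[0]).hostname or "") != target:
            findings.append(("link-text-mismatch", f"shows {shown[0]} but goes to {host}"))
        for trusted in TRUSTED_DOMAINS:  # brand buried in a subdomain of another site
            if target != trusted and imitates(host, trusted.split(".")[0]):
                findings.append(("link-lookalike", f"{host} imitates {trusted}"))
    return findings

# Constructed sample modelled on the Ebola lure described above; not a real message.
PHISH = """\
From: "World Health Organization (WHO)" <alerts@who-int-alerts.example>
Reply-To: replies@mail-drop.example
Subject: What You Need to Know About the Deadly Ebola Outbreak
Content-Type: text/html; charset="utf-8"

<html><body><p>Safety tips from the WHO:
<a href="http://www.who.int.safety-tips.example.com/ebola">http://www.who.int/ebola/safety-tips</a>
</p></body></html>
"""

if __name__ == "__main__":
    print(*analyze(PHISH), sep="\n")
```

Run against the sample, analyze() reports five findings: the display name claims the WHO while the address is on who-int-alerts.example, that sender domain itself imitates who.int, replies go to mail-drop.example, the link text shows who.int while the href lands on example.com, and the href host hides the brand in a subdomain. A message from an allow-listed domain whose links point back to that domain produces none. The checks are deliberately narrow: they catch the lazy lookalikes described in the article, not a sender that has registered a clean unrelated domain, and they say nothing about SPF, DKIM or DMARC, which is where a mail gateway should verify the From header for real.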
In an interview with SecurityWeek, Ed Ferrara, vice president and principal analyst at Forrester Research, noted that organizations that effectively contain a breach and manage the fallout from an intrusion can actually improve customers’ perception of the enterprise, while mishandling a cyber attack can permanently damage a company’s reputation. Defenses designed to identify targeted attacks in email, combined with training that shows workers what those attacks look like, both educate employees about the risks of online communication and reduce the likelihood of a breach.