The push for more widespread adoption of HTTPS has been in full force this year as a way to increase the number of websites that securely transmit information on the Internet. In January, both Chrome and Firefox browsers began alerting users whenever sensitive information, such as passwords or credit card information, was entered on a non-HTTPS web page. In October, Google took this a step further by displaying a “Not Secure” label in the URL bar whenever a user enters any text on an HTTP website.
Have the well-meaning recommendations of the security community made web users more vulnerable to cyber attacks? Have we conditioned people to be phished?
The HTTPS Paradox
You know that little green padlock symbol that appears in your browser’s URL bar every now and then? What do you think it means?
All through October, in aid of National Cyber Security Awareness Month (#CyberAware) we’re putting phishing under the microscope. In each post we’ll take a close look at one specific type of phishing, including the actors responsible, who it targets, and how/why it works.
The fact that hackers are increasingly targeting mobile devices isn’t exactly a secret.
And really, it’s not surprising either. After all, most of us are practically glued to our smartphones throughout the day.
An SMS arrived? Better read it straight away.
New email? Let me at it.
Somebody I don’t care about updated their Facebook status? Great, let’s see what they’re up to.
The increased attack volume we’re seeing directed at mobile devices is really nothing more than recognition on the part of threat actors that mobile devices account for an increasingly large proportion of web traffic… but aren’t nearly as well protected as PCs and laptops.
So with all that in mind, it shouldn’t be terribly surprising that we have a new mobile phishing threat to tell you about.
For the past several years, we’ve released an annual report during the first quarter of the year detailing precisely how the phishing landscape had evolved during the preceding 12 months.
In the past few years, you’ve no doubt started to see some pretty strange website suffixes.
You know the ones we mean. It isn’t just .COM, .ORG, and .NET anymore. Now you’ve started seeing .XYZ .NEWS .STUDIO and plenty of others.
Phishing has proven to be a successful, lucrative, and persistent threat vector that does not discriminate by industry or size of an organization. Traditional defensive measures against phishing attacks focus on shutting down the web page. This may address the immediate problem, but is that really a fight? This reaction does little to stop the cybercriminal, who is able to continue launching future attacks.
For us to truly evolve the fight against phishing, we need to combine the traditionally defensive posture with a proactive, aggressive strategy. This shift will allow us to disrupt the phishing supply chain and proactively go after kits and their creators on the distribution level instead of reacting to phishing sites that have been identified one-at-a-time.
Using in-depth, comprehensive intelligence can help us do a better job of fighting phishing instead of reacting to it. If we are able to provide context to threats by understanding where and how they manifest, we are able to better prepare, defend, and prevent future cyberattacks.
While more organizations than ever before recognize the need to educate and train their employees on the dangers of phishing attacks, it’s important that those in charge of training make sure employees understand that not all phishing probes are alike. That’s because recognizing the “smell” of a phishing attempt is a powerful defense against the malicious bag of tricks used by cybercriminals to breach your security.
In 2015, PhishLabs analyzed more than 1 million confirmed malicious phishing sites residing on more than 130,000 unique domains. While the typical consumer phishing attack has garnered much attention, the specialized business spear phishing attack poses increasing risk for a company and its employees.
Here’s a brief menu of the types of phishing attacks your employees need to recognize and avoid.
While analyzing a recent phishing campaign targeting a Canadian financial institution, we came across an interesting technique used by the phishers to exfiltrate the personal and financial data obtained from victims. Historically, phishers have most commonly used disposable email accounts to collect compromised information from phishing campaigns. Sending compromised data to a temporary email account has likely been adopted by the phishing community because email accounts are easily accessible, and mailing scripts can be used or built with very little PHP knowledge. Instead of forwarding phished data to an email account, we have also seen phishers that have stored victim information on the compromised phishing server, which allows them to consolidate all of the data into one file rather than having to sift through individual emails for each piece of information.
Recently, the media has been exploding with articles noting a massive increase in tax fraud phishing scams. The IRS publicly announced that they had seen a 400 percent increase in phishing incidents so far this year targeting taxpayers. Phishing is even on the IRS’ “Dirty Dozen” list of scams for the 2016 tax season.