A Different Kind of Fishing (Part 1 of 3)
There is an activity, other than fishing, that takes a similar approach but has much more dire consequences: phishing. Phishing is an email-based cyber-attack that can expose networks, lead to ransomware attacks, and become a giant pain. Look at what attackers have been using that actually works, and it's phishing.
Instead of an embedded document that carries some kind of malware, the lure will increasingly be an embedded video or a voice message (one that might sound like your boss). Phishing will keep getting more advanced so that more people click the link, open the document or video, or listen to the voicemail that launches the malware onto their system.
Identity-based scams often slip through legacy controls because those controls were designed to detect and prevent technically sophisticated attacks rather than socially engineered threats, which are now the attack type of choice for many email scammers.
A Texas school district, Manor Independent School District based outside of Austin, Tex., has lost $2.3 million after falling victim to an email scam. The incident started in early November 2019 and continued through December 2019 before it was discovered by the district. This kind of scheme begins with an attacker compromising the email account of an employee at a company involved in billing or payments. Once the target's account is compromised, the attackers add a forwarding or redirect rule to it that passes copies of all incoming email to another account the attackers control. Other victims of such scams include the City of Ocala in Florida, which was swindled out of $742,000, and a church in Brunswick, Ohio, that was scammed out of $1.75 million in August 2019.
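The forwarding-rule step above is also the most reliable place to catch this scam. The following added example (not from the article or any vendor tool) audits a set of mailbox rules and flags any enabled rule that forwards or redirects mail to a domain outside the organisation; the rule records, field names and domains are constructed assumptions, not a real export format.

```python
"""Flag mailbox rules that auto-forward or redirect mail outside the organisation.

The rule records below are constructed sample data shaped loosely like an
inbox-rule export; the field names are assumptions, not a vendor schema.
"""
from dataclasses import dataclass, field

INTERNAL_DOMAINS = {"example.org"}  # assumption: the organisation's own mail domains


@dataclass
class InboxRule:
    mailbox: str                                   # owner of the rule
    name: str                                      # rule display name
    forward_to: list = field(default_factory=list) # forward/redirect targets
    delete_message: bool = False                   # rule also deletes the original
    enabled: bool = True


def is_external(address: str) -> bool:
    """True when the address domain is not one of ours."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in INTERNAL_DOMAINS


def suspicious_rules(rules):
    """Return (mailbox, rule name, reasons) for enabled rules that forward externally.

    A rule that also deletes the original is called out separately, because it
    hides the forwarding from the mailbox owner.
    """
    findings = []
    for rule in rules:
        if not rule.enabled:
            continue
        external = [a for a in rule.forward_to if is_external(a)]
        if not external:
            continue
        reasons = [f"forwards to external address {a}" for a in external]
        if rule.delete_message:
            reasons.append("deletes the original message")
        findings.append((rule.mailbox, rule.name, reasons))
    return findings


# Constructed sample: one benign internal forward, one external forward that
# also deletes the original, and one disabled leftover rule.
SAMPLE_RULES = [
    InboxRule("ap-clerk@example.org", "Invoices", ["payments@example.org"]),
    InboxRule("ap-clerk@example.org", "Backup", ["collector@mail-example.test"], delete_message=True),
    InboxRule("hr@example.org", "Old forward", ["x@mail-example.test"], enabled=False),
]

if __name__ == "__main__":
    for mailbox, name, reasons in suspicious_rules(SAMPLE_RULES):
        print(f"{mailbox} rule {name!r}: {'; '.join(reasons)}")
```

In practice the same check runs over a scheduled export of every mailbox's rules, and any new external forward is reviewed with the account owner.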
There's no way around it: sending emails with attachments, downloading web files and using shared folders are part of how we conduct business, and that's not going to change.
The attacker's goal is to trick the email recipient into believing that the message is something they want or need, such as a request from their bank or a note from someone in their company, and to click a link or download an attachment. The attackers masquerade as a trusted entity of some kind, often a real or plausibly real person, or a company the victim might do business with. It's one of the oldest types of cyber-attack, dating back to the 1990s.
Generally, a phishing campaign tries to get the victim to do one of two things:
Hand over sensitive information. These messages aim to trick the user into revealing important data, often a username and password that the attacker can use to breach a system or account. A classic version involves sending out an email tailored to look like a message from a bank. The victim clicks a link in the message, is taken to a malicious site designed to resemble the bank's web page, and, the attacker hopes, enters their username and password. The attacker can now access the victim's account.
Download malware. These phishing emails aim to get the victim to infect their own computer with malware. Often the messages are "soft targeted": they might be sent to an HR staffer with an attachment that purports to be a job seeker's resume, for instance. These attachments are often .zip files or Microsoft Office documents with malicious embedded code. The most common form of malicious code is ransomware, but some phishing attacks aim to get login information from, or infect the computers of, specific people.
Think about what you received and whether it is legitimate. No, you did not win a lottery in a foreign country (especially since you did not play), and someone you do not even know did not leave you money; nor does bank XYZ or company ABC know the email account that the message came in on.
Source: CSO Online, "What is phishing?" (Nov 22, 2019), "Phishers' Top Favorites" section.
Editorial note: Our articles provide educational information for you. Our goal is to increase awareness about cyber safety.
Marilyn Sousa, CISA, CISM
Senior Cyber Security Engineer