It’s a few weeks before Christmas. You want to surprise a family member with a new laptop, but you can’t decide which one. To find the right brand, you innocently reach out to your social media community to crowd-source some options.
Suddenly, you receive an e-mail from a colleague, who often comments on your online posts. Apparently, they’ve got some top tips for you and here’s the link with all the details.
Merry Christmas! You’ve just been spear phished. In a matter of seconds, you’ve been hoodwinked by a carefully constructed, highly-targeted scam and your personal data is now in cybercriminals’ hands.
You wouldn’t be alone. F5 Labs’ Lessons Learned from a Decade of Data Breaches report recently revealed that phishing is fast becoming cybercriminals’ easiest and most productive attack vector, and is now responsible for almost half of all recorded breached records by root cause. According to Symantec, spear phishing is today’s dominant infection vector, employed by as many as 71% of organised cybercriminal groups.
The data is supported by figures from the Anti-Phishing Working Group (APWG), which indicates that global phishing incidents have risen a staggering 5,753% over the past 12 years. Gartner currently believes that social engineering, alongside GDPR compliance, are the two issues most likely to cause the greatest enterprise damage “if not adequately addressed by risk management leaders”.
It’s the season to be wary
Phishing in all its incarnations is undeniable and a rapidly growing menace. Unfortunately, for many, the holiday season brings perfect conditions for its nefariousness to thrive. Research from payment system firm ACI International shows that online fraud grew by 22% globally between 22 November and 31 December last year, and you can bet that trend will continue. At the same time, the potential attack surface is exponentially expanding. Extensive worldwide analysis by Salesforce suggests that the 2018 holiday season ecommerce revenue will increase 13% on last year, with AI-based product recommendations driving 35% of all revenue. For the first time ever, more purchases will be made with mobile phones (68%) than any other device.
A perfect storm is brewing. Here’s how you can prepare and stay safe:
Take care before you share. It is easy to let your guard down when you’re self-promoting or updating followers with engagement-stoking details. Even seemingly innocuous information can be weaponised by persistent hackers. Individuals need to be wary, alert and be responsible. Organisations on the other hand must run robust, continually evolving awareness-raising programmes to ensure all employees embrace a culture of appropriate social sharing. They should also double check the essential nature of business-related web content on third party properties, such as online directories and partner websites.
Think before you click. Treat any link with suspicion, particularly if you’re unsure of its origin. Hover over hyperlinks to view the destination URLs because sneaky spear phishers will often hide their URLs in email body text or via online forms that appear credible.
Sound phishy? It probably is. Spear phishing has been honed to a fine art, including the incorporation of an impressive array of personal and circumstantial details to crank up the realism factor. Question everything and try to establish sender veracity before doing anything. Canny cybercriminals often use high-ranking figures within an organisation to accelerate carefree actions, such as sending sensitive details via email.
Interrogate Email headers. Attackers frequently send email inquiries to gather IP addresses, determine mail server software, and ascertain emails traffic flow. Do not let this happen. Check all email headers before opening content from unknown sources.
Adapt or die. There is no protective silver bullet. Any claims to the contrary are lies. Make sure any endpoint protection tools are behaviour-based to help ensure lessons are learned from successful attacks. Ultimately, the onus is on you to stay educated and sensible. Demand awareness-raising and preventative training if your employer doesn’t offer it already.
Secure the network. In the business world, it is imperative that security teams regularly ensure network systems are optimally configured to withstand threats. It is also critical to note that some applications are not built with a “security by design” mindset, occasionally containing detail about the development team and organisational processes. Securing these is a priority. In addition, all domain and IP registries should be set up with generic role names and identifiers instead of individual names.
Test your limits. Businesses should consider periodically hiring a penetration tester to unearth the who, what, where, when and whys of attacker behaviours. Today’s reconnaissance and social engineering tests can, and should, furnish you with invaluable defensive insights.
Over time, we’ve become too comfortable sharing valuable information online and giving hackers a clear window into our lives. Don’t let your personal data be the gift that keeps on giving this holiday season. Stay smart, stay safe, and don’t swallow the bait!
By Simon McCullough, Technical Manager, F5 Networks