There is a common thread that connects the recent Ubiquity Networks hack, the breach that cost them $47 million dollars (read about it here), and the increase of “ransomware” attacks that have already cost the global economy close to $1 billion dollars this year: they were all due to successful “spearphishing” attacks.
Generic – or what are now considered to be “old school” – phishing attacks typically took the form of the infamous “Nigerian prince” type scams, which attempted to trick people into responding with their financial information. “Spearphishing” attacks today are similar but far more vicious.
They seek to persuade victims to click on a hyperlink or attachment that usually deploys software (called “malware”) allowing attackers access to the user’s computer – or even the entire corporate network. Attacks like this can also be delivered by social media messages, infected USB drives, or as we’ve seen much more recently, via SMS messages.
The sobering reality is that it’s tough to defend against these types of attacks. This is partly because spearphishing involves using a technique known as social engineering, in which attacks are highly personalised, making is hard for victims to detect the deception.
Traditional technical defences, such as anti-virus software and network security monitoring, are unable to detect and prevent these kinds of attacks. This is because the exploits are often delivered using “polymorphic code“. This code follows no fixed pattern, and cannot be identified using signature based matching, the technique relied upon by the majority of anti-virus vendors.
This allows the malware to remain undetected, and operate under the guise of a trusted network user, which makes detection incredibly difficult.
That is assuming the attackers even use malware in the first place. More lucrative spearphishing scams exist which are known as “whaling” – so called because they go after the ‘big phish’. These scams (also known as CEO fraud or Business Email Compromise) impersonate senior executives within a business in order to leverage their position of authority.
In fact according to the FBI, in 2015 whaling style scams were up by 251% upon the previous year.
Scams such as this typically involve duping a financial controller into processing a fraudulent bank transfer – often using a sophisticated email attack. These emails are cunning in their prose, and will flawlessly imitate the language and style of a genuine executive, a feat achieved through meticulous reconnaissance and planning.
If detection wasn’t already difficult enough, the sender information is also ‘spoofed‘ to make it appear as though the email came from the target. In organisations where transactions are routinely approved via email, these types of attacks can prove incredibly effective.
Here’s a small selection of recent high-profile victims: –
- Ubiquity Networks (networking equippment manufacturer) $43 million (US)
- Xoom (international money transfer corporation) – $30 million (US)
- Scoular (online commodities trading company) – $17.2 million (US)
- FACC (Austrian aerospace manufacturer) – $54 million (US)
- Crelan Bank (banking & financial services) – $72 million (US)
Sadly, the majority of attacks go unreported because they target smaller businesses. I have personally seen countless examples of these scams affecting small law firms, accounting practices, construction companies, retailers and much more. The FBI estimates losses from these scams total $2.1 billion dollars (US) in the last 3 years alone. In fact according to the FBI, in 2015 whaling style scams were up by 251% upon the previous year.
Businesses aren’t the only ones at risk. Cyber criminals are always looking out for creative ways to profit from our lack of security awareness – as their latest campaign proves. SMS phishing or ‘SMishing’ as it is known involves sending SMS messages to your mobile phone which contain malicious URLs. These attacks are more effective than email based scams by virtue of the fact that the scammers have your mobile number, the piece of personal contact information we guard most closely.
In the example below we can see an SMS message claiming to be from HMRC (the British tax office). The SMS appears to be legitimate, particularly as the contact name automatically populates as ‘HMRCREFUND’. This particular scam was circulating in April / May which is the end of financial year in the UK, a time when most people would be expecting to receive their tax statements, along with any refunds.
The attack is well-timed and well targeted. By clicking on the URL in this text message you’ll be asked to confirm your personal details and provide your banking information so that your refund can be processed. Unfortunately, it doesn’t take a strong background in cyber security to figure out what would happen next.
Ransomware is fast becoming an epidemic. Last year, the Websense ThreatSeeker network detected 1.05 million ransomware attacks globally – with 60 per cent of these attacks aimed towards small to medium sized businesses. It seems that SMEs are first in line when it comes to facing off with the cyber criminals.
It is disappointing – but there is currently no bullet-proof solution in place to prevent businesses from becoming hit with these attacks. Anti-spam solutions aren’t blocking malicious emails at the gate, AV software isn’t able to detect the polymorphic code and end-users aren’t able to identify that they are even being attacked. It’s a systematic failure at every level.
Recent Example – Australia Post
I came across this example recently via a Brisbane based business that were hit with ransomware. It encrypted the data on a large number of their computers, encrypted their main file server and even spread from their main site out to their offices in Sydney & Melbourne. It all started with this email:
Upon clicking on the button to request a new shipping label we’re taken to the following website. The web page requests that you enter a confirmation code and then serves up a downloadable ZIP file.
We can see that this ZIP file contains an executable. Double-clicking on this file will launch the ransomware and begin the process of encrypting all of the files on this system.
So naturally, I decided to scan it. The results are shocking – only 03/56 AV vendors detected this application as malicious.
To confirm my suspicions, I decided to launch the malware inside my safe lab environment, and within 30 seconds everything had been encrypted.
This encryption was totally irreversible.
According to coremind.com.au, ransomware attacks in 2015 increased by 500%.
The Common Denominator
Each of these attacks were targeting a unique kind of system – the human operating system. In every single case, technical controls failed to prevent the attacks. Time and again we’re seeing that human beings are often our last line of defence. Your people are your eyes and ears on the ground, and can be a valuable resource capable of detecting and preventing cyber breaches.
However, they can also be your biggest liability, unknowingly facilitating attacks through a lack of security awareness. Contrary to popular belief, we can patch the human operating system. In fact, it’s one of the most important patch management programmes that you’ll ever implement, and will provide the greatest ROI to your organisation.
Provide relevant training via senior staff with the right skills, external experts, conferences or even online courses. Make learning modules bite-sized and easy to understand. Ensure they reflect the latest threats and make them mandatory for existing personnel. Better still – build the training into your induction process for new starters.
If you’re looking for a ready-made training solution then I’ve created The Ultimate Security Awareness Course. It’s an effective training product for businesses that helps organisations to address the human element in their security strategy. It contains 12 interactive modules and will be available for early release in October 2016.
If you’d like to champion the improvement in security for your organisation then there’s still time to register your interest. Those on the pre-registration list will gain access to the training before its mass-market release and will receive an exclusive early-bird discount. Just click on the link below to register.
User education and awareness is equally if not more effective than traditional technical controls. Your front line staff are some of the best intrusion detection and prevention systems that you’ll ever get – and they won’t cost you an additional $100,000 to set up and configure. Invest time and energy into training your employees as part of their ongoing professional development and you’ll be miles ahead of your attackers.
If you have any questions then feel free to use the comments below.
Oh – and I’d love it if you could share this with your network!