As the value and extent of online assets have increased over the years, the focus of criminals has shifted from attacking real-world property to targeting the online and IT infrastructure of businesses. One of the key tools hackers and hacktivists use for gaining access to organizations’ networks is phishing.
In a recent report from Mandiant, it was revealed that 44 percent of phishing attacks use IT-related issues as the pretext for eliciting desirable behavior from their targets.
Phishing is a social engineering strategy that involves sending emails or other communication to members of a company, usually containing an inducement to click on a link that will take them to a fraudulent website. Once on the hacker’s website, the victim may be infected with malware that enables the hacker to advance the attack, or may be asked to supply login details, which are then harvested and used by the hacker to gain access to email accounts or other sources of further information.
The prototypical phishing attack involves sending emails that appear to be from a bank, asking users to log in to their online banking account with a provided link. Of course, the link goes to a fake site designed to look like the bank’s official site. Phishing attacks of this nature are fairly opportunistic, with perhaps tens of thousands of emails sent in the hope that some small percentage of recipients will fall for them.
So-called spear phishing, the variant of more concern to businesses, is targeted at specific individuals within a company. Targeted phishing attacks allow hackers to research individuals and companies in-depth and craft their emails so as to greatly increase the chances of success.
The report contains a fascinating timeline that details how a spear phishing attack by the Syrian Electronic Army worked against a media organization. The attack begins by sending targeted emails to a number of different employees with the aim of harvesting webmail login credentials.
Once that initial breach succeeded, within a few minutes the attackers logged in to employees’ webmail accounts and used them to send further phishing emails, which were more effective because they originated from a known domain. This second round supplied the data they needed to gain access to the organization’s CMS and social media accounts, and they were able to deface the site and send Tweets supporting their cause.
Creating IT-related phishing emails is an obvious tactic for hackers, which is why such a large proportion of attacks focus on IT issues. Employees may believe that the IT department has good reason to ask them for passwords or to carry out specific instructions such as logging into a website with their credentials.
The success rates of phishing attacks are strong evidence that employees are not being properly educated as to the risks. IT departments should make it clear to all employees that they should never hand their authentication credentials to anyone, whether inside the organization or not. Encouraging a culture in which even the “computer guy” is challenged when he or she asks for information would help employees feel more confident when denying such requests and reporting them to management.
Author: Graeme Caldwell works as an inbound marketer for InterWorx, a revolutionary web hosting control panel for hosts who need scalability and reliability. Follow InterWorx on Twitter at @interworx, Like them on Facebook and check out their blog, http://www.interworx.com/community.
Published: June 17, 2014
2558 Views