Curiosity can kill… or at the very least take down your whole IT infrastructure. A recent German study explored the motivations behind the careless clicks that hackers count on to permit unauthorized access into your systems.
117 out of 720 respondents clicked on the questionable link provided by the study. Almost half (40 percent) of the clickers reported feeling curiosity (interest in seeing the content beyond the link). “Curiosity seems to be a very powerful driver of risky Internet behavior,” the study concludes. “People’s decisional heuristics are relatively easy to misuse in a targeted attack, making defense especially challenging.”
The more we take motivation into the picture, the more we understand the devastating effectiveness of the most pervasive kinds of phishing attacks – and more importantly, we can get closer to a solution that minimizes their impact.
“Phishing” started out with hackers stealing AOL passwords and accounts with spurious emails. While it’s evolved into an umbrella term encompassing many different kinds of deceptive methods for gaining unauthorized access to data, the subvariant known as deceptive phishing sticks closest to its dark, 90s-era roots.
Like the original phishing scam over AOL, deceptive phishing involves exploiting your trust through an email purporting to come from a trusted figure (your bank; your boss; your friend) asking you to click on a link in the email body and verify your credentials. The link is fake; the scammer uses the information you type in to gain access to your real accounts.
Spear phishing is simply deceptive phishing using personalized information: the scammer customizes the email to make it sound as if it’s coming from someone you have a relationship with.
This social-engineering trick makes it devastatingly effective: Greathorn, a cloud security company, recently released its Spear Phishing Report, which revealed that over 90 percent of phishing emails impersonated a trusted sender to trick recipients into clicking on a link.
Phishing expeditions over the phone can be more difficult for the scammer to pull off, but they can be far more effective than email-only efforts.
Voice phishing, or “vishing”, works the same way as a spear phishing attack (by using personalized information to leverage trust), but uses a different channel: the telephone. The scammer calls an individual, pretending to be calling for a trusted organization (like the bank or your credit card company).
If the target fully believes that the caller is who he claims to be, the target will happily turn over passwords and account numbers to the stranger on the other end of the line.
British entrepreneur Emma Watson lost £100,000 to a vishing attack that persuaded her to move her bank funds online to other accounts the fraudsters had set up in her name. “Angela”, the fraudster on the other end, was soothingly persuasive – lulling Watson into a false sense of security.
Reporting the fraud, Watson found that her bank had no effective countermeasures against vishing attacks. “The whole fraud-reporting process was inefficient and inconclusive,” Watson later declared. The bank could only refund her a tenth of the money lost – Watson’s friends made up the difference through a successful crowdfunding campaign.
Instead of redirecting targets to suspicious links, malware-based phishing tricks targets into running malicious software – introduced in the form of email attachments, downloadable files, or other methods that exploit security vulnerabilities on the system.
Many malware-based attacks use website popups or unauthorized redirects that incite fear in the user: attention-grabbing windows that proclaim the presence of a virus, or an FBI warning supposedly detecting illegal downloads on your computer. To get rid of the warning, you’ll be asked to download a program. Many unthinkingly do – only to see the problem get even worse.
These apps contain hidden functionalities like keyloggers that can record your keystrokes and send them back to the hacker, revealing any passwords you might use for your other apps.
By taking advantage of vulnerabilities in DNS server software, hackers can redirect website traffic to their own booby-trapped (but authentic-looking) domains. This technique is known as pharming: victims of such “poisoned” DNS servers keep using their systems in the usual manner, not realizing that their confidential information is now completely visible to the attackers.
An altered URL is a dead giveaway of a pharming attack, which is why the scammers use almost-identical URLs for the redirected domain (e.g. “a11covered.com” instead of “allcovered.com”). Checking the URL should be one’s first line of defense against any pharming attempt; the address should also use the secure protocol, with an “s” after “http” (https:// instead of http://).
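As an added defender-side illustration (this is example code, not code from the original article or from All Covered), the following Python flags a link whose host is a look-alike of a trusted domain, such as the “a11covered.com” example above, or a trusted host reached over plain http instead of https. The trusted-domain list and the confusable-character table are assumptions constructed for the example.

```python
from urllib.parse import urlsplit

# Assumed table of characters/digraphs swapped for look-alike letters,
# as in "a11covered.com" for "allcovered.com". Constructed for this example.
CONFUSABLES = {"vv": "w", "rn": "m", "1": "l", "0": "o", "3": "e", "5": "s", "7": "t"}

# Assumed allow-list of domains the organization really uses.
TRUSTED_DOMAINS = {"allcovered.com"}


def normalize_host(host: str) -> str:
    """Fold confusable characters back to the letters they imitate."""
    out = host.lower()
    # Multi-character confusables first, so "rn" is folded before "1" or "0".
    for bad, good in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        out = out.replace(bad, good)
    return out


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_of(url: str) -> str:
    """Extract the host from a URL, dropping a leading 'www.'."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def classify_url(url: str, trusted: set = TRUSTED_DOMAINS) -> str:
    """'trusted', 'insecure' (trusted host over plain http), 'lookalike'
    (confusable or one edit away from a trusted host) or 'unknown'."""
    scheme, host = urlsplit(url).scheme.lower(), host_of(url)
    if host in trusted:
        return "trusted" if scheme == "https" else "insecure"
    for good in trusted:
        if normalize_host(host) == normalize_host(good) or edit_distance(host, good) <= 1:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":  # constructed sample links from a suspicious email
    for link in ["https://www.allcovered.com/login", "http://allcovered.com/login",
                 "https://a11covered.com/verify", "https://alcovered.com/", "https://example.org/"]:
        print(f"{link:40} -> {classify_url(link)}")
```

A link classified as "lookalike" or "insecure" is the cue to stop and verify through a channel you already trust rather than through the email itself.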
The great majority of successful phishing attacks rely not on cunning programming, but human error: they play on curiosity, fear, and misplaced trust to get over the ramparts and into your system.
That’s why the most effective defense against phishing takes the human factor into account. User security education, the kind provided by All Covered’s managed IT services (All Covered Care – Secure and Protect) teaches individual users to overcome these usual triggers, by recognizing a phishing attack in the offing.
Training and testing programs supplied by All Covered partner KnowBe4 take trainees through a three-step process: a simulated attack to set a baseline to assess the organization’s vulnerability to phishing attacks; an engaging training program for employees; and regular tests to keep employees on their toes.
KnowBe4’s effective anti-phishing training can be used in concert with the other elements of All Covered Care – Secure and Protect’s most basic service package: 24x7 remote monitoring (RMON), protection against spam and viruses, security patching services, and a regular Managed Vulnerability Scan.
For more information on All Covered – Secure and Protect and other services, contact All Covered Toll-Free Nationwide at 866-446-1133 or visit www.allcovered.com.