LOOKING forward to the Holy Week break. Looking forward to any holiday break for that matter. Gen-X guy right here, grew up with my Lola (God bless her soul), and Holy Week was not the Holy Week “vacation” of today, no sir! Way back when even the radio and TV stations cooperated and there was no “secular” broadcast except religious heavy drama and biblically themed movies—The Ten Commandments was a personal favorite. In those days, when they say it is a time of reflection, they really mean it! It was quiet as a ghost town.
Since it is the time of Lent and some of us are willing to forego our carnivorous ways even for a couple of days, I thought what better subject to discuss than “phishing” (yes, pun very much intended). Phishing obviously is a play on the word “fishing” and just like the intent of the original term, it is meant to “lure,” only this time it is not fish from the sea but personal information like birthdates, passwords, credit card details and the like from the ocean that is the Internet.
It is a trick, a con, a “misleading email message” that starts it all. The email oftentimes carries the promise of beauty, success, power, love, sex and free gadgets, but other times FUD (fear, uncertainty and doubt) like fraud alerts, hack and virus warnings, “update your credentials or lose access,” relatives in distress and other subjects or topics that pique the interest or elicit curiosity. It is a very dangerous and effective ploy as it plays with the hearts and minds of unsuspecting, naïve individuals. Emotion is a very powerful thing indeed. Of course, SPAM also uses the same trickery but that’s another topic.
Commonly, a URL or a ‘link’ is embedded in the email and the name of the game is to make you “click” that link and bring you to their intended destination in the interwebz. To make it more convincing, they usually mimic a legitimate website to a very good degree, copying the original with such precision and faithfulness that you will actually think it is legit. Sometimes they even do a better job—the visuals are a very big factor why a lot of victims fall prey to this scam. It is that damn good!
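The embedded link is the one part of the message that a reader, or a mail filter, can actually inspect before anyone clicks. The script below is an added example and is not from the column; it parses a constructed HTML email body (the message, the bank name “examplebank.com” and the trusted-domain list are all assumptions) and flags the classic warning signs: a link whose visible text names one site while its href goes to another, a raw IP address as the destination, userinfo before an “@” that hides the real host, and a lookalike host that merely contains the trusted name.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message body, not a real phishing email.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, unusual activity was detected on your account.</p>
<p>Please <a href="http://198.51.100.7/login">verify your account</a> within 24 hours.</p>
<p>Or go to <a href="https://examplebank.com.security-check.example/update">https://www.examplebank.com/update</a></p>
<p>Mobile users: <a href="https://www.examplebank.com@203.0.113.5/">www.examplebank.com</a></p>
<p>Questions? Visit <a href="https://www.examplebank.com/help">our help center</a>.</p>
"""

# Domains the organisation actually owns (assumed for this example).
TRUSTED_DOMAINS = ["examplebank.com"]

_IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
_LOOKS_LIKE_URL = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.IGNORECASE)


class _LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _is_under(host, domain):
    # True when host is the domain itself or a subdomain of it.
    return host == domain or host.endswith("." + domain)


def analyze_link(href, text, trusted_domains):
    """Return a list of human-readable warnings for one link (empty if it looks fine)."""
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    findings = []

    if _IPV4.fullmatch(host):
        findings.append("href points at a raw IP address instead of a domain name")
    if parts.username is not None:
        findings.append("href contains userinfo before '@'; the real host is " + host)
    if _LOOKS_LIKE_URL.match(text):
        # The visible text looks like an address; compare it with where the link really goes.
        shown = text if "://" in text else "//" + text
        shown_host = (urlsplit(shown).hostname or "").lower()
        if shown_host != host:
            findings.append(f"visible text shows {shown_host} but href goes to {host}")
    if not any(_is_under(host, d) for d in trusted_domains):
        for d in trusted_domains:
            if d in host:
                findings.append(f"host {host} contains the trusted name {d} but is not under it")
    return findings


def scan_email(html, trusted_domains):
    """Return every link that drew at least one warning, in order of appearance."""
    parser = _LinkExtractor()
    parser.feed(html)
    parser.close()
    flagged = []
    for href, text in parser.links:
        findings = analyze_link(href, text, trusted_domains)
        if findings:
            flagged.append({"href": href, "text": text, "findings": findings})
    return flagged


if __name__ == "__main__":
    for item in scan_email(SAMPLE_EMAIL_HTML, TRUSTED_DOMAINS):
        print(item["href"])
        for finding in item["findings"]:
            print("  -", finding)
```

Run as a script it lists the three suspicious links in the sample and says why each was flagged, while the genuine help-center link passes. The same four checks are what a careful reader does by hovering over a link: the text you see is not the address you get.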
The real fun begins as you willingly enter all your precious personal information in the seemingly legitimate website. “There, I was able to change my password before those hackers can do their thing. Thank goodness for the bank’s excellent customer support service being proactive to warn me!” The perpetrators typically use this information almost at once, especially if it is credit card information as it has a short “shelf life” before it gets cancelled. These can be used by the hackers themselves or sold on the Internet black market or on the dark web.
That’s not all, though; most of the time the victim’s computer gets infected too! The phishing continues by using the local email directory and the vicious chain goes on and on, multiplying the number of victims along the way. The scammers send out tons of email “hooks” and only a small fraction of recipients needs to take the “bait” and “click” the link. Loving the puns yet?
The past year showed no slowdown in the scale and sophistication of phishing and it will be very interesting to know how we will fare this year. Global phishing attacks rose to 13 percent in 2016 from previous years. Marketers must be envious of email phishing: per 2016 statistics, 30 percent of phishing emails got opened (source: Verizon 2016 DBIR). Phishing has several delivery methods and for the past year, the No. 1 method is email attachments at 63 percent, followed closely by web drive-by (surfing to an infected website) at 61 percent, basic email link at 39 percent, malware at 10 percent and network propagation at 10 percent.
As mentioned above, you can get tricked into it by an email link, by visiting an infected website, by downloading and executing a rogue program (email attachment) or by a malware infestation. There are other types of phishing and one interesting to note is ‘spear phishing’. Standard phishing was designed as a “shotgun” approach, to target and get as many people as possible to “hook,” i.e. open them emails and do the “bait and click.” Spear phishing on the other hand is a very targeted attack – one that requires a little bit of reconnaissance. They do their homework, get contact details, names, positions and other valid information to reinforce their hook and, as the name implies, target very specific individuals in the organization. Typical victims are accounting and finance people, whom the scammers try to get to send money to their bank accounts. Very recently, it became scarier as phishing attacks not only make you click links to fake websites but also infect you with ransomware, a nasty malware that will encrypt (encode into unintelligible gibberish) all your data and hold it hostage until you pay the ransom; only then will they send the “decryption” keys. It’s a growing economy and you can even rent phishing servers to house the fake websites and obtain phishing “kits”. A “Phisher of Men” sans the tech knowhow.
Endpoint security systems like anti-malware systems can help reduce the risk but nothing ever beats good old-fashioned user awareness.
Happy Easter everyone!