phish·ing | \ ˈfi-shin \
a scam by which an Internet user is duped (as by a deceptive e-mail message) into revealing personal or confidential information which the scammer can use illicitly.
Scams, hoaxes, and frauds are nothing new. The internet is just the latest conduit for them, with hackers playing the role of the modern-day con artist. The greed, fear, and hope that online phishing exploits are as old as mankind.
Phishing has always been one of the most common and effective methods of cybercriminals. It is simple, low-tech, and exploits human nature. Its goals can include credential harvesting, malware infection, and money extortion. In 2018, the number of phishing attacks doubled, reaching nearly 500 million.
The problem affects everyone as phishers target ordinary individuals, SMBs, and large enterprises. Phishing is quickly expanding from email to new channels where users are most vulnerable. Potential victims are often targeted through mobile messaging and social media apps, many of which lack traditional security.
Reports from as early as 2006 indicated that phishing was becoming a major concern for CSPs, with pressure coming from both users who demand that service providers do more to protect them from attacks, and from the financial institutions targeted by these attacks. CSPs are starting to feel the impact of cybercrimes like phishing, and there are ways to actively participate in globally reducing phishing attempts.
Understanding the severity of this cybercrime underscores the importance of network security. This is where the true value lies for CSPs: the ability to take action to mitigate this concerning trend while earning new revenue.
Phishing comes in many forms, but these are a few of the popular variants:
Mass phishing is the prevalent form. Hackers send out thousands of fraudulent messages to a large user base, aiming for quantity over quality, as in a Vodafone phishing campaign from 2017. Mass phishing can capture significant amounts of information, even if only a small percentage of recipients fall for the scam.
Spear phishing targets a specific person or role in the enterprise and is used when the stakes are higher. Cybercriminals research and profile their victims by gathering personal data on social media prior to orchestrating the attack and put extra effort towards crafting and designing personalized messages. Typically, spear phishing is used as a first step to gain access to corporate networks, which can then lead to severe consequences.
DNS hijacking is very difficult to detect. The DNS settings of typically insecure home routers are hacked to redirect traffic to the IP addresses of carefully crafted phishing sites. Unsuspecting users type the correct domain name into their browsers, have no idea they are on a malicious site, and hand over their credentials. A DNS hack like this occurred at two of the largest banks in Brazil in 2018.
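Because the victim types the correct domain, the only observable artefacts of a router DNS hijack are a changed resolver address on the router and answers that differ from what a trusted resolver returns. The following is an added example (Python, not Allot's code or any product feature) of both checks as a CSP or home-network auditor could run them. The resolver prefixes, the domain names and every IP address are constructed from documentation ranges; the 203.0.113.0/24 block stands in for a hypothetical CSP resolver pool.

```python
import ipaddress

# Resolver prefixes a CSP would expect its customers' home routers to use:
# the CSP's own resolver range plus a few well-known public resolvers.
# 203.0.113.0/24 is a documentation prefix standing in for a hypothetical
# CSP resolver pool; it is an assumption, not real infrastructure.
EXPECTED_RESOLVER_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("1.1.1.1/32"),
    ipaddress.ip_network("8.8.8.8/32"),
    ipaddress.ip_network("8.8.4.4/32"),
]


def rogue_resolvers(configured_servers):
    """Return the DNS servers (from a router's WAN/DHCP config) that fall
    outside every expected network. A silently changed resolver is the
    usual footprint of a router DNS hijack."""
    rogue = []
    for server in configured_servers:
        addr = ipaddress.ip_address(server)
        if not any(addr in net for net in EXPECTED_RESOLVER_NETWORKS):
            rogue.append(server)
    return rogue


def answer_mismatches(router_answers, trusted_answers):
    """Compare A records obtained through the router against records from a
    trusted resolver. Both arguments map a domain name to a set of IPv4
    strings. A domain is flagged only when the two answers share no address
    at all; partial overlap is tolerated because CDNs rotate addresses."""
    flagged = {}
    for domain, trusted in trusted_answers.items():
        via_router = router_answers.get(domain, set())
        if via_router and not (via_router & trusted):
            flagged[domain] = sorted(via_router)
    return flagged


def audit_router(configured_servers, router_answers, trusted_answers):
    """Run both checks and return a summary dict."""
    return {
        "rogue_resolvers": rogue_resolvers(configured_servers),
        "redirected_domains": answer_mismatches(router_answers, trusted_answers),
    }


# Constructed sample: a router whose secondary DNS was changed to an unknown
# host, and which now resolves the bank's domain to an address the trusted
# resolver has never returned (all addresses are documentation ranges).
SAMPLE_ROUTER_DNS = ["203.0.113.7", "198.51.100.9"]
SAMPLE_ROUTER_ANSWERS = {
    "bank.example": {"198.51.100.20"},
    "mail.example": {"203.0.113.80"},
}
SAMPLE_TRUSTED_ANSWERS = {
    "bank.example": {"203.0.113.50", "203.0.113.51"},
    "mail.example": {"203.0.113.80", "203.0.113.81"},
}

if __name__ == "__main__":
    print(audit_router(SAMPLE_ROUTER_DNS, SAMPLE_ROUTER_ANSWERS, SAMPLE_TRUSTED_ANSWERS))
```

The answer comparison is deliberately lenient (flag only when no address overlaps) because a strict equality test would fire on every CDN-hosted site; the resolver allow-list is the more reliable signal and should be populated from the CSP's real resolver inventory.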
Tech support scams are a particularly troublesome form of phishing for CSPs. Phishers impersonate CSPs and ask customers for account credentials, or attempt to sell bogus tech support services and steal their credit card details. These scams can damage CSP reputations and generate negative brand associations, even though the CSP is not to blame.
Knowing these scams exist is half the battle. To combat them, it is also important to understand why phishing is so successful in the first place.
How Phishing Works
A “phisher” exploits human emotions like fear to trick unsuspecting users into clicking malicious links. In a popular example, a phisher sends a fake message from an online service, claiming that there was a suspicious login attempt or that a password has expired, and encouraging victims to click a link to update the password. The link instead takes them to a spoofed page where they are asked to submit their credentials to “log in”.
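The spoofed-page lure relies on a link whose visible text, or whose domain, does not match where it really points. As an added example (Python, written for this page and not Allot's code), the following parses an HTML message body and reports the three classic tells: visible-text URL differing from the real target, a link that leaves the claimed sender's domain, and a protected brand name embedded in an unrelated or look-alike host. The brand list, the sample body and its URLs are constructed; the registrable-domain helper is a deliberate approximation that ignores multi-label suffixes such as co.uk.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands worth protecting and their legitimate registrable domains
# (constructed list; a CSP would maintain its own).
BRAND_DOMAINS = {"paypal": "paypal.com", "google": "google.com"}


def registrable(host):
    """Crude registrable-domain approximation: the last two labels.
    Assumes no multi-label public suffixes such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def deobfuscate(host):
    """Undo the most common digit-for-letter substitutions (paypa1 -> paypal)."""
    return host.lower().translate(str.maketrans("10", "lo"))


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html_body, sender_domain):
    """Return [(href, [reasons])] for links showing the classic phishing tells."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        reasons = []
        # 1. The visible text is itself a URL whose domain differs from the real target.
        shown_host = urlparse(text).hostname if "://" in text else None
        if shown_host and registrable(shown_host) != registrable(host):
            reasons.append(f"shows {shown_host} but points to {host}")
        # 2. The link leaves the domain the message claims to come from.
        if registrable(host) != registrable(sender_domain):
            reasons.append(f"target {host} is outside sender domain {sender_domain}")
        # 3. A protected brand name appears in a host that is not that brand's domain.
        for brand, legit in sorted(BRAND_DOMAINS.items()):
            if brand in deobfuscate(host) and registrable(host) != legit:
                reasons.append(f"brand '{brand}' used in unrelated host {host}")
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample body in the style of a "suspicious login" lure.
SAMPLE_BODY = """<p>We noticed a suspicious login to your account.
Please <a href="http://paypal.secure-login-check.net/reset">update your password</a>
or visit <a href="https://paypa1.com/login">https://www.paypal.com/login</a> now.</p>
<p><a href="https://www.paypal.com/help">Help Center</a></p>"""

if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_BODY, "paypal.com"):
        print(href)
        for reason in reasons:
            print("  -", reason)
```

On the sample, the first two links are flagged (the second on all three counts) and the genuine help-centre link passes; in production the brand table and a real public-suffix list would replace the constructed ones.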
When Does It Happen?
Phishing attacks happen all the time, but are often fueled by trending topics, from thematic holidays, to pop culture and sporting events. For example, FedEx based phishing campaigns become more popular around the holidays when online ordering surges.
Where Does Phishing Happen?
Well, everywhere that communications exist. Traditional phishing messages are sent via email; however, recent trends indicate a rise in phishing attacks that use other messaging platforms. In 2018, Slack, Skype, Facebook Messenger and other communication applications became popular targets for phishing, with a 237% increase in phishing attacks against users of the SaaS industry that year.
Phishing has been around for over 20 years and the costs of phishing are higher than ever, with some alarming trends accompanying the rising figures.
Phishing by the Numbers
These statistics highlight the financial damage and overarching trends of phishing in recent years.
In 2018, phishing was the most popular type of cybercrime and it isn’t just a trend; phishing is here for the long haul and it is time to act.
Phishing Is Not a Fad!
Just like any marketplace, market demand applies to the monetization of malware too. With the rise in cryptocurrency valuations last year, Allot identified and reported a massive surge in cryptojacking malware based on Coinhive libraries. During the same period, there was a corresponding rise in phishing. This is understandable, as phishing is commonly used to infect users with malware.
With the devaluation of cryptocurrencies, the appeal of cryptojacking declined 100-fold in 2019, while phishing remains stable at about 20M phishing attacks per month.
Looking at the threat landscape for Q1 2019, phishing remains in first place and accounted for almost 35% of activated protections for 7 million customers in Europe subscribed to a CSP-based security service.
This data demonstrates that phishing is not a fad. The reason is one constant factor - human nature. Even though con artists have modernized their tactics, the emotions they are preying on are still the same. People are naturally prone to click on emails that are addressed to them. Bad guys will always find new, creative ways to trick victims.
Even though phishing is technically the responsibility of internet users, these cyberattacks present unique revenue opportunities for CSPs, while protecting innocent internet users who don’t know better.
A Valuable Opportunity for CSPs
Despite over a million fatal car accidents each year, people keep driving. However, through regulation and private initiatives by car manufacturers, safety technology has helped mitigate a lot of the risk. Some car companies have even made safety the focal point of their branding. Similarly, CSPs can wait for regulation to step in or take a pre-emptive step and become secure communications providers, championing safety as a key differentiator for themselves.
Here are 3 trends that can’t be ignored in 2019:
- 69% of people don’t use their smartphone for mobile payments, with 42% of them citing security as the reason.
- 90% of successful cyberattacks started with a phishing email, according to a 2018 report.
- 50B+ IoT devices are expected to be connected by 2020, creating a plethora of new opportunities for cybercriminals.
Phishing is a real problem for CSPs, but by proactively addressing internet security, CSPs stand to increase brand loyalty, generate additional revenue from added premium security packages, and differentiate themselves from the competition.
CSPs can provide continuous protection against phishing with an approach that includes the following three elements:
As documented in our recent Telco Security Trends report, Allot found that 66% of households with 1-10 devices are willing to pay monthly fees of $4.90 on average to cybersecure their connected home; 84% of households with more than 10 devices were willing to pay an average of $6.16.
By nature, people are susceptible to social engineering scams like phishing, but that isn’t the only factor in the success of these campaigns.
6 Elements of a Successful Phishing Attack
Humans may be the weakest link in cyber security, but it isn’t entirely our fault. Even highly educated, tech-savvy individuals can fall victim to these scams because of the level of complexity generally involved. How many of these factors would be able to fool you?
Email or Website
Easy-to-spot fake emails with bad grammar and typos are being replaced with well-crafted, personalized messages that are harder to detect.
Today, phishers install encryption certificates to make fake sites appear more legitimate. Nearly one-third of all phishing sites observed by the end of 2017 were located on HTTPS domains, up from only five percent a year before.
Human Emotions and Psychology
Hackers are exploiting human emotions: fear, guilt, kindness, greed, and curiosity. Victims are tricked by a fake sense of urgency created by the messaging or imagery.
Social Engineering and Personalization
Criminals today can research and profile their victims prior to orchestrating an attack making their messages personal and timely, and therefore, more authentic and convincing.
Ties to Current Events and Holidays
Criminals typically take advantage of holidays and hyped events taking place around the world, like the 2018 World Cup in Russia, GDPR launch, new season of “Game of Thrones”, and others. During holiday shopping season users often have their guard down, leaving them vulnerable to the attacks.
Botnets and Automation
Phishing campaigns exploit large-scale IoT botnets and automation to deliver messages to their victims. Hackers have used “thingbots” of smart home devices as launching pads for massive phishing and spam attacks, distributing more than 750,000 malicious emails since as early as 2014.
Many internet users are fooled by these elements, which is why phishing continues to trend around the world.
This is Where CSPs Step In
When you look at the path a typical phishing attack takes, there are two very clear junctures where the malicious behavior can be mitigated.
Endpoint security agents scan messages for malware as they arrive, but this relies on users to install and update software independently. The efficacy of this type of solution is beyond the CSP’s control, and adoption rates are extremely low.
CSPs can protect customers who fall victim and click on a malicious link with a network-based security solution. Such solutions require no action from users, create engagement opportunities for CSPs, and achieve higher adoption rates.
Geography of Phishing
From the Americas to Europe and the Asian Pacific region, phishing is an active threat. Some of the most affected countries in the top ten may even surprise you.
Depending on the level of research, campaigns can even be sent with specific timing to catch victims when their guard is down throughout the day.
Operation Phish Phry (2009)
Operation Phish Phry was the largest international phishing case ever conducted at the time, according to the FBI. The hackers successfully targeted hundreds of US bank account holders who received official-looking emails directing them to fake financial websites. Victims entered their account numbers and passwords into fraudulent forms, giving the attackers easy access to their private data. Nearly 100 people in the USA and Egypt were arrested for stealing $1.5 million through this phishing scam.
RSA (2011)
In 2011, an American network security company called RSA reported a data breach following a spear phishing attack. The attack exploited an unpatched Adobe Flash vulnerability, which resulted in a backdoor being installed on the compromised machine. The email had a single line of text that said: “I forward this file to you for review. Please open and view it.” The attack enabled criminals to get hold of master keys for all RSA SecurID security tokens, which were subsequently used to break into US defense suppliers’ networks.
Target (2013)
The huge Target data breach that affected 110 million customers in 2013 began with a simple phishing attack. Hackers stole network credentials through an email phishing attack against a third-party heating, ventilation, and air-conditioning vendor that began at least two months before they started stealing card data from thousands of Target cash registers. The breach cost Target hundreds of millions of dollars, and the firm fired its CEO and CIO.
Sony Pictures (2014)
The largest data breach at Sony Pictures was caused by phishing emails used as an initial attack vector. Using social engineering, hackers convinced employees to open a malicious attachment that infected Sony with the malware. Over 100 terabytes of Sony’s data were stolen, which cost the company an estimated $100 million.
The Clinton Campaign (2016)
On March 19, 2016, Russian intelligence services sent Hillary Clinton’s campaign chairman, John Podesta, a carefully crafted spear-phishing email. The fake message looked like Google was urging him to reset his password. He fell for it and gave criminals access to his email account. Two days later, they swept up his inbox of more than 50,000 emails.
Google Doc (2017)
1 million Gmail users were impacted by a major phishing attack that hit Google Docs in 2017. The attack sent victims an emailed invitation from someone they may know, took them to a real Google sign-in screen and asked to “continue to Google Docs.” This granted permissions to a (malicious) third-party web app that had simply been named “Google Docs,” which gave phishers access to the email and address book of the victims.
Valdir Paulo de Almeida (2005)
Notorious Brazilian phisher Valdir Paulo de Almeida was arrested in 2005 for leading one of the largest phishing campaigns. Between $18 and $37 million USD were stolen over two years. Valdir sent up to three million messages a day with sophisticated Trojans attached, targeting Brazilian bank customers, and led a gang of up to 18 hackers.
Brazilian Bank (2016)
Hackers hijacked the entire online operation of one of the major banks in Brazil by using DNS manipulation to reroute all customers to perfectly reconstructed fake copies of the bank’s sites. Aside from mere phishing, the spoofed sites also infected victims with malware.
Nordea Bank (2007)
In 2007, Swedish bank Nordea lost about $1.1 million in a phishing scam. Going on for over 15 months, the scam infected customers with a Trojan called “haxdoor.ki” masquerading as an anti-virus package. The malware was designed to redirect customers to a fake bank page when they tried to use the website. Approximately 250 bank customers were said to be affected by it.
Vodafone (2017)
This phishing campaign impersonated Vodafone, a major international phone company, in a very convincing example of a fraudulent email. It claimed that the customer needed to pay a bill of over £400 - a high amount designed to send users into panic and click on the links. The scammers sent these emails out by the thousands in the certainty that some would reach real Vodafone account holders.
Yahoo! Japan (2008)
This phishing attack impersonated the Japanese localized site of Yahoo! Auctions. The phishing emails were delivered to users with a subject title in Japanese “To Yahoo! Japan site users” appearing to come from the Yahoo! Japan Support Center. The phishing site was designed to mimic the real Yahoo! Japan site layout and some of the links were even connected to the legitimate Yahoo! Japan site.
Russia World Cup (2018)
Last year, cybercriminals heavily exploited the World Cup event in Russia, creating numerous fake FIFA partner websites to gain access to victims’ bank accounts. The criminals sent a large number of emails promising vacation rentals, free tickets, and more, to World Cup fans. The FTC issued a special note guiding fans to FIFA.com, the only official source for tickets, and giving tips on how to avoid the scams.
Phishing Around the Clock
In today’s world, millions of people are on a device of some kind from the moment they wake up to right before bedtime.
Jane gets a personal email from “PayPal” asking her to verify a suspicious login to her account. She clicks through to a fake copy of the real site and unknowingly hands over her login and password.
On the Commute to Work
Fred is on the bus and gets an email notification from his phone company with a huge bill. He panics, clicks to view the claim and inadvertently downloads malware to his phone.
Lunch in a Cafe
Keisha sits in a café and gets a phishing SMS asking her to claim a free gift. She excitedly clicks the link which turns out to be malicious and her phone is infected.
In the Office
Pedro sits at his desk and gets a spear-phishing email “from the CEO” asking him to transfer a payment to a new partner company, which is a scam.
At a Bar
Emma has already had her first martini when she gets a Facebook message from a distant cousin she hasn’t heard from in a while. The “cousin” invites her to download the video of her recital, but in fact, Emma has downloaded malware.
CSPs can take steps to protect their customers from these situations, while simultaneously increasing brand loyalty and engagement.
Best Defense Tips
To successfully deal with phishing, CSPs can embrace the following three-pronged approach:
Create an opt-in mailing list and proactively alert customers to help them avoid getting caught in the latest scams.
- Inform customers in real-time about specific phishing campaigns that are going on, especially if the campaigns are relevant to their interests.
- Anticipate upcoming phishing attacks. Traditionally, waves of phishing attacks increase around the holidays and during pop culture events.
Find ways to educate customers on using practical tools and best practices for browsing the web and staying safe.
- Encourage customers to learn more about phishing and test themselves with interactive tools, like free interactive quizzes or games. This quiz by Google and this game by the FTC are good examples, or even better, make your own.
- Offer your customers the chance to opt-in to your own phishing awareness program for customers. These programs are designed to train participants in a safe environment, by sending fake phishing emails out periodically, with feedback and scoring relayed to the user.
Even with better education, the best thing you can do for your customers is to protect them.
- Implement anti-phishing technology, such as Allot NetworkSecure and Allot HomeSecure. The most effective defense against phishing is to protect customers from within the network, with in-line content and header inspection that blocks phishing, malware and other types of
- Encourage customers to install end-point security solutions to fight phishing and keep themselves protected when they access the internet from multiple accounts that may not reside on the CSP infrastructure.
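The header-inspection part of in-line protection mentioned above can be illustrated with a small, stand-alone Python example. It is added here for this page and is not code from Allot NetworkSecure, HomeSecure or any other product; it looks only at the headers a receiving MTA already has (From, Return-Path, Reply-To and the Authentication-Results line the MTA itself writes) and reports the mismatches that typically mark a phishing message. The brand table and both sample messages are constructed, and the example assumes the MTA records SPF/DKIM/DMARC results in the standard Authentication-Results header.

```python
from email import message_from_string
from email.utils import parseaddr

# Brands whose display names are commonly impersonated, with the domain
# genuine mail from them carries (constructed list; a CSP would keep its own).
BRAND_DOMAINS = {"paypal": "paypal.com"}

# Tokens in Authentication-Results (written by the receiving MTA) that show
# the sending domain failed its own published policy.
FAILED_AUTH_TOKENS = ("spf=fail", "dkim=fail", "dmarc=fail")


def address_domain(header_value):
    """Return the domain part of the first address in a header, lowercased, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def inspect_headers(raw_message):
    """Return human-readable findings for the phishing tells visible in the
    headers alone: envelope/From domain mismatch, a Reply-To that diverts
    answers elsewhere, a brand display name on an unrelated domain, and
    failed SPF/DKIM/DMARC results recorded by the receiving MTA."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[1].lower() if "@" in from_addr else ""
    findings = []

    return_path_domain = address_domain(msg.get("Return-Path"))
    if return_path_domain and return_path_domain != from_domain:
        findings.append(f"Return-Path domain {return_path_domain} differs from From domain {from_domain}")

    reply_to_domain = address_domain(msg.get("Reply-To"))
    if reply_to_domain and reply_to_domain != from_domain:
        findings.append(f"Reply-To diverts replies to {reply_to_domain}")

    for brand, legit in BRAND_DOMAINS.items():
        if brand in display_name.lower() and from_domain != legit:
            findings.append(f"display name claims {brand} but From domain is {from_domain}")

    auth_results = (msg.get("Authentication-Results") or "").lower()
    for token in FAILED_AUTH_TOKENS:
        if token in auth_results:
            findings.append(f"receiving MTA recorded {token}")
    return findings


# Constructed sample of a "suspicious login" lure (domains are invented).
SAMPLE_PHISH = """Return-Path: <bounce@mail-blast.example.net>
Authentication-Results: mx.csp.example; spf=fail smtp.mailfrom=mail-blast.example.net; dkim=none
From: "PayPal Service" <service@paypal-secure-notice.example.net>
Reply-To: <support@paypal-billing.example.org>
To: <jane@example.com>
Subject: Urgent: suspicious login on your account
Content-Type: text/plain

We detected a suspicious login. Please verify your account now.
"""

# Constructed sample of an ordinary, internally consistent message.
SAMPLE_CLEAN = """Return-Path: <jane@example.com>
Authentication-Results: mx.csp.example; spf=pass smtp.mailfrom=example.com; dkim=pass
From: "Jane Doe" <jane@example.com>
To: <fred@example.com>
Subject: Lunch tomorrow?
Content-Type: text/plain

Same place at noon?
"""

if __name__ == "__main__":
    for finding in inspect_headers(SAMPLE_PHISH):
        print("-", finding)
    print("clean message findings:", inspect_headers(SAMPLE_CLEAN))
```

Header checks like these are cheap enough to run in-line on every message; they do not replace content inspection, but a Return-Path or Reply-To domain that differs from the From domain, combined with a failed SPF result, is enough to quarantine or tag a message before a customer ever sees the link.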
CSPs have a valuable chance to be trend setters instead of followers, by championing cybersecurity and rolling out security-as-a-service packages to protect their customers.
Phishing is the most prevalent form of cyberattack that exists today, but it is only the tip of the iceberg when we look at the threat landscape for 2019. As our society continues its rapid transformation into a hyper-connected digital age, we are more exposed than ever to the dangers of criminal activity on the web. Weak network security can make it as easy for cybercriminals to access your personal data as it is for you.
The key to strengthening the weak link that is human nature is consistent education to raise awareness. Ongoing anti-phishing campaigns that regularly send test emails, combined with computer-based training, have been found to dramatically decrease careless clicking to just 13% in 90 days, with a steeper drop to 2% after 12 months.
CSPs have two primary ways to capitalize on the dangers of cybercrime:
- Raising awareness about the dangers of phishing and other cybercrimes, to increase brand loyalty and consumer satisfaction, and differentiate themselves from the competition, and
- Bundling security value-added services (VAS) into existing internet plans for consumers, generating incremental ARPU and simultaneously
These initiatives can result in a safer, and therefore more satisfied, customer base. Our data has shown substantial interest from consumers in purchasing network security services from their Internet Service Providers. To these consumers, ISPs are the experts at everything internet-related, which includes security. CSPs are uniquely positioned to make a difference with their massive subscriber lists who already look to them as the experts. By embracing the burden of protection and educating customers, CSPs can make a tremendous impact on the cybercrime footprint and make the internet a safer place for the everyday digital consumer.
"People are prone to taking mental shortcuts. They may know that they shouldn’t give out certain information, but the fear of not being nice, the fear of appearing ignorant, the fear of a perceived authority figure - all these are triggers, which can be used by a social engineer to convince a person to override established security procedures.”
Cybersecurity Consultant and former hacker
Allot Ltd. (NASDAQ: ALLT, TASE: ALLT) is a provider of leading innovative network intelligence and security solutions for service providers and enterprises worldwide, enhancing value to their customers. Our solutions are deployed globally for network and application analytics, traffic control and shaping, network-based security services, and more. Allot’s multi-service platforms are deployed by over 500 mobile, fixed and cloud service providers and over 1000 enterprises. Our industry-leading network-based security as a service solution has achieved over 50% penetration with some service providers and is already used by over 20 million subscribers globally. For more information, visit www.allot.com or Contact Us.