Gone Phishing

I am addicted to fishing.

Being on the water is therapeutic for me. It’s like tending to a sickness. I call it hydrotherapy (even though it’s just fishing). My free time is filled chasing walleye, northern pike, bass, and muskies.

Saturdays come, and I am up at 4:30am heading out to get on the water with my buddy. We make it an intensive effort, and if we could get paid for it, we would take that job in a heartbeat– all the cool gear, being paid well, wearing cool clothes, and driving a new truck and boat would be the coolest things ever. We unfortunately aren’t paid for our efforts, but that doesn’t stop us from treating it like we do.

The whole way there we chat about the upcoming day. We share what we have learned about the water temp, the barometric pressure, the clarity of the water, the wind, and many other things. I spend hours studying tactics, learning about new lures, tackle, technique, and studying how my intended targets think and react.


A Different Kind of Fishing

There is another activity that takes a similar approach but has much more dire consequences— phishing. Phishing is an email-based cyber-attack that can expose networks, lead to ransom attacks, and become a giant pain in the dorsal fin.

Cyber attackers who phish use a seemingly innocuous email to get your employees to click on a link that looks like it comes from a reputable entity. This is the bait. As the City of Atlanta, the State of Minnesota, Target, and many others have found out, those emails are dangerous and will cause your company to catch hell— not a trophy.

The phisher’s communication looks simple and innocent. It hides mayhem behind an email from the HR department, or the boss, or a vendor that you do business with. It might ask you for some information, ask you to confirm your account, ask you to log in somewhere, etc.

In a rush to complete whatever task was asked of you by the higher-ups, you’re quick to comply. That’s just what the attacker is hoping for. The email may contain a link or an executable file that can take over your network, install ransomware, or begin copying and exporting sensitive data. Soon after, your company is on the hook.


Phishing happens every day and the phishers are becoming more and more sophisticated. The days of the poorly worded Nigerian lottery winner email are waning, and now phishing attackers are making it difficult to quickly distinguish between a valid email request and one that will take over your network. Speed is the critical breaking point. When people are in a huge hurry, are trying to make sure that they have a high level of performance, and are trying to please everyone, they stop thinking critically and the phisher catches their trophy.

Phishing can run the gamut from a broadly cast net sent to your entire company with the hopes that someone won’t exercise wise judgement and just clicks on something, to the very directed “spear phishing” and “whaling,” where specific individuals are targeted or impersonated, and the emails are then sent out to compromise the network. 

Phishing

Someone creates an email in the name of your boss, Ellen Simonsen, but spells it Ellen Simonson, hoping that you don’t notice the subtle difference and open the email anyway. You follow the link to what the fake Ellen describes as a great new app she wants your department to evaluate. Rather than taking you to the app you are supposed to evaluate, the link installs a piece of malware on your computer, which then begins working its way into the corporate network. The result could be that the installed software is now soaking up proprietary data or is about to launch ransomware that locks everything up tighter than a drum until the ransom is paid in cryptocurrency.

People rarely notice the subtle differences because they are in a rush. They will click on the link because they don’t want to let Ellen down. But once they click that link, bad things happen.

Spear Fishing

A Sr. Vice President of your company, we’ll call him Steve, is active on social media and is a well-known classic car nut. There are pictures of him at many events and car rallies with beautiful classic cars and cars he’s purchased to restore. This one piece of information can be a great vector of attack. Because Steve is likely to open an email about classic cars, that is what he is sent— an email inviting him to enter one of his sweet cars in a well-known car show that is coming up in a few months. The link to register looks like it should go to the actual car show. But it doesn’t. Instead, it unleashes hell into the company network and takes the system hostage.

Steve was excited for an opportunity to show off one of the cars that he is proud of. Tantalized by something that he was known to be interested in, Steve was an easy target. The attackers chose him specifically, researched and played to his weaknesses, and compromised him accordingly.

How to Avoid Being Phished

Examples like these are not farfetched at all. Every day, attacks like these are launched across the globe. They can be challenging to detect, especially in a rushed state. Thankfully, taking a few steps with your emails can go a long way. Here are some ways you can avoid falling victim to one of these attacks and compromising your and your company’s sensitive data.

  • Slow down and be skeptical: Email attacks are often predicated on you being in a hurry and being a trusting individual. Stop that! Take your time when reading emails that ask you to click on anything. 
  • Check the credentials: Hover your mouse over the email address, or expand the sender line on the email. If the sender’s address is not on the same domain as your own email address, it is not from your company. Delete that crap.
  • Hover over that link: Take your mouse, hover over the link, and see if it goes to the right domain or if it is going to some long drawn out URL that takes you to some malicious site. The organization’s name should be in the domain. If there’s too much more than that, you should be skeptical.
  • DON’T fill out anything asking for your password: This is very important, and I will be a little blunt here. PayPal, Visa, your bank, an airline, or your controller will not be sending you an email asking you to confirm your password. They will not send you a link asking you to re-enter your login information and password. They just won’t. If you think that there is an action-item for you in that email, go directly to the sender’s website instead of taking action from the email link. If there is something you need to do, you will likely be able to find it in the customer information center.
  • Assume every email is infected: Your company is getting probed every day via email and other vectors of attack. Various software programs are running in the background, but stuff slips through. With email, you are the last line of defense. If you understand that these risks are out there and go through the proper precautions before acting, you can make sure your company’s data stays safe.
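As an added illustration of the “check the credentials” and “hover over that link” advice above (this is example code written for this page, not code from the original post or from FRSecure), here is a small Python script that applies those two checks to a raw email: it compares the real sender mailbox and every linked host against the company’s mail domain on label boundaries, and flags a display name that is a near-miss for the mailbox name, like the Simonsen/Simonson trick described earlier. The company domain, the sample message and every domain in it are invented placeholders, and the 0.8 similarity threshold is an assumption chosen for the example.

```python
import difflib
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed: the organisation's real mail domain (placeholder for this example).
COMPANY_DOMAIN = "example-corp.com"

# Constructed sample message, not taken from the post: the display name says
# "Ellen Simonsen", the mailbox is spelled "simonson" on an outside domain, and
# the link host only *starts* with the company name.  All domains are invented.
SAMPLE_EMAIL = """\
From: "Ellen Simonsen" <ellen.simonson@example-corp-mail.com>
To: you@example-corp.com
Subject: New app for the team to evaluate
Content-Type: text/html

<p>Hi, please take a look at the new app before Friday:</p>
<p><a href="http://example-corp.com.login-verify.example.net/app">Evaluate the app</a></p>
"""

HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def belongs_to(host, company_domain=COMPANY_DOMAIN):
    """True only if host is the company domain or a real subdomain of it.

    Matching on label boundaries is the point: a substring test would accept
    'example-corp.com.login-verify.example.net', which merely begins with the
    company name.
    """
    host = host.lower().rstrip(".")
    company_domain = company_domain.lower()
    return host == company_domain or host.endswith("." + company_domain)


def name_lookalike(display_name, local_part):
    """Heuristic: display name almost, but not exactly, matches the mailbox.

    'Ellen Simonsen' vs 'ellen.simonson' differ by one letter.  The 0.8
    threshold is an assumption made for this example, not a standard value.
    """
    a = re.sub(r"[^a-z]", "", display_name.lower())
    b = re.sub(r"[^a-z]", "", local_part.lower())
    if not a or not b or a == b:
        return False
    return 0.8 <= difflib.SequenceMatcher(None, a, b).ratio() < 1.0


def check_sender(msg, company_domain=COMPANY_DOMAIN):
    """'Check the credentials': inspect the real address behind the display name."""
    display_name, address = parseaddr(str(msg["From"] or ""))
    local_part, _, addr_domain = address.rpartition("@")
    findings = []
    if not belongs_to(addr_domain, company_domain):
        findings.append(f"sender mailbox {address!r} is not on {company_domain}")
    if name_lookalike(display_name, local_part):
        findings.append(
            f"display name {display_name!r} nearly matches mailbox "
            f"{local_part!r}: possible look-alike"
        )
    return findings


def check_links(msg, company_domain=COMPANY_DOMAIN):
    """'Hover over that link': pull every href out of the body and check its host."""
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part is not None else ""
    findings = []
    for url in HREF_RE.findall(body):
        host = urlparse(url).hostname or ""
        if not belongs_to(host, company_domain):
            findings.append(f"link {url!r} leads to {host!r}, outside {company_domain}")
    return findings


def analyze(raw_message, company_domain=COMPANY_DOMAIN):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    return check_sender(msg, company_domain) + check_links(msg, company_domain)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EMAIL):
        print("FLAG:", finding)
```

Run directly, it prints three flags for the sample message: the outside mailbox, the near-miss display name, and the link whose host only begins with the company name. The same checks fit naturally in a mail-filter rule or a triage script for user-reported messages; the look-alike heuristic will fire on some nicknames, so treat a hit as a prompt to look closer rather than a verdict.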

We are often engaged to see if we can get people to fall prey to an email phishing attack, and we would offer you the chance to get that same training for your organization. In engagements where we have been hired to compromise a network via a phishing attack, we are successful in getting someone to click on the link EVERY TIME! While people continue to be our greatest weaknesses in security, they can also be a great strength. We have seen a significant reduction in successful phishing attempts once we have been able to hold a training and probe exercise. If you’d like to see how your employees would handle a real phishing attack, or to get training for your employees on how to detect and respond to these kinds of attacks, contact FRSecure today.


Jim Nash
Chief Storyteller at FRSecure
Jim's experiences in both politics and the InfoSec industry have cultivated him into a strong and animated communicator that has the ability to crystallize difficult concepts into digestible ideas. These skills and experiences have morphed him into a cybersecurity and information security evangelist, focusing on publicizing the need for organizations to make cyber threats a business liability and not just an IT problem.
