The Life Of A Phish

Over the past few years, the practice of phishing, the attempts by Internet attackers to illegally obtain sensitive information, has dramatically increased.  According to fresh information from Osterman Research, since mid-2014 phishing has been the number one vector for infiltrating a network with malware. So what can you do to prepare your employees against phishing scams? Because all you need is a single employee to click on that link or download that attachment.

To understand what protections you can put into place, it is important to understand the stages of delivering a phish. There are four major stages to a phishing campaign as shown below.

The first stage is generating a list of email addresses that the criminal is going to phish. Some may believe that it is a quantity of quality addresses, others will play the odds. While there are many different ways to generate lists, I want to focus on a category of hacking tools called harvesters. Email harvesters are programs in which one will enter a domain name and the program will scour the internet looking for email addresses and then compile a list. These tools will even provide a list of employees found on LinkedIn where the “quality criminals” will get to know their future victims more intimately and customize the phishing campaigns to them. This is commonly called spear-phishing.

Now that the email list has been generated, the criminals need to decide how they are going to send the phishing email. They have to decide if they want to spoof an email address or purchase a valid domain name. Email spoofing is the forgery of an email header so that the message appears to have originated from someone or somewhere other than the actual source. These can be some of the most difficult to identify with the human eye because the “from” address can look EXACTLY like the one being spoofed.

Once the emails have been sent and delivered to the potential victims, the criminal waits to see how effective they are in convincing someone to click the link, download the attachment, or send the requested information to carry out their final objective.

So what can you do to protect your employees from falling prey?

First, it is important to understand that security should be applied in layers. There is no “silver bullet” or single solution to immunize yourself. Below is a figure showing the opportunities to protect yourself from the stages of a phish.

Controlling the proliferation of your organization’s email addresses across the Internet is necessary and very under-discussed. Go to just about any law firm’s or accountant firm’s website and you are almost guaranteed to see everyone’s biography including his or her email addresses. Could you make it any simpler? I will concede that there is a “not-so-good” reason that it has to be there. But here are ways that you can still have your email addresses out there with some degree of protection:

  1. Create an alias! – An alias is an alternative email address that can only be used for inbound delivery to a real email address. Most organizations are using <first initial><last name>@<domain> these days. Create an alias for <first initial><middle initial><last name>@<domain>. Then have your employees’ set up a mail rule that any emails sent to the alias email address go to a different folder than the inbox. Finally, educate your employees that any emails that are delivered to that custom folder should be treated with extra scrutiny because they are available to the public.
  2. Use an image! – Since email addresses are text in nature, most websites have them displayed as text on the website. This is done using html most of the time. This is what the email harvesters count on. They know an email address uses the syntax <user>@<domain>. Often email harvesters will search the website code looking for text in the format <user>@<domain> where the <domain> equals what was entered by the criminal. By using an image, the text cannot be extracted easily.
  3. Use JavaScript! – Okay, this one is technical. However, if you tell your website developer to make sure all email addresses are displayed using JavaScript instead of html, mission accomplished. The reason for this recommendation is because JavaScript does not use the same syntax as <user>@<domain> behind the scenes to have it displayed as such to the web visitor.
  4. Go For ASCII! – ASCII codes are translated by browsers into the readable character form for visitors. However, they will reduce the chances of a spam bot or harvester picking up the address.
  5. Use Contact Forms! – Secure email forms are the best and most professional way to protect email addresses while soliciting information. You can even implement a further barrier of a CAPTCHA to prevent auto-populating bots from attacking the system.
  6. Create Policies! – Granted you don’t always have control of how the website is developed. But what if an employee’s work was published or recognized by a newspaper or magazine? This is why you need to have an alias address or a general mailbox like contact@domain. Create a policy on which email addresses are allowed to be used on the public Internet.

Okay, your Internet exposure is under control; however, a business that you email frequently was hacked and the criminals compiled your email list through that channel.

What can you do to prevent the phishing campaign from being delivered?

Many email providers offer email filtering with their email package. This basic filtering, however, is not sufficient for sophisticated phishing attempts. For less than a dollar per month per email address you can implement a filtering system that not only filters inbound emails but also outbound. Perhaps you do not think about filtering outbound emails, but imagine the potential liability if one of your emails was hacked and used to send malware to your customers, clients, vendors, or other companies. You can look into services such as EveryCloud, MailRoute, or Barracuda.

These are some of the reasons why it is important to consider security in terms of layers. What everyone has learned in recent years is despite all of the sophisticated technical measures we can implement, there always seems to be a way around it. That is what social engineering is based on. Sometimes the easiest way to figure out a password is to ask for it! Implementing a security awareness program has become one of the most important things you can do, regardless of size or industry.

Security Awareness Programs have evolved over time. Until recently, most training has been done without continual monitoring of one’s Internet vigilance and savvy. Effective training these days includes components that are embedded into employee’s daily activities. Take, for instance, a simulated phishing email. If an employee clicks on the link or opens the attachment, it will take them to a remedial training page on why they should not have responded to the attachment. The system will also report to management which employees fell victim to the phishing. When employees know their company sends simulated emails sporadically, they tend to think twice for fear of being reported. In addition, it serves as a continual reminder to be careful. For a demo, please contact us.

How to apply technical implementations.

Somehow, the criminal managed to generate an email list of your organization, bypassed your email filters, and tricked your well-trained employees. Depending on the final objective, you may still have one more layer of defense: technical implementations. This is where I am usually greeted with a blank stare. For that reason, I will briefly touch on a few more high level protections.

  1. Firewall protections – Firewalls provide many different mechanisms to help protect your network. Technologies such as sandboxing, GeoIP blocking, network-perimeter antivirus, network intrusion prevention, and access control lists are just a few.
  2. Prevent executables from running in temporary directories. This can prevent the execution of malicious code when opening an email attachment or going to a malicious website.
  3. Renaming the default name of vulnerable services such as Volume Shadow Copies will neutralize malware that exploits services by name.
  4. Implementing role-based permissions will contain the damage any single employee causes to the scope of information to which they have access.
  5. Creating honeypot shared folders diverts malware to spend time on useless data and increases the time one has to react before useful data is affected.

I hope that you heed these warnings and implement some of the suggestions I’ve outlined. If all has failed and a compromise is success, having an incident response plan will help your company know what to do next. Most organizations only consider the industry they operate in and the regulations that apply to that industry (i.e. HIPAA, SOX, GLBA, PCI). However, there are often state laws that are industry independent and apply to all. Know all your legal requirements in a breach and have a pre-established relationship with a security firm that can respond quickly and identify exactly what was compromised. It could mean the difference between closing the doors or staying in business!

For more information, please contact us.

Defending Against Modus Operandi

You work for a small to mid-sized business and outsource the support of your IT systems to a vendor. How do you gauge if your vendor is doing the job you pay them to do? How do you know they are implementing proper security measures? Let us face it, these questions become secondary or tertiary to questions like…..”Are my computer systems working properly?” or “What do I need to do, for what client today?”

The problem that I see many businesses face, is the overwhelming needs to worry about in a day. Cyber security is not an immediate requirement, protects against something that may or may not happen, and does not help a company generate business. Most companies by now have realized that the “I’m not a target because….” attitude is not realistic in practice. If you still think this way then please, call me and let us discuss that.

If you are still with me, it is probably because you can relate to the things that I have said thus far. Now, let me explain what you can do that will give you an 80% solution for 20% effort. Many trend research papers have concluded that the majority of compromises these days start with two common modus operandi or “m.o.” for short. As depicted in the figure below, the initial engagement starts with a malicious email or website. From there a victim is found leading to a compromised computer that then allows the perpetrator to carry out their final objective, which can be any number of things.

Let us focus on the malicious emails and websites. What is the first thing that must happen to allow a perpetrator to start a phishing campaign? They have to have your email addresses right? If you are interested in seeing how perpetrators generate their email list and what you can do to protect yourself come to one of our upcoming seminars. For more information click here.

After an email list has been generated, what is the next step in a phishing campaign? The perpetrator needs to create a phishing email and have it delivered to the email addresses and wait for their next victim. So what can you do to protect against this step? How about implementing an email filtering system that will not only filter malicious emails but also all of that spam you receive on a daily basis. Who said security can’t help productivity? Imagine the time savings when you no longer have spam or unwanted emails being delivered to your inbox. A word of warning, email filters are not created equally and some are more effective than others. Interested in knowing what to look for in an email filter? Come to one of our upcoming seminars. For more information click here.

Can you guess what the final step of the initial engagement is? It must happen before the computer can be compromised. The victim must fall for the email by clicking a link, downloading an attachment, or responded with the requested information. The defense against this phase is a multi-pronged approach. It first starts with training the employee to identify malicious emails, but let’s say they are still tricked. They are some technical steps that can be implemented to minimize the chances that the malware can execute successfully. If you are interested in knowing more about security awareness programs or these technical steps come to one of our upcoming seminars. For more information click here.

Now that we have talked about malicious emails, what about malicious websites? This as well is a multi-pronged approach as well. It does start with training the employee but also has a technical component. Features such as Geo-IP blocking, Gateway Antivirus, Content Filtering Systems, Intrusion Prevention Systems can sound highly technical and seem to go against the “20% effort” referenced at the beginning. The truth is that it’s not. Vendors have implemented these filters into their firewalls and for the most part can be self-managed. If you are interested in learning more about what these features are come to one of our upcoming seminars. For more information click here.

Hopefully I’ve provided you with insight into the steps of falling victim to cyber criminals and teased you enough to motivate you to come to one of our seminars. I can tell you one thing we excel at…..is visual demonstrations on what cyber criminals do. This helps make “cybersecurity” something that is more tangible increasing your level of understanding and motivate you to take appropriate measures to make sure that you continue to do what you do best. Sign up today!