We tend to think of phishing in terms of an email or SMS made to look as though it’s from our bank to trick us into revealing our banking credentials. But phishing is much broader and more sinister than that, and unless you’re on your guard, you can easily fall for an attack without realising it.
On average, it takes most victims about eight months to realise they’ve been victimised, whereas it can take a cyber criminal a day, or less, to pull off an attack. This is according to Chris Novak, the director of the investigative response unit at Verizon, an international company that specialises in information security. Novak was one of the speakers at the PCI Cyber Security Conference in Cape Town this week, where he delivered a compelling presentation on the current cyber-breach landscape.
While phishing emails purportedly from banks are still common, “because they are so successful”, he says, there are other more sinister ways of phishing for data.
“We’re seeing attacks that are a combination of threat and extortion. You’ll get a message supposedly from a law enforcement agency, regulatory agency, or Interpol, and it will say, ‘We’ve detected unusual or illegal activity coming from your computer’. They may say they’ve detected someone viewing child pornography, or making threats against another person, or using your computer to steal information or to hack into others.
“They use claims like these to get you nervous and anxious. Then they’ll say, ‘In order to prevent your assets from being seized or frozen by the government, click here and fill out this affidavit’, which will ask you for your personal information. Or they may ask you to install software to allow them to do a quick scan to prove it wasn’t you. People do it and unwittingly install malware,” Novak says.
“We also see people getting notices from what appears to be a shipping or a courier company. The notice will state that they tried to deliver a package to you, but no one was there to receive it, so please click on the attachment to reschedule a delivery date. And that attachment is malware.”
Novak says that most of these attacks start with someone calling on you to answer a question. “You need to slow yourself down for a minute... pause and think: does the person asking me for this really need it? And most of the time they will try to convey a sense of urgency: you need to do this right now, or else bad things will happen. When those are the prompts you’re getting, it’s because they’re trying to get to you, psychologically, so that you will quickly hand over your private information.”
For a phishing attack to be fully successful, “generally you have to go one step further than merely opening the email”, Novak says. In other words, you have to click on a link embedded in the email or download and open an attachment.
“When there’s a link embedded in the email, the moment you visit that site, they start installing software on your device, and you don’t even know it. It’s called a ‘drive-by download’. The site doesn’t even have to finish loading on your screen. The first thing it does is install the malware. So there might be a slight pause while it does that. If they [the cyber criminals] were to bring up the site immediately, you might close it before they got the chance to install the malware.”
A more sinister type of attack can happen when you visit innocuous websites that typically attract a lot of traffic from the public looking for information.
“Cyber criminals will hack the site and have it serve out drive-by malware to all visitors to that site,” Novak says. Sites that are commonly targeted are municipal websites.
“When we detect regional infections, it’s usually from an information site that doesn’t collect any interesting data.” So even without you having downloaded anything, your PC or device can get infected. Your only defence from this form of phishing is up-to-date anti-virus software.
But people are complacent about updating software promptly, including anti-virus software, Novak says. “We see it all the time and I know from talking to family and friends. They’ll ask me, ‘Is it worth me paying for another year of anti-virus protection?’
“The fact that they ask means there are probably many more people who will spend that $50 on something else. People think because they haven’t been hit for the last couple of years, they won’t get hit in future.”
It’s like insurance, he says. We tend to think we don’t need it until we suffer a loss. Then we wish we had had it.
While it’s imperative that you make sure your software is up to date and that you install security patches promptly, you also have to guard against trusting technology too much, Novak says. When we place all our faith in technology, we may be more inclined to fall for social engineering.
Social engineering is easier than trying to hack through a pass wall, he says. “I’ll just ask you for your information and if you give it to me, it’s like handing me the key to your house and the alarm code. You can have the most sophisticated alarm system in the world, but if I have the key and the code to disarm it, it does you no good.
“I tell people all the time, ‘If someone were to call you on the phone and pretend to be your alarm company and say, ‘I just want to check your alarm is working, what’s your deactivation code?’ are you going to tell them? No. Yet people will do that with bank account passwords and all sorts of other things. If the conversation is fluid enough, they believe who they are talking to, or get caught at a weak moment.”
This slide shows that, of one million recipients of a phishing email, half will open the email within 24 hours of receiving it, and 25 percent will go one step further and click on an embedded link in the email. The average time it takes to open an email and click on a link is three minutes and 45 seconds.
MOST CYBER CRIME IS NOT AN INSIDE JOB
Eighty percent of the time, the perpetrators of cyber crime are external to the organisation that is hit, as opposed to being insiders or people colluding with insiders or suppliers. This is according to data from Verizon, an international company specialising in information security.
Chris Novak, the director of the investigative response unit at Verizon, says that most cyber criminals are looking for easy-to-exploit vulnerabilities.
While there may be certain industries or parts of the globe that are harder hit by insider or collusion-type activities, research by Verizon over the past 20 years shows that the perpetrators of cyber crime are not usually insiders or people colluding with insiders, he says.
“We work with 67 organisations, from law enforcement agencies to the private sector, in 82 countries, and we’ve investigated more than 100 000 incidents, so ours is a big data set,” he says.
He concedes that the financial sector is more prone to attack by insiders than other sectors, but he says this sector tends to do a better job than most of identifying and stopping cyber crime. “For example, most retailers don’t have an insider threat programme, meaning people deployed to watch for insider and collusion activity. Their biggest concern is a cashier stealing money out of the till. But when you look at banking, you find regulations compelling people to take time off, so that people can check what they’ve been doing to see if they’ve been setting up other apparatus internally.
“Most financial service providers have departments dedicated to watching what employees are doing. That is something we don’t see in a lot of other industries,” Novak says.
Individuals who have been the victims of online banking fraud usually personalise the attack, believing it was an inside job and that they were targeted specifically.
But Novak says very few attacks happen in isolation, with one perpetrator attacking one victim. “It’s usually one perpetrator attacking dozens or hundreds of victims, and using the same techniques,” he says.
“It’s much like when your home or car is broken into. It’s very infrequent that it is just you. Usually you find the whole street was hit. It’s the same with cyber attacks: when criminals find something that works, they want to do as much damage as possible, because, at some point, law enforcement or the community will increase their defences or increase their ability to detect you.
“That’s why when one street gets hit, it doesn’t usually happen again the following day, because everyone’s on guard.”