Operations | Commentary
7/30/2014, 12:00 PM
Dave Kearns

Phishing: What Once Was Old Is New Again

I used to think the heyday of phishing had passed. But as Symantec notes in its 2014 Internet Security Threat Report, I was wrong!

Symantec just recently released its Internet Security Threat Report for 2014. It’s a review of 2013’s threats, a comparison with earlier years, and a look into the crystal ball for the current year with a nod to the direction of trends beyond that.

You can get your own copy here, but be warned that it’s 98 pages (in pdf format) and is not a quick read. Set aside a couple of days to fully digest it.

I wouldn’t think of trying to summarize it for you; there’s that much information. But I was taken with one section, which demonstrates how old, successful schemes can be recycled.

It’s the section on phishing. Now I’m old enough, and have been around in the industry long enough (over 30 years now), that I still think of phishing as a recent addition to the criminal’s arsenal. But, as Symantec reminds us, phishing has been around since the early part of this century, easily 10 years or more. In terms of the threat landscape it’s definitely old-school. Or maybe the better term is tried-and-true. Symantec notes that the number of phishing attempts via email increased in 2013 over 2012, from one in 414.3 emails per day to one in 392.4, a 5 percent increase.

Traditionally -- and it feels odd to speak of “traditional” phishing -- the attack took the form of a notice from your bank, like this:

Clicking the link took you to a web page that looked remarkably like the bank’s own login page. Once you filled in the information requested, the bad guys had full access to your account, and usually more.

The saving grace for most people was that, usually, the bank identified in the email wasn’t one with which you had an account. And we quickly learned to “sandbox” any links in those emails by examining them, or typing the bank’s URL into our browser to see if it really had limited our access. I guess that’s why I’d thought the heyday of phishing had passed. But, as Symantec notes, I was wrong. They write:

Over time, phishing attacks have expanded in the scope of their targets from not only banks, credit unions and other financial institutions, to a variety of other organizations. The social engineering involved has also grown more sophisticated in recent years and recent examples include phishing for online accounts of customers of domestic energy companies and loyalty card programs. More energy utility companies are encouraging their customers to move to paperless billing, enabling an attacker to retrieve utility bills. They can potentially use these bills in the money laundering process such as in creating a bank account in someone else’s name and using the online bill as proof of identity.

This has sustained, and even increased, the amount of email phishing in the past year, but probably the biggest growth factor, according to Symantec, is social networking:

Many of these phishing attempts consist of fake login pages for popular social networks. In addition to just spoofing login pages of legitimate sites, phishers began introducing baits relevant to current events to add flavor to the phishing pages. Celebrity promotions, popular community pages, social networking applications, and other related material were introduced into phishing sites as bait.

Just one example: A fake charity site for relief of some disaster (earthquake, tsunami, hurricane, fire, etc.) or “humanitarian” organization could easily harvest your bank or PayPal credentials in the name of giving a donation. And getting you to go to these fake sites and cough up your login details had the added benefit (to the criminals) of allowing them to push malware onto your computer, turning it into another bot on their network ready to push out hundreds of thousands more phishing emails. It just goes on and on.

What can you do? Educate users to not click on a link in an email. Even better, see if your email server software will allow you to disable links in the emails (and turn them into text URLs). And remember to tell them that very few English majors send phishing emails -- if the grammar is bad, then the purpose is bad. And you can take that to the bank.
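As an added example (not code from this column, from Dark Reading, or from Symantec's report), here is one way to apply the second suggestion above in Python using only the standard library: rewrite every link in an HTML mail body as plain text that shows the real destination, and at the same time flag links whose visible text names one host while the href points somewhere else, which is the trick behind the look-alike bank login pages described earlier. The sample message is constructed for the example, and the IP range and .example domain it uses are reserved for documentation.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# A hostname (optionally preceded by a scheme) appearing in the visible link text.
HOST_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9][a-z0-9.-]*\.[a-z]{2,})", re.I)


def _norm_host(host):
    """Lower-case a hostname and drop a leading 'www.' so display and target compare fairly."""
    host = (host or "").lower()
    return host[4:] if host.startswith("www.") else host


class LinkDefanger(HTMLParser):
    """Rebuild an HTML mail body as plain text; each <a href> becomes 'text [link: href]'."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.chunks = []       # plain-text pieces of the message, in order
        self.mismatches = []   # (host shown to the reader, host actually linked, href)
        self._href = None      # href of the anchor currently open, if any
        self._anchor_text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._anchor_text = []
        elif tag in ("br", "p", "div", "li", "tr"):
            self.chunks.append("\n")

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._anchor_text).split())
            if self._href:
                # The clickable link is gone; the reader now sees where it really went.
                self.chunks.append(f"{text} [link: {self._href}]".strip())
                self._record_mismatch(text, self._href)
            else:
                self.chunks.append(text)   # named anchor without href: keep its text only
            self._href = None
        elif tag in ("p", "div", "li", "tr"):
            self.chunks.append("\n")

    def handle_data(self, data):
        target = self._anchor_text if self._href is not None else self.chunks
        target.append(data)

    def _record_mismatch(self, text, href):
        """Flag links whose visible text names one host while the href points at another."""
        real = _norm_host(urlparse(href).hostname)
        found = HOST_IN_TEXT.search(text)
        shown = _norm_host(found.group(1)) if found else ""
        if shown and real and shown != real:
            self.mismatches.append((shown, real, href))


def defang_links(html):
    """Return (plain_text, mismatches) for an HTML mail body."""
    parser = LinkDefanger()
    parser.feed(html)
    parser.close()
    raw = "".join(parser.chunks)
    text = "\n".join(line.strip() for line in raw.splitlines() if line.strip())
    return text, parser.mismatches


# Constructed sample of the "your account has been limited" lure the column describes;
# 198.51.100.0/24 and the .example TLD are reserved for documentation.
SAMPLE_HTML = """
<p>Dear customer,</p>
<p>Your account has been limited. Please
<a href="http://198.51.100.23/login">log in at https://www.bank.example</a>
to restore access.</p>
<p>Questions? See <a href="https://www.bank.example/help">our help page</a>.</p>
"""

if __name__ == "__main__":
    text, bad = defang_links(SAMPLE_HTML)
    print(text)
    for shown, real, href in bad:
        print(f"WARNING: link text shows {shown} but points at {real} ({href})")
```

Run as a filter on the HTML part of a message, the first link above comes out as `log in at https://www.bank.example [link: http://198.51.100.23/login]` and is reported as a mismatch, while the genuine help link passes. The rewrite is deliberately lossy (no styling survives), which is the point: a plain-text URL has to be read and typed, exactly the "sandboxing" habit the column recommends.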

Dave Kearns is a senior analyst for Kuppinger-Cole, Europe's leading analyst company for identity-focused information security and networking. His columns and books have provided a thorough grounding in the basic philosophies of directory technology, networking, and identity ...

Comments
place4papers, User Rank: Apprentice, 8/6/2014 | 9:53:22 AM
Re: Not to think...
I always knew that history is repeating itself. However, I would never think that it can be the case with phishing. Not so long ago I bought a brilliant research paper from place4papers.com, the best paper writing service I ever used.

dak3, User Rank: Moderator, 8/1/2014 | 10:35:25 AM
Re: Creating a bank account with an online bill as a proof of identity???
It doesn't take much to open a bank acct, and a utility bill is one of the "proofs of identity" that's accepted by almost all of them....

DarkReadingTim, User Rank: Strategist, 7/31/2014 | 3:12:15 PM
Re: Not to think...
One thing about phishing -- it works. Almost all of the recent major breaches we've reported have started with some element of phishing -- 1 or 2 people fooled into giving away their credentials or clicking on a link. And the resources devoted to finding and fooling those particular individuals that hold the keys is impressive. A criminal may know everything there is to know about an admin or an IT person who has access to the credentials they want.

prospecttoreza, User Rank: Moderator, 7/31/2014 | 9:47:05 AM
Creating a bank account with an online bill as a proof of identity???
"They can potentially use these bills in the money laundering process such as in creating a bank account in someone else's name and using the online bill as proof of identity."

I really hope that bank regulations do not allow for this.

And if you thought that paying with a personal check is getting outdated - think again.

Marilyn Cohodas, User Rank: Strategist, 7/30/2014 | 3:50:54 PM
Re: Not to think...
I can remember when my 20-something sat on my lap while I was sending emails on my desktop, looking into a big blocky CRT screen. Her phone is never off today. I can only imagine what the world will be like for your kiddos...

D.M. Romano, User Rank: Apprentice, 7/30/2014 | 3:38:03 PM
Re: Not to think...
@Marilyn - You mentioned tweenies, heck my 6 and 4 year olds play with my phone maybe as much as I do. And that includes apps and the internet (youtube, mainly). Either way, the time has indeed come.

Marilyn Cohodas, User Rank: Strategist, 7/30/2014 | 3:31:02 PM
Re: Not to think...
@D.M. Romano Yes, I think the time has come for that kind of preschool education.

As for Robot & Frank, @dak3, that's a new one for me! I'll put it on my watch list!

D.M. Romano, User Rank: Apprentice, 7/30/2014 | 3:22:20 PM
Re: Not to think...
I'll tell you what, an internet safety "children's book" is a hot idea. Matter of fact, I'm getting on that ASAP!

dak3, User Rank: Moderator, 7/30/2014 | 3:21:43 PM
Re: Not to think...
See the movie "Robot & Frank"....

Marilyn Cohodas, User Rank: Strategist, 7/30/2014 | 3:08:51 PM
Re: Not to think...
I've seen tweens with smart phones. The education really needs to be drummed in as soon as kids start dealing with the Internet. We tell our toddlers, not to talk to strangers, don't we? How long before tablets totally replace children's books. Or has that already happened?