Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

10:30 AM
Connect Directly
E-Mail vvv

To Click or Not to Click: The Answer Is Easy

Mega hacks like the Facebook breach provide endless ammo for spearphishers. These six tips can help you stay safer.

Huge breaches have become so common that it's tempting for users to write them off as no big deal. Take Facebook's recent announcement that hackers made off with personal info of 30 million users of the platform. How bad can it be for someone to have access to the kind of basic information we all share with hundreds or thousands of our friends, anyway? It's not bank account info or Social Security numbers, right?

Well, it is a big deal — not because of what might happen on Facebook but because of how the thieves can use the information to launch spearphishing attacks. Even if you quickly changed your password to protect your privacy on Facebook, a fleeting snapshot of your Facebook activity — your name and employer, your LinkedIn URL, your religion, the people you follow, and your most recent searches — will give a good spearphisher more than enough information to craft a nearly irresistible bogus email: "Hi, Kowsik. I see that you love that new Spanish restaurant downtown. I just found a foodie site that's offering a coupon for a free meal!"

Or if you are a fan of the New York Times, you might receive an emailed security alert that appears to be from the newspaper warning you to change your password. If you clicked on a link in that email, you'd land at a legit-looking landing page where you might very well hand over your username and password — which, chances are, are the same credentials you use for your bank, your doctor, and to get on your employer's network.

For a bad guy, it's a simple, diabolically effective combination. For starters, research shows that spearphishing works. Twelve percent of all users will open a phishing email, and 4% will always click a link in a phishing email, according to Verizon's 2018 Data Breach Investigations Report. Corporate employees using their corporate email are a bit more circumspect, but still vulnerable. In the last 30 days, employees at our customers' businesses clicked on 1.2% of the URLs included in phishing emails. That's a high success rate, especially because accessing a corporate network makes targets of all of your fellow employees.

Breaches of major social networks will fuel the growth of the spearphishing scourge. After all, it makes for some easy pickings. Some types of cyberattacks, such as watering hole attacks, require victims to happen upon a malware-carrying website. But everyone uses email. And criminals are just like the rest of us — they don't want to work any harder than they have to. If they have information on what is top of mind for millions of people, why would they bother with more tiresome approaches?

It's no wonder that spearphishing is on the rise around the world. In Singapore, for example, the number of spearphishing attacks made via e-mail impersonation scams rose 20% from 2015 to 2016 (the latest data available), according to the Singapore Computer Emergency Response Team. In September, the FBI issued a warning about a rise in spearphishing attacks in which supposed human resources representatives tap directly into victims' bank accounts. Just a few weeks ago, Vanderbilt University News warned students and faculty to be on the alert of increased spearphishing activity.

Take These Steps
So, if spearphishing is a fact of life in the age of social networks, what can you do to protect yourself? Quite honestly, the only foolproof defense is to not use email. Short of that, here are some best practices:

1. Have a healthy skepticism for emails offering awards and gift vouchers. Better yet, ignore them — and certainly don't click on any links.

2. Beware of any email referencing something you posted about on Facebook or another social network, especially if you know they've been hacked. That should make your antenna go up in a big way. Be afraid — very afraid.

3. Never click on embedded links in emails — even if it appears to be from your bank, cable company, or another trusted vendor. You can always log on to those sites yourself to take care of whatever pressing business is at hand.

4. Don't use open authentication programs. Yes, it is extremely convenient to log on to sites or apps using your Facebook or Google credentials. But take the time to create your own username and password. Most people don't realize that this service allows the app developer to access Facebook on your behalf. In other words, a hacker wouldn't need to breach Facebook's defenses to see your information there — just breach that app developer.

5. Insist on good spearphishing hygiene from the companies you do business with. If that bank or cable company sends you an email with an embedded link, lodge your complaint. Tell them to direct you to log on to the site directly. If more vendors were pressured to adopt this policy, the link-clicking economy would fall apart.

6. Create fake email accounts to join social networks. Since you're never likely to check the account again, chances are you'll never see any spearphishing attacks that arrive there. And don't feel too guilty. After all, the social network's business model is probably based on monetizing your personal information.

Related Content:


Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Kowsik Guruswamy is CTO of Menlo Security. Previously, he was co-­founder and CTO at Mu Dynamics, which pioneered a new way to analyze networked products for security vulnerabilities. Before Mu, he was a distinguished engineer at Juniper Networks. Kowsik joined Juniper ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
11/14/2018 | 11:03:38 AM
Your phone number is an unprotected endpoint
Treat your phone number and any calls or texts that arrive just as suspiciously as email.

Common social engineering techniques involve posing as an employee of Microsoft or Google and convincing a finance employee to install remote access software on their computer, which then allows the hacker free reign into the companies network and perhaps its finance controls.  

There are straight forward training techniques that all companies should implement to avoid these common social engineering campaigns.  Just like a consumer, when you receive a call from a contact claiming to be your bank, your credit card company, or a critical software vendor, always take their full name and contact number and tell them you will call them back. Then, try to contact them via the company's listed 800 number, or known support line.  If they are legitimate, the employee will be right back on the phone with them. If the initial call was a scam, the scam will have been averted AND the vendor will be made aware of a new threat using their identity.

For Cybersecurity to Be Proactive, Terrains Must Be Mapped
Craig Harber, Chief Technology Officer at Fidelis Cybersecurity,  10/8/2019
A Realistic Threat Model for the Masses
Lysa Myers, Security Researcher, ESET,  10/9/2019
USB Drive Security Still Lags
Dark Reading Staff 10/9/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-10-14
An issue was discovered in idreamsoft iCMS v7.0.14. There is a spider_project.admincp.php SQL injection vulnerability in the 'upload spider project scheme' feature via a two-dimensional payload.
PUBLISHED: 2019-10-14
An issue was discovered in MetInfo v7.0.0 beta. There is SQL Injection via the admin/?n=tags&c=index&a=doSaveTags URI.
PUBLISHED: 2019-10-14
parserIfLabel in inc/zzz_template.php in ZZZCMS zzzphp 1.7.3 allows remote attackers to execute arbitrary code because the danger_key function can be bypassed via manipulations such as strtr.
PUBLISHED: 2019-10-14
GDAL through 3.0.1 has a poolDestroy double free in OGRExpatRealloc in ogr/ogr_expat.cpp when the 10MB threshold is exceeded.
PUBLISHED: 2019-10-14
tif_getimage.c in LibTIFF through 4.0.10, as used in GDAL through 3.0.1 and other products, has an integer overflow that potentially causes a heap-based buffer overflow via a crafted RGBA image, related to a "Negative-size-param" condition.