Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

10:30 AM
Connect Directly
E-Mail vvv

To Click or Not to Click: The Answer Is Easy

Mega hacks like the Facebook breach provide endless ammo for spearphishers. These six tips can help you stay safer.

Huge breaches have become so common that it's tempting for users to write them off as no big deal. Take Facebook's recent announcement that hackers made off with personal info of 30 million users of the platform. How bad can it be for someone to have access to the kind of basic information we all share with hundreds or thousands of our friends, anyway? It's not bank account info or Social Security numbers, right?

Well, it is a big deal — not because of what might happen on Facebook but because of how the thieves can use the information to launch spearphishing attacks. Even if you quickly changed your password to protect your privacy on Facebook, a fleeting snapshot of your Facebook activity — your name and employer, your LinkedIn URL, your religion, the people you follow, and your most recent searches — will give a good spearphisher more than enough information to craft a nearly irresistible bogus email: "Hi, Kowsik. I see that you love that new Spanish restaurant downtown. I just found a foodie site that's offering a coupon for a free meal!"

Or if you are a fan of the New York Times, you might receive an emailed security alert that appears to be from the newspaper warning you to change your password. If you clicked on a link in that email, you'd land at a legit-looking landing page where you might very well hand over your username and password — which, chances are, are the same credentials you use for your bank, your doctor, and to get on your employer's network.

For a bad guy, it's a simple, diabolically effective combination. For starters, research shows that spearphishing works. Twelve percent of all users will open a phishing email, and 4% will always click a link in a phishing email, according to Verizon's 2018 Data Breach Investigations Report. Corporate employees using their corporate email are a bit more circumspect, but still vulnerable. In the last 30 days, employees at our customers' businesses clicked on 1.2% of the URLs included in phishing emails. That's a high success rate, especially because accessing a corporate network makes targets of all of your fellow employees.

Breaches of major social networks will fuel the growth of the spearphishing scourge. After all, it makes for some easy pickings. Some types of cyberattacks, such as watering hole attacks, require victims to happen upon a malware-carrying website. But everyone uses email. And criminals are just like the rest of us — they don't want to work any harder than they have to. If they have information on what is top of mind for millions of people, why would they bother with more tiresome approaches?

It's no wonder that spearphishing is on the rise around the world. In Singapore, for example, the number of spearphishing attacks made via e-mail impersonation scams rose 20% from 2015 to 2016 (the latest data available), according to the Singapore Computer Emergency Response Team. In September, the FBI issued a warning about a rise in spearphishing attacks in which supposed human resources representatives tap directly into victims' bank accounts. Just a few weeks ago, Vanderbilt University News warned students and faculty to be on the alert of increased spearphishing activity.

Take These Steps
So, if spearphishing is a fact of life in the age of social networks, what can you do to protect yourself? Quite honestly, the only foolproof defense is to not use email. Short of that, here are some best practices:

1. Have a healthy skepticism for emails offering awards and gift vouchers. Better yet, ignore them — and certainly don't click on any links.

2. Beware of any email referencing something you posted about on Facebook or another social network, especially if you know they've been hacked. That should make your antenna go up in a big way. Be afraid — very afraid.

3. Never click on embedded links in emails — even if it appears to be from your bank, cable company, or another trusted vendor. You can always log on to those sites yourself to take care of whatever pressing business is at hand.

4. Don't use open authentication programs. Yes, it is extremely convenient to log on to sites or apps using your Facebook or Google credentials. But take the time to create your own username and password. Most people don't realize that this service allows the app developer to access Facebook on your behalf. In other words, a hacker wouldn't need to breach Facebook's defenses to see your information there — just breach that app developer.

5. Insist on good spearphishing hygiene from the companies you do business with. If that bank or cable company sends you an email with an embedded link, lodge your complaint. Tell them to direct you to log on to the site directly. If more vendors were pressured to adopt this policy, the link-clicking economy would fall apart.

6. Create fake email accounts to join social networks. Since you're never likely to check the account again, chances are you'll never see any spearphishing attacks that arrive there. And don't feel too guilty. After all, the social network's business model is probably based on monetizing your personal information.

Related Content:


Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Kowsik Guruswamy is CTO of Menlo Security. Previously, he was co-­founder and CTO at Mu Dynamics, which pioneered a new way to analyze networked products for security vulnerabilities. Before Mu, he was a distinguished engineer at Juniper Networks. Kowsik joined Juniper ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
11/14/2018 | 11:03:38 AM
Your phone number is an unprotected endpoint
Treat your phone number and any calls or texts that arrive just as suspiciously as email.

Common social engineering techniques involve posing as an employee of Microsoft or Google and convincing a finance employee to install remote access software on their computer, which then allows the hacker free reign into the companies network and perhaps its finance controls.  

There are straight forward training techniques that all companies should implement to avoid these common social engineering campaigns.  Just like a consumer, when you receive a call from a contact claiming to be your bank, your credit card company, or a critical software vendor, always take their full name and contact number and tell them you will call them back. Then, try to contact them via the company's listed 800 number, or known support line.  If they are legitimate, the employee will be right back on the phone with them. If the initial call was a scam, the scam will have been averted AND the vendor will be made aware of a new threat using their identity.

Cyberattacks Are Tailored to Employees ... Why Isn't Security Training?
Tim Sadler, CEO and co-founder of Tessian,  6/17/2021
7 Powerful Cybersecurity Skills the Energy Sector Needs Most
Pam Baker, Contributing Writer,  6/22/2021
Microsoft Disrupts Large-Scale BEC Campaign Across Web Services
Kelly Sheridan, Staff Editor, Dark Reading,  6/15/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-23
GetSimpleCMS <=3.3.15 has an open redirect in admin/changedata.php via the redirect function to the url parameter.
PUBLISHED: 2021-06-23
A cross site scripting (XSS) vulnerability in Catfish CMS 4.9.90 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "announcement_gonggao" parameter.
PUBLISHED: 2021-06-23
Cross Site Scripting (XSS) vulnerability in GetSimpleCMS <= 3.3.15 in admin/changedata.php via the redirect_url parameter and the headers_sent function.
PUBLISHED: 2021-06-23
Cross Site Scriptiong (XSS) vulnerability in GetSimpleCMS <=3.3.15 via the timezone parameter to settings.php.
PUBLISHED: 2021-06-23
Cross Site Scripting vulnerability in GetSimpleCMS <=3.3.15 via the (1) sitename, (2) username, and (3) email parameters to /admin/setup.php