Dark Reading is part of the Informa Tech Division of Informa PLC

To Click or Not to Click: The Answer Is Easy

Mega hacks like the Facebook breach provide endless ammo for spearphishers. These six tips can help you stay safer.

Huge breaches have become so common that it's tempting for users to write them off as no big deal. Take Facebook's recent announcement that hackers made off with personal info of 30 million users of the platform. How bad can it be for someone to have access to the kind of basic information we all share with hundreds or thousands of our friends, anyway? It's not bank account info or Social Security numbers, right?

Well, it is a big deal — not because of what might happen on Facebook but because of how the thieves can use the information to launch spearphishing attacks. Even if you quickly changed your password to protect your privacy on Facebook, a fleeting snapshot of your Facebook activity — your name and employer, your LinkedIn URL, your religion, the people you follow, and your most recent searches — will give a good spearphisher more than enough information to craft a nearly irresistible bogus email: "Hi, Kowsik. I see that you love that new Spanish restaurant downtown. I just found a foodie site that's offering a coupon for a free meal!"

Or if you are a fan of the New York Times, you might receive an emailed security alert that appears to be from the newspaper warning you to change your password. If you clicked on a link in that email, you'd land at a legit-looking landing page where you might very well hand over your username and password — which, chances are, are the same credentials you use for your bank, your doctor, and to get on your employer's network.

For a bad guy, it's a simple, diabolically effective combination. For starters, research shows that spearphishing works. Twelve percent of all users will open a phishing email, and 4% will always click a link in a phishing email, according to Verizon's 2018 Data Breach Investigations Report. Corporate employees using their corporate email are a bit more circumspect, but still vulnerable. In the last 30 days, employees at our customers' businesses clicked on 1.2% of the URLs included in phishing emails. That's a high success rate, especially because accessing a corporate network makes targets of all of your fellow employees.

Breaches of major social networks will fuel the growth of the spearphishing scourge. After all, it makes for some easy pickings. Some types of cyberattacks, such as watering hole attacks, require victims to happen upon a malware-carrying website. But everyone uses email. And criminals are just like the rest of us — they don't want to work any harder than they have to. If they have information on what is top of mind for millions of people, why would they bother with more tiresome approaches?

It's no wonder that spearphishing is on the rise around the world. In Singapore, for example, the number of spearphishing attacks made via email impersonation scams rose 20% from 2015 to 2016 (the latest data available), according to the Singapore Computer Emergency Response Team. In September, the FBI issued a warning about a rise in spearphishing attacks in which supposed human resources representatives tap directly into victims' bank accounts. Just a few weeks ago, Vanderbilt University News warned students and faculty to be on alert for increased spearphishing activity.

Take These Steps
So, if spearphishing is a fact of life in the age of social networks, what can you do to protect yourself? Quite honestly, the only foolproof defense is to not use email. Short of that, here are some best practices:

1. Have a healthy skepticism for emails offering awards and gift vouchers. Better yet, ignore them — and certainly don't click on any links.

2. Beware of any email referencing something you posted about on Facebook or another social network, especially if you know they've been hacked. That should make your antenna go up in a big way. Be afraid — very afraid.

3. Never click on embedded links in emails — even if it appears to be from your bank, cable company, or another trusted vendor. You can always log on to those sites yourself to take care of whatever pressing business is at hand.

4. Don't use open authentication ("log in with Facebook/Google") programs. Yes, it is extremely convenient to log on to sites or apps using your Facebook or Google credentials. But take the time to create your own username and password. Most people don't realize that this service allows the app developer to access Facebook on your behalf. In other words, a hacker wouldn't need to breach Facebook's defenses to see your information there — just breach that app developer.

5. Insist on good spearphishing hygiene from the companies you do business with. If that bank or cable company sends you an email with an embedded link, lodge your complaint. Tell them to direct you to log on to the site directly. If more vendors were pressured to adopt this policy, the link-clicking economy would fall apart.

6. Create fake email accounts to join social networks. Since you're never likely to check the account again, chances are you'll never see any spearphishing attacks that arrive there. And don't feel too guilty. After all, the social network's business model is probably based on monetizing your personal information.
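As an added illustration of tips 3 and 5 (this is example code, not from the article or from Menlo Security), the following script inspects the links in a constructed sample HTML email and flags any whose visible text and real destination disagree, or whose host is not under the purported sender's domain. All domains are hypothetical placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: an HTML email claiming to come from a bank.
# The domains are hypothetical placeholders, not real indicators.
SAMPLE_EMAIL = """
<p>Dear customer, please verify your account.</p>
<a href="https://examplebank.com/login">examplebank.com</a>
<a href="http://examplebank.com.login-verify.test/reset">https://examplebank.com/reset</a>
<a href="https://support.examplebank.com/help">Help center</a>
"""

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Lower-case hostname of a URL (scheme optional), or '' if it has none."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def belongs_to(host, sender_domain):
    """True only if host is the sender's domain or a true subdomain of it."""
    return host == sender_domain or host.endswith("." + sender_domain)

def flag_links(html, sender_domain):
    """Return [(href, reason)] for links a reader should not click from this sender."""
    parser = LinkExtractor()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        real = host_of(href)
        # If the visible text looks like a URL or domain, it must match the real host.
        shown = host_of(text) if re.search(r"\w+\.\w+", text) else ""
        if shown and shown != real:
            flagged.append((href, f"text shows {shown} but link goes to {real}"))
        elif not belongs_to(real, sender_domain):
            flagged.append((href, f"{real} is not under {sender_domain}"))
    return flagged

if __name__ == "__main__":
    for href, why in flag_links(SAMPLE_EMAIL, "examplebank.com"):
        print(f"DO NOT CLICK {href}: {why}")
```

Only the second link is flagged: its text names examplebank.com, but the real host is a look-alike that merely starts with that name.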


Kowsik Guruswamy is CTO of Menlo Security. Previously, he was co-founder and CTO at Mu Dynamics, which pioneered a new way to analyze networked products for security vulnerabilities. Before Mu, he was a distinguished engineer at Juniper Networks. Kowsik joined Juniper ...
11/14/2018 | 11:03:38 AM
Your phone number is an unprotected endpoint
Treat your phone number and any calls or texts that arrive just as suspiciously as email.

Common social engineering techniques involve posing as an employee of Microsoft or Google and convincing a finance employee to install remote access software on their computer, which then allows the hacker free rein into the company's network and perhaps its finance controls.

There are straightforward training techniques that all companies should implement to avoid these common social engineering campaigns. Just like a consumer, when you receive a call from a contact claiming to be your bank, your credit card company, or a critical software vendor, always take their full name and contact number and tell them you will call them back. Then, try to contact them via the company's listed 800 number, or known support line. If they are legitimate, the employee will be right back on the phone with them. If the initial call was a scam, the scam will have been averted AND the vendor will be made aware of a new threat using their identity.
