Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

11/14/2018
10:30 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

To Click or Not to Click: The Answer Is Easy

Mega hacks like the Facebook breach provide endless ammo for spearphishers. These six tips can help you stay safer.

Huge breaches have become so common that it's tempting for users to write them off as no big deal. Take Facebook's recent announcement that hackers made off with personal info of 30 million users of the platform. How bad can it be for someone to have access to the kind of basic information we all share with hundreds or thousands of our friends, anyway? It's not bank account info or Social Security numbers, right?

Well, it is a big deal — not because of what might happen on Facebook but because of how the thieves can use the information to launch spearphishing attacks. Even if you quickly changed your password to protect your privacy on Facebook, a fleeting snapshot of your Facebook activity — your name and employer, your LinkedIn URL, your religion, the people you follow, and your most recent searches — will give a good spearphisher more than enough information to craft a nearly irresistible bogus email: "Hi, Kowsik. I see that you love that new Spanish restaurant downtown. I just found a foodie site that's offering a coupon for a free meal!"

Or if you are a fan of the New York Times, you might receive an emailed security alert that appears to be from the newspaper warning you to change your password. If you clicked on a link in that email, you'd land at a legit-looking landing page where you might very well hand over your username and password — which, chances are, are the same credentials you use for your bank, your doctor, and to get on your employer's network.

For a bad guy, it's a simple, diabolically effective combination. For starters, research shows that spearphishing works. Twelve percent of all users will open a phishing email, and 4% will always click a link in a phishing email, according to Verizon's 2018 Data Breach Investigations Report. Corporate employees using their corporate email are a bit more circumspect, but still vulnerable. In the last 30 days, employees at our customers' businesses clicked on 1.2% of the URLs included in phishing emails. That's a high success rate, especially because accessing a corporate network makes targets of all of your fellow employees.

Breaches of major social networks will fuel the growth of the spearphishing scourge. After all, it makes for some easy pickings. Some types of cyberattacks, such as watering hole attacks, require victims to happen upon a malware-carrying website. But everyone uses email. And criminals are just like the rest of us — they don't want to work any harder than they have to. If they have information on what is top of mind for millions of people, why would they bother with more tiresome approaches?

It's no wonder that spearphishing is on the rise around the world. In Singapore, for example, the number of spearphishing attacks made via e-mail impersonation scams rose 20% from 2015 to 2016 (the latest data available), according to the Singapore Computer Emergency Response Team. In September, the FBI issued a warning about a rise in spearphishing attacks in which supposed human resources representatives tap directly into victims' bank accounts. Just a few weeks ago, Vanderbilt University News warned students and faculty to be on the alert of increased spearphishing activity.

Take These Steps
So, if spearphishing is a fact of life in the age of social networks, what can you do to protect yourself? Quite honestly, the only foolproof defense is to not use email. Short of that, here are some best practices:

1. Have a healthy skepticism for emails offering awards and gift vouchers. Better yet, ignore them — and certainly don't click on any links.

2. Beware of any email referencing something you posted about on Facebook or another social network, especially if you know they've been hacked. That should make your antenna go up in a big way. Be afraid — very afraid.

3. Never click on embedded links in emails — even if it appears to be from your bank, cable company, or another trusted vendor. You can always log on to those sites yourself to take care of whatever pressing business is at hand.

4. Don't use open authentication programs. Yes, it is extremely convenient to log on to sites or apps using your Facebook or Google credentials. But take the time to create your own username and password. Most people don't realize that this service allows the app developer to access Facebook on your behalf. In other words, a hacker wouldn't need to breach Facebook's defenses to see your information there — just breach that app developer.

5. Insist on good spearphishing hygiene from the companies you do business with. If that bank or cable company sends you an email with an embedded link, lodge your complaint. Tell them to direct you to log on to the site directly. If more vendors were pressured to adopt this policy, the link-clicking economy would fall apart.

6. Create fake email accounts to join social networks. Since you're never likely to check the account again, chances are you'll never see any spearphishing attacks that arrive there. And don't feel too guilty. After all, the social network's business model is probably based on monetizing your personal information.

Related Content:

 

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Kowsik Guruswamy is CTO of Menlo Security. Previously, he was co-­founder and CTO at Mu Dynamics, which pioneered a new way to analyze networked products for security vulnerabilities. Before Mu, he was a distinguished engineer at Juniper Networks. Kowsik joined Juniper ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
WilliamS068
100%
0%
WilliamS068,
User Rank: Apprentice
11/14/2018 | 11:03:38 AM
Your phone number is an unprotected endpoint
Treat your phone number and any calls or texts that arrive just as suspiciously as email.

Common social engineering techniques involve posing as an employee of Microsoft or Google and convincing a finance employee to install remote access software on their computer, which then allows the hacker free reign into the companies network and perhaps its finance controls.  

There are straight forward training techniques that all companies should implement to avoid these common social engineering campaigns.  Just like a consumer, when you receive a call from a contact claiming to be your bank, your credit card company, or a critical software vendor, always take their full name and contact number and tell them you will call them back. Then, try to contact them via the company's listed 800 number, or known support line.  If they are legitimate, the employee will be right back on the phone with them. If the initial call was a scam, the scam will have been averted AND the vendor will be made aware of a new threat using their identity.

 
7 Truths About BEC Scams
Ericka Chickowski, Contributing Writer,  6/13/2019
DNS Firewalls Could Prevent Billions in Losses to Cybercrime
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/13/2019
Can Your Patching Strategy Keep Up with the Demands of Open Source?
Tim Mackey, Principal Security Strategist, CyRC, at Synopsys,  6/18/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-1874
PUBLISHED: 2019-06-20
A vulnerability in the web-based management interface of Cisco Prime Service Catalog Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. The vulnerability is due to insufficient CSRF protection mechanisms on the web-ba...
CVE-2019-1875
PUBLISHED: 2019-06-20
A vulnerability in the web-based management interface of Cisco Prime Service Catalog could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based interface. The vulnerability is due to insufficient validation of user-supplied input by t...
CVE-2019-1876
PUBLISHED: 2019-06-20
A vulnerability in the HTTPS proxy feature of Cisco Wide Area Application Services (WAAS) Software could allow an unauthenticated, remote attacker to use the Central Manager as an HTTPS proxy. The vulnerability is due to insufficient authentication of proxy connection requests. An attacker could exp...
CVE-2019-1878
PUBLISHED: 2019-06-20
A vulnerability in the Cisco Discovery Protocol (CDP) implementation for the Cisco TelePresence Codec (TC) and Collaboration Endpoint (CE) Software could allow an unauthenticated, adjacent attacker to inject arbitrary shell commands that are executed by the device. The vulnerability is due to insuff...
CVE-2019-1879
PUBLISHED: 2019-06-20
A vulnerability in the CLI of Cisco Integrated Management Controller (IMC) could allow an authenticated, local attacker to inject arbitrary commands that are executed with root privileges. The vulnerability is due to insufficient validation of user-supplied input at the CLI. An attacker could exploi...