Phishing Attacks: Not Sophisticated, but Successful
While companies spend big bucks on combating advanced malware, users still fall prey to email phishing scams.
Companies spend countless millions of dollars in attempts to protect themselves against the newest worms, Trojans and other malware. But perhaps even more dangerous are slight variations on some of the oldest scams – ones that existed long before the Defense Advanced Research Projects Agency developed the forerunner to the Internet.
Shooting Phish in a Barrel
The Nigerian 419 scams (419 is the article in the Nigerian Criminal Code that refers to fraud) "appeal to people’s innate desire to be noticed, to be important and to be part of large deals that could be lucrative," said Robert Hansen, vice president of WhiteHat Security Labs.
These scams, which go back to when most were delivered via snail mail, typically involve royalty (or a close relative), a high-ranking official or a friend needing to move money out of Nigeria or some other foreign country. They offer a percentage of the proceeds to the mark as long as he or she first sends a significant sum of money to pay certain fees. Sometimes the scammer asks for the mark’s complete identity information.
Sometimes used in conjunction with a 419 scam are phishing and spearphishing schemes that entice the target to open an email, click on a link, download material or share confidential information. These too are variants of schemes using social engineering techniques that predate the Internet. Famous fraudster Frank Abagnale, subject of the movie "Catch Me if You Can" starring Leonardo DiCaprio and Tom Hanks, used similar techniques – dressing like a pilot or other professional when cashing a fraudulent check – when running his schemes in the 1960s.
"There’s a perennial appeal to offers of large amounts of money with significant liquidity," said Stephen Cobb, senior security researcher at ESET North America. "All of us at various times have thought that a lot of our troubles would be solved if we only had cash."
Scams asking for money not only successfully con people; some victims are conned multiple times by the same scammer, according to Cobb. "A person who puts money in has a vested interest in believing that [the offer] is real. So the scam artist will often try to hit the person a second time, saying there was a roadblock so he needs more money. He (the scam artist) isn’t out any additional money."
How successful are phishing scams? In a threat report published in August, McAfee found that 80 percent of business users who took a quiz designed to test their ability to detect online scams failed to detect at least one of seven phishing emails. Even more worrisome, results showed that finance and HR departments performed the worst at detecting scams, falling behind other departments by a margin of 4 percent to 9 percent.
Phish Back on the Menu
Lior Kohavi, CTO for CYREN, a McLean, Va.-based cloud company, said that scam artists increasingly employ these schemes to persuade people to click on elements of emails that will launch macros that load malware onto the user’s computer. These scams were popular in the 1990s, then faded into the background as hackers went with more sophisticated schemes, Kohavi said. But now they have returned en masse.
Criminals like such schemes because they invest very little in the social engineering needed to convince someone to click on an executable file containing malware, compared to the amount they must spend on developing malware designed to skirt most anti-virus software, firewalls and other protections.
A recent CYREN report points out: "With a simple spearphishing email to an employee, cybercriminals can quickly gain entry to corporate systems. From there, they can build on that access and develop the threat to the point that one day the enterprise experiences a data breach of the same scope and scale as the recent one with Sony Entertainment."
Chris Steel, chief solutions architect for SoftwareAG Government Solutions, Inc., said user education is one of the key factors in thwarting such scams. This article, based on a Derbycon presentation, shares some good tips on offering user education that really works.
While Steel is hopeful that Web browsers and email programs will advance enough to detect and block many or most of the emails triggering such dangerous behaviors, there's little doubt that these old-school scams will continue for some time.
How to Spot an Email Scam
Experts say the following are a few signs by which to immediately recognize a scam:
- Request to change password
- Request for money
- All caps in header, subject line, address or somewhere else prominent in email
- "Re" in an email that is not a response to another email
- Messages from overseas, particularly anything from a country one has never visited
- Request for personal information
- Offer of a free gift. "There are no free gifts on the Internet," Kohavi said
- Anything that says "click here," particularly to see a video, picture or article
- Emails from a known person addressing you differently than they have before (e.g., Robert rather than Bob)
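Several of these signs can be checked mechanically at the mail gateway or in a mailbox rule. The following is an added illustration, not code from the article or from any vendor quoted in it: it scores a raw message against the indicators listed above (a "Re:" subject with no threading headers, all-caps headers, "click here", password, money and personal-data requests, free-gift offers, and a known sender greeting you by an unfamiliar name). The sample messages, the example.invalid addresses and the `USUAL_GREETINGS` table are constructed assumptions; the keyword patterns are deliberately simple and will need tuning before any production use.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Subject/body patterns drawn from the indicator list above; each hit adds one point.
CHECKS = [
    ("password change request", re.compile(r"\b(reset|change|update|verify)\b.{0,30}\bpassword\b", re.I | re.S)),
    ("request for money", re.compile(r"\b(wire|transfer|send)\b.{0,30}\b(money|funds|fee)\b", re.I | re.S)),
    ("request for personal information", re.compile(r"\b(ssn|social security|date of birth|account number)\b", re.I)),
    ("free gift offer", re.compile(r"\bfree (gift|prize)\b", re.I)),
    ("'click here' lure", re.compile(r"\bclick here\b", re.I)),
]

def is_all_caps(value):
    """True when the value has at least five letters and every one of them is upper case."""
    letters = [c for c in value if c.isalpha()]
    return len(letters) >= 5 and all(c.isupper() for c in letters)

def score_message(raw, known_greetings=None):
    """Return (score, reasons). known_greetings maps a sender address to the name it usually uses."""
    msg = message_from_string(raw, policy=policy.default)
    subject = msg.get("Subject", "") or ""
    display_name, address = parseaddr(msg.get("From", "") or "")
    part = msg.get_body(preferencelist=("plain",))
    text = part.get_content() if part else ""
    reasons = []
    # A "Re:" subject that is not actually a reply: no threading headers at all.
    if re.match(r"\s*re\s*:", subject, re.I) and not (msg.get("In-Reply-To") or msg.get("References")):
        reasons.append("'Re:' subject with no In-Reply-To/References")
    for label, value in (("Subject header", subject), ("From display name", display_name)):
        if is_all_caps(value):
            reasons.append(f"all-caps {label}")
    for label, pattern in CHECKS:
        if pattern.search(subject) or pattern.search(text):
            reasons.append(label)
    # A known sender greeting the recipient by an unfamiliar name (Robert instead of Bob).
    greeting = re.match(r"\s*(?:hi|hello|dear)\s+([A-Za-z]+)", text, re.I)
    expected = (known_greetings or {}).get(address.lower())
    if greeting and expected and greeting.group(1).lower() != expected.lower():
        reasons.append(f"greeting '{greeting.group(1)}' differs from usual '{expected}'")
    return len(reasons), reasons

# Constructed sample messages, not real mail; example.invalid is a reserved domain.
SCAM_MAIL = ('From: "ACCOUNTS DEPT" <alerts@example.invalid>\nTo: bob@example.invalid\n'
             'Subject: RE: URGENT ACCOUNT NOTICE\n\nDear Robert,\n'
             'Please click here to reset your password within 24 hours.\n')
LEGIT_MAIL = ('From: "Alice Smith" <alice@example.invalid>\nTo: bob@example.invalid\n'
              'Subject: Re: lunch tomorrow\nIn-Reply-To: <abc123@example.invalid>\n\n'
              'Hi Bob,\nNoon works for me.\n')
USUAL_GREETINGS = {"alerts@example.invalid": "Bob", "alice@example.invalid": "Bob"}
```

`score_message(SCAM_MAIL, USUAL_GREETINGS)` trips six of the indicators while the genuine reply scores zero; a score threshold, rather than any single hit, is what should drive quarantining or a user warning, since legitimate mail does occasionally shout in its subject line.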
Phillip J. Britt writes for a number of technology, financial services and business websites and publications, including BAI, Telephony, Connected Planet, Savings Institutions, Independent Banker, insideARM.com, Bank Systems & Technology, Mobile Marketing & Technology, Loyalty 360, CRM Magazine, KM World and Information Today.