Gone phishing again – the return of old school attacks

There has been a big upsurge in phishing attacks, particularly ones that impersonate Google properties. As the 800lb gorilla of the internet, it is perhaps not surprising that Google ranks high on the hit lists of many hackers and cybercriminals. So far its own infrastructure has remained pretty impervious to breaches, but phishing does not need to breach Google; it only needs to fool Google's users. So how concerned should those users be?

For the uninitiated, phishing is the practice of sending legitimate-looking emails to end-users with the intention of gathering up their personal or financial data, with the emails being designed to look as though sent by well-known, trustworthy originators. As the name implies, it’s about baiting the hook and hoping the duped end-user bites.

A recent high-profile spate of attacks focused on Google Drive and was a particularly sophisticated batch; the campaign was designed to circumvent Google's anti-spam defences and deliver official-looking emails to users that linked them to fake Google Drive pages. There they were invited to enter their username and password, handing these vital credentials to the phishers. The attack fooled seasoned security specialists and had the added impact of undermining end-user trust in Google.

What was not clear was who was behind the attacks, but it was nonetheless a massive and advanced campaign. Rather than breaking Google's Secure Sockets Layer (SSL) encryption, which remains intact, the phishers worked out how to put their fake login page in front of users with Google's own trusted SSL padlock on it, so that the usual advice to "check for the padlock" gave no warning. That potentially exposed hundreds of millions of user accounts: Google's Gmail has around 900 million users who could have been under threat.

Phishing getting smarter

One of the continuing problems around IT security is that the attackers don’t sit around idle – they are always looking for new ways to ‘improve’ their threats. This use of Google to mask phishing attacks shows a whole new level of sophistication on the part of the attackers, prompting IT industry security firms to warn governments and companies to be more alert than usual.

More platforms means more potential threats

And this is where the impact on the enterprise environment could be huge. The rise of mobile working, mobile device proliferation and schemes like bring your own device (BYOD) mean that attackers have more targets than ever.

BYOD began life as a user-driven phenomenon that the enterprise and CIOs then embraced. BYOD helps employees be more productive and enjoy more flexibility and agility in their work, but it also presents challenges to corporate data security. And the new generation of phishers knows this. In 2014, business email compromise attacks, or 'man-in-the-email' phishing scams, were estimated to have cost businesses around $215 million. The phishing threat is very real.

How the enterprise can fight phishing

Completely preventing phishing attacks impacting corporate users may not be possible, but organizations can implement measures to minimize the threat.

Phishing and spear phishing have become particularly successful methods of attack because they take advantage of what is often the weakest link in any IT security chain: people. To reduce the likelihood of successful attacks on the enterprise, organizations should take a two-pronged approach. Having the right IT security tools and defences in place is one prong; the other is to do everything possible to build situational awareness among employees. Teams should be trained to spot the tell-tale signs of a phishing email (a sender display name that does not match the sender's address, a link whose visible text points to one site while the underlying link goes to another, a look-alike domain that merely contains a trusted brand name) and to question suspicious communications. Also encourage double-checking: if a communication seems suspicious, staff can contact the supposed sender by phone or another channel that the email itself did not supply to confirm that it is legitimate.
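The same tell-tale signs that staff are trained to look for can be checked mechanically at the mail gateway or in a triage script. The following is an added example written for this article, not code from Orange or from the campaign described above: it parses a constructed sample message (not a real phishing email) and reports three indicators, a brand name in the sender display name whose address domain does not match, anchor text showing one host while the href goes to another, and a look-alike domain that contains the brand name without being the brand's domain. The `TRUSTED_BRANDS` table and the `registrable()` helper are simplifying assumptions for the demo; production code would use a curated brand list and the public suffix list.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real phishing email): the display name and
# the visible link text say "Google Drive", but the sender domain and the real
# link target do not belong to google.com.
SAMPLE_EMAIL = """\
From: "Google Drive" <share@drive-google-docs.example>
To: alice@example.com
Subject: A document has been shared with you
Content-Type: text/html; charset=utf-8

<html><body>
<p>Someone shared a file with you on Google Drive.</p>
<p><a href="http://drive-google-docs.example/login">https://drive.google.com/file/d/abc123</a></p>
<p><a href="https://support.google.com/drive">Help</a></p>
</body></html>
"""

# Constructed benign message for comparison: sender and links agree.
CLEAN_EMAIL = """\
From: "Google Drive" <drive-shares-noreply@google.com>
To: alice@example.com
Subject: A document has been shared with you
Content-Type: text/html; charset=utf-8

<html><body>
<p><a href="https://support.google.com/drive">Help</a></p>
</body></html>
"""

# Assumed brand -> registrable domain table (demo only).
TRUSTED_BRANDS = {"google drive": "google.com", "google": "google.com"}


def registrable(host):
    """Approximate the registrable domain as the last two labels.
    Assumption for the demo; real code should consult the public suffix list."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Return the host of a URL, or of URL-looking visible text, else None."""
    try:
        return urlparse(text if "://" in text else "http://" + text).hostname
    except ValueError:
        return None


def phishing_indicators(raw):
    """Return a list of human-readable indicators found in a raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    indicators = []
    display, addr = parseaddr(msg["From"])
    sender_domain = registrable(addr.split("@")[-1]) if "@" in addr else ""
    # 1. Display-name spoofing: the name claims a brand the address domain does not match.
    for brand, brand_domain in TRUSTED_BRANDS.items():
        if brand in display.lower() and sender_domain != brand_domain:
            indicators.append(f"display name '{display}' but sender domain {sender_domain}")
            break
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return indicators
    collector = LinkCollector()
    collector.feed(body.get_content())
    for href, text in collector.links:
        href_host = host_of(href)
        if href_host is None:
            continue
        # 2. Visible text looks like a URL on one host, but the href goes elsewhere.
        text_host = host_of(text) if "." in text and " " not in text else None
        if text_host and registrable(text_host) != registrable(href_host):
            indicators.append(f"link text {text_host} but href {href_host}")
        # 3. Look-alike domain: contains the brand name but is not the brand's domain.
        if "google" in href_host.lower() and registrable(href_host) != "google.com":
            indicators.append(f"look-alike domain {href_host}")
    return indicators


if __name__ == "__main__":
    for line in phishing_indicators(SAMPLE_EMAIL):
        print("suspicious:", line)
    print("clean message indicators:", phishing_indicators(CLEAN_EMAIL))
```

None of these checks is conclusive on its own (legitimate mailers use tracking redirectors, and brand names turn up in honest third-party domains), which is why the script reports indicators for a human to weigh rather than a verdict; it is the mechanical counterpart of the "double-check before you click" habit the text recommends.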

Further good practices include intelligence-led approaches to organizational security that complement the technology-based controls, and a robust mobile device management (MDM) policy that strengthens your defences on the devices phishers now target. Geolocation tracking as part of your MDM suite also reduces the exposure from a lost or stolen device, since it lets you locate the device and decide quickly whether to lock or wipe it.

Ultimately every stakeholder in the organization should be aware of the phishing threat and how they can help restrict the damage phishing can do to a company. It’s highly unlikely that phishing threats will go away any time soon so enterprises need to be ready.

Find out how the Orange CyberSOC can help your people defend against phishing threats.


Steve Harris

I’ve been writing about technology for around 15 years and today focus mainly on all things telecoms - next generation networks, mobile, cloud computing and plenty more. For Futurity Media I am based in the Asia-Pacific region and keep a close eye on all things tech happening in that exciting part of the world.