Humans still the weakest link as phishing gets smarter and more focused

Filed Under: Featured, Phishing, Security threats, Vulnerability

The latest figures from the Anti-Phishing Working Group (APWG) show a distinct decline in the numbers of phishing sites reported to it, and in the number of separate brands targeted.

A survey compiled by Verizon, on the other hand, implies that almost all incidents of cyber espionage reported in the last year included some phishing component.

An academic study into human susceptibility to phishing has found that 92% of participants misclassified at least one phishing email, despite efforts to educate people about the dangers.

Put together, this seems to confirm a general feeling that phishing attacks are becoming less scatter-gun, focusing more on specific targets, with more care and attention put into making them more enticing, more believable and harder to spot.

The APWG quarterly report, covering the first three months of 2013 but only released earlier this week, found that phishing attacks dropped 20% between January and March, with February figures the lowest since October 2011.

The number of brands targeted is also down on the previous quarter, although 2012 numbers were considered exceptionally high.

As the stats are based on phishing pages and incidents reported to the APWG by the public, it's not clear whether the drop in numbers reflects a real fall in attacks, or simply that they are becoming harder for people to spot, leading to fewer reports.

Ihab Shraim, CISO at news behemoth Thomson Reuters, is quoted in the APWG report describing the trends in a way that supports both explanations:

These changes are likely due to a shift to more advanced and targeted techniques for credential theft including malware and stealthier spear phishing.

Phishing has been around for years now, with a fairly well-known set of targets, tricks and tell-tale signs, but we still see new techniques emerging, making the smarter scams harder for both machines and humans to detect.

Spear-phishing of highly focused targets has been the driving force behind a number of major compromises lately, from high-profile hacktivism like the recent Viber heist to more stealthy targeted penetrations.

Educating users to keep a wary eye out for phishing attempts has been a major focus for security admins and providers, but it seems like the bad guys are managing to keep ahead of the curve.

Academics at North Carolina State University have been looking into the characteristics of people who fall for phishes, combining personality studies with experiments using swathes of legitimate and phishing emails.

They found that confidence is high: 89% thought they could spot the dodgy messages. Yet 92% misclassified at least one, 52% got it wrong more than half the time, and 54% had at least one false positive, trashing a real email in the belief that it was a scam.

They also found that people who thought of themselves as “less trusting, introverts, or less open to new experiences” threw out more genuine mails, while women were less adept than men at spotting phishing messages.

The researchers, whose work is part-funded by the beleaguered NSA, suggest that as the human mind is the main issue, education remains the most important weapon in the battle against the phishers.

The team is working towards a system of teaching which will effectively prepare people to avoid being tricked.

While technical countermeasures such as improvements in secure browsing will play a part, as will making sure the bad guys are brought to book wherever possible, it's clear that the psychological battleground is vital.

Phishing has come a long way from the old days when simply keeping an eye out for dodgy grammar and sloppy spelling was enough. Education techniques clearly need to evolve to keep pace with the growing sophistication of phishing scams.

A major difficulty is the tendency to focus on specifics; any list of tell-tale signs is likely to date quickly, as techniques evolve and old mistakes are learnt from.

The main thing is to maintain a skeptical disposition. Social engineering relies on leveraging the most potent human emotions, its main weapons being sex, greed, fear and other basic urges. These can only be combated by logic, clear thinking and good sense.

So next time you see an unexpected message asking for your login info or other sensitive data, stop a moment. Take a few deep breaths, and have a good look around.

Ask yourself a few key questions: Am I sure I am where I think I am? How exactly did I get here? Do I really need to provide this info? What could possibly happen if this info got into the wrong hands? Am I being hurried into something I wouldn't normally do?

You may find that simply stepping back and looking at things with a cool head will keep you from blundering into danger.



8 Responses to Humans still the weakest link as phishing gets smarter and more focused

  1. shitasa · 444 days ago

    How exactly do we defend against attacks like this: someone spoofs the message headers to make it look as if your colleague has sent a research paper, and when you download the paper you then notice malware or spyware running in the background?

    • John Hawes · 441 days ago

      That's a tricky one. I guess being cautious and skeptical should get you a long way here too though - ask yourself, does Dave usually send me papers? In this format, with this sort of filename? Does the intro in the mail sound like the sort of thing Dave would say to me? Could this be something generic that just happens to sound like it's for me? If there's any suspicion, just ping Dave back and check he sent it.

      Then, if you're worried that the software you're going to open it with might not be fully patched, or might have some unpatched vulns (generally pretty likely), maybe try opening the file in a scratchable VM, or using a remote viewing utility so the file is actually opened server-side, if it's something that can be trusted to such a utility - if not, if it might be company-sensitive or something, get your company/organisation to use a (secure) central hosting area for shared docs, so they're never shared via email - Dave can then say "I've dropped that interesting paper on the intranet", and you can be sure that at least someone in the company posted it.

      We can never be completely secure, only more secure than we were - the point of being careful and skeptical is to add to the overall security level, it's not going to be a panacea that will defeat all technical and social engineering tricks I'm afraid.
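The header checks hinted at in the reply above (does the mail really come from where it claims, is the "paper" really a document) can be mechanised. The following is an added example, not code from the original post or its author: it parses two constructed messages with Python's standard `email` module and flags a display name on an outside address, a Reply-To or Return-Path that points somewhere other than the From domain, and an attachment with an executable or decoy double extension. The domain names, file names and the `TRUSTED_DOMAIN` value are assumptions made for the example.

```python
"""Header-consistency checks for a message that claims to come from a colleague.

Added illustration, not code from the original post or its author. The sample
messages, domain names and file names are constructed for this example; the
trusted domain is an assumption about the reader's organisation."""
from email import message_from_string, policy
from email.utils import parseaddr

TRUSTED_DOMAIN = "example.com"  # assumption: the organisation's own mail domain

# File types that should never arrive as "a research paper".
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".jar", ".docm", ".xlsm")
# Document types often used as the decoy half of "paper.pdf.exe".
DOC_EXTENSIONS = (".pdf", ".doc", ".docx", ".txt")

# Constructed sample: the display name is a colleague, but the address,
# Reply-To and Return-Path all point elsewhere and the "paper" is an executable.
SAMPLE_SPOOF = """\
Return-Path: <bounce@mail-relay.example.net>
Received: from mail-relay.example.net (mail-relay.example.net [192.0.2.10])
From: "Dave Smith" <dave.smith@research-papers.example.net>
Reply-To: dave.smith.research@example.org
To: you@example.com
Subject: Paper we discussed
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hi, here's that paper I mentioned. Let me know what you think.

--b1
Content-Type: application/octet-stream; name="paper.pdf.exe"
Content-Disposition: attachment; filename="paper.pdf.exe"
Content-Transfer-Encoding: base64

TVo=
--b1--
"""

# Constructed sample of the same request sent the safe way: internal address,
# file on the intranet rather than attached.
SAMPLE_OK = """\
Return-Path: <dave.smith@example.com>
From: "Dave Smith" <dave.smith@example.com>
To: you@example.com
Subject: Paper we discussed
Content-Type: text/plain

Hi, I've dropped that paper on the intranet in the shared papers folder. Dave
"""


def domain_of(header_value):
    """Lower-cased domain of the first address in a header, or '' if none."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def check_headers(raw):
    """Return a list of warnings; an empty list means nothing looked off."""
    msg = message_from_string(raw, policy=policy.default)
    warnings = []

    name, _ = parseaddr(str(msg["From"] or ""))
    from_domain = domain_of(msg["From"])
    if name and from_domain != TRUSTED_DOMAIN:
        warnings.append(f"'{name}' is writing from outside domain {from_domain!r}")

    # Replies and bounces should go back to where the mail claims to come from.
    for header in ("Reply-To", "Return-Path"):
        other = domain_of(msg[header])
        if other and other != from_domain:
            warnings.append(f"{header} domain {other!r} differs from From domain {from_domain!r}")

    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        stem, _, ext = filename.rpartition(".")
        if "." + ext in RISKY_EXTENSIONS:
            kind = "a decoy double extension" if stem.endswith(DOC_EXTENSIONS) else "an executable extension"
            warnings.append(f"attachment {filename!r} has {kind}")
    return warnings


def looks_spoofed(raw):
    """True when any of the checks above fires."""
    return bool(check_headers(raw))


if __name__ == "__main__":
    for label, sample in (("spoof", SAMPLE_SPOOF), ("ok", SAMPLE_OK)):
        print(label, check_headers(sample) or "no warnings")
```

None of these checks replaces the phone call to Dave: a sender who controls a look-alike domain can make Reply-To and Return-Path agree with From, and a genuine but compromised internal account passes all of them. They are a cheap first filter for the obvious cases, which is also the level at which most of the spoofs described in the question operate.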

  2. Worried1ask'n4many · 443 days ago

    Are the rumors true or is it now hot news that a virus/malware, etc., that was here B4 that put FBI over screen & said to unlock send $ is here or coming? We were warned that paid hackers are already working on the "CURE" for this monster. Say it isn't so? Although I was also told some kid porn pervs turned themselves in & we got some busted, YAH! What about the innocents crushed by such an attack? Some disabled, elderly or ppl w/o autos, that depend on a computer for day-to-day living, could be crushed by such an ordeal. On that side of the coin, it's already a costly thing for ppl that have no control over their circumstances, they're already trying to change the fact that they don't seem to get the discounts or early bird deals already, but to fight this too is just too much. I hope you can clear this mystery up. Sincerely, Thank-you

  3. Ellie Hurst · 441 days ago

    I think this is true and that phishing is being used in a very specific targeted way as part of a broader social engineering attack to facilitate a hack or cyber attack at a future point.
    One of the reasons it is still working after all this time is partly as described above, that the attacks are so specific and careful that they would fool people more easily (here I would cite the marvellous Graham Cluley and his BBC pal and the Press Release based 'hack' last week). But also the lack of ingrained and regular security awareness training in business.

  4. John Beatty · 441 days ago

    1) Back in the day when your best protection was a five metre thick stone wall, castles were often captured by simply bribing a susceptible inmate.

    2) I always operate my email client in text-only mode, with the display of remote images turned off (boring - but safer).

    3) Would it help if email clients automatically opened all attachments in a sandbox?

  5. Guest · 439 days ago

    Recently I received an email offering me a large salary for work for an undisclosed "big company". I noticed that the mail was much longer than the text shown, and when I went over it with my cursor while clicking left, it revealed an enormous amount of random news headlines in blue.
    What is the reason for this? Why fill a mail with invisible text?
    Thanks for your answers.

    • Steve · 439 days ago

      My guess would be that the hidden text was "fluff" to help fool spam filters. By increasing the amount of "legitimate" content, the amount of suspicious content then becomes comparatively smaller and thus less likely to trigger a filter.

    • haskbuster · 439 days ago

      "The advantage of this type of filtering is that it lets ordinary users help identify spam, and not just administrators, thus vastly increasing the pool of spam fighters. The disadvantage is that spammers can insert unique invisible gibberish—known as hashbusters—into the middle of each of their messages, thus making each message unique and having a different checksum. This leads to an arms race between the developers of the checksum software and the developers of the spam-generating software."

      From: http://en.wikipedia.org/wiki/Anti-spam_techniques

      I suspect it was the use of hashbusters, but strange they weren't put in the middle of the message.
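Both explanations offered above come down to the same mechanism: filler that the reader never sees but that the filter does. The following added example, not code from the original page or its author, shows why hidden text breaks a naive whole-message checksum and how normalising to the visible words restores a stable one. The two spam variants are constructed for the example, and the hidden-text patterns (display:none, zero font size, white text) are a deliberately small subset of what a real filter would have to recognise.

```python
"""Why hidden filler text defeats a naive per-message checksum, and one way
to neutralise it before hashing.

Added illustration, not code from the original page or its author. The two
spam variants below are constructed; the hidden-text heuristics are a
deliberately small subset of what a real filter would apply."""
import hashlib
import html
import re

# Constructed variants of one "job offer" spam. The visible pitch is identical;
# each copy carries different hidden filler (news headlines in white or
# zero-height text) so that a whole-message checksum is unique per recipient.
SPAM_A = """<html><body>
<p>We are pleased to offer you a position with a large company.
Salary: $120,000. Reply today with your details.</p>
<div style="display:none">stocks rally as markets open higher; rain expected tomorrow</div>
<font color="#FFFFFF">senate passes budget bill amid late night vote</font>
</body></html>"""

SPAM_B = """<html><body>
<p>We are pleased to offer you a position
with a large company. Salary: $120,000.
Reply today with your details.</p>
<span style="font-size:0;color:#fff">local team wins cup final; oil prices slip again</span>
<div style="display: none">new phone launched; airline cancels flights</div>
</body></html>"""

# An element whose attributes hide it: display:none, zero font size, or text
# coloured white (attribute or inline style). Matches up to the closing tag.
HIDDEN_BLOCK = re.compile(
    r"<(\w+)[^>]*\b(?:display\s*:\s*none|font-size\s*:\s*0|"
    r"color\s*[:=]\s*[\"']?#?(?:ffffff|fff|white))[^>]*>.*?</\1>",
    re.IGNORECASE | re.DOTALL,
)
TAG = re.compile(r"<[^>]+>")


def naive_checksum(raw):
    """Checksum of the message exactly as received: changes with every hashbuster."""
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()


def visible_text(raw):
    """Approximate what the recipient actually sees: drop hidden blocks and tags."""
    without_hidden = HIDDEN_BLOCK.sub(" ", raw)
    text = html.unescape(TAG.sub(" ", without_hidden))
    return " ".join(text.lower().split())


def normalised_checksum(raw):
    """Checksum of the visible words only, so cosmetic variation does not matter."""
    words = re.sub(r"[^a-z\s]", "", visible_text(raw))  # digits and punctuation vary easily
    return hashlib.sha256(" ".join(words.split()).encode("utf-8")).hexdigest()


if __name__ == "__main__":
    print("naive checksums match:     ", naive_checksum(SPAM_A) == naive_checksum(SPAM_B))
    print("normalised checksums match:", normalised_checksum(SPAM_A) == normalised_checksum(SPAM_B))
    print("visible text:", visible_text(SPAM_A))
```

The normalised hash is the kind of thing a collaborative checksum scheme can share, since every recipient's copy reduces to the same value. It is also where the arms race the Wikipedia excerpt mentions continues: the sender's next move is filler styled in ways this regex does not catch, visible text rendered as an image, or varying the visible wording itself, so a production filter stacks several such normalisations and fuzzy rather than exact hashes.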


About the author

John Hawes is Chief of Operations at Virus Bulletin, running independent anti-malware testing there since 2006. With over a decade of experience testing security products, John was elected to the board of directors of the Anti-Malware Testing Standards Organisation (AMTSO) in 2011.