Welcome to the SecAware blog

I spy with my beady eye ...

17 Jun 2020

Phishing evolution

The Interweb drums have been beating out news of an upsurge in phishing attacks over the past month or so. I’ve certainly had more than the normal number of things along these lines lately:

As usual, these are relatively crude and (for most reasonably alert people) easy to spot thanks to the obvious spelling and grammatical errors, often using spurious technobabble and urgency as well as the fake branding and sender email address in an attempt to trick victims. The ‘blocked emails’ and ‘storage limit’ memes are popular in my spam box right now, suggesting that these are basic phishing-as-a-service or phishing-kit products being used by idiots to lure, hook, land and gut other idiots. They are, however, using my first name in place of “Dear subscriber” or “Hello, how are you doing?” that we used to see, implying the use of mailmerge-type content customisation with databases of email addresses and other info on potential victims*.

Moving up the scale, some current phishing attempts are more sophisticated, more convincing. Sometimes it's just a lucky coincidence e.g. when the lure glints alluringly because it just happens to mention something I am currently doing - for example if I am dealing with American Express over a credit card issue, a scattergun phisher based around the Amex branding has a better than average chance of hooking me at that point. COVID-19 is an obvious lure right now, along with associated collateral and concerns such as face masks, sanitiser, death rates, lockdown, WFH and so forth (lots of potential there for the more creative phishers).

Sometimes I notice spear phishing where the phishers appear to have done a bit of research, crafting the lure, personalising it around something about me and my activities, interests, social groups etc. ... and here the problem gets really interesting. 

Being a professionally-paranoid infosec geek, I wonder/worry about phishers sneaking under my radar, slipping quietly past my twitching whiskers. What am I missing? Have I been hooked already? Am I dangling on the line?

From a classical information risk perspective:
  • The threats are out there, ranging from numerous but crude scatter-gunners through the pistol-touting mid-range phishers up to the snipers and beyond, heading into the realm of organised crime and espionage;

  • The vulnerabilities flow from the interconnectedness of modern life, coupled with the naivete and socio-biology that goes with being human;

  • The personal impacts of me being phished are limited although I am more concerned about the business and third party impacts e.g. someone phishing me as a stepping stone, a means to compromise other more valuable targets in my social and professional networks.
As the phishing tools and techniques grow ever more sophisticated, our controls must keep pace but, frankly, I've seen little progress over the past decade. We're still largely reliant on anti-spam, anti-virus and vigilance. There have been advances in the technologies behind email sender authentication and message integrity, no end of 'awareness campaigns' plus a few reputation- or group-based phisher detection and response approaches. Overall, though, I have the strong feeling that we're losing ground to the baddies in respect of preventive controls, placing greater emphasis on the need for incident detection, containment, response and recovery, plus resilience. 

And judging by the continuing  slew of ransomware incidents in the headlines, we're failing in that department too. 


It's time to review what I'm doing to protect myself, my business, family and friends against being phished. How about you? If, for instance, I had encouraged you to download a free phishing response pack or explore the realities of Business Email Compromise what are the chances you'd simply have clicked one or other of those links to take a look, without even glancing at the URLs? 

Just sayin'

Take care out there. Prevention trumps cure. Go wash your hands.

* PS  The mailmerge-type technique is obvious when it fails, leading to inept phishing emails like this: 
"I would like to discuss the possibility of your company with email address: %E-mail_address% partaking in government bulk supply contracts to Iraq over 2 year period."

No comments:

Post a Comment