Gone phishing: how attackers are still outsmarting security experts

Autumn is rolling in and with it - for many devotees of the line, reel and fly - are some of the best conditions for early-evening fishing. Using juicy bait, uncomplicated equipment and by casting their nets far and wide, fishing fans around the world will be reeling in the fruits of their work and patience: the tasty, fresh personal details of thousands of internet users.

Wait! Sorry. We’re actually talking about the less noble art of phishing this week which, according to web security firm Webroot, is becoming an increasingly prevalent part of the online landscape.

Gone phishing

So, to make sure we’re all on the same page, let’s quickly define a phishing attack: it’s a form of fraud whereby an online attacker will try to learn personal information (such as, but not limited to, login information, banking details or even just passwords) by masquerading as a trustworthy organisation or person.

We’ve all had faked IM windows appear with someone who reports to be from Barclay’s, for example, or an email from a hacked acquaintance asking for personal information.

Although you might have considered this form of online fraud as outdated, researchers at online security firm Webroot report that phishing is alive and well: in May 2017, the firm’s research found, the number of new phishing sites created in that month alone reached a new high of 2.3 million.

Webroot’s research has found that phishermen (if nobody’s used that to date, we’re coining it!) are using increasingly realistic web pages that are near-impossible to find by web crawlers and other efforts to close them down. Attackers are then using harvested data to steal online identities and use work email accounts to commit fraud all the way up to the CEO’s office.

The firm also found that the most common companies being impersonated in 2017 are Google, Dropbox, PayPal, Facebook and Apple. Seeing as only one of those directly deals with a victim’s bank account, it looks as though personal data is the truly valuable asset to steal.

Don’t get hooked

So, what can you do to avoid attacks, both on a personal and at an enterprise level?

One obvious way is to spend lots of money on a holistic solution that scrapes URLs, judges whether they are malicious and feeds it back into your security set-up, allowing you to protect even a whole organisation very swiftly.

Real-time analysis is one of the buzzwords of the modern security world, and it can be a help, too. Real-time intelligence feeds are available from industry-to-industry and can be integrated into all technology, applications and existing security controls you may have. This can extend to URL filtering, too, which can block emails with nasty phishing surprises contained within. According to Webroot, fraudulent websites tend to be up for an average of 4-8 hours, necessitating proactive filtering rather than domain or IP block lists, which can be outdated within a day.

At the same time, and as Webroot’s study pointed out, phishing scams’ growing efficacy to the real deal - and speed of adaptation - is hard to get around.

There are further preparatory steps that can be taken. Practising good awareness of online security issues is of paramount importance, particularly when it comes to social media. Personnel at any level should be aware of the risks of publishing data online - beyond your boss reading your innermost thoughts about him or her - with many lacking even the most basic security precautions online, like failing to only ‘friend’ people you know already, or tweaking the viewing and privacy settings on your Facebook posts to avoid any accidental leaks of info.

Further training can be directed at executive staff and their assistants - after all, Webroot pointed out that CEO hacks were as common as those on lower-downs, and were far more damaging. Any organisation you work with could provide a list of C-level staff and other VIPs, which can be fed into any systems that monitor illegal online activity and give you and a security a heads-up on any activity relating to them. Mitigating risk - or even just shutting down compromised accounts ahead of time - is the name of the game.

In the end, widespread education and careful web browsing (the most boring superhero team-up ever) are your most powerful allies in tackling phishing. It’s that, or to get a lot better at avoiding the hooks.

https://web.archive.org/web/20170921175851/https://www.computerweekly.com/news/450426696/More-than-one-million-new-phishing-sites-created-each-month

https://www.webroot.com/blog/2017/09/19/combatting-phishing-threat-together/

https://www.techtarget.com/searchsecurity/definition/phishing

https://www.csoonline.com/article/3229067/to-combat-phishing-you-must-change-your-approach.html