By Michael Osterman
Some Background Phishing attempts are widely distributed messages, normally delivered through email, that are designed to gather sensitive information from users, such as login credentials, credit card information, Social Security numbers and other valuable information.
Phishing emails are supposedly from trustworthy sources like credit card companies, banks, delivery companies and other organizations with which potential victims already have established relationships. More sophisticated phishers will use corporate logos and other identifiers that are designed to fool potential victims into believing that the phishing emails are genuine.
Phishing is not a new phenomenon – the earliest known attempts at fooling victims into voluntarily giving up their information dates back to about 1995, and the first mention of phishing occurred on January 2, 1996 in a Usenet newsgroup focused on America Online (AOL). AOL was the first substantial venue for phishing attempts by the “warez” community, or the community of individuals who deal in pirated software.
The growth and impact of phishing emails is substantial. For example, an Osterman Research survey found that there have been a variety of security incidents that were attributable to malicious emails, such as 41% of organizations that have lost sensitive data on an employee’s computer and 24 percent that have lost sensitive data from a corporate network.
A more targeted variant of phishing is “spear phishing”, which is normally directed at a smaller group of potential victims.
These potential victims might be senior officers within a company (Malwarebytes’ CFO was hit with one a few months back) or a government organization that are likely to possess sensitive information, such as login credentials to corporate financial accounts.
Spear phishing emails are generally quite focused, reflecting the fact that a cybercriminal has studied his or her prospective victims and has crafted a message that is designed to have a high degree of believability and a potentially high degree of successfully stealing sensitive information.
Phishing is Quite Successful One of the primary reasons that phishing is so successful is that many email users are not sufficiently skeptical or discriminating about suspicious emails, often because they lack training about how to identify phishing attempts. Our own research has found that once users are trained about phishing, they are less susceptible to these attempts.
Spearphishing, on the other hand, has become such a successful threat vector because many potential victims provide phishers with much of the information they need to craft messages that will seem to be genuine.
For example, Facebook, Twitter, LinkedIn and other social media venues contain large quantities of valuable information about personal preferences, travel plans, family members’ names, affiliations, and other personal and sensitive information that can be incorporated into spearphishing emails to make them seem more believable.
An Example To demonstrate how phishers might use personal information to their advantage, I found someone on Facebook who I do not know personally, who has an active presence, and provides a significant amount of information on his public Facebook page, including:
- He visited Tapley’s Pub in Whistler, British Columbia on September 20.
- He visited The Brewhouse Whistler on September 16.
- The names of at least some of the people he was with on September 13.
- He visited the 192 Brewing Company on September 12.
- He visited the Chainline Brewing Company on September 11.
- He visited American Pacific Mortgage on September 9.
- He went to a Seahawks game on September 3.
Moreover, based on his Facebook profile, I know the company for which he works, the city in which he lives, his wife’s name, and lots of other information about him. If I was a phisher attempting to gain access to his corporate login credentials, for example, I could craft an email with the subject line “Problem with your credit card charge at Tapley’s Pub” – a subject line that would likely resonate with him given his recent personal experience at that restaurant.
I could provide a short, believable message about a problem in running his credit card, and provide a link asking for him to verify the charge. That link could be to a site that would automatically download a keystroke logger to his computer, after which I would be able to capture every keystroke he made from then on, which might include login credentials, credit card numbers, etc.
Given that most smaller organizations often do not have the training or technology in place to detect phishing attempts, my chance of success at infecting his computer would be reasonably high.
In short, phishing and spearphishing are serious problems that will get worse in the future, often because victims are not sufficiently trained and because many provide key information to cybercriminals.
Michael Osterman is the president and founder of Osterman Research. He has more than 27 years of experience in the high-tech research industry and has spent nearly 16 years following the messaging and collaboration industries. Prior to founding Osterman Research in 2001, Michael was the Vice President of Market Research for Creative Networks, and has held senior analyst positions with SRI International and Ryan Hankin Kent. Follow him on Twitter: @mosterman
You can also check out Malwarebytes CEO Marcin Kleczynski interview Mike Osterman of Osterman Research: