Phishing: What is it and how does it affect me?

Transcription

1 Phishing: What is it and how does it affect me?

2 Contents Executive summary... 2 What is phishing?... 3 Recognition factors... 4 Attacking your business: the spear phish... 5 How is phishing affecting the UK?... 7 What should my business do?... 9 Conclusion...10 CUK PD 1

3 Executive summary Phishing is a problem almost as well-known now as itself. The practice of tricking people to provide sensitive data is arguably one of the most prolific and effective types of fraud anyone will encounter, and we are falling victim in our droves. This is hardly surprising considering the volume we are up against Kaspersky Labs stated they had detected over 50,000,000 phishes in the first three months of this year alone. This document aims to re-educate readers on the basics of phishing and promote the need for training in the workplace. This is not an exhaustive document however, HMG has produced detailed guidance on spear phishing and other phishing related fraud, such as pharming. There is also information online about current phishing campaigns, such as one affecting HMRC correspondence. The fact is, phishing is all around us and it is complex; many of those complexities stem from its basic premise fooling a person. Businesses need to invest more in protecting their employees from these dangers. The report will cover the basics (and much of the information contained may seem obvious to security professionals) but should hopefully serve as a guide to less technical managers or executives as to why to invest in network defences and training. The aim is to cover: What is phishing and what is the difference to spear phishing? What motivates an attacker? How big is the problem in the UK? Employee behaviours to encourage The importance of incident management and preparation There are many companies who are taking the appropriate steps on a daily basis to mitigate against this persistent threat but we constantly see reports of successful phishing attacks leading to significant financial losses or data theft and we want the vast experience industry has gained in battling phishing to be shared and learned from. CUK PD 2

4 What is phishing? Phishing is a particular type of scam, whereby victims are targeted from seemingly genuine persons or services, with the aim of tricking the recipient into either providing personal details or clicking on something that will allow the attacker to do something you may not be aware of. Spear phishing is a more targeted version of this attack and is often directed at specific people or organisations as opposed to the more blanket campaigns associated with phishing. Some examples might include: An claiming to be from a bank requesting you log in to verify your account due to fraudulent activity that has taken place; a link provided will direct to a website that looks similar to the genuine site which logs your genuine details once inputted An stating that you have been charged for a service you didn t use, with an attached document that is supposed to be an invoice; upon opening the attachment malicious code then installs on the computer without the user s knowledge An that appears to come from a high ranking person within your own organisation that requests a payment is made to a particular bank account; this is more commonly associated with spear phishing We see examples of this nature on a day to day basis. Attackers are often seeking financial gain, be it through directly stealing money, tricking employees into sending them money, or stealing information that can be sold on. Alternatively, they may just want access to information that your organisation keeps on its networks to spy on. The SANS institute tells us that 95% of all attacks on enterprise networks gained entry through spear phishing 1. That is a worrying figure and one that highlights the fact that human error is both inevitable and potentially devastating if not mitigated. If we can raise awareness of phishing and spear phishing, we could prevent headlines such as these: 1 CUK PD 3

5 Recognition factors Think you know what to look for? Phishing campaigns are designed for mass distribution and in recent years have become more convincing. This approach relies simply on numbers; the more targets, the more likely that someone will click on something. While there are thousands of campaigns that all look and sound different, we have detailed the most common aspects of a modern phishing . HOW TO CATCH A PHISH Sender. Were you expecting this ? Not recognising the sender isn t necessarily cause for concern but look carefully at the sender s name does it sound legitimate, or is it trying to mimic something you are familiar with? Subject line. Often alarmist, hoping to scare the reader into an action without much thought. May use excessive punctuation. Logo. The logo may be of a low quality if the attacker has simply cut and pasted from a website. Is it even a genuine company? Dear You. Be wary of s that refer to you by generic names, or in a way you find unusual, such as the first part of your address. Don t forget though, your actual name may be inferred by your address. The body. Look out for bad grammar or spelling errors but bear in mind modern phishing looks a lot better than it used to. Many phishing campaigns originate from non-english speaking countries but are written in English in order to target a wider global audience, so word choice may be odd or sound disjointed. The hyperlink/attachment. The whole is designed to impress on you the importance of clicking this link or attachment right now. Even if the link looks genuine, hover the mouse over it to reveal the true link, as shown in the image below. It may provide a clue that this is not a genuine . If you are still unsure, do not click the link just open a webpage and log onto your account via the normal method. If it appears to be from a trusted source, consider phoning the company s customer service, but never follow the s instructions. Be aware that some companies operate policies stating they will never include links in s and will never ask for personal information. Again, if in doubt, open a browser and check and do not open attachments. Signature block. The signature block may be a generic design or a copy from the real company. CUK PD 4

6 Attacking your business: the spear phish So how do you actually suffer from phishing? Here is a narrative of an attacker targeting a business (in this case, the fictional Company.Inc ) and subsequently stealing money. Company.Inc has been the subject of much investigation by an attacker who is using tools freely available on the internet in order to footprint the company s network. The IP ranges (the network addresses) used by the company have been discovered but existing cyber defences have so far stopped any attempts to gain access to the network. Gaining access to the company network is the goal here. Think about what information you have on your work computer and what someone could do with it payment details, personal records, phone numbers, company documents all potentially sellable, or could be ransomed. The attacker now tries vishing whereby he will use a phone conversation to try to legitimise a story to get the company s front desk to forward on a malicious for him. The attacker calls pretending to be an acquaintance of the company s CEO, but rather than wanting to speak to him, the attacker asks would you mind forwarding on this important for me? He has focussed his efforts on the CEO, David Smith, having read all about him on his completely open social media profiles. By publishing so much personal information in open social networks, and even on the company s own website, the attacker is able to come up with a genuinely convincing story, which adds pressure on the front desk to help. This time, however, the attack is thwarted by staff rightly challenging the anonymous caller about how he was unable contact the CEO in the first place. The attacker, undeterred, then changes tact by registering a fake domain that looks like (but is not the same as) the company s domain. With little effort made to style, he then sends an (below) hoping that the recipient will obey the instructions without question, having supposedly just received an from the boss! Several employees click on the attachments to open them. CUK PD 5

7 Regardless of their visible content (the attacker may make up something that looks genuine), upon opening the attachments a remote access tool (RAT) is automatically installed on the victim s machine, essentially allowing free access to the network (the attacker can log in and use the computer as though he was sat at the desk). A company domain is the end part of your work . In the image above you ll see company.co.uk whereas the genuine domain might be companyinc.co.uk easy to miss at a glance! You ll even notice there s a typo in the name of the . The warning signs are there if you are vigilant! Employees at Company.Inc enabled macros to automatically run on their machines, meaning when they open excel sheets (for example) some content is automatically triggered. This allowed the RAT to be installed without the user knowing. This particular RAT is exploiting a vulnerability (some misconfigured code) that had not been patched by the local system administrators (not keeping patching up to date is a common problem). The attacker, now with complete access to users computers, gathers as much information as possible by going through files and folders, potentially installing keyloggers to ascertain logins and passwords. At this point his options are wide open. He discovers the identity of a staff member with authority to make payments and, using their line manager s account, sends a completely legitimate from the line manager instructing a payment to be made for 10,000 to the attacker s account. Once payment is received, the attacker then deletes any evidence of wrongdoing from the network and vanishes. CUK PD 6

8 How is phishing affecting the UK? CERT-UK has been in contact with national and international partners to gather a realistic view of phishing in the UK to understand what the scale of the problem is and what businesses are doing about it. We have gathered views and experiences of network defenders from large and small organisations and have drawn the following five key points: Half of everyone who uses the internet will be sent a phishing today 1. Phishing is extremely widespread Phishing s are often sent in campaigns, and an enormous amount of the same will get sent to potentially millions of people. Most commonly, s are short and to the point and impress strongly the need to click a link, usually for the purposes of fraud prevention or saving an account from deactivation, and will often focus on personal accounts. 2. But we are actually quite good at spotting them. The vast majority of phishing s received each month are swept up by network defenders who set up rules in their own systems. Using signatures, such as headers, any matching incoming messages can be disregarded before appearing in the inbox. This system is perhaps the most popular and widely used to combat phishing in the workplace and is arguably the strongest tool for protecting employees. Generally, employees are good at spotting the majority of obvious phishing s. The Centre for the Protection of National Infrastructure (CPNI) endorses the Critical Security Controls 2 as an effective way to protect against spear phishing as well as other cyber-attacks. These are an in depth set of controls that can reduce your risk. 3. Training is effective. Almost all of the responding organisations said that their employees received some sort of training related to phishing. Those who ran specific training sessions on phishing found them to be most effective, as well as those who heard real-life examples of compromise. Many large organisations ran phishing exercises which involved sending a mock phishing to all employees in order to ascertain the current risk from those clicking on things they should not and some established mandatory training for those who clicked the link. A key part of training is establishing an environment where employees have the confidence to challenge s if they do not look right. Without the right training and awareness, that communication will not happen, either through apathy or ignorance. Using the Cyber-security Information Sharing Partnership 3 (CiSP) is a great way to stay informed of current campaigns CUK PD 7

9 4. Someone at your organisation WILL click on a link they should not. Every organisation that responded said that, at a minimum, a small percentage of staff (that they were aware of) had clicked links, while other organisations stated up to 30% of their workforce had clicked links. Of those that clicked links, a small percentage went on to enter sensitive details into forms. Conversely, some organisations saw a massive increase in reporting of exercise phishing, suggesting training was very effective. 100% of responding organisations had an employee that clicked a link that they should not have Your company s cyber defences need to be as good as they can reasonably be. However, with the threat phishing poses, you should expect to be compromised and therefore employees should know how to handle an incident. CESG provides a brief overview of steps to take to properly handle an incident 4 and CERT-UK s incident handling guidance can be found on CiSP. 5. Money is usually the target but not always! CERT-UK is aware that the majority of phishing and spear phishing is aimed at stealing or fraud but would like to remind readers that they also remain key tools of state-sponsored espionage. In fact, according to Verizon, 95% of espionage attacks involved phishing 5. Businesses will need to consider the risk of not only financial theft, but also of IP theft; something that other states are aggressively pursuing in the UK. Consider in your risk assessment the value of the information you hold to determined actors. Even if you are not the target, you may be the gateway to another organisation. You can help your organisation by signing up to the Cyber Essentials scheme 6 which is aimed at helping businesses protect themselves from cyber-attacks by implementing essential controls. By sharing information on CiSP about phishing you can have a wider impact outside of your organisation and by warning the community about phishing campaigns attacking your business, you can use advice provided by others and tap in to their skills and experience. All organisation victims, regardless of size, should contact Action Fraud if they have lost money or had their network compromised CUK PD 8

10 What should my business do? This report has highlighted some in depth reading from CPNI and CESG, which CERT-UK recommends fully. As an overview, the following diagram shows how we would like, and expect, organisations to continue to protect themselves from the dangers of phishing. It s not exhaustive, and can require a good amount of resource, which we know small and medium enterprises can struggle to maintain. We hope that, where this is not possible, the CiSP community can be a powerful resource. THE MODEL ORGANISATION Network defenders. Several different phishing and spear phishing s should be crafted by network defenders and sent out at irregular intervals. The employees should never be aware that exercising is being conducted. It is not necessary to exercise all employees at the same time and different office sections can be given differing qualities of phishing depending on past results or identified risk. The network defender can learn about new threats on CiSP. Employees. The recipients of the exercise phishing s will take one of three actions. It should be expected that the majority of employees will delete the without interacting with it. Some employees will recognise the phish and report it back to network defenders in these cases consider a reward system for those employees. By flagging up genuine phishes they may be preventing a network breach and saving the business money! Inevitably however some employees will fall victim. Trainers/line managers. It is important that employees who click are not reprimanded but given further training. Remember someone will click the link. This training could come in the form of an informal chat with a line manager reminding the employee of the dangers. Repeat offenders should be sent on a training course for recognition. One of the most overlooked aspects of training is what actions an employee should take upon realising they have perhaps entered sensitive details and this policy should be made clear to all in order to get more employees reporting phishes back to network defenders. Just one correct report could give the network defender the information necessary to block all other employees from receiving it. CUK PD 9

11 Conclusion Train your staff. That s it. Simply put, phishing is not going anywhere - we all know something about phishing, but statistics tell us we are still falling victim. As we rely more heavily on automated cyber defences we cannot forget the human element. Defences in the UK are generally good but are reactive to emerging threats, and this means we will always be vulnerable to unknown or undiscovered threats, and phishing is a common way to exploit these. Staff training is highly effective at reducing the risk. Training on phishing should be at the heart of a security culture whether by online training, demonstrations, exercises all of which should be periodic. We do know however, that training cannot eliminate the risk: someone will click a link they should not and then it is important your employees know, and feel confident using, the reporting procedures in place. Your business should remain vigilant and monitor your network proactively, making sure you have effective ways to process the data and tackle any issues that are flagged. There is much guidance available from trusted sources such as CPNI, CESG, and the gov.uk websites. Make sure your security teams are aware of recent campaigns and techniques by using CiSP where they can learn from others experience as well as share their own. And, after all that, if (or when) the time comes, use the help available to your business. Fraud is a crime, report it to Action Fraud or the police. CUK PD 10

12 A CERT-UK PUBLICATION COPYRIGHT 2015 CUK PD 11