An Example Phishing Attack

Or, Why it's not always a user's fault

Or, How the concept of identity can help thwart phishing attacks

At Infranet, we routinely help our customers prevent and respond to #security incidents. One of the most common is a phishing attack. When I talk with CIOs and IT Directors, one of the most common misconceptions is that phishing attacks succeed primarily because of a lack of user training or awareness. We want the problem to be that simple: users need to pay attention. But of course it's not.

Today we allowed several phishing attempts through our filter to use as real-world examples. The emails impersonated our CEO and were sent to several of our administrative staff. Interestingly, each email carried a different message; varying the text from copy to copy is a simple and effective way to slip past spam filters that key on repeated, bulk-mailed content. Here are two of the example messages.

Note something I've brought up before: mail clients on a smartphone show only the sender's display name by default, not the underlying From address. Here is an example from one of my recent presentations. Without tapping the DETAILS link, the recipient never sees the address the email actually came from and assumes the display name is accurate.

Back to our example phishing attack. We had one of our administrative staff reply to the message, which of course went to the impersonator. It is worth noting that the perpetrator understands responsiveness is important and replies very quickly, within 4 minutes of receiving an answer.

At this point in the interaction, the impostor has established an identity and is in an active conversation. The odds of a successful phishing attempt have improved, and it is time to strike. We also learn the currency of choice (gift cards!) and have a call to immediate action: "Which of the following gift cards can you pick up with in the hour?"

So there you have it, a simple, real-life example phishing attack. I would be remiss if I didn't offer you a solution to this problem, though. The cornerstone of #phishing (and #whaling or #spearphishing) attacks is impersonating an identity. Regardless of the training that end users receive, social engineering will continue to prey on your users' instincts to do their jobs. If an administrative employee receives an email from the boss, that person wants to be useful and demonstrate competence.

We need better technical solutions, which is where the concept of identity enters the picture. In this example, the impostor used our CEO's identity, a task as simple as creating a free email account and setting its display name to his name. How hard is that to do? Note that SPF, DKIM and DMARC on your own domain do not stop this variant: the message is sent legitimately from a domain the attacker controls, and only the display name is forged.

So what can a CIO or IT Manager do to thwart attacks like this? Implement tools that understand identity instead of merely filtering out bulk email. One simple rule, written as pseudo code, flags messages that carry the name of someone internal but originate from the outside world:

If (the sender's display name matches an internal user's display name)
  and (the sender's email address is NOT known and trusted)
    then (prepend a disclaimer to the message to alert the recipient)

This approach avoids the "alert fatigue" that sets in when every message from the outside world is flagged as potentially fraudulent. Another recommended test is for "near-miss" domains and usernames, where the attacker registers or uses something one or two characters away from the real thing. For instance, our domain is infranetgroup.com, so a near-miss domain would be infarnetgroup.com. Presented as pseudo code:

If (the sender's domain is SIMILAR to an internal domain)
  or (the sender's name is SIMILAR to an internal user's name)
    then (prepend a disclaimer to the message to alert the recipient)
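Here is a working version of both rules above (the display-name rule and the near-miss rule) in Python. This is an added example written for this article, not code from Infranet or from any email security product. The directory data (INTERNAL_DOMAINS, INTERNAL_USERS, TRUSTED_ADDRESSES) and the sample messages are constructed for illustration; "Pat Example" is a placeholder, not our CEO. "Similar" is implemented as a small Levenshtein edit distance after normalizing case and punctuation.

```python
"""Identity-aware mail tagging: flag display-name impersonation and
near-miss (look-alike) domains or names, then prepend a disclaimer.
Added example; directory data and messages below are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical directory data, assumed for this example.
INTERNAL_DOMAINS = {"infranetgroup.com"}
INTERNAL_USERS = {"Pat Example": "pat@infranetgroup.com"}  # display name -> mailbox
TRUSTED_ADDRESSES = set(INTERNAL_USERS.values()) | {
    "pat.example@gmail.com",  # a known, previously verified personal address
}


def normalize(text: str) -> str:
    """Case-fold, drop punctuation and collapse spaces: 'Pat  Example' -> 'pat example'."""
    return " ".join(re.sub(r"[^a-z0-9]+", " ", text.casefold()).split())


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_near_miss(candidate: str, known: str) -> bool:
    """True when candidate is a small edit away from known, but not identical.
    Short strings get a tighter limit to avoid flagging 'Bob' for 'Rob'."""
    if candidate == known:
        return False
    limit = 1 if len(known) < 10 else 2
    return levenshtein(candidate, known) <= limit


def analyze_sender(from_header: str) -> list[str]:
    """Return the reasons a From: header looks like impersonation ([] if clean)."""
    name, addr = parseaddr(from_header)
    addr = addr.casefold()
    if addr in TRUSTED_ADDRESSES:          # known mailbox: no alert, no fatigue
        return []
    domain = addr.rpartition("@")[2]
    reasons = []
    norm_name = normalize(name)
    for internal_name in INTERNAL_USERS:
        known = normalize(internal_name)
        if norm_name == known:             # rule 1: exact internal name, untrusted address
            reasons.append(f"display name '{name}' matches an internal user but "
                           f"the address {addr} is not known and trusted")
        elif norm_name and is_near_miss(norm_name, known):   # rule 2b: similar name
            reasons.append(f"display name '{name}' resembles internal user '{internal_name}'")
    for internal_domain in INTERNAL_DOMAINS:                 # rule 2a: similar domain
        if is_near_miss(domain, internal_domain):
            reasons.append(f"sender domain {domain} resembles {internal_domain}")
    return reasons


def tag_message(raw: str) -> str:
    """Prepend a specific, targeted disclaimer to the body of a suspicious message.
    Sample messages here are single-part text; multipart mail would need the
    banner inserted into its text/plain part instead."""
    msg = message_from_string(raw)
    reasons = analyze_sender(msg.get("From", ""))
    if not reasons:
        return raw
    banner = "[WARNING: possible impersonation] " + "; ".join(reasons) + "\n\n"
    msg.set_payload(banner + msg.get_payload())
    return msg.as_string()


# Constructed sample messages (not real mail).
SAMPLES = {
    "impersonation": "From: Pat Example <pat.example.ceo@gmail.com>\nTo: admin@infranetgroup.com\n"
                     "Subject: Are you available?\n\nI need a favor. Reply quickly.\n",
    "near_miss_domain": "From: Pat Example <pat@infarnetgroup.com>\nTo: admin@infranetgroup.com\n"
                        "Subject: Gift cards\n\nWhich gift cards can you pick up within the hour?\n",
    "near_miss_name": "From: Pat Exampel <someone@outlook.com>\nTo: admin@infranetgroup.com\n"
                      "Subject: Quick task\n\nAre you at your desk?\n",
    "legit_internal": "From: Pat Example <pat@infranetgroup.com>\nTo: admin@infranetgroup.com\n"
                      "Subject: Lunch\n\nSee you at noon.\n",
    "legit_external": "From: Vendor Support <support@vendor.example>\nTo: admin@infranetgroup.com\n"
                      "Subject: Ticket 12\n\nYour ticket was closed.\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"=== {label} ===\n{tag_message(raw)}")
```

Running the script tags the first three samples and leaves the two legitimate ones untouched; the near-miss domain message triggers both rules, because the display name is an exact match and the domain is two edits from ours. The trusted-address short circuit is what keeps the CEO's real internal and verified personal mailboxes alert-free. In production, the thresholds should be tuned against your own directory: one edit on a short name produces false positives, and the rule assumes the gateway already enforces DMARC so that a From address on your exact domain cannot simply be spoofed.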

At Infranet, we find specific, informative, targeted alerts to be more effective than blanket statements like, "This email originated outside of Infranet. Use caution when responding." By combining #Identity with other email filtering techniques (spam, virus, and content filtering), the solutions we implement, like Cisco's Cloud Email Security #CES, can help ensure that your users are able to make informed decisions on how to respond to an email from their CEO.

If you would like to learn more about advanced email security solutions, please visit our website at www.infranetgroup.com and let us know how we can help.
