This blog was written by an independent guest blogger.
You can install the latest generation of security software to protect against evil hackers, but what is the use of it if your employees continue to follow phishing links?
Several security companies conduct social and technical research of real-life phishing attacks aimed at different businesses and are impressed with the scale of the problem. The purpose of such studies is not only to understand how hackers deceive the staff and which hooks do they use but also to draw the right conclusions about what type of security awareness training to use and how often it is needed. One of the security companies I work with sent more than 15 thousand “phishing” emails to corporate mailboxes in 2019. Let’s see their results.
What is inside the phishing email?
According to statistics, last year, phishing became the most popular tool for penetrating the companies’ infrastructure. Attackers used this method in 70% of attacks. The second place took RDP hacking.
Globally, all phishing emails are trying to provoke a user to one of two actions - click on a phishing link or open a malicious attachment. During pentest projects, depending on the final task, researchers send employees several letters with a link to a web form for entering account credentials or Microsoft Office documents with malicious macros.
Most messages use harmless files that allow researchers to track only the fact of following the links or opening attachments. But sometimes, researchers send documents that contain macros that allow them to get remote access to workstations. Using such messages, researchers can check not only the vigilance of employees but also the reliability of the means of protection.
The main task of each such project is to make the “phishing” email to look as realistic as possible. Researchers try to craft letters and build the overall logic of the attack in the way a real cybercriminal would do it, assuming, for example, that the goal of the attacker is to gain access to the correspondence of the company’s top management personnel.
Usually, attackers start with harvesting information about the company using open sources. In one of the cases, our “attackers” discovered Outlook Web App, as well as news about the presence of a 0-day vulnerability in a browser used by this company. An attacker, preparing for an attack, considers all possible ways to achieve the desired goal and selects the most suitable and effective way.
What was found?
From our experience, users are more likely to open file attachments rather than provide their data via a web form. In each of the companies that were tested, several employees open attachments without any delay.
Among email topics used, corporate bonus programs (employee discounts, corporate offers from partner companies) turned out to be the most effective. About 33% of addressees reacted to such letters. The second place took letters that asked employees to read the new corporate rules or other important corporate documents.
Especially successful are attacks that have to do with current events. For example, in December, it is highly effective to offer the victims to check the work schedule for the upcoming holidays or find out about discounts on holiday events. This spring, the hottest topic, of course, was COVID-19. 15% of the recipients trusted our letters with the alleged memo about the protection measures taken by the company (that is, they opened the message and followed the link or opened the file attachment).
It is important to note (and it is predictable enough) - the more personalized the letter is, the higher the effectiveness of the attack.
In mailing lists sent to 1-3 recipients, the proportion of those who committed potentially dangerous acts can reach 100%. Such letters are highly targeted as it is clear that real cybercriminals can easily found the data about two or three employees using open sources. The larger the group of recipients, the more general the content of the letter becomes and its effectiveness decreases.
The results of the sociotechnical studies show that the main problem of employees when working with emails is their complete carelessness. All emails sent contained several signs of phishing: unknown sender address, non-existent contact information, prompting to disclose account credentials, masked links, the twisted domain name of the company.
The level of security of the system is determined by the security of its weakest link. Often these weak links are people, therefore:
- Employees should work with email responsibly.
- Management should not forget that emails need to be protected.
- Management should regularly conduct training of employees using harmless letters, as modern technical means cannot always provide full protection against social and technical attacks.
- Management should follow the news and timely notify employees of new types of phishing and malware attacks.
- Management should use relevant materials for training as phishing, like other hacker attacks, is regularly changing, adjusting to new situations.