Behavioral Conditioning, Not Awareness, Is the Answer to Phishing

BY AARON HIGBEE AND SCOTT GREAUX

You don’t stop phishing attacks by raising user awareness. A recent study conducted by a German university confirms what we at PhishMe have known all along: Focusing on awareness isn’t the point. The real solution is behavioral conditioning.

The study, conducted by Friedrich-Alexander University (FAU) of Erlangen-Nuremberg, Germany, used 1,700 students to simulate spear phishing attacks. An August 31 Ars Technica article published preliminary results of the study showing at least 50% of students clicked simulated phishes, even though they understood the risks.

With its headline, “So Much for Counter-phishing Training: Half of People Click Anything Sent to Them,” the article appears to suggest training is pointless. But we see it differently. While the article confirms what our own research has revealed – that awareness isn’t the problem – the proper conclusion to draw isn’t that training is futile. PhishMe agrees that awareness alone is not the answer and encourages organizations to focus on conditioning their employees to identify and report security risks.

We focus our training on conditioning human behavior, and the results speak for themselves. Our customers spend 22 seconds reviewing phishing education, and yet their susceptibility to phishing decreases significantly. Why? It’s the experience we put them through that changes behavior. Even when they are aware of the risks, as studies show, they are susceptible to opening email from unknown users and clicking suspicious links. But conditioned through the real-world examples we provide in our simulations, users are much less likely to click.

Enterprise Relevance

The FAU study focused on students, who were sent emails and Facebook messages with links purporting to be for photos from a New Year’s Eve party held a week before the study. “Links sent resolved to a webpage with the message ‘access denied,’ but the site logged the clicks by each student.”

It’s dangerous to apply research results obtained from a student population to enterprise workers. We have several problems with the approach as described. For starters, it wasn’t designed by people in the trenches who understand real-world threats, but by academics in a computer science department. We already know the bait used by the study’s authors works on students, as well as consumers, but is far less effective with enterprise users. Yet readers of the Ars Technica article are concluding the study’s results apply to enterprise environments.

We know that because we’ve started to get messages with their reactions. So we feel an obligation to point out the study didn’t use a realistic scenario, from an enterprise point of view. Real-world enterprise phishes are more likely to be emails pretending to be files from a scanner, a document with a job evaluation, or a message that someone has signed for a package addressed to the user.

There’s also a difference of perspective between students and enterprise users. Students, whose primary experience with computing revolves around mobile devices such as tablets and smartphones, don’t worry about cyber risks. Clicking a link from a smartphone isn’t going to compromise the device because such devices are nearly impervious to attacks. But click the link from a computer, and the story is quite different.

It also appears the FAU study focused only on clicking links, but phishing threats aren’t limited to one vector. Others include data entry, password credentials, clicking attachments, and email conversations that don’t involve links or attachments. Replicating some of these vectors in a real-world simulation is a bigger challenge than the method used by the study.

Focus on Reporting

A PhishMe-commissioned study found 94% of office workers know what phishing is and the risk it presents to organizations. The study also found that 94% of office workers know how to report suspicious emails in their organization. And that’s where the focus of training needs to be – reporting. When users are conditioned to report suspicious email, even if they do so after already clicking on it – maybe they had a lapse – the reporting is still valuable because it helps your security operations teams.

Learning to identify suspicious emails through conditioning is far more effective than general efforts to raise awareness. PhishMe Simulator provides customers with templates that include the exact content used by threat actors. By deriving content from our Phishing Intelligence platform we provide experiences that are relevant to enterprise users. This method allows customers to condition users to spot potential phishes, avoid interacting with them, and report them to their security teams.

While we appreciate the FAU’s study’s confirmation of what our own research has shown about awareness, we fear it may lead enterprises to make decisions based on the erroneous conclusion that training doesn’t matter. This perspective could lead to the compromise of a network with disastrous results. To avoid such an outcome, we at PhishMe stand ready to work with any academic institution or researcher that could benefit from our experience in the trenches to produce meaningful research about phishing.

Computing Security Awards Finalist

PhishMe Shortlisted as Finalist in Two Categories at Coveted 2016 Computing Security Awards

We are proud to confirm that PhishMe has been named as a finalist in two categories at the 2016 Computing Security Awards. PhishMe Simulator is shortlisted for ‘Anti Phishing Solution of the Year’ and ‘The Human Factor Award’ at a ceremony set to take place at London’s Cumberland Hotel on October 13th, 2016.

The Computing Security Awards champions the solutions and providers that help to keep organizations secure. Shortlisted for two distinct categories, PhishMe has been recognized not only for developing innovative human phishing defense and intelligence solutions, but also for its services to help organizations reduce phishing risk and susceptibility of human error-related data breaches.

With over 20 million employees trained in 160 countries, PhishMe Simulator has been proven to reduce the threat of employees falling victim to advanced cyber-attacks by up to 95%. The shortlisting at the Computing Security Awards is a credit to the hard work of the PhishMe research teams who use real phishing emails to create timely examples and content focused on today’s greatest threats such as Business Email Compromise (BEC) and Ransomware, transforming the entire workforce into an empowered line of defense against phishing.

Voting is open to the public so don’t forget to lend your support for us here and you can share on Twitter @PhishMe to help spread the word! The winners will be announced on 13 October at the Cumberland Hotel in Marble Arch, London.

PhishMe Announces New Excellence Awards Program for Customers

PhishMe is proud to announce our first-ever PhishMe Excellence Awards, taking place at our inaugural phishing defense summit and user conference, PhishMe Submerge, this September.

The PhishMe Excellence Awards showcase the outstanding achievements of security professionals to defend their companies against the damages of phishing. The companies and individuals recognized by the PhishMe Excellence awards are industry leaders, chosen for their innovative, successful programs to combat phishing attacks and protect their enterprise from the risks of malware infiltration and fraud loss.

Awards are distributed for performance excellence in three categories:

  • Phishing Defense Program of the Year: The most effective all-around, top performing, defensive phishing program across a comprehensive list of components including detection, alerting, reporting, employee training, employee participation, and results.
  • Incident Response Team of the Year: The top incident response team based on either of the following:
    • 1) Single Incident: scope of the incident, potential for damage, response strategy and cost/time saving value of the resolution; or
    • 2) Overall Process: the incident response team with the best ongoing process, system of detecting and deflecting the incident and minimizing the overall impact of phishing in the organization on an ongoing basis.
  • Most Innovative Phishing Defense Program: The most innovative phishing program implementation across an organization which could include contests, gamification, incentives, and other fresh approaches to improve training effectiveness and boost participation throughout the company.

All award submissions will be reviewed by an unbiased, anonymous panel of judges made up of PhishMe product experts, industry leaders and security professionals.

Award entries open today, September 1st 2016. Deadline for submission is September 19th, 2016.

Don’t delay – download the official PhishMe Awards Form 2016 and submit your nomination.

Winners and finalists will be recognized on-stage at the PhishMe Submerge Conference Awards Opening Session on Thursday, September 29 in Orlando, Florida. You do not have to be present to win. Winners will be included in PhishMe Excellence Awards press releases, media announcement and featured on the PhishMe website. Each category winner is asked to select a charity of choice to receive a contribution in appreciation of their success.

To register for PhishMe Submerge, please visit http://submerge.phishme.com/.

Macro Based Anti-Analysis

Over the past several months PhishMe research has noticed an increase in anti-analysis techniques being included within Office macro and script files. This is the first post in a series in which we look at the inclusion and effectiveness of these methods. Although the use of anti-analysis techniques is not new, they are generally observed within the packed payload in an effort to avoid detection by endpoint security solutions.

Most recently we came across a campaign of emails which included a malicious Microsoft Word document. The document contains a standard lure using an image instructing the user to enable active content as it was authored with a newer version of Microsoft Office.

figure 1

Once macros are enabled during analysis we generally see activity right away: execution is triggered when the document is opened or an object is initialized, and the script begins extracting or downloading a malicious payload. With samples from this campaign, however, we noticed that there was no activity when the macro was enabled.

Using oletools to quickly scan the document we see that the hook to trigger the macro code is using the Document_Close event instead of an event triggered using document open or object initialization. Running the sample in a sandbox further confirmed that dynamic analysis results were not available as the session timed out and the macro code was never executed.

figure 2

Visualizing the call-graph shows that the macro is composed of one main function and a de-obfuscation routine which allows us to quickly focus on the calls within the ijPql function. Analysis led us to find additional anti-analysis checks within the Macro before the payload was downloaded and executed.

figure 3

The macro first checks that the current username is not ‘USER’ and then checks that the RecentFiles count is > 3.

figure 4

The macro then makes an HTTP GET request to https://www.maxmind.com/geoip/v2.1/city/me with the following custom headers:

  • Referer: ‘https://www.maxmind.com/en/locate-my-ip-address’
  • User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)

A successful request returns a JSON object which includes a traits structure containing information about the ISP, organization and ASN.

figure 5

The response is then checked to see whether any of the following strings exist within the JSON string:

“AMAZON”, “ANONYMOUS”, “BITDEFENDER”, “BLUE COAT”, “CISCO SYSTEMS”, “CLOUD”, “DATA CENTER”, “DATACENTER”, “DATACENTRE”, “DEDICATED”, “ESET, SPOL”, “FIREEYE”, “FORCEPOINT”, “FORTINET”, “HETZNER”, “HOSTED”, “HOSTING”, “LEASEWEB”, “MICROSOFT”, “NFORCE”, “OVH SAS”, “PROOFPOINT”, “SECURITY”, “SERVER”, “STRONG TECHNOLOGIES”, “TREND MICRO”, “TRUSTWAVE”, “NORTH AMERICA”, “BLACKOAKCOMPUTERS”, “MIMECAST”, “TRENDMICRO”

If any of the checks fail, the macro will exit and not download the configured payload.
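As an added example (not code from this post or from PhishMe), the following Python triage helper replays the gating checks described above from a defender’s seat: it scans de-obfuscated VBA source for the four static tells (the Document_Close trigger, the USERNAME comparison, the RecentFiles count and the MaxMind lookup) and lets a sandbox operator test whether a given username, RecentFiles count and GeoIP response would make the macro exit before downloading anything. The VBA fragment, the two JSON responses and the function names are constructed for this example; the blocklist is the one listed above.

```python
import json
import re

# Constructed VBA fragment modelled on the behaviour the post describes.
# Assumption: this is NOT the sample's real code (whose strings are obfuscated);
# run the scanner on the de-obfuscated source you extract with olevba.
SAMPLE_VBA = r'''
Private Sub Document_Close()
    ijPql
End Sub

Sub ijPql()
    If UCase(Environ("USERNAME")) = "USER" Then Exit Sub
    If Application.RecentFiles.Count <= 3 Then Exit Sub
    Set h = CreateObject("MSXML2.XMLHTTP")
    h.Open "GET", "https://www.maxmind.com/geoip/v2.1/city/me", False
    h.setRequestHeader "Referer", "https://www.maxmind.com/en/locate-my-ip-address"
    h.Send
    ' ... response checked against the blocklist, then payload download ...
End Sub
'''

# The strings the post reports the macro searches for in the GeoIP response.
BLOCKLIST = (
    "AMAZON", "ANONYMOUS", "BITDEFENDER", "BLUE COAT", "CISCO SYSTEMS", "CLOUD",
    "DATA CENTER", "DATACENTER", "DATACENTRE", "DEDICATED", "ESET, SPOL",
    "FIREEYE", "FORCEPOINT", "FORTINET", "HETZNER", "HOSTED", "HOSTING",
    "LEASEWEB", "MICROSOFT", "NFORCE", "OVH SAS", "PROOFPOINT", "SECURITY",
    "SERVER", "STRONG TECHNOLOGIES", "TREND MICRO", "TRUSTWAVE", "NORTH AMERICA",
    "BLACKOAKCOMPUTERS", "MIMECAST", "TRENDMICRO",
)

# Static indicators: short name -> regex over the (de-obfuscated) VBA source.
INDICATORS = {
    "close_event_trigger": re.compile(r"\bDocument_Close\b", re.I),
    "username_check": re.compile(r'Environ\s*\(\s*"USERNAME"\s*\)', re.I),
    "recentfiles_check": re.compile(r"RecentFiles\.Count", re.I),
    "geoip_lookup": re.compile(r"maxmind\.com/geoip", re.I),
}


def find_indicators(vba_source: str) -> dict:
    """Return {indicator_name: bool} for each anti-analysis tell in the source."""
    return {name: bool(rx.search(vba_source)) for name, rx in INDICATORS.items()}


def matched_blocklist_terms(geoip_json: str) -> list:
    """Terms from BLOCKLIST occurring anywhere in the raw GeoIP JSON text
    (the macro matches on the whole string, not on parsed fields)."""
    upper = geoip_json.upper()
    return [term for term in BLOCKLIST if term in upper]


def would_macro_bail(username: str, recent_files_count: int, geoip_json: str) -> tuple:
    """Replay the three gating checks with the values an analysis VM presents.

    Returns (bails, reason). True means dynamic analysis on that VM would show
    no activity even after the Document_Close event fires.
    """
    if username.upper() == "USER":
        return True, "username is USER"
    if recent_files_count <= 3:
        return True, "RecentFiles count is not > 3"
    hits = matched_blocklist_terms(geoip_json)
    if hits:
        return True, "GeoIP traits matched: " + ", ".join(hits)
    return False, "all checks passed; payload download would proceed"


# Constructed GeoIP responses: field names follow MaxMind's documented "traits"
# object, values are made up, ASNs are from the reserved documentation range.
CLOUD_EGRESS = json.dumps({"traits": {"isp": "Amazon.com", "organization": "AWS EC2",
                                       "autonomous_system_number": 64496}})
RESIDENTIAL_EGRESS = json.dumps({"traits": {"isp": "Example Broadband",
                                             "organization": "Example Telecom",
                                             "autonomous_system_number": 64497}})

if __name__ == "__main__":
    print(find_indicators(SAMPLE_VBA))
    for user, count, resp in [("USER", 10, RESIDENTIAL_EGRESS),
                              ("alice", 2, RESIDENTIAL_EGRESS),
                              ("alice", 10, CLOUD_EGRESS),
                              ("alice", 10, RESIDENTIAL_EGRESS)]:
        print(user, count, would_macro_bail(user, count, resp))
```

A bail-out on the GeoIP check tells you the sandbox’s egress address is attributed to hosting or security infrastructure, which is why a run from a cloud-hosted analysis VM shows nothing; the close_event_trigger indicator tells you the analysis session has to close the document before it times out, or the macro body will never execute at all.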

Conclusion

We see another example of attackers migrating anti-analysis techniques that are traditionally seen within a packed payload up the stack into the initial infection script. The use of a finalization event (on_close) to trigger execution demonstrates that attackers understand the default capabilities of sandboxes and are implementing techniques to bypass automated analysis. Additionally, the inclusion of network source checks focusing on security and hosting infrastructure further indicates awareness of cloud-based services being leveraged by researchers and security companies.

Although the checks are easily bypassed by researchers and analysts because they are implemented in a scripting language, they have been observed to be effective in circumventing dynamic analysis in common sandbox deployments.

Document Samples

  • 683154fa03f494bd368042b3546f7b04
  • 3bb6807d88a7ee359d7d813e01700001
  • 4c59ccbc0c524069e46ad8d92e65a14c

PhishMe Honored on the Inc. 5000 List for the Second Year in a Row

After Posting 3-year Cumulative Growth of More than 560 Percent, PhishMe Recognized as One of America’s Fastest-Growing Private Companies

LEESBURG, VA – August 17, 2016 – PhishMe, Inc., the leading provider of human-phishing defense solutions, announced today that Inc. magazine has ranked PhishMe No. 700 on its 35th annual Inc. 5000, the most prestigious ranking of the nation’s fastest-growing private companies. The list represents a unique look at the most successful companies within the American economy’s most dynamic segment— its independent small businesses. Companies such as Microsoft, Dell, Domino’s Pizza, Pandora, Timberland, LinkedIn, Yelp, Zillow, and many other well-known names gained their first national exposure as honorees of the Inc. 5000.

“Making the Inc. 5000 list two-years in a row is a tremendous honor and a testament to all the hard work our team has been doing,” said Rohyt Belani, CEO and Co-Founder of PhishMe. “PhishMe has maintained our focus and executed cleanly over the past several years. Our strong business fundamentals have afforded us the platform for expansive growth while cybersecurity continues to be at the forefront of businesses in this digital age.”

PhishMe has recently achieved record cumulative growth of more than 560 percent over the last three years. In addition, the company has helped more than half of the Fortune 100 organizations to defend themselves against thousands of phishing attacks perpetrated by cybercriminals across the globe, helping PhishMe attain a 93 percent gross retention and negative net churn.

The 2016 Inc. 5000 is the most competitive crop in the list’s history. The average company on the list achieved a mind-boggling three-year growth of 433%. The Inc. 5000’s aggregate revenue is $200 billion, and the companies on the list collectively generated 640,000 jobs over the past three years, or about 8% of all jobs created in the entire economy during that period. Complete results of the Inc. 5000 can be found at www.inc.com/inc5000.

Connect with PhishMe Online:

Follow PhishMe on Twitter: https://twitter.com/phishme

Follow PhishMe’s Blog: http://phishme.com/blog/

Follow PhishMe on LinkedIn: https://www.linkedin.com/company/phishme-inc-

About PhishMe

PhishMe is the leading provider of human-focused phishing defense solutions for organizations concerned about their susceptibility to today’s top attack vector — spear phishing. PhishMe’s intelligence-driven platform turns employees into an active line of defense by enabling them to identify, report, and mitigate spear phishing, malware, and drive-by threats. Our open approach ensures that PhishMe integrates easily into the security technology stack, demonstrating measurable results to help inform an organization’s security decision making process. PhishMe’s customers include the defense industrial base, energy, financial services, healthcare, and manufacturing industries, as well as other Global 1000 entities that understand changing user security behavior will improve security, aid incident response, and reduce the risk of compromise.

More about the Inc. 5000

The 2016 Inc. 5000 is ranked according to percentage revenue growth when comparing 2012 to 2015. To qualify, companies must have been founded and generating revenue by March 31, 2012. They had to be U.S.-based, privately held, for profit, and independent—not subsidiaries or divisions of other companies—as of December 31, 2015. (Since then, a number of companies on the list have gone public or been acquired.) The minimum revenue required for 2012 is $100,000; the minimum for 2015 is $2 million.

Lastline, Mimecast, McAfee and More Join Rapidly Expanding PhishMe Technology Alliance Program

Join PhishMe at Black Hat 2016 to Learn How Joint Customers Maximize Investments in Lastline, Mimecast, IBM, McAfee and Recorded Future

LEESBURG, VA – 2 August, 2016 – PhishMe Inc., the leading provider of human phishing defense solutions, today announced the addition of further technology partners to its Technology Alliance Program (TAP), an ecosystem of the world’s leading security providers. TAP has continued to deliver exceptional value to mutual customers since its formation in March 2016, and with the likes of Lastline and Mimecast joining existing members including FireEye and Cisco, the alliance has further strengthened its ability to protect organizations from today’s advanced threats.

TAP launched in early 2016 to provide organizations with simple integrations that bolster security, improve operational workflow and manageability, maximize security investments, and reduce the risk of falling victim to phishing-driven cyberattacks. After considerable success, the program is pleased to welcome more of the industry’s leading solutions and services providers:

  • Lastline: PhishMe Triage and Lastline Analyst have partnered to provide security teams with an integrated phishing incident response malware analysis solution. The integration has made it efficient for mutual customers to automatically and accurately identify malware much faster, and increase the value from existing security investments
  • Mimecast: PhishMe has entered into an alliance with Mimecast as a go-to-market partner. PhishMe has also joined forces with Mimecast as a founding member within their recently announced Cybersecurity Resiliency Alliance Network.
  • Bay Dynamics: User Behavior Analytics (UBA) leader, Bay Dynamics, and PhishMe partner to empower security teams to conduct phishing simulation campaigns against employees based on their risk profile.
  • McAfee: PhishMe Triage and PhishMe Intelligence can send to or ingest into McAfee’s ESM.
  • ThreatQuotient and Anomali: PhishMe Intelligence can be consumed into leading threat intelligence platforms (TIPs) and cross-correlated across other sources of threat intelligence.

PhishMe is also pleased to have expanded integrations with initial TAP partners:

  • Recorded Future: PhishMe and Recorded Future added to their integration for customers to continually pivot between human-verified phishing intelligence and real-time threat intelligence through the OMNI Intelligence Integration.
  • LogRhythm: PhishMe and LogRhythm completed the integration with PhishMe Triage and LogRhythm’s Security Intelligence Platform.
  • IBM: PhishMe Intelligence and PhishMe Triage support IBM QRadar.
  • HPE: PhishMe has achieved ArcSight certification for PhishMe Intelligence and PhishMe Triage.
  • Splunk: PhishMe Intelligence apps are available at Splunk

“We’re excited to be partnering with PhishMe! By combining PhishMe Triage and Lastline Analyst, we’ve made it efficient for our mutual customers to automatically and accurately identify malware much faster. An added benefit is that our customers increase the value from existing security investments,” said Brian Laing, Vice President of Business Development and Product, at Lastline.

“The PhishMe Technology Alliance Program was created to deliver security benefits that can only be achieved through close cooperation and shared intelligence,” explained Allan Carey, Vice President of Business Development at PhishMe. “By collaborating with industry leading security providers such as Lastline, Mimecast, and our existing TAP members, the alliance is actively showing what can be achieved through a shared commitment to increase security operations efficiency and maximize customer value. Together, we are giving organizations the security solutions and intelligence they need to proactively detect and quickly respond to cyber attacks.”

To learn more about the PhishMe Technology Alliance Program, visit booth 1315 at Black Hat 2016 in Las Vegas.


Q2 2016 Firmly Establishes Ransomware as a Mature Business Model for Malicious Actors

PhishMe Q2 Malware Review identifies key security trends including the rise of encryption ransomware and remote malware deployments

LEESBURG, VA – 2 August, 2016 – PhishMe Inc., a leading provider of human phishing defense solutions, has revealed that the second quarter of 2016 saw ransomware firmly establish itself as a mature business model, with the threat showing no outward signs of diminishing. Encryption ransomware now accounts for 50% of all malware configurations, meaning that it is no longer considered simply a means for making a quick profit, but a permanent fixture on the threat landscape.

Published today, PhishMe’s Q2 2016 Malware Review identified three key trends previously recorded earlier in the year, but now firmly established:

  • Encryption ransomware: Given the tenacity and frequency of ransomware phishing attacks, it appears cybercriminals now consider this a tried and trusted business model
  • Rise in evasion techniques: PhishMe encountered an increase in the number and volume of malware deployments incorporating simple evasion techniques to circumvent protection by security solutions
  • Simple attacks still pack a punch: Numerous deployments of malware were recorded with less sophisticated actors who still wield robust feature sets

In March of 2016, PhishMe malware analysis noted a strong diversification of ransomware strains, which were responsible for 93% of all malware payloads delivered that month. The Q2 malware research shows that ransomware began to consolidate in May and June as Cerber encryption ransomware and Locky strongly dominated the ransomware scene. The research behind this ransomware evolution strongly supports the notion that ransomware has effectively become a major business model for threat actors seeking the most advantageous and cost-effective means of generating sustainable profits.

“Barely a year ago, ransomware was a concerning trend on the rise. Now, ransomware is a fully established business model and a reliable profit engine for cybercriminals, as threat actors involved treat it as a legitimate industry by selling information, tools and resources to peers based all around the world,” explained Rohyt Belani, CEO & Co-Founder, PhishMe. “Empowering the human element to detect and report these campaigns needs to be a top priority for organizations if they are to protect themselves from a threat that is here for the long term.”

The report also unveils findings on the usage of steganography and ciphers in malware delivery, both increasingly popular anti-analysis techniques designed to bypass security solutions and the efforts of security researchers. Using a common steganographic technique, threat actors are able to hide the Cerber executable within a seemingly harmless image file – sneaking past layers of security technologies to make its way into the target victim’s inbox. The report provides further examples of how the executables are embedded and what to look for when conducting a deep ransomware analysis.

Additionally, the Q2 2016 Malware Review also sheds light on remote access Trojan utilities which have garnered significant attention recently due to their purported use in the high profile intrusion and apparent theft of data from the Democratic National Committee. While details regarding the attack are still private, deployment of remote access Trojans via phishing email is a frequent occurrence. The risks associated with these less-sophisticated, yet feature-packed malware utilities have been underscored through frequent use by advanced actors.

To download a full copy of the Q2 2016 Malware Review, click here


PhishMe Expands Availability of Phishing Incident Response Solution with Cloud and Managed Deployments

PhishMe Triage is now more easily deployed to meet the needs of organizations of all sizes

LEESBURG, VA – London, UK – 2 August, 2016 – PhishMe, Inc., the leading provider of human-phishing defense solutions, announced today that it has added powerful new features and deployment options to its phishing threat management and incident response platform, PhishMe Triage. PhishMe Triage users can now choose between three deployment options to fit their organization’s needs. Still available in its original form as a virtual appliance, PhishMe Triage now offers a secure cloud and a fully managed option to customers.

PhishMe Triage Cloud delivers a faster time to deploy with a dedicated instance hosted in the PhishMe secure cloud infrastructure that allows customers to continue to manage the day-to-day operational and analysis tasks. With PhishMe Triage Cloud, new customers can be up and running in a matter of days. PhishMe Triage Managed gives customers the opportunity to completely outsource their phishing incident response programs, and includes customizable SLAs, reporting and analysis of reported phishing incidents, while freeing SOC and IR teams to concentrate on other critical tasks. The additional deployment options for PhishMe Triage make phishing incident response more available to organizations of all sizes and needs.

PhishMe Triage Cloud and PhishMe Triage Managed are already in use by dozens of customers today. John Helt, Cyber Security Analyst at Scripps Networks Interactive, a leading developer of lifestyle-content for television and the Internet, said: “PhishMe Triage allows us to encourage our users to report suspicious messages knowing that each will be carefully analyzed with prompt feedback returned to each individual. The solution provides our response teams the rapid, detailed information they need to address e-mail threats quickly and efficiently without wasting time chasing false positives.”

Further strengthening the Triage capabilities, PhishMe has added new significant features to the solution, these include:

Reputation Prioritization with VIP Reporter

PhishMe Triage now prioritizes suspicious activity reported by trusted “VIPs” within an organization. The ability to set reputation and trust levels for VIPs helps operators quickly assess and respond to possible threats as reported by the most vigilant and astute reporters in the company.

Streamlined Management with Syslog Alerts

PhishMe Triage can now proactively provide timely threat information to SOC operators even if they are not actively monitoring the solution when a threat is reported. With Syslog Alerts, PhishMe Triage can drive a pre-configured alert into the customer’s SIEM to trigger workflows established to handle security alerts.

Lastline Analyst Integration

PhishMe Triage and Lastline Analyst have partnered to provide security teams with an integrated phishing incident response malware analysis solution. The integration has made it efficient for mutual customers to automatically and accurately identify malware much faster, and increase the value from existing security investments.

“As malware attacks continue to grow exponentially, it is important for businesses to rely on a solution that is widely available and accessible. The expansion of PhishMe Triage deployment options enables businesses to scale up and scale down their security efforts for a leaner experience,” said Aaron Higbee, CTO at PhishMe. “Updates to our Triage offerings will also enable our customers to significantly reduce incident response times, whilst allowing them to obtain accurate threat information for timely security alerts.”

For more information on PhishMe’s enterprise phishing defense solution, please visit http://phishme.com/product-services/pm-solution/.


PhishMe Triage™ Advances Malware Investigation with Lastline Analyst

Phishing Incident Response – Through Automated Malware Analysis

Conditioning employees to detect and report suspicious email is a strategy security leaders have adopted through PhishMe’s innovative solutions. CISOs have realized that while technology continues to get better at preventing malware, attackers continue to elevate their game and never rest, and neglecting people as defenders would be a mistake.

Cyber Crime: The Unreported Offense

On July 22, 2016 the UK’s Office for National Statistics released crime details for the year ending March 2016. For the first time, this data included information about fraud and computer misuse offenses, which the National Crime Survey began compiling in October 2015. While the police recorded 4.5 million offenses from March 2015 to March 2016, the survey indicates there were likely 3.8 million fraud instances and 2 million computer misuse instances during that same year, with the vast majority of these crimes going unreported to law enforcement. The report has prompted a new call for additional cyber crime reporting at all levels. In the UK, consumers and businesses alike are encouraged to submit suspicious activities and cases of loss to ActionFraud: the National Fraud & Cyber Crime Reporting Centre. ActionFraud also offers a Business Reporting Tool for bulk submissions by businesses of both fraud and scam emails.*

Earlier in July, the UK’s National Crime Agency also released its report “Cyber Crime Assessment 2016.” The primary point made by the NCA report is the “need for a stronger law enforcement and business partnership to fight cyber crime.”

NCA Cyber Crime Assessment 2016

The NCA report called special attention to the sophisticated abilities of international crime groups, making them “the most competent and dangerous cyber criminals targeting UK businesses.” These groups are behind the most sophisticated financial crime malware.

“This malware is a substantial source of financial crime in the UK, with three variants: DRIDEX, NEVERQUEST and DYRE /DYREZA, appearing frequently and responsible for many hundreds of thousands of individual crimes in 2015.”

The report also highlights the danger of ransomware and Distributed Denial of Service (DDoS) attacks.

While arrests were made in the DRIDEX case, the same botnet is now the leading source of the Locky ransomware family, the focus of more than 50 PhishMe Intelligence reports in the past month alone!

Statements made in March by Sir Bernard Hogan-Howe, the police commissioner of the Metropolitan Police of London, received mixed reviews when he said that banks that refunded their customers after cyber incidents were “rewarding them for bad behavior” instead of teaching them to be safer online. GCHQ suggested that 80% of consumer-facing cyber crime could be stopped just by choosing safer passwords and keeping one’s systems updated with current security patches.

The NCA report points out, however, that it isn’t just consumers who are not pulling their weight in the fight against cyber crime. Businesses also have a responsibility to do more. The report urges corporate boards of directors to make sure that their information technology teams are not merely checking the boxes required by compliance regulations, but are taking an active role in assisting the cause by ensuring that their businesses report cyber crime incidents. As widely seen in the United States, one may be compliant with PCI, Sarbanes-Oxley, HIPAA, and other regulatory standards yet still be extremely vulnerable to the type of sophisticated cyber attacks mounted by these international crime groups.

Moving beyond box-ticking cyber security

“Directors also have an important role in addressing the under-reporting of cyber crime which continues to obscure the full understanding of, and hence responses to, cyber crime in the UK. In particular, we urge businesses to report when they are victims of cyber crime and to share more intelligence, both with law enforcement and with each other.”

– NCA Strategic Cyber Industry Group

Dridex, NeverQuest, Dyre, Ransomware – Meet PhishMe Reporter & Triage

At PhishMe, we are intimately familiar with the prevalence of the malware families discussed in the UK government’s reports. We provide detailed intelligence reports to our customers about all of those malware families, which are among the most common email-based threats we encounter as we scrub through millions of emails each day to identify the greatest threats and get human-driven analysis of those threats back out to our customers.

We support the security strategy and defense posture recommended by the NCA Strategic Cyber Industry Group. Our industry must move from a reactive, check-box security mentality to a proactive method of gathering and analyzing security incident reports. With PhishMe, every employee can become part of the solution to “under-reporting” with a click of the mouse on the “Report Phishing” button, and customers can also share that information back to PhishMe, allowing us to provide indicators that help protect ALL customers and to help inform our law enforcement partners.

The PhishMe Reporter Button

If your business would like to answer the call to do more information sharing about these top malicious threats, PhishMe Triage provides a single place for all of those employee reports to be integrated. By providing a dashboard-driven interface to all employee-reported malicious emails, the security team can quickly spot the most dangerous trends, confirm the facts, and report to law enforcement, as recommended in the UK’s National Crime Agency report.

In addition, PhishMe Intelligence customers received over 2,500 malware email campaign reports as well as more than 600,000 individual phishing reports that can be used as an intelligence feed to strengthen your corporate defenses against these malicious actors.

We look forward to partnering with our UK customers, and all of our customers, who choose to take an active stance in the fight against cyber crime by answering the call for increased vigilance and reporting.


* – U.S. businesses are encouraged to report cyber crime and fraud to the FBI’s Internet Crime Complaint Center, IC3.gov.