People are often curious about what percentage of users will fall for a phishing attack, and it’s tempting to try to create this kind of statistic. At PhishMe, we’ve found that trying to assign a blanket statistic is counterproductive – however this hasn’t stopped others in the industry from trying to do so. The most recent company to try is Intel Security (formerly McAfee), which declared that 97% of people globally were unable to correctly identify phishing emails. While this statistic certainly makes for a nice headline, it is broad-based and flawed in a number of ways.
For those who may have lost track of time, it’s 2015, and phishing is still a thing. Hackers are breaking into networks, stealing millions of dollars, and the current state of the Internet is pretty grim.
We are surrounded with large-scale attacks, and as incident responders, we are often overwhelmed, which creates the perception that the attackers are one step ahead of us. This is how most folks see the attackers, as being a super villain who only knows evil, breathes evil, and only does new evil things to trump the last evil thing.
This perception leads to us receiving lots of questions about the latest attack methods. Portraying our adversaries as being extremely sophisticated, powerful foes makes for a juicy narrative, but the reality is that attackers are not as advanced as they are made out to be.
In the early days of malware, we all remember analyzing samples of IRC botnets that were relatively simple, where the malware would connect to a random port running IRC, joining the botnet and waiting for commands from their leader. In this day and age, it’s slightly different. Whereas botnets previously had to run on systems that attackers owned or had compromised, now bots can run on Skype and other cloud-based chat programs, providing an even lower-cost alternative for attackers.
’Tis the season for phishing emails, scams, and fake tech support calls. We recently investigated such a call received by one of PhishMe’s employees. After saying that he would call the “technician” back, the employee passed the number over to us and we began to investigate.
The number the technician provided us was “646-568-7609.” A quick Google search of the number shows that other users have received similar calls from the same number. In one example, “Peter from Windows” was the person calling. In our case, it was Alex Jordan from Seattle.
Most of us have been in an airport and heard the announcement over the loud speaker; “If you see something, say something.” The airport has security personnel; however, their agents cannot be everywhere at once. They collectively rely on travelers passing through the airport to be their eyes and ears in places agents cannot be. In this way, as an airport traveler, you are a “sensor” watching for, detecting, and alerting on suspicious behavior such as unoccupied luggage.
What does this have to do with information security? Just as passengers can help prevent an incident in the airport by reporting suspicious activity, employees can help prevent a data breach by reporting suspicious email. The key to unlocking this valuable source of threat intelligence is to simplify the reporting process for employees, and to measure the results of your program to prioritize reports from savvy users.
Using tiny URLs to redirect users to phishing and malware domains is nothing new, but just because it’s a common delivery tactic doesn’t mean that attackers aren’t using it to deliver new malware samples. We recently received a report of a phishing email from one of our users here at PhishMe that employed a shortened google URL, and led to some surprising malware.
Through the power of user reporting, we received the report, discovered the malicious nature of the shortened URL, and reported the issue to Google – all within a span of 30 minutes. Google reacted quickly and took the link down shortly after our report.
Speaking in front of the House Committee on Special Intelligence earlier this year, Kevin Mandia (CEO of Mandiant) remarked that, “One of the most valuable resources in detecting and responding to cyber attacks is accurate and timely threat intelligence.” Despite its value, many organizations don’t have a way to get timely threat intelligence.
How can organizations improve in this area? If you know anything about us, it probably won’t shock you that we’re encouraging enterprises to focus on their users as a source of real-time threat intelligence. Given that the vast majority of targeted attacks focus on the end user as the primary point of entry, many compromises go through employees first, making them a potential (and largely untapped) source of intelligence about threats. Up until now, however, we’ve focused solely on the end user’s ability to recognize cyber attacks. We’ve proven users can be trained to improve their behavior toward phishing attacks, and we believe they are capable of more.