We’ve come a long way since the first large-scale outbreaks of advance fee fraud and email account hacking, back in 1986. In the years since, cyber-criminals and fraudsters have stepped up their game considerably – to the point where, in some unfortunate organisations, it’s nearly impossible to distinguish between genuine staff and authorised users of a network, and those who are simply posing as such.
In this two-part series, we’ll be exploring the problems caused by imposters who gain access to corporate networks and identities, and the measures that may be taken to mitigate the threat that they pose. We’ll begin by exploring the nature of the imposter threat itself.
Scaling Up the Attacks
In a report titled “The Human Factor 2016”, analysts at Proofpoint have laid out the extent to which fraudsters using increasingly sophisticated techniques have escalated their assault on corporate networks. Proofpoint’s findings suggest that some 74% of the bogus web addresses used in email lures point to sites constructed for collecting user credentials and other valuable information. This contrasts with the previous trend, in which lures attempted to bait the unwary recipient into visiting sites hosting malware.
Malicious software still figures in the fraudsters’ plans (as we shall see), but its applications have been given a clever twist.
Phishing for Credentials
Phishing is an online deception which involves inducing an unsuspecting user to reveal personal information such as credit card data or login passwords on a bogus web page or email form that’s been designed to resemble a legitimate company or organisation – like their bank.
In the past, phishing has been employed by fraudsters as a high-volume strategy, characterised by mass mailings. The psychology of this approach is simple: if you put out enough bait, someone’s going to bite. Simple – but the hit rate for all that spam may not be as rich in data and opportunities for access as the fraudsters might wish.
So, in recent years, targeted phishing campaigns have gained in popularity. At a larger scale, popular and trusted websites and online resources such as Dropbox and Google’s platform of tools and social media are being used as the lure in email phishing campaigns. The idea is that, because people have been using these services for legitimate business and trust them, they are more likely to respond to a message concerning their accounts on these sites.
For more cleverly crafted campaigns with potentially higher pay-offs, imposters are biding their time, and doing their research. By hacking into contact lists and studying user profiles on social media, they are able to identify likely correspondents (who may be organisations or specific individuals) from whom an urgent email requesting action or information will probably receive a positive response.
There are even categories for this type of imposter activity. For instance, Proofpoint cites the case of advanced persistent threats (or APTs) which have recently targeted Indian diplomats stationed in the Middle East. And organisations have been on the alert since 2015, when the FBI warned of an increase in CEO fraud, or business email compromise (BEC).
The Second Stage
The previous generation of fraudsters used malicious software (or malware) such as web-crawlers, information extractors and keyloggers to do the work now being unwittingly performed by those who respond favourably to information requests from bogus websites and online forms.
Imposters are now incorporating malware in a second-stage process of their phishing campaigns. In its “2015 Data Breach Investigations Report”, Verizon highlighted the use of email attachments and other methods of installing malware such as remote access tools (RATs) onto a user’s machine, once they’ve been hooked into the scam by a successfully targeted email message.
Continued correspondence with the bogus individual or organisation may lead to further installations of malicious software, or simply give the malware already present in a recipient’s system time to siphon off confidential information, exert control over corporate networks, or worse.
Social Media as Infrastructure
Data security experts often advise against revealing too much about yourself or your organisation on social media – and with good reason. Scouring user profiles is one of the first items on the “To Do” list of an industrious fraudster. And for the imposter, social media represents a valuable resource in their armoury.
If your privacy settings aren’t properly configured on the likes of Facebook or LinkedIn (a favoured target for imposter research, as its subscribers are business professionals), you could be giving an imposter the kind of personal and/or corporate information they need to pose convincingly as you, in correspondence with clients, partners, or junior members of your organisation.
The External Insider
Again, cyber-security assessments often focus on the threat posed to an enterprise by those within its ranks – be they disgruntled employees, or simply workers exercising lax user authentication or network access protocols.
With an imposter in your midst, you have the situation of a malicious outsider who’s actually posing as someone within. In our next instalment, we’ll be discussing how to identify any bogus users or employees in your network, and the measures you can take to protect your organisation from becoming a victim of their schemes.
For now, we’ll leave you with some best practice tips for avoiding the phisher men and women out there.
- If an offer or business opportunity sounds too good to be true, it probably is.
- Never click on a link or download an attachment from an unsolicited email. Ever.
- If you receive an account enquiry or other request from one of your online services, go to the website directly (preferably in another browser window) and check it out, rather than clicking through from the email.
- If an email request for information or funds from a senior member of your organisation sounds completely out of character, do the sensible thing: get a printout of the email text, and speak to the official directly – preferably in person.
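Two of the lure patterns described above, a Dropbox- or Google-branded link that actually points elsewhere and a senior staff member's display name on an unrelated sending address (the CEO fraud case), can be checked automatically before a message reaches a user. The following is an added example for this article, not code from Proofpoint, Verizon or the FBI; the executive directory, the brand-to-domain table and the sample message are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Services the article says are used as lures; the brand -> domain mapping is an assumption.
TRUSTED_BRANDS = {"dropbox": "dropbox.com", "google": "google.com"}
# Hypothetical staff directory: display name -> the only address allowed to use it.
EXECUTIVES = {"Jane Doe": "jane.doe@example.com"}

class LinkCollector(HTMLParser):
    # Collects (href, visible text) pairs so link text can be compared with its target.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def lure_findings(raw_message):
    # Returns one finding string per suspicious pattern; an empty list means nothing flagged.
    msg = message_from_string(raw_message)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    if name in EXECUTIVES and addr.lower() != EXECUTIVES[name]:
        findings.append(f"display-name impersonation: {name} <{addr}>")
    parser = LinkCollector()
    parser.feed(msg.get_payload())  # single-part text/html body assumed
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        for brand, domain in TRUSTED_BRANDS.items():
            if brand in text.lower() and host != domain and not host.endswith("." + domain):
                findings.append(f"brand lure: '{text}' -> {host}")
    return findings

# Constructed sample lure (not a real message): spoofed CEO display name plus a Dropbox-branded link.
SAMPLE = """From: Jane Doe <ceo.urgent@mail-example.net>
To: clerk@example.com
Subject: Urgent: invoice for payment today
Content-Type: text/html

<p>Please review the invoice in <a href="http://dropbox-files.example.net/login">Dropbox</a>.</p>
"""
print("\n".join(lure_findings(SAMPLE)))
```

A real deployment would also walk multipart bodies and compare the sending domain against SPF/DKIM results; the link-text check here deliberately treats only exact and sub-domain matches of the brand's domain as legitimate.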