In August of this year, several United Rental customers received emails with attached invoices, urging them to read the document and settle any outstanding payments. The invoices were sent from a valid email account that provided a link to the company’s web site. Within the invoices were malicious links that downloaded payloads to execute malware, with the intent of providing a foothold within the organization’s network. An investigation into the incident revealed that hackers had sent a phishing email to a customer of a third-party vendor with direct access to a subdomain owned by United Rental.
As a result, once the cloud-based third-party vendor was compromised, hackers went on to send phishing emails from a trusted source and convinced users to download malware. With the steady increase of companies using cloud-based Customer Relationship Management (CRM) providers to work with vendors and partners, ensuring the protection of all parties and stakeholders from phishing emails is crucial for a successful business.
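The incident above turns on a message that arrives from a trusted account yet carries links to somewhere the sender does not own. The following is an added, defender-side illustration of that pattern; it is not code from the original article or from any party to the investigation. It parses the HTML of a constructed invoice-style message and flags each link that points outside the sender's organisation domain or whose visible URL text names a different domain than its href. The sender address, hostnames and message body are all constructed for the example, and the two-label "registrable domain" helper is a deliberate simplification (a real control would consult the Public Suffix List).

```python
"""Defender-side triage of links in an HTML email body.

Added example, not from the original article. Given a sender address and the
HTML of an invoice-style message, it extracts every <a href> and flags links
that (a) resolve to a host outside the sender's organisation domain or
(b) display one domain in the visible text while the href goes elsewhere.
The sample message and every domain below are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a message from a vendor's legitimate account whose
# invoice link points at an unrelated host (the pattern the article describes).
SAMPLE_SENDER = "billing@vendor-example.com"
SAMPLE_HTML = """
<p>Please review the attached invoice and settle the outstanding balance.</p>
<a href="https://vendor-example.com/portal">Customer portal</a>
<a href="https://cdn-invoices.example.net/inv/4471.html">https://vendor-example.com/invoice/4471</a>
<a href="https://secure.vendor-example.com/pay">Pay now</a>
"""


def registrable_domain(host: str) -> str:
    """Approximation used for this example only: the last two labels of the
    host ("a.b.example.com" -> "example.com"). Production code should use the
    Public Suffix List instead of this assumption."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Matches a URL scheme and host at the start of the visible link text.
URL_RE = re.compile(r"https?://[^\s/]+", re.I)


def triage_links(sender: str, html: str) -> list:
    """Return one finding per link; 'flags' lists why it was flagged (empty = clean)."""
    sender_domain = registrable_domain(sender.rsplit("@", 1)[-1])
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        flags = []
        if registrable_domain(host) != sender_domain:
            flags.append("host outside sender domain")
        shown = URL_RE.match(text)
        if shown:
            shown_host = urlparse(shown.group(0)).hostname or ""
            if registrable_domain(shown_host) != registrable_domain(host):
                flags.append("visible URL differs from href")
        findings.append({"href": href, "text": text, "flags": flags})
    return findings


def suspicious_links(sender: str, html: str) -> list:
    """Only the hrefs that carry at least one flag."""
    return [f["href"] for f in triage_links(sender, html) if f["flags"]]


if __name__ == "__main__":
    for finding in triage_links(SAMPLE_SENDER, SAMPLE_HTML):
        print(finding)
```

On the constructed sample, the portal and payment links stay clean because their hosts sit under the sender's domain, while the invoice link is flagged twice: its host is unrelated to the sender, and the URL shown to the reader does not match where the link actually goes. The check is cheap enough to run at the mail gateway or in a triage script, and the "visible URL differs from href" flag in particular needs no knowledge of the sender at all.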
What is Phishing and How Widespread is it?
Phishing is a hacking technique commonly used by attackers to trick the user into giving up sensitive information or as a conduit for downloading malicious code. The premise of the attack is to send an email that appears legitimate and from a trusted source, convincing the user that any interaction with the sender is safe. This attack exploits the human element, most often the weakest link in a network, using social engineering techniques that make it impossible for defenders to use a one-size-fits-all model to mitigate the risk.
Earlier this year, Proofpoint released a phishing report detailing statistics on the attack method, drawing on multiple sources to emphasize the pervasive nature of the problem. Surveys reported that 83% of global cybersecurity respondents had experienced phishing attacks in 2018, while the number of credentials obtained through phishing campaigns rose 280% since 2016. Not only has the number of phishing attacks increased, but the techniques used to avoid detection have advanced. Approximately half of all phishing sites use HTTPS encryption and web page redirection, giving the user the impression that the site is trustworthy.
There are several methods that hackers can use to fool users into submitting their credentials to a malicious server. These social engineering techniques are constantly evolving and are often moulded to complement the digital footprint of the target. Two methods, named whaling and spear phishing, are used by attackers to target specific persons of interest. In contrast to the generic phishing email, which is sent to all employees of a company, these two methods require further research into the persons of interest – delving into their lives and what interests or hobbies they may have. Whaling is when an attacker sends a specially crafted phishing email to the CEO or another individual holding an executive position.
Once the executive’s account is compromised, the attacker can then send fraudulent emails purportedly from the CEO demanding that certain actions be taken that benefit the attacker. Spear phishing is similar to whaling but differs in that it doesn’t specifically target a top executive; rather, the attacker focuses on a person that he or she is interested in. The target may be chosen out of spite or malicious intent, or because the individual has access to resources that the hacker is curious about. Both methods require the hacker to comb the internet – with special attention to social media posts – to find what the target is interested in or anything that may pique their interest in an email.
Mitigating the Risk
The basis of any phishing campaign is to fool users into believing that a malicious email is a legitimate message. To counter this threat, security awareness training must be conducted on an ongoing basis to help employees – including those in executive positions – develop a security instinct. One of the best ways to do this is to emulate a phishing campaign by hiring an external company to send employees simulated malicious emails. For more information on simulating a real-life cyber-attack, contact us to learn more about our objective-based penetration testing.