MY TAKE: A closer look at why ‘carpet bombing’ of phishing email endures

By Byron V. Acohido

Occasionally, examining something in microcosm can be more instructive than trying to absorb  a macro view that overwhelms.

Such is the case with the flurry of cyber attack reports that come out this time of year, analyzing and dissecting what transpired in the threat landscape the previous year. Last week, for instance, Fortinet and Cisco each issued their respective 2016 cyber attack retrospectives.

Related podcast: How faked personas fuel targeting attacks

Fortinet reported organizations facing the highest levels of cyberattacks in both number and sophistication, due in large part to a rise in automated swarm attacks. Exploit detections detected in their customers’ systems were up 82% from the previous quarter. For the full year, Fortinet found malware families growing in both volume, up  25%, and unique variants, up 19%.

Cisco, meanwhile, reported network breaches twice as severe in 2017 vs. 2016, with financial losses in cases reported by CISOs they polled averaging  $500,000 per business. Cisco’s crack researchers also broke down a frightening criminal advances in “burst attack” denial of service campaigns and the weaponization of encryption.

Metrics of maliciousness

Those reports hammer home this reality: the sophistication and variety of cyber threats continues to steadily escalate in lockstep with our increasing reliance on Internet-centric commerce.

Meanwhile, for a micro view, we can look to a couple of other reports — one from the U.S. Department of Defense and  the other examining how local town councils in the English countryside are doing defending hackers.

On any given day, both of these sectors are being carpet bombed by wave upon wave of cyber attacks. The Defense Department, for instance, detects 36 million malware-infested emails arriving from hackers, terrorists and foreign adversaries every 24 hours.

That translates into an onslaught of some 13 billion weaponized emails raining down on Pentagon on an annual basis. We know this thanks to a talk given last month by David Bennett, director of operations for the Defense Information Systems Agency. Bennett addressed the to the Armed Forces Communications and Electronics Association.

Meanwhile, thanks to a study by the advocacy group Big Brother Watch, we have some detail regarding a similar bombardment of some 395 local town councils in the UK. Researchers found that those small government agencies face an average of 19.5 million cyber attacks a year, or  37 attempted breaches every minute. The vast majority of these attempts were email phishing ruses.

Human zero-day threats

These two disclosures lend some color to the observation that organizations of all sizes continue to be relentlessly attacked and that social engineering, via email phishing, accounts for a vast majority of the initial barrages.

Human gullibility remain hackers’ go-to  vulnerabilities; tricking one individual to unwittingly assist in a network breach is still the most effective hack around.

“Our threat labs have observed cybercriminals recently migrating to email as the most common attack vector,” says Nick Bilogorskiy, cybersecurity strategist, Juniper Networks. “They use email because it is effective. I am not surprised the DoD is also reporting a similar increase in the frequency of email attacks.”

Phishers seek to lure a victim into opening a malicious attachment or to navigate to a booby-trapped web page. Spearphishers are more methodical; they first profile their intended victims, then send them very refined messages that often don’t even carry a malicious payload.

Instead, the spearphisher’s art is to cajole the recipient into taking steps that achieves the desired result. So-called Business Email Compromise(BEC) scams are 100 percent social engineering. A one-off message is sent to a specific employee at an opportune moment, tricking the victim into wiring funds into an account controlled the phisher. The FBI estimates BEC scams has caused more than $5.3 billion in losses since 2013.

Likewise the theft and selective public outing of the Democratic National Committee’s emails — by Russian hackers meddling in the 2016 U.S. presidential election  — revolved around singling out an unwitting accomplice as part of a phishing ruse that gained the hackers deep access to the DNC’s data bases.

“When an attacker combines knowledge of its target with timely, relevant information in a targeted phishing email, it’s only a matter of time before someone falls victim to the phish,”  says Mounir Hahad, head of threat research at Juniper Networks. “One of the lowest barriers to entry is email.”

Cashing in stolen data

It seems obvious why the U.S. military would be under continual cyber bombardment. But why the British town councils? It’s because cyber criminals understand better than anyone that sensitive data is being routinely collected and stored – but not terribly well guarded — by British local authorities.

Data stolen from ordinary citizens can be cashed in many different ways, as online fraud scams continue to multiply. And the hackers behind Russia’s election meddling have demonstrated the value of compromising the accounts of public officials.

The Big Brother study found British local authorities have been subjected to at least 98 million cyber attacks between 2013 and 2017. About one-third of the local authorities  — 114 of them — experienced at least one cyber security incident. Stunningly, more than half  of those  councils admitted that they chose not to disclose the breach publicly.

What I found most troubling about the report on UK town councils is that 75% of them – some 297 authorities — admitted to not providing mandatory training in cyber security. A sobering thought is this same level of apathy probably exists across the board for smaller companies in the private sector as well.

Far too many organizations in the public and private sectors are only lightly monitoring their networks; too few are implementing breach response plans; and too few are finding ways to inspire and incentivize their employees to practice cyber hygiene. Until this pattern changes, expect to see more of these kinds of reports.

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone