
Shield Your Business –
Combat Phishing Attacks

By Sameer Shelke
CISSP, CISA, BS7799 LA, ITIL

Introduction to Phishing

The alarming increase in cybercrime rates and security breaches in recent years stresses the importance of tightening network security to protect organizations from such attacks. The rapid adoption of mobile devices and wireless networks further intensifies the problem by providing a breeding ground for newer and much more organized forms of cybercrime. Highly sophisticated and targeted security attacks have become the norm, and ‘Phishing’ is one of the most commonly employed techniques to spread malware.
‘Phishing’ is defined as an attempt by cybercriminals and identity thieves to obtain sensitive information by masquerading as a legitimate and trustworthy source. Also known as ‘carding’ or ‘spoofing’, Phishing is characterized by attempts to acquire confidential information such as passwords or credit card details. Phishing is often initiated with an unsolicited email that contains a link to a domain name, which appears to be a legitimate site. Once the recipient clicks the link, he/she is taken to the spoofed website which resembles a genuine website where the visitor gives personal information.

Who are the targets?

According to the “Phishing Activity Trends Report – 2nd Half 2010” published by the Anti-Phishing Working Group (APWG), 80% of phishing attacks target financial institutions and payment services. But, with more and more companies using the World Wide Web to exchange and process confidential/sensitive information and move money, the scope for cybercriminals has expanded widely. In recent years, gaming, e-commerce and social network sites have become hot targets as they continue to grow in popularity.

Website Categories Infected With Phishing

Rank  Category
1     Games
2     Portals
3     Shopping
4     Forums / Newsgroups
5     Non-profits & NGO
6     Fashion & Beauty
7     Leisure & Recreation
8     Sports
9     Education
10    Business

Social networking sites are an attractive target for Phishers because of the easy availability of a great amount of vital personal information on such sites. Phishing attacks on social networking websites are becoming increasingly common as attackers leverage this information for their own advantage. Phishers use this information to draft customized emails seeking possible sensitive information about individuals or organizations. Such emails may also contain a link that will install Trojan / malware on the end user system. The topic of the email is also usually designed to attract as much interest as possible. Some examples are:
“See who has viewed your profile”
“Free Facebook Credits”
“Osama Bin Laden Dead – Actual Video”

Latest Phishing Schemes: Spear Phishing and Whaling

As with advancements in any other sphere, cybercrime has also become more organized and refined. While phishing emails are generally indiscriminate, victimizing recipients randomly, attackers are now making more targeted phishing attacks aiming at specific groups or individuals.

Spear Phishing is one such form of phishing in which employees of a certain organization or members of a specific group are targeted. Emails are customized based on information publicly available on social networking sites, and these emails direct the recipient to a fraudulent site or fake login page from where sensitive information is extracted.
Whaling is another form of targeted phishing, aimed at top corporate executives and affluent individuals, who are characterized as the ‘big phish’. Just like Spear Phishing, Whaling also involves sending emails customized to the specific recipient.

Solution to Combat Phishing Attacks

Tackling phishing attacks can be immensely challenging as phishing emails are usually very convincing, and it is hard to distinguish them from genuine emails. Risk management and control mechanisms against such social engineering attacks need to be dynamic in order to keep up with evolving security risks.

The security industry has used the concept of “build”, “test” and “fix” since inception. A lot of time and money is spent on identifying vulnerabilities in technologies and processes. The idea is that the flaws would be found and fixed. However, there aren’t too many ways to test people, which is why people (users) have been called the weakest link in security. While upgrading to advanced security solutions is crucial, educating people about phishing is also equally important.

The most effective people control against phishing is user education: users are taught the risks of phishing, how it happens, how to identify phishing attempts, and so on. But more often than not, this tends to be generic training, which is not as effective as training tailored specifically to the user’s behavior pattern. This is where solutions such as Phishnix, which assist organizations in evaluating the readiness of employees against phishing and social engineering attacks, could make a difference.

Phishnix is a phishing diagnostic solution that helps organizations protect their most valuable assets, their employees, from becoming phishing victims. By simulating a phishing attack and capturing each user’s likely reaction to a real one, it proactively educates users and helps them identify phishing attacks so they can avoid becoming phish bait in the future.

Such phishing simulation solutions can be highly effective because they leverage the teaching moment created by the user’s own response and generate an action plan that can be implemented to avoid future pitfalls. Phishnix focuses on the “Fall rate” and “Fail rate” based on actual employee behavior and helps organizations develop specific control measures to address potential problem areas.

Phishing Fall and Fail Rates: Why they matter

In a typical phishing attack, the target is enticed to read an email, visit a website and reveal information. A common misconception is that the attack is successful only if the target reveals information. But, this is not true. An attacker essentially looks for information to plan the next move, which he can get based on user actions, even when there are no major revelations of private data. For instance, just by the mere act of visiting the malicious website, the target reveals information that could be used for fingerprinting and understanding the kind of information that attracts targets.

The Fall Rate is defined as the percentage of users (targets) who “fall” for the attack and visit the fake website.

The Fail Rate is defined as the percentage of users (targets) who “fail” in the attack, visit the fake website and reveal sensitive information.

Following is an example of statistics of Fall and Fail rates analyzed using Phishnix:
(Figure: Best, Worst and Average Fall and Fail rates from Phishnix tests)

The two ends of the spectrum, Best and Worst, are results for specific tests, whereas the Average is computed across all tests. All percentages are computed based on the total number of target users in the test.

An average fall rate of 61% is startlingly high, especially considering that a certain percentage of users have taken no action at all. Mostly, this inactivity on the user’s part is not because they have spotted an attack; it is more likely that they have an email backlog or have not had the time to see the email yet. As mentioned earlier, visiting a malicious website by itself provides attackers with enough knowledge to plan their next move.

An average fail rate of 21% is a huge concern, as these users have revealed sensitive information such as passwords. Of the users who “fell”, 65% didn’t “fail” (the 40% of all targets who fell without failing, divided by the 61% who fell), which means that either they realized it was an attack (most likely the case) or simply didn’t proceed further due to other priorities. This highlights the need for education tailored to users by leveraging the “teaching moment” created. If users are educated with examples of good and bad behavior based on their own actions, the retention of that knowledge will be far greater than that of knowledge gathered from generic trainings.

These statistics change as follow-up tests are performed or the parameters of the tests are changed. For instance, the fall and fail rates increase as the services (e.g. social networking) and end devices (e.g. mobiles) change. They also increase if the tests are conducted around specific incidents (e.g. a 9/11 memorial or company-specific events). Organizations can learn about user behavior and modify their control strategies using fall and fail rate benchmarks. As an example, if the fail rate is high in a specific department or location and it doesn’t decrease after education, then technology or process controls would need to be enhanced.
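The Fall and Fail rate computation described above, including the “fell but didn’t fail” share and the per-department benchmarking used to decide where stronger controls are needed, as an added Python example (not Phishnix code). The user records, department names and counts are constructed so that the overall averages match the 61% fall and 21% fail figures discussed in the text.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Outcome:
    """One target user's observed response to a simulated phishing email."""
    user: str
    department: str
    visited: bool    # opened the fake landing page ("fell")
    submitted: bool  # entered sensitive data on it ("failed")

def make_sample(dept, total, fell, failed):
    """Constructed data: the first `failed` users fall and fail, the next ones fall only, the rest take no action."""
    assert failed <= fell <= total
    return [Outcome(f"{dept}-{i:02d}", dept, i < fell, i < failed)
            for i in range(total)]

# Constructed campaign of 100 targets, sized so the overall averages match
# the figures discussed in the text (61% fall, 21% fail).
SAMPLE = make_sample("finance", 40, 30, 14) + make_sample("engineering", 60, 31, 7)

def pct(part, whole):
    """Percentage rounded to one decimal; 0.0 when the base is empty."""
    return round(100.0 * part / whole, 1) if whole else 0.0

def rates(outcomes):
    """Fall and Fail rates over all targets, plus the two derived shares the text reasons about."""
    for o in outcomes:
        if o.submitted and not o.visited:
            raise ValueError(f"{o.user}: submitted without visiting")
    total = len(outcomes)
    fell = sum(o.visited for o in outcomes)
    failed = sum(o.submitted for o in outcomes)
    return {
        "targets": total,
        "fall_rate": pct(fell, total),
        "fail_rate": pct(failed, total),
        "fell_not_failed": pct(fell - failed, fell),  # share of the fallers who stopped short
        "no_action": pct(total - fell, total),        # not yet read, backlog, or spotted it
    }

def rates_by_department(outcomes):
    """Benchmark each department separately so outliers stand out."""
    depts = sorted({o.department for o in outcomes})
    return {d: rates([o for o in outcomes if o.department == d]) for d in depts}

def departments_needing_controls(outcomes, fail_threshold=25.0):
    """Departments whose fail rate stays above the threshold are candidates for stronger technology or process controls."""
    return [d for d, r in rates_by_department(outcomes).items()
            if r["fail_rate"] > fail_threshold]
```

Running `rates(SAMPLE)` reproduces the article’s 61% / 21% averages and a 65.6% “fell but didn’t fail” share; the per-department view singles out the constructed finance group as the one still needing additional controls.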

So, benchmarking is the first step in analyzing and improving metrics. As you can’t improve what you can’t measure, tracking ‘Fall’ and ‘Fail’ Rates becomes critical for an organization which is interested in introducing positive changes in user behavior.

About the Author

Sameer Shelke

Sameer is a seasoned information security professional with experience and expertise in the areas of information risk management, service management, governance, compliance and technology risk management.

He has over 18 years of experience in various functions such as consulting, service delivery and product development, and was also the CISO for a large technology major.

He has worked with leading multinational companies and with clients across regions and industry segments.

Sameer has held several industry certifications and is a regular speaker at events and contributor to technology publications in the area of risk management and security.

COMPANY INFORMATION

EC-Council
https://eccouncil.org