Phishing increasingly sophisticated

Phishing is an online threat that’s been around for more than 20 years. I initially heard of it in relation to spammers taking over an AOL account to send out spam. These days phis is more dangerous and more sophisticated. Phishing is not just used to send spam. It’s used to take over elections; it’s used to steal millions of dollars. Experts estimate that globally phishing costs companies over 9 billion dollars a year.
Even in the last two weeks we’ve seen 2 major phishing incidents. One targeted Google Docs, one targeted Docusign. Reading the news reports these are different than many of the more common phishing attacks and, to me, represent an evolution in standard phishing techniques.

The Google attack in early May was an evolution in getting access to a Google account. Instead of directing users to a fake Gmail login page, the phish asked users to allow “Google Docs” (actually an app controlled by the phisher) to access to their Google account.
I’m sure all of you have used an app or website that lets you login with Facebook or Gmail or Twitter. This is all done with a protocol called OAuth. OAuth is also how you give access to mailbox management tools like I discussed a few weeks ago.  Basically, OAuth lets users grant access and permission to a site or application using a second site without revealing their username and password. (It’s more complicated than I want to discuss, but if you’re looking for some information check out some of the sites I’ve found: wikipedia, Varonis blog, Digital Ocean knowledge base, or just search google for oauth.)
The switch from asking for a password to asking for access is, to my mind, a significant change. Now we have to be aware of what we’re authorizing and make sure that app isn’t malicious.
The Docusign phish is another evolution.  As I was looking at the phish I received yesterday I realized that it was sent to a tagged address. A tagged address only Docusign had. None of my other, heavily phished, addresses received the phish. None of Steve’s addresses received the phish. This wasn’t a widespread spray and pray phishing attack. The phishers targeted Docusign users. Yesterday afternoon, Docusign confirmed that someone stole user addresses.
This is a switch from just randomly looking for victims to targeting users of a specific service.
Phishing attacks look for the weakest links to gain access to computers, information, and money. The weakest links are always humans. Phishers have adapted to security measures for the last 20 years. There is zero reason that they won’t continue to adapt.
 
 
 

Related Posts

Happy New Year!

Well, we mostly survived 2016. A year ago I was making predictions about how 2016 would be the year of email security. I was thinking of things like TLS and authentication and access to the inbox. It wasn’t out of the question, Gmail said they’d be turning on p=reject sometime mid-year. They also were suggesting that they would be putting more value on messages that aligned, even in the absence of a DMARC signature. The first still hasn’t happened, and the second doesn’t appear to be in place, either.
DataSecurity_Illustration
That doesn’t mean email security wasn’t a hot topic in 2016. In fact, the use of a private email server was a major topic during the US elections. We also had spear-phishing play a major role in the compromise of campaign systems. I didn’t talk much about that here when it happened, but news reports make it clear that Chairman Podesta and others were targeted for compromise. The NY Times has a more in depth article with broader context around the attacks and how emails were used to infiltrate a major political party.
The irony is with all the time spent talking about how insecure the private server was, that server wasn’t compromised. Instead, the compromise was at Gmail.
We all need to pay attention to our email and how we use it. It also means when we’re sending bulk and marketing email we need to consider the private and personal information we’re putting in messages. Do you send PII? Is there a way you don’t have to? What can we do to protect our brand and our users?
It’s not just bulk email we need to think about, either. Personal email can contain PII, or personal information. A common saying among some of my security friends is “never put in email anything you wouldn’t want to see on the front page of the Washington Post or NY Times.” That’s an easy thing to say, but the convenience of email makes it easy to share information that we may not want on the front page of either paper. Many of us aren’t actually targets of malicious activity so we don’t have to worry about being targeted the way elected and other officials are. But that doesn’t mean we are not at risk. It just means we’re at less risk than others.
Email is a frequent vector for malicious actors to access computers. Most, if not all of the major breeches in the last few years have started with a phishing attack of some sort. The attacks are planned out and sophisticated. This is not going to get better. The phishers are smart and plan the attacks.  We also need to be more personally aware of security given the current political climate. We need to take steps to protect ourselves more than we have in the past.
Security is more important than ever and we all need to protect ourselves.

Read More

Are you (accidentally) supporting phishing

One of the themes in some of my recent talks has been how some marketers teach their customers to become victims of phishing. Typically I’m talking about how companies register domains “just for email” and then use those for bulk messages. If customers get used to mail from company.ESP.com and companyemail.com they’re going to believe that company-email.com is also you.
There are other ways to train your customers to be phishing victims, too. Zeltzer security walks us through a couple emails that look so much like phishing that it fooled company representatives. Go take a read, they give a number of examples of both good and bad emails.
biohazardmail
I was a little frustrated that the examples don’t include headers so we could look at the authentication. But the reality is only a teeny, tiny fraction of folks even know how to check headers. They’re not very useful for the average user.
Security is something we should never forget. As more and more online accounts are tied to our email addresses those of us who market to email addresses need to think about what we’re teaching our recipients about our company. DMARC and other authentication technologies can help secure email, but marketers also need to pay attention to how they are communicating with recipients.

Read More

November 2015: The month in email

As we head into the last month of the year, we look back at our November adventures. I spoke twice this month, first at Message Systems Insight in Monterey (my wrap-up post is here) and then with Ken Magill at the  at the 2015 All About eMail Virtual Conference & Expo (a short follow-up here, and a longer post on filters that came out of that discussion here.). Both were fun and engaging — it’s always great to get a direct sense of what challenges are hitting people in the email world, and to help clear up myths and misconceptions about what works and doesn’t work in email marketing and delivery. I’m putting together my conference and speaking schedule for 2016 — if you know of anything interesting that should be on my radar, please add it in the comments, thanks!
In industry news, we noted a sharp uptick in CBL listings, and then posted about the explanation for the false positives. Steve wrote about an interesting new Certificate Authority (CA) called Let’s Encrypt, which looks to be a wonderful (and much-needed) alternative for certificates, and I put together some thoughts on SenderScore.
Steve and I did a few posts in parallel this month. First, Steve posted an interesting exercise in SPF debugging. Are you seeing mail from legitimate senders flagged as spam? This might be why. My investigative post was about ISP rejections, and how you can figure out where the block is occurring. In each case, you’ll get a glimpse of how we go about identifying and troubleshooting issues, even when we don’t have much to go on.
We each also wrote a bit about phishing. Steve posted a timely warning about spear phishing — malware attacks disguised as legitimate email from within your organization — and reminds all of us to be careful about attachments. With all of the more secure options for document sharing these days, it’s a lot easier to avoid the risk by maintaining a no-attachments policy in your company. And I wrote about how the Department of Defense breaking HTML links in email to help combat phishing. If your lists include military addresses (.mil), you may want to come up with a strategy for marketing to those recipients that relies less on a clickthrough call to action.
We amused ourselves a bit with a game of Deliverability Bingo, then followed up with a more serious look at the thing we hear all the time — “I’m sure they’ll unblock me if I can just explain my business model.” While an ESP abuse desk is unlikely to be swayed by this strategy, it is actually at the core of how we think about deliverability at Word to the Wise. Legitimate senders have many kinds of lists, many kinds of recipients, many kinds of marketing strategies, and many kinds of business goals. For us to help marketers craft sustainable email programs, we need to understand exactly what matters most to our clients.

Read More