We’re all knowledgeable people. We know about phishing. But here’s the thing: That doesn’t help much. Per Verizon’s 2016 Data Breach Investigations Report, phishing is trending up, and is among the top three causes of data breaches. Verizon looked at eight million results of sanctioned phishing tests in 2015. “About 12% went on to click the malicious attachment or link and thus enabled the attack to succeed.” This rate was up from 2014.
The report said that the main perpetrators of phishing attacks were organized crime (89%) and state-affiliated actors (9%). These are competent, motivated people. No wonder their phishing emails are well crafted.
Phishing Made Simple
In case that’s not enough, phishing is getting easy for amateur script kiddies, too. Just download an automated phishing kit like PhishLulz. Renowned ethical hacker Michelle Orru released this suite of tools at New Zealand’s Kiwicon this month. Here’s how one blog described PhishLulz:
“The Ruby-based toolkit builds on Orru’s expertise in phishing. It spawns new Amazon EC2 cloud instances for each phishing campaign and combines a GUI from the PhishingFrenzy kit with the popular BeEF browser client-side attack framework for which he is a core developer.
“It also sports a self-signed certificate authority, additional new phishing templates for various scenarios a hacker may encounter, and will in the future be even more powerful with automatic domain registration, for now limited to registrar NameCheap.
“All told hackers using the toolkit will be able to send more convincing and much faster phishing emails from seemingly legitimate domains, be alerted immediately when login credentials are received, and send exploits and gain user target configuration information such as operating system and browser versions along with other running software via BeEF.
“It also includes MailBoxBug which handles the fistful of popped email accounts that Orru says typically flows in at a rate of one a minute. It works on Office365 accounts with more support to follow.
“Phishing emails developed with PhishLulz are designed to trick discerning targets. An impressive 40 percent of staff at an unnamed Australian Government agency opened Orru’s phishing emails and sent him corporate VPN credentials during a previous security test engagement.”
So, expect to see more phishing. If you want to get started with PhishLulz, the details to access it are here. Easy as that.
How to Fight Phishing
Fighting phishing can involve a couple of approaches. One is to adopt a product like Microsoft’s Advanced Threat Protection for Office 365. This will make links clicked in Outlook messages go to a Microsoft server to be vetted before going on to their destination, which reduces the chance of downloading malware from a bad website.
The best defense, however, is to educate your users. This is easier said than done, however. Usually repeated phishing tests are required to get the malicious click rate down towards zero. But training, on phishing and more security, is necessary. After all, many social engineering campaigns, such as the CEO wire transfer scam, don’t depend on downloading malware at all.
CGNET can help with Advanced Threat Protection, phishing tests and security training, if you like…