Websense published a brief report on the state of Phishing on Wednesday, covering Q1-Q3 2013. According to the numbers, the percentage of Phishing attempts within all email traffic fell .5 percent in 2013, which might look like good news. However, the decline isn't something to celebrate: it reflects the fact that the criminals behind Phishing campaigns have become more focused.
In this case, the focus was on the individual, Websense's Carl Leonard explained.
"Today’s phishing campaigns are lower in volume but much more targeted. Cybercriminals aren’t simply throwing millions of emails over the fence. They are instead targeting their attack strategies with sophisticated techniques and integrating social engineering tactics. Scammers use social networks to conduct their recon and research their prey. Once the intelligence is harvested, they use that information to carefully construct email lures and yield maximum success."
Websense says that the year's most problematic email message posed as a LinkedIn invite. The messages, bearing the subject "Invitation to connect on LinkedIn", were a classic Phishing lure, trading on the fact that a majority of the corporate world uses the professional social network. Fake message-delivery failure notices took second place, followed by "Dear Customer" letters pretending to originate from financial institutions.
The editors here at CSO have seen other Phishing scams this year, including those that claim to report CNP (Card Not Present) transactions from American Express.
These emails, which use the aexp.com domain and so bypass many corporate firewalls under domain whitelisting policies, are sure to gain attention from those who have been issued corporate expense cards. In fact, even I opened one such message, because I had just used my corporate card to arrange travel, so I thought the message was a receipt. The timing was just right, and only my natural skepticism, along with the fact that I use plain-text email, kept me from following links.
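The two defensive points in the paragraph above, a whitelisted sender domain is not evidence that the links inside are safe, and a plain-text view exposes where a link really goes, can be turned into a simple mail-gateway check. The following is an added example written for this article, not code from Websense, CSO or American Express; the message it inspects is constructed for illustration, with the sender domain taken from the article and the link host a placeholder under the reserved .invalid TLD.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample for illustration (not a real captured message). The From
# domain mirrors the aexp.com lure above; the link host is a placeholder .invalid name.
SAMPLE_EML = """\
From: American Express <alerts@aexp.com>
To: cardholder@corp.example
Subject: Card Not Present transaction notice
Content-Type: text/html; charset="utf-8"

<html><body>
<p>A Card Not Present transaction was recorded on your corporate card.</p>
<p>Review it at <a href="http://secure-login.placeholder.invalid/amex">https://www.aexp.com/</a></p>
</body></html>
"""

# <a ... href="..."> visible text </a>; enough for simple lure bodies.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def host_of(s):
    """Lower-cased host of a URL, or of URL-looking anchor text ('' if none)."""
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()

def registrable(host):
    """Last two labels ('www.aexp.com' -> 'aexp.com'); ignores suffixes like .co.uk."""
    return ".".join(host.split(".")[-2:])

def check_links(raw):
    """Return (href, visible_text, reason) for each link whose real host differs
    from what the reader sees or from the claimed sender domain."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender_dom = msg["From"].addresses[0].domain.lower()
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    findings = []
    for href, text in ANCHOR_RE.findall(body.get_content()):
        text = re.sub(r"<[^>]+>", "", text).strip()   # drop nested tags
        real = registrable(host_of(href))
        shown = registrable(host_of(text)) if "." in text else ""
        if shown and shown != real:
            findings.append((href, text, "visible URL host differs from href host"))
        elif real != registrable(sender_dom):
            findings.append((href, text, "link host is not the sender's domain"))
    return findings
```

Run against the sample, `check_links` flags the single link because the text shows aexp.com while the href points elsewhere, exactly the discrepancy a plain-text reader sees and an HTML reader does not.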
A couple of months ago Websense reported that a majority of Phishing emails appear on Friday, with Monday rolling in at a close second. Oddly enough, the CNP email I received showed up late afternoon on a Friday. On the other hand, you're less likely to see a Phishing attack on Tuesday and Wednesday. The reason is that criminals know you're paying attention, as Websense's Patrik Runald says:
"The bad guys know potential victims' behavioral patterns. They know workers' minds can stray on Fridays in a more relaxed setting. Relaxation and anticipation of the weekend can lead to more web browsing and an increased likelihood to click on links in emails. Similarly, stricken by a case of the Monday Blues, workers are also more likely to wander. By studying these behavioral elements, Phishers know that they can increase their success rate..."
When it comes to location, China has sent the most Phishing messages this year, followed by the U.S., Germany, the U.K., Canada, Russia, France, Hong Kong, the Netherlands, and Brazil.
In related news, criminals are also exploiting existing corporate trust in their attacks. While Phishing through "system update" spam messages isn't unheard of, these messages are often used to deliver malware directly via user interaction. Once a system is infected, that foothold enables further attacks on the company, including Spear-Phishing. It's a vicious cycle that starts the moment the attacker gains access.
Just last month, analysts from Malcovery, a company that focuses on Phishing trends and protection, noted an uptick in the number of "Important System Update" messages being spammed online. Each message included a "hot fix" which promised to help protect the system. Said update was actually a Zeus variant.
"Using the legitimacy of well-known brands is one way but another that seems to be gaining popularity is spamming under the guise of a 'system administrator' with emails which are meant to look like legitimate IT instructions or updates. This sort of schema takes advantage of the notion that users will take and follow instructions from IT staff and system admins and the assumed level of trust users have in those groups," Malcovery's Brendan Griffin told me in an email.