A new report from PhishLabs shows that Phishing remains the easiest and the most productive attack vector used by criminals
This is the first time PhishLabs has released a report of this type, and while the data shows what some might already know (namely that humans are soft target), the report highlights some interesting trends that have emerged over the years.
Before we get into the PhishLabs report, let's examine a recent data breach that was the direct result of a Phishing attack at Magnolia Health Corporation in California.
On February 3, 2016 someone impersonated Magnolia's CEO (Kenny Moyle) by sending a spoofed email. The email appeared to have the proper address, naming scheme, and by all accounts looked legitimate.
The forged email requested personal information for all active employees of Magnolia and each of the facilities managed by them, including Twin Oaks Assisted Living, Inc., Twin Oaks Rehabilitation And Nursing Center, Inc., Porterville Convalescent, Inc., Kaweah Manor, Inc. and Merritt Manor, Inc.
The Phishing attack was successful, and the attacker walked away with an Excel spreadsheet containing employee number, full name, address (city, state, zip) sex, date of birth, Social Security Number, hire date, seniority date, salary/hourly status, salary/rate, department, job title, last date paid, and assigned facility. The attack wasn't discovered until February 10.
The type of Phishing attack that targeted Magnolia would be classified as BEC, or Business Email Compromise / Correspondence. It's a more focused variant of Spear Phishing.
The attacker will spoof the look of a legit company email (address, Outlook images, etc.) or they'll compromise a key email account and use it to launch their attack. Another key identifier is that more often than not, BEC attacks are personal; they're not something that's automated or generated via a crime kit. They can be, but in order to increase the odds of success, a human has to interact with the target.
Unfortunately, the result of these types of attacks is that the use of business email led to a successful compromise.
In their report, set for release on Thursday, PhishLabs said the number of organizations targeted with BEC Spear Phishing attacks grew tremendously in 2015 as attackers refined their techniques and sought new victims. In all, 22 percent of Spear Phishing attacks analyzed in 2015 were motivated by financial fraud or related crimes.
"BEC attacks target smaller more nimble organizations, where exceptions to standard accounting processes are more likely to be made based on personal requests from members of the executive team. Analysis of attack indicators shows that in most cases, targeting requires very little effort. BEC attackers appear to glean the information they need from readily-available public sources and business networking sites," the report explains.
On the consumer front, 90 percent of the consumer-focused Phishing attacks targeted financial institutions, cloud-based storage or file hosting, webmail, ecommerce, and payment systems.
While financial institutions and payment services are the most highly targeted organizations on the consumer front, the share of overall Phishing volume declined some last year.
Rounding out some of the basics, the US was the top target of Phishing attacks by a long shot in 2015, with 77 percent, followed by China (5%), France / Great Britain / Australia (3%), Germany (2%), and Canada / Brazil (1%). All other remaining countries rounded out to five percent.
"Organizations today are spending far more on preventing, detecting, and responding to cyberattacks than ever before," the report noted.
"But amid all of this change, the use of Phishing to exploit the people that use the technology continues to be the most effective way to attack organizations and individuals."