2 simple tips to avoid being robbed by phishing

The biggest security hole in a computer system is between the chair and the keyboard - Kevin Mitnick

Mafias and cyber criminals are getting lazy. They are going easy, the days of taking risks with dangerous bank or business robberies where they could be caught are behind them. Why should I go there when I can rob them online without leaving my home? And, of course, it can be stolen from countries where the victim's justice or police have no authority, so even if the thief is caught, it is quite unlikely that anything will happen to him. A golden age for cyber theft. 

Even on the technical side things are relaxing. When it comes to internet theft, the first approach was to do it using the equivalent of the "hole made to break in" technique. Sneaking into the victim's systems by exploiting vulnerabilities or breaking into their computer network security. But who wants to waste time drilling holes in safes and walls if we can persuade the guard to take the money out and send it to us by bank transfer? Or better yet, send us the keys so we can help ourselves.

When thieves realized this, the technique known as Phishing was born.

So, what is Phishing? It is a technique by which a fraudster uses social engineering techniques to trick a user (victim) usually through email, a phone call or text message. 

Right now, if someone wants to steal money from you, will use any of these techniques ordered from least to most difficult:

1. They will try to trick you (or someone in your organization) into sending them money or goods. As deception technique, they're usually going to impersonate someone the victim trusts, or should trust.

2. They will try to trick you (or someone in your organization) into sending them your bank credentials so they can rob you at their convenience. If this is the case, they usually use techniques known as "salami" which consist of stealing a small amount of money from you many times and in a sustained manner over time so that you do not realize that you are being robbed.

3. They will try to trick you (or someone in your organization) into clicking on a link that leads to a fraudulent site, downloading malware, infecting you so they can get into your computer and steal everything you have access, from your bank credentials to your personal privacy. They can also trick you into clicking on an attachment with the same results. This technique is interesting because it also opens the door to extortion or system hijacking and ransom demands.

4. They will try to hack into a server and/or network device to break into your systems and steal your bank credentials or sensitive information that they can extort. This technique is the least attractive to cybercriminals as in most cases it is the one that needs the most work.

5. You're going to get mugged the old-fashioned way.

The first 3 are forms of phishing. How do you protect yourself?:

Tip 1: Train your employees in security awareness

We have to train our employees to recognize the anatomy of this type of fraud and to recognize fraudulent emails, messages and calls. A well-trained employee can stop the most sophisticated phishing attacks as these attacks basically try to trick you with simple but tremendously effective techniques. They usually exploit feelings such as; urgency, desire to please, greed, curiosity, complacency or fear, to induce a user to do something the attacker will take advantage of. Usually their success rate is 1 out of 10 emails (very high) so in a campaign of millions of emails you can imagine how lucrative it is.

Tip 2: Hire an effective anti-phishing mail gateway

Your last line of defense is your employees, and as we have mentioned before, they are vulnerable since their performance at any given time depends on several random factors and is directly connected to very primitive instincts that are difficult to control. From the point of view of your security, it would not be desirable that an attacker reaches your last line of defense, and for this reason, it is advisable to install some lines of battleships in front of you.

To ensure that no phishing message reaches us, or if we can protect ourselves adequately without human intervention, is usually an exercise in strength rather than intelligence. Having muscle is important since the attacks are massive, perpetrated by armies of bots and use a large amount of brute force and artificial intelligence.

The solution is to install an additional mail gateway. This gateway inspects your mail when it comes in and when it goes out and reinforces the security of your usual mail gateway (Outlook, Gmail, etc.). The areas where a protection gateway should act effectively are the following:

• It MUST control the sources of attacks. These campaigns are launched from domains and ip addresses that change every moment and are counted by millions. Maintaining a constantly updated list of these sites and blocking communications from them is fundamental and requires exceptional strength, speed and force.
• it MUST analyze the context and form of the messages. Everything that a human must analyze can and must be systematically preanalyzed with artificial intelligence techniques. Misspellings, rare but very similar to legitimate domains, urgency and deadlines to respond or promises that sound too good to be true are factors that should raise red flags and possible message blockages.
• It MUST inspect where every link in the message goes. Attackers often put links with forged addresses to either download malware or try to trick the user into impersonating another website. The use of masked links or url shorteners is common. If this is the case and whether the user clicks or not, the gateway must anticipate and block the link or connection.
• It MUST check that file attachments are free of malware. All files attached to the email should be scanned. Normally mail providers already cut executable files such as .exe .bat or .zip but now most malware comes in office files (Word, Excel or Powerpoint) and PDF files. This is much more common and more difficult to detect and requires special expertise.
• It MUST have sandboxing capabilities. Due to the complexity mentioned in the previous point, it is often very difficult to know if a file contains malware simply by passively analyzing the file. The way to be sure is to run this file and observe its behavior. In a gateway this must also be done in real time and almost instantaneously; examine the file, if I am not clear that it is good, create a virtual machine (sandbox), execute the file, see what it does and issue a verdict. If it's good, let it go, and if it's not, block it. Doing this quickly and effectively with hundreds, thousands or millions of emails a day also requires muscle.

Grayhats helps you protect against phishing and its potentially devastating economic consequences by implementing and maintaining security awareness and mail gateway solutions from Proofpoint, a global leader in email and personal protection. We also include Proofpoint as an addon of our solution Secure Workplaces. 

Request a no-obligation business case at: info.proofpoint@grayhats.com