Think your employees are too smart to fall for a targeted email scam? Think again. Recent figures from the US FBI suggest that fraudulent emails – sent by cybercriminals impersonating CEOs and other key executives – cost US businesses $US2.3 billion between October 2013 and February 2016, during which time the FBI received some 17,642 reports of such scams.
And that's just the fraud that the FBI knows about. The true extent of financial losses to targeted attacks is likely to be much larger – but their victims either don't know about it, or are too embarrassed to front up with the truth. They may also be unaware that one of the key reasons cybercriminals are getting so good at extracting money has nothing to do with programming skill – and everything to do with social media.
Simple mathematics suggests that most if not all of your employees have a presence on Facebook – which with well over 1.25 billion users theoretically represents nearly 18 percent of the earth's population – as well as LinkedIn, Twitter, Instagram, and other social networks.
Regular use of such networks fills them with a cornucopia of personal details that cybercriminals use to fake familiarity with their targets. Individuals with particular job functions can be identified with a few clicks, and their social connections mapped out to develop frighteningly detailed organisational charts showing reporting structures as well as details of recent trips to conferences, shared posts, individual interests, and the like.
Once this information has been collected, it's a small step for cybercriminals to craft emails with enough personal detail to be convincing. Spoof the sender's name and email, mention a few recent shared experiences to lessen scepticism, and concoct a story about needing a wire transfer to be executed urgently – and you've got a successful 'whaling' attack of the type that is rapidly showing that the 'human firewall' still cannot protect businesses from harm.
“Most people have seen this in some incarnation,” says Ben Adamson, APAC technology lead with email-security firm Mimecast, which recently released a tool to ferret out whaling emails as they are received.
Such attacks have “definitely hit the radar pretty hard,” he says, citing a recent customer survey that found domain spoofing was rife: 72 percent of attackers pretended to be the CEO, and 35 percent of respondents had seen attackers impersonate the CFO to target key finance and other executives.
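As an added illustration of the display-name and domain-spoofing check that anti-whaling tools perform (this is not Mimecast's tool and not code from the article), the Python snippet below flags a message whose sender display name matches a known executive while its address domain is external or a one-character lookalike, and combines that with the wire-transfer urgency language the article describes. The executive roster, the domains and both sample messages are constructed assumptions.

```python
import email
from email import policy
from email.utils import parseaddr

# Hypothetical executive roster: display name -> the only domain it legitimately sends from
EXECUTIVES = {"jane doe": "example.com"}
# Phrases typical of the "urgent wire transfer" pretext the article describes
URGENT_TERMS = ("wire transfer", "urgent", "confidential", "today")


def looks_like(domain: str, legit: str) -> bool:
    """True if domain is within one edit of the legitimate domain (e.g. examp1e.com)."""
    if domain == legit:
        return False
    if len(domain) == len(legit):
        return sum(a != b for a, b in zip(domain, legit)) == 1
    short, long_ = sorted((domain, legit), key=len)
    if len(long_) - len(short) != 1:
        return False
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))


def whaling_score(raw_message: str) -> dict:
    """Flag a message that pairs executive impersonation with payment urgency."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    name, addr = parseaddr(msg["From"] or "")
    domain = addr.rsplit("@", 1)[-1].lower()
    reasons = []
    legit = EXECUTIVES.get(name.strip().lower())
    if legit and domain != legit:
        kind = "lookalike" if looks_like(domain, legit) else "external"
        reasons.append(f"executive display name but sender domain {domain} is {kind}")
    reply_to = parseaddr(msg["Reply-To"] or "")[1]
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != domain:
        reasons.append("Reply-To domain differs from From domain")
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part else ""
    hits = [t for t in URGENT_TERMS if t in body]
    if hits:
        reasons.append("urgency/payment language: " + ", ".join(hits))
    # Require two independent signals so a genuine "urgent" note from a colleague is not flagged
    return {"suspicious": len(reasons) >= 2, "reasons": reasons}


# Constructed sample: lookalike domain plus the classic wire-transfer pretext
SAMPLE_WHALING = (
    "From: Jane Doe <jane.doe@examp1e.com>\nTo: cfo@example.com\nSubject: Quick favour\n\n"
    "Are you at your desk? I need an urgent wire transfer sent today. Keep this confidential.\n"
)
```

A production filter would add authentication results (SPF/DKIM/DMARC) as a further signal and route flagged mail to a reviewer rather than block outright.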
“There are really massive, tangible amounts of money changing hands on the back of this. And once it happens, it's nearly impossible to get back because of the number of countries involved and the mobility of the people who are perpetrating these sorts of attacks.”
Anecdotal reports of cybercriminals' increasing whaling success came in Symantec's recent Internet Security Threat Report (ISTR) 2016 – which noted that the average number of email attacks per phishing campaign had dropped from 122 in 2012, to 25 in 2014 and just 12 last year. This coincided with a surge in the number of campaigns, from 408 to 1305 over the same time period.
Cybercriminals wanting to spread ransomware and targeted malware are launching fewer, more detailed attacks than ever before – and the approach is working, with carefully-worded emails routinely tricking staff into initiating dodgy wire transfers or opening malicious attachments. Ethical hackers with FireEye's Mandiant Red Team Operations recently peppered a client organisation with a carefully-worded email and found that 400 of 600 employees clicked on the attachment; just one would have provided access to the network.
“This is all about end-user training,” says Adamson. “We're seeing this taken with a great deal of seriousness, and having a human firewall is quite important – especially when you've got these emails coming through and they look absolutely legitimate.”
More-convincing email fraud isn't the only emerging consequence of broader social media usage – and the concomitant tendency of many employees to implicitly trust what they read online. This all-too-human trait leads many employees to fall prey to scams or malvertising campaigns perpetrated through social-media platforms themselves; the result can be a local malware infection, a ransomware lockout, or worse.
Symantec's ISTR found that Australia is the top ransomware target in the southern hemisphere, with a 141 percent jump in the volume of ransomware attacks per day over a year earlier. Many older scams were coming back into fashion, notes Symantec senior principal systems engineer Nick Savvides, who warned that marketing-savvy cybercriminals were reviving tech-support scams and offering early-payment discounts to push victims into paying to unlock ransomware-infected computers.
“They're taking the best experiences that you have from marketing and applying those to their criminal enterprises,” Savvides says, noting that small businesses are particularly vulnerable to attacks fuelled by intelligence garnered from social media.
“The attackers' intelligence is getting a lot better, and the reality is that these attacks are very well crafted, very convincing, and people do fall for them.”
Attacks fuelled by exploitation of social media information are likely to get worse before they get better – and they present an even bigger obstacle to user training because they do not rely on obvious mistakes on users' part. Combatting such attacks can be helped by an emerging category of anti-whaling technologies, but in the longer term companies worried about their vulnerability to such attacks need to look well beyond the simple threat posed by social media.
Instead, they should be considering how internal controls can be tightened to fight the types of activities that whaling involves. This includes processes that restrict the flow of funds to new accounts, approval processes necessary to action funds transfers, and methods to evaluate out-of-routine instructions that can often be confirmed or denied with a simple phone call.
These types of controls have little to do with security staff directly; rather, CSOs should take the initiative to start engaging with business leaders to identify potential weak spots where funds transfers, customer details, sensitive business data and other corporate assets may be exfiltrated.
Even then, however, the human element – represented by the unpredictability of social media and its increasing availability to cybercriminals as a form of conceptual blueprint – means efforts to contain the issue will take time. “If documentation and checklists and compliance regimes were the answer, then you would have solved this 20 years ago,” says Chris Pogue, senior vice president for cyber threat analysis with security-intelligence firm Nuix.
“What's missing is this almost cognitive bias that we as human beings have against implementing those things holistically at scale. We know how these attacks are going to take place, but we're collectively not even really putting up a good fight. All attackers need is one single point of entry and they can gain access to your data.”
A good place to start, says Savvides, is not only in educating employees about smarter use of social media – but also changing cultural attitudes so that targets of such focused attacks can actively work with IT-security planners to minimise corporate risk. This includes reconsidering institutionalised tendencies towards victim-shaming – which is becoming less and less helpful as ever-stealthier attacks no longer rely on employees clicking on something they have been told not to.
“There is a tendency in the technology community to blame the victims,” he explains. “A lot of victims don't admit that they've been done by ransomware because they do feel ashamed – but there's no point telling the poor victims that they should have known better. The bad guys will continue to do this because it continues to bring in significant revenue.”