Report. Phishing Deceives the Masses: Lessons Learned from a Global Assessment

Transcription

1 Phishing Deceives the Masses: Lessons Learned from a Global Assessment

2 Table of Contents Executive Summary...3 Phishing Preys on the Uninformed...4 Introducing the McAfee Phishing Quiz....5 Lessons Learned...5 Recommendations for Security Practitioners Phishing Deceives the Masses: Lessons Learned from a Global Assessment 2

3 Executive Summary Organizations worldwide succumb to a constant barrage of cyberinfiltration attempts. The actors behind these efforts want information personal, financial, or even intellectual property and have shown no signs of slowing down. Our research shows that social engineering is the most effective way to exploit employees. Most commonly, through phishing s that deliver malware, or simply lead an unsuspecting user to divulge information. Part of the solution is to educate every connected worker on the tactics used in phishing attacks, so they are better prepared when a phishing makes it to their inbox. Using an online quiz, we re bringing attention to these tactics and are attempting to raise the skill level of anyone who takes it. With over 50,000 respondents to date, we are able to both grasp the overall performance level of employees around the world when it comes to detecting phishing s and help give them a more astute view of the potential threats in their inbox. Several trends have emerged from this assessment. First the vast majority of us will miss at least one phishing , especially if it looks like it is coming from a legitimate and known address. Unfortunately, we re not all equal. Finance and HR departments around the world performed worse on this assessment than their counterparts, especially those in IT and R&D who were consistently top performers. In this report, we ll look at what caused respondents to struggle, and what can be done to prevent future attacks from occurring with a combination of education and technology. Phishing Deceives the Masses: Lessons Learned from a Global Assessment 3

4 Phishing Preys on the Uninformed Phishing attacks exploit what is often the weakest link in cyberdefense human behavior. Bypassing our best judgment can be as simple as creating urgency with a fake bank notice, or as complex as assuming the persona of a known business partner all in an effort to steal information. Numerous high-profile breaches such as the theft of credit card data from Target and the compromise of multiple celebrities Apple icloud accounts are purported to be the result of targeted spear phishing. Effectively, it has become easier for the bad guys to know their targets, where they work, what they are interested in, and more. All forms of digital media have accelerated this capability, especially social media. We base our decisions on trust: Did the come from a party or organization I know and currently do business with? Does it contain an element of personalization that makes it appear legitimate? That is often enough to ensure a click. Take a look at some of the top brands used in phishing attacks these days, identified by McAfee Labs. PayPal Amazon ebay Bank Of America HSBC Would you click a link in an that appears to come from one of these companies? Through research conducted by McAfee Labs, we have seen phishing enable the vast majority of successful attacks in the wild. Verizon found similar evidence in their investigations this year: 80% of all espionage-motivated attacks used either a link or attachment in a phishing to gain access to their victim s environment 1 On the front lines, there are often unsuspecting employees just trying to navigate the constant flow of entering their inboxes. Phishing attacks have moved from the classic Nigerian 419 scams of the past, to targeted spear phishing messages that look no different on the surface than any other shipment notification, bank statement, or business solicitation you may receive from a legitimate party. Technology can only solve part of the problem. Key to defending against sophisticated phishing attacks is employee education and the level of awareness they have about potential threats in their inboxes. Only education can raise awareness around recognizing malicious s but many organizations lack the tools and resources to roll out an effective educational program to their employees. Phishing Deceives the Masses: Lessons Learned from a Global Assessment 4

5 Introducing the McAfee Phishing Quiz In an effort to build awareness around phishing and the tactics used to deceive victims of phishing attacks, McAfee now a part of Intel Security developed an online phishing quiz in mid This quiz presents 10 real s in replicated inboxes, asking respondents to determine whether each message is legitimate, or a phishing attempt. At the time of this report, over 50,000 business users in 49 countries have completed the quiz. The ability to detect fraudulent , as demonstrated by the results of this assessment, varies by country and even more dramatically, by department of employment. Key statistics from the quiz findings include: Only 6% of respondents worldwide were able to identify all s as phishing or legit. 80% of all respondents fell for at least one phishing . The average score around the world came in at a mediocre 65% correctly identified s. IT and R&D teams performed the best both at a 69% detection accuracy. HR and Finance departments performed the worst both with a 60% detection accuracy. EMEA proved to be the most skilled, at an average of 67% correct. Both NA and LTAM averaged 66% as well. APAC respondents were the least skilled, with an average score of 61% correctly identified s. An overview of these findings can also be viewed in this infographic. Lessons Learned While the results of this assessment are telling, it is enlightening to look deeper at where respondents fell short in their ability to detect the legitimacy of a message. Figure 1 below shows the frequency each question was answered incorrectly. Several messages were notoriously more difficult than the others. In this section, we ll explore why these s were more difficult to identify, and what that means for strengthening business defenses against attacks which use similar (and numerous other) tactics. Individual Question Failure Rate 70% 60% 63% 62% 50% 49% % Incorrect 40% 30% 43% 42% 27% 20% 21% 10% 13% 7% 8% 0% Blue = Legitimate Red = Phishing Figure 1. Overall failure rate for individual questions in the McAfee Phishing Quiz. Phishing Deceives the Masses: Lessons Learned from a Global Assessment 5

6 Looking at the full range of questions, we see a mix of both accurate identification and overwhelming misidentification of s by respondents overall. Notably, two s which both used forged addresses were the most difficult to detect as phishing ( s 4 and 8, above). We ll dive deeper into those in the analysis below. Not exempt from misidentification were several legitimate s, which highlight the difficulty in identifying the true nature of any , whether legitimate or malicious, when sitting in an inbox. Let s dive into the most missed questions to uncover the source of difficulty. 1 of 10: LinkedIn (missed by 63% of respondents) In a strange twist of fate, the single most-missed was actually legitimate. This marketing message from LinkedIn asks the recipient to take action and claim their free ads. Claiming a free prize is a tactic many are familiar with in phishing or spam campaigns, which is likely the reason behind this s misidentification as a phishing . Despite its harmless nature, the high rate of failure on this question further highlights the issue at hand it is extremely difficult to detect the legitimacy of an message in today s technology landscape. Ambiguous messages like this only cloud the judgment of end-users, as a fake message could easily follow the same template and lead to a malicious payload. We also recognize an inherent bias in the data regarding this question, as respondents were aware of the intention of the quiz as a phishing assessment, and were presented with this question first. Phishing Deceives the Masses: Lessons Learned from a Global Assessment 6

7 4 of 10: efax (missed by 49% of respondents) No excuses here. This is simply well-crafted and proved very difficult to detect any malicious intent. Business users may be familiar with the online service efax, and even if they haven t received a digital fax in their own professional lives, it is easy enough to place yourself in the shoes of someone who might. The relatively accurate branding and convincing layout in this would fool most people at first glance. Savvier users might look to the sender address for validation that the originates from a known party and that it matches the brand in the body of the . Unfortunately this wouldn t help here, as the address has been spoofed or forged to appear as if it came from the actual efax domain. In many cases, using your cursor to hover over links in an body would reveal the true destination of a URL, and give evidence of malicious activity if it does not match up with a known domain, or is random enough to raise suspicion. The malicious actors here however chose a fairly safe sounding domain with minimal additions to the URL strings behind each link. While this doesn t line up with efax perfectly, it is close enough to be mistaken in a quick glance, which is all most employees give an link if they even check the destination URL at all. So what can we learn from the high failure rate here? Reinforcing safe practices such as hovering over URLs (long-press on mobile devices) may be enough for some to avoid being tricked. All it takes is one employee clicking a link, however, to give the sender a chance to deliver their malware payload hidden in URL content. Instructing end users to never click on links in is going to be a futile effort for most. Web security technology which scans HTML content for both known and zero-day malware, even from links on mobile devices (which are often excluded from proxy-based scanning), is the most comprehensive resolution here. More on technology in the final section of this report. Phishing Deceives the Masses: Lessons Learned from a Global Assessment 7

8 5 of 10: Venmo (missed by 43% of respondents) Here we see a case of what is likely a high level of suspicion towards a new application, Venmo, and minimal evidence to base a decision of legitimacy. With a proverbial flood of new online services and mobile applications coming to market, most technology users receive sign-up confirmation s like this on a fairly regular basis. Cybercriminals are aware of this trend, and use similar shortformat s to trick recipients into clicking malicious links. In this case, the message was legitimate, displaying the Venmo domain in both the sender address and destination URL of the link. Educating users to long-press links within on mobile devices can help avoid any unintentional web access, but in this case, they would have been safe. Phishing Deceives the Masses: Lessons Learned from a Global Assessment 8

9 8 of 10: UPS (missed by 62% of respondents) Most people have received a tracking from UPS at some point in their life. The universal recognition of this brand and familiarity with package tracking play a large role in the high failure rate for this question and also for those that fell for this phishing attack when it made the rounds on real business networks. The methods of disguise here were common but effective. First, the sender address was spoofed to appear as if it originated from the UPS.com domain. Several UPS branding elements were part of the message, including the official logo. Most interesting was the use of only one malicious URL in the entire . The first URL directed the recipient to track the shipment and actually sent you to the UPS package-tracking website. The second URL prompted a download of the invoice, and it indeed opened a file but not one in the UPS domain. That link delivered the payload: malware wrapped in a.zip file. Phishing s like this are notoriously difficult to stop before they enter a business network, and even more difficult to prevent action at the user level. A common takeaway in this report hovering over links to reveal their true destination may raise enough suspicion for an end user. But this attacker clearly knew better. What are the chances an employee would hover over not just the first link, but the second as well? Probably not very high. Taking into account the legitimacy of the first URL brings a level of trust strong enough to warrant clicking on the second without thinking twice. Even more worrisome is that this phishing would have made it past most filters, and some web-based malware detection, as the.zip file contained zero-day malware. While end-user education could divert the attack from a percentage of recipients advanced malware detection technology for web traffic would have been needed to interrogate the.zip file download and uncover its zero-day payload. Phishing Deceives the Masses: Lessons Learned from a Global Assessment 9

10 Recommendations for Security Practitioners Phishing is still heavily in use, and carries with it a high level of efficacy leading the charge for most attacks we see in the wild. It is not an easy problem to address, requiring both technology and behavioral filters. To give readers a sense of our best practices, we offer a short checklist to help guide security initiatives. Activity Eliminate mass phishing campaigns. Reduce risk of cybercriminals being mistaken for trusted parties. Detect and eliminate malicious attachments. Scan URLs in when received, and again when clicked. Scan web traffic for malware when phishing leads the user on a multiclick journey to infection. Stop exfiltration in the event of a breach or user input. Educate users on best practices in detecting and acting upon suspicious s. Key Technologies Secure gateway with sender IP, URL, file, and network reputations, antivirus (AV), and real-time block lists. Secure gateway with identity verification including Sender Policy Framework (SPF), Domain Keys Identified Mail (DKIM), Domain-Based Message Authentication, Reporting, and Conformance (DMARC). Secure gateway combined with advanced malware protection for file reputation, AV, content emulation, sandboxing, and static code analysis. Secure gateway with URL reputation, AV, content emulation, sandboxing, and static code analysis. Secure web gateway combined with advanced malware protection for URL reputation, AV, content emulation, sandboxing, and static code analysis. Data loss prevention for endpoints, traffic, and web traffic. Follow this link for a list of recommended tips for end users. Interested in assessing the phishing detection capability of your own organization? Run the McAfee Phishing Quiz internally at no cost. Follow these simple steps: 1. Add a unique identifier of your choice (red) to a. b. Test this URL in your browser to ensure it displays the quiz start page. 2. Send this URL to your employees, instructing them to take the quiz. 3. When employees have completed the quiz, contact phishingquiz@mcafee.com for your results. For more information, visit McAfee. Part of Intel Security Mission College Boulevard Santa Clara, CA Intel and the Intel logo are registered trademarks of the Intel Corporation in the US and/or other countries. McAfee and the McAfee logo are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others. The product plans, specifications and descriptions herein are provided for information only and subject to change without notice, and are provided without warranty of any kind, express or implied. Copyright 2015 McAfee, Inc rpt_phishing-quiz-retrospective_0615