Shield Your Business - Combat Phishing Attacks. A Phishnix White Paper

Transcription

1 A Phishnix White Paper Shield Your Business - Combat Phishing Attacks Aujas Information Risk Services Steven s Creek Blvd, Suite 100, Cupertino, CA Phone: PHISHNX Fax :

2 Table of Content 1. Introduction to Phishing 2. Who are the targets? 3. Latest Phishing Schemes: Spear Phishing and Whaling 4. Phishnix: A Dynamic Solution to Combat Phishing Attacks 5. Phishing Fall and Fail Rates: Why they matter

3 Introduction to Phishing The alarming increase in cybercrime rates and security breaches in recent years stress the importance of tightening network security to protect organizations from such attacks. The rapid adaptation of mobile devices and wireless networks further intensifies the problem by providing a breeding ground for newer and much more organized forms of cybercrime. Highly sophisticated and targeted security attacks have become the norm, and Phishing is one of the most commonly employed techniques to spread malware. Phishing is defined as an attempt by cybercriminals and identity thieves to obtain sensitive information by masquerading as a legitimate and trustworthy source. Also known as carding or spoofing, Phishing is characterized by attempts to acquire confidential information such as passwords or credit card details. Phishing is often initiated with an unsolicited that contains a link to a domain name, which appears to be a legitimate site. Once the recipient clicks the link, he/she is taken to the spoofed website which resembles a genuine website where the visitor gives personal information. Who are the targets? According to the Phishing Activity Trends Report - 2nd Half 2010 published by the Anti-Phishing Working Group (APWG), 80% of phishing attacks target financial institutions and payment services. But, with more and more companies using the Worldwide Web to exchange and process confidential/sensitive information and move money, the scope for cybercriminals has expanded widely. In recent years, gaming, e-commerce and social network sites have become hot targets as they continue to grow in popularity. Most targeted industry in Q for phishing attacks Source: CommTouch Reports

4 Social networking sites are an attractive target to Phishers because of the easy availability of a great amount of vital personal information on such sites. Phishing attacks on social networking websites are becoming increasingly common as attackers leverage this information for their own advantage. Phishers use this information to draft customized s seeking possible sensitive information about individuals or organizations. Such s may also contain a link that will install Trojan / malware on the end user system. The topic of the is also usually designed to attract as much interest as possible. Some examples are: See who has viewed your profile Free Facebook Credits Osama Bin Laden Dead Actual Video Latest Phishing Schemes: Spear Phishing and Whaling As with advancements in any other sphere, cybercrime has also become more organized and refined. While phishing s are generally indiscriminate, victimizing recipients randomly, attackers are now making more targeted phishing attacks aiming at specific groups or individuals. Spear Phishing is one such form of phishing in which employees of a certain organization or members of a specific group are targeted. s are customized based on information publicly available on social networking sites, and these s direct the recipient to a fraudulent site or fake login page from where sensitive information is extracted. Whaling is another form of targeted phishing which is aimed at top corporate executives, affluent individuals, characterized as the big phish. Just like Spear Phishing, Whaling also involves sending s customized to the specific recipient. Phishnix: A Dynamic Solution to Combat Phishing Attacks Tackling phishing attacks can be immensely challenging as phishing s are usually very convincing, and it is hard to distinguish them from genuine s. Risk management and control mechanisms against such social engineering attacks need to be dynamic in order to keep up with evolving security risks. The security industry has used the concept of build, test and fix since inception. A lot of time and money is spent in identifying vulnerabilities in technologies and processes. The idea is that the flaws

5 would be found and fixed. However, there aren t too many ways to test people, which is why people (users) have been called the weakest link in security. While upgrading to advanced security solutions is crucial, educating people about phishing is also equally important. The most effective people control against phishing is user education. Users are educated on the risks of phishing, how it happens, how to identify phishing attempts etc. But more often than not, these tend to be generic training. Such training is not as effective as those tailored specifically to the user s behavior pattern. This is where Phishnix makes a difference. Phishnix is a phishing diagnostic solution that helps organizations in protecting their most valuable assets -- their employees, from becoming phishing victims. It assists organizations in evaluating the readiness of employees against phishing and social engineering attacks. It proactively educates users and helps them identify phishing attacks so they can avoid becoming phish baits in the future. It simulates a phishing attack and captures user's potential reaction to a real attack. It further leverages the teaching moment created based on the user's response, and generates an action plan that can be implemented to avoid future pitfalls. Phishnix is used by several organizations to capture and analyze user behavior against phishing attacks. It focuses on the Fall rate and Fail rate based on actual employee behavior and helps organizations in developing specific control measures to address potential problem areas. Phishing Fall and Fail Rates: Why they matter In a typical phishing attack, the target is enticed to read an , visit a website and reveal information. A common misconception is that the attack is successful only if the target reveals information. But, this is not true. An attacker essentially looks for information to plan the next move, which he can get based on user actions, even when there are no major revelations of private data. For instance, just by the mere act of visiting the malicious website, the target reveals information that could be used for fingerprinting and understanding the kind of information that attracts targets. The Fall Rate is defined as the percentage of users (targets) who fall for the attack and visit the fake website. The Fail Rate is defined as the percentage of users (targets) who fail in the attack, visit the fake website and reveal sensitive information. Following is an example of statistics of Fall and Fail rates analyzed using Phishnix:

6 The two ends of the spectrum- Best and Worst- are results for specific tests, whereas the Average is computed across all tests. All percentages are computed based on total target users in the test. Average fall rate of 61% would be startlingly high considering that a certain percentage of users have taken no action at all. Mostly, this inactivity on the user s part is not because they have spotted an attack. It is more likely that they have an back log or may not have had the time to see the yet. As mentioned earlier, visiting a malicious website itself provides attackers enough knowledge to plan their next move. Average fail rate of 21% would be a huge concern as these users have revealed sensitive information like passwords. 65% of the users who fell didn t fail, which means that either they realized it was an attack (most likely the case) or just didn t proceed further due to other priorities. This highlights the need for tailored education to users by leveraging the teaching moment created. If users are educated with examples of good and bad behavior based on their own actions, the retention of that knowledge would be far greater than the retention of knowledge gathered from generic trainings. These statistics change as follow-up tests are performed or the parameters of the tests are changed. For instance, the fall and fail rate increase as the services (e.g. social networking) and end devices (e.g. mobiles) change. They also increase if the tests are conducted around specific incidents (e.g. 9/11 memorial or company specific events). Organizations can learn about user behavior and modify their control strategies by fall and fail rate benchmarks. As an example, if the fail rate is high in a specific department or location and it doesn t decrease after education, then technology or process controls would need to be enhanced. So, benchmarking is the first step in analyzing and improving metrics. As you can t improve what you can t measure, tracking Fall and Fail Rates becomes critical for an organization which is interested in introducing positive changes in user behavior. To know more about Phishnix, write to contactus@phishnix.com (or) Call us at PHISHNX