2016 in Review: The year Phishing went mainstream

Crowd. Large crowd of people stay on a line on the white background.

By 

A decade from now, people may very well look back on 2016 as the year phishing became a mainstream concern. That’s because, in just the past 12 months, millions of high profile organizations, spanning all industries and sizes, and the people they employ, became targets of cyber attack. Of said cyber attacks, 95 percent or more originated with phishing.

From industry to industry and country to country, the phishing epidemic has become so widespread that it recently prompted the U.S. Secretary of Homeland Security Jeh Johnson to proclaim phishing a primary threat to national security:

“The most devastating attacks by the most sophisticated attackers almost always begin with the simple act of spear-phishing.” 

To quantify the phishing problem, Webroot’s Quarterly Threat Trends report detected an astounding 400,000-phishing sites per month in 2016. Furthermore, the Anti-Phishing Working Group concluded that email phishing attacks reached an “all-time high” in Q2. We anticipate this number to grow, as Q3 and Q4 statistics become available.

The State of Phishing

While the number one delivery vehicle for phishing continues to be email, attacks using social media and SMS messaging increased in 2016. For example, now prevalent on both Facebook and Twitter, Angler Phishing is a new attack in which “crooks impersonate the social media teams of banks and retailers in order to trick consumers into disclosing sensitive personal information,” according to Fortune. In addition, text scams, according to a report in the Independent, are “being used as a way of duping people into giving up their online accounts, and out of their identities and their money.” No matter the delivery medium, recipients open 30 percent of phishing campaigns, despite companies spending millions of dollars on employee awareness training.

Though the motivations for conducting a phishing campaign can vary, the overwhelming incentive is financial gain. According to the FBI, “spear-phishers have netted some $2.3 billion since 2013 in a variety of semi-sophisticated, global email frauds.” This appetite for fortune has paved the way for ransomware, a type of malware that is now found in more than 90 percent of phishing. For cyber criminals, ransomware creates an ethical decision for the organizations and/or individuals under attack – pay up or risk exposure, damage or destruction of important assets – both physical and digital.

Believe it or not, Phishing-as-Service (PhaaS) emerged on the dark web in 2016. According to researches, hackers of any skill can purchase these on-demand phishing ‘kits,’ which can include, according to ZDNet, “databases of emails, templates of phishing scams, and a backend database to store stolen credentials.” But hackers don’t even need to wander into the depths of the Dark Web to purchase phishing tools. Instead, they can simply hop over to YouTube to buy attacks on the world’s most popular video website (although a secret backdoor made them vulnerable to malware, as well).

The Top Phishing Attacks of 2016

Not a single day went by in 2016 without some news of a hack initiated by phishing. From retail and healthcare to financial services, governments and even critical infrastructure, no company or industry was safe. Despite the ubiquity of phishing, several attacks stood out in notoriety and damages in 2016, including:

  • Snapchat The social media company was hit with a spear-phishing campaign in which employees were sent an email that appeared to be from the company’s CEO. As a result, important payroll information of current and ex-employees was eventually leaked.
  • Democratic National Committee (DNC) – Earlier this year, we wrote about how John Podesta, the campaign chair for Hillary Clinton, had his personal Gmail account breached. Although the phishing wasn’t too stealthy, it was enough to fool the DNC. Hackers eventually released internal communications of the Democratic Party and the campaign, which many believe might have helped to sway the election.
  • Seagate Technology– The data storage company was the first of 41 organizations (Q1) to fall victim to a phishing campaign that led to the exposure of W2 tax documents. Using a Business Email Compromise (BEC) correspondence, hackers penetrated the network and leaked highly sensitive information on current and former employees.
  • Sony PlayStation – Gamers across the globe have recently suffered from account takeover, or hackers hijacking accounts and denying players’ ability to sign into their games. In addition, some have had their virtual items and currency stolen. The hack originated with a sophisticated phishing campaign in which players inadvertently shared account information, thinking that Sony sent the emails.
  • North Korea – Earlier in the year, the South Korean government confirmed that North Korea had compromised thousands of government officials’ email accounts. While complete details of the damages were not revealed, it was confirmed that the attack originated via phishing attacks sent to 60 unwitting government officials. 

Ransomware Gets Worse in 2017  

Following great success and monetization from ransomware attacks in 2016, we expect to see a new generation of sophisticated ransomware with demands of more than $1M for a single attack in 2017. In total, we predict damages will easily surpass US $1 billion. In our labs, we’re already seeing how ransomware is evolving and becoming much more evasive and destructive. Take for example the new innovative ‘backup wiper’ ransomware, which can delete backup files to ensure data restores become unavailable, increasing the chances that the attack is successful.

Furthermore, ransomware attacks are now adopting the good old tactic of computer worms, which internally propagate inside a network.  Once access is gained, worms search for multiple hosts to infect and in doing so, seek access to sensitive data.

Ransomware on IoT devices is yet another new vector we expect to see grow in 2017. In fact, we believe the use of IoT devices for DDoS attacks is just the starting point for what cybercriminals will explore in the next year. Essentially, we will see hackers exploit low hanging IoT devices for monetization. Simply imagine someone stealing a sensitive video capture and threatening to publish it online. Attacks on smart TVs or even cars are possible, too.

We will also see the rise of “doxing”, the notorious shaming technique that threatens to publicly expose sensitive information, like browsing history or personal pictures, in exchange for money. This specific tactic is immune to any backup process one might have in place. Unfortunately, the ransomware-as-a-service business will grow bigger to support all kind of attack vectors, making it easy for even non-tech savvy criminals to monetize using readily available techniques.

Stop Phishing with IRONSCALES

Recognizing the looming threats in the New Year, we’ve created a solution to protect organizations from ever-evolving email phishing attacks. IRONSCALES enables organizations to reduce risk from phishing attacks, including those that contain ransomware. Our employee-based intrusion prevention system, IronTraps, provides users with an automatic one-click response as well as real-time inbox scanning. This unique functionality makes it possible for users to expedite the time from phishing attack to remediation from weeks to seconds, without ever needing the SOC team’s involvement. Our newest product, Federation, automatically and anonymously shares phishing attack intelligence with enterprises and organizations worldwide, enabling them to proactively defend their network gateways and endpoints from increasingly frequent and sophisticated phishing attacks.

(This post has been reproduced from Ironscales blog). 

Be the first to comment

Leave a Reply