Cybersecurity experts at Microsoft’s Windows Defender SecurityIntelligence Team this week reported their discovery of two newemail-based phishing campaigns. One targets Amex (AmericanExpress) users while the other targets Netflix customers. Bothcampaigns reportedly are very well-crafted, featuring legitimate logosand even fill-in forms that closely mimic those on the respectivecompany’s own websites.
It isn’t clear if these campaigns are being orchestrated by the samegroup, but each was launched last weekend, and each cast a wide net. The Windows Defender Intelligence Team has advised all computer users to be especially vigilant in the coming days and weeks.
Phishing attacks haveincreased not only in sophistication, but also in frequency. Upwards of 20 percent of phishing email recipients were convinced that the messages were legitimate and clicked on the redirecting links, according to Microsoft’s security experts, who noted there was a 250 percent increase in such attacks last year.
Getting Very Personal
The recent attacks both warned of account issues, a common tacticwith phishing scams. Amex customers have been receiving a “NoticeConcerning Their CardMember Account,” which claims that they needto go through a reauthentication process for security reasons. Themessage urges users to download and fill out an attached form. Basedon reports, the form itself doesn’t contain a virus but rather asks forhighly personal information such as mother’s maiden name, birth dates,PIN for the card, and even first elementary school.
The Netflix phishing attack warns users that their “account is onhold because of a problem with their last payment,” and as with thespoofed Amex emails, they feature the actual Netflix logo. A link directs users to a “Billing Information” form that requests fullcredit card numbers including PIN, as well as Social Security numbersand other personal details.
What is notable about these respective emails and forms is howconvincing they appear, including correct grammar and spelling –an indication that the criminals responsible took the time to copy edit the content to eliminate the usual telltale typos. About the only notablegiveaway with the Amex email is that it features capital lettersfollowing commas — something that some users might not immediatelyrecognize as a grammatical error.
Casting a Wide Net
Phishing scams tend to be rather low-tech in nature, a fact that hasremained true since they first showed up on Usenet newsgroups nearly25 years ago. Even with constant reminders from companies andsecurity experts not to trust such emails, many people still fall victim to these attacks.
“The average consumer is not trained to think of emails in terms ofthe potential threat they might contain, unless they’ve been similarlycompromised before,” observed Colin Little, senior threat analyst atCentripetal Networks.
“We see Microsoft is demonstrating that they are continually trying todevelop ways to stop these threats,” he told TechNewsWorld.
Also worth noting is not only the scale of the attacks, but “also the contextof the attack — taking place during an overall increase in the phishingthreat landscape,” said Little.
“We continue to see these types of attacks because they’re effective,”observed Francis Dinha, CEO of OpenVPN.
“Plus, these attacks target humans over tech. That is, a hackerdoesn’t have to be a tech wizard to carry it out — they just need to beable to trick the reader into clicking on a link or filling out aform,” he told TechNewsWorld.
“It takes very little tech expertise to do that, because it’s more of apersonal con than a technical assault,” Dinha explained. “People havebeen trying to trick each other out of resources since humanity began;we just have modern tools to do so more effectively now.”
Beyond Amex and Netflix
At present, it isn’t clear if this attack was sent only to actual”known” customers of Amex and Netflix or if a much widernet was cast.
“Potentially, we’ll never know for sure, but that would tell us whetherthe attackers are using information from some prior breach to focusthe effort,” noted Jim Purtilo, associate professor in thecomputer science department at the University of Maryland.
“Sending a fake Netflix notice of account suspension to people whoaren’t Netflix customers is probably not very productive,” he told TechNewsWorld.
“On the other hand, so many people are Netflix customers that anattacker has statistics on his or her side, and a random mail blast to azillion collected names will score hits,” Purtilo added.
The attackers also have economics on their side.
“Sending a malicious mail blast is basically free for them,” said Purtilo. “Phishing is a low-overhead business that profits with the very firsthapless user to respond. If the volume of phishingattempts has gone up in the last year, then that tells us it is alsomostly free of legal costs. Officials just aren’t keeping up.”
Cutting the Net
The best defense against phishing attacks is awareness, but this isalso one of those rare situations where literally doing nothing is thebest course. Don’t open the email, don’t respond — just ignore it.
“Education has to be the No. 1 strategy for users across theboard,” said OpenVPN’s Dinha.
“Consumers need to educate themselves, and companies need to educatetheir workforce and stakeholders,” he suggested.
All too often these attacks work because users haven’t thought toquestion what they’re reading, but education on cybersecurity risksteaches us to stop and question, said Dinha.
“If you’ve never heard of someone experiencing the consequences of aphishing attack, then you might assume it’s less likely to happen toyou or not that dangerous,” he suggested. “But the more educated you areon what exactly can happen and how, then the more likely you are to beon alert for attacks like this. This education has to go beyond theobligatory warning to consumers — it has to be an in-depthexplanation of and understanding around the cybersecurity risks we’re facing.”
Phishing scams are effective for the criminal groupsbecause, unlike other attacks, they don’t require verysophisticated skills. Apart from crafting an official-looking emailand spoofed website, no other technical expertise is required.
In fact, it probably isn’t apt to describe the perpetrators as”cybercriminals” or “hackers,” as they are more like con artists. The phishingscams work because people are fooled into supplying information,not because someone broke into a system. This is why these attacks areunlikely to go away. Even if most people delete the email from a phishing campaign, a few individuals will believe it.
“Unfortunately, we will continue to see these types of phishingattacks on consumers as long as they continue to fall for them,” saidJo O’Reilly, cybersecurity advocate at BestVPN.com.
“These types of attack are a numbers game, even if only a handful ofthose targeted respond, then the hackers have still seen their effortspay off,” she told TechNewsWorld.
“The best way for consumers to protect themselves from phishing is toensure they never enter personal or financial details via a linkcontained within an email, even an official-looking one,” O’Reillyadded.
“Instead, they should always open a new browser window in order tosign into any online account, whether it is Netflix, Amex or any otherservice, before inputting their password or any other personalinformation,” she advised.
The good news is that security experts are closely monitoringthe situation and bringing greater awareness to phishing efforts.
“This latest story shows us that Microsoft’s cloud protections areattempting to do more and more to proactively protect the accounts oftheir users from receiving these phishing emails,” said CentripetalNetworks’ Little. “However, it is in the nature of cybersecurity thatthe more innovative we are at detecting threats, the more innovativeand evasive the bad guys will be — I liken it to the Tom and Jerrycartoons.”