January 08, 2018 by nwilliams
A few weeks ago, I received a strange pop-up notification on my iPhone. “Update Your Payment Information,” it requested. And it wouldn’t go away. Eventually, I followed the notification into Settings, where the error message persisted. It appeared that Apple needed new credit card information for an expired card...and it wanted me to hand it over. Covering all my bases, I called my tech-guru dad to ask his advice. Was this legit? As it turns out, one of the credit cards for our shared iTunes account had, in fact, expired, prompting the pop-up. But any request for financial data, no matter how trusted a source it comes from, should be taken with a grain of salt. After all—if cyber events this year have taught us anything, it’s that nothing is so innocent or so seemingly legitimate that it cannot be a phishing scam. Welcome to 2017, folks.
So the Apple notification was legit. But it could easily have been a massive scam to get me to give up my financial information to a bot disguised as a trusted provider. Such are the murky waters we’ve been navigating of late, as new information security disasters have popped up around every turn. Think I’m being overdramatic? I wish I was. But the good news is that, as we enter this new year, we have the perfect opportunity to notice our mistakes and learn from them. What went wrong last year, and how can we ensure that 2018 proceeds differently?
As you’re likely already aware, phishing was a massive problem in 2017. While phishing scams have always lurked behind spam emails and sketchy pop-up ads, recent years have seen them become more and more ubiquitous and mainstream. And they’re finding ever-advancing ways of exploiting trusted companies in order to reach their targets. In May, hackers used real Google Docs invitations-to-edit in order to get victims to grant permission to their account details. Rather than spoofing the Google brand, they actually worked from within, sending out actual invitations but then taking those who clicked to scammy third-party applications. From there, the scammers used the permissions they stole under false pretenses to spam everyone in that user’s contact list, spreading their mayhem and compromising the data of over a million Google users. Something similar happened with Netflix just a few months later: hackers took over the site’s branding, sent emails telling users that they needed to update payment information, then took users to a fake site where they could pilfer any credentials that those users were unlucky enough to give up. And while Netflix didn’t act within the system like Google did, the sophistication of the emails they deployed is a testament to the grand heights phishing technology is headed. Perhaps now you understand my pause when that notification popped up on my phone.
What really sets these hacks apart—and defines the landscape of phishing threats last year in general—is their realism and sophistication. By now, most computer users who are even remotely savvy can recognize ye olde run-of-the-mill phishing email, with its poor grammar, off-looking branding and sketchy “from” email addresses. But these hacks possessed few if any of those tells. The Netflix phish perfectly mastered the look and feel of a real email from the sites they were spoofing, which can only have drastically impacted their success. And the one from Google Docs? Thanks to its cunning maneuvering from inside, that one had no real technical tip-off at all.
If this sophistication defined phishing in 2017, how much more complicated will things get in the coming year? Well, phishing scams will undoubtedly continue to look better and strike us as more legitimate, as hackers continue to experiment and discover what works and what doesn’t. My suspicion is also that we’ll see a rise in phishing attacks that manipulate actual sites in order to do their work. We already watched as this happened with Google, as well as with the trojan malware that manipulated bank email systems in order to distribute itself, and I suspect that that method will become the norm. Hackers no longer have to resort to fake emails—why would they, when they can hack the system and send legitimate ones? This creates additional difficulties for prevention, as these emails bear an unprecedented mark of legitimacy—they actually come from who they claim to come from. Security experts also suspect that attacks on mobile devices will increase this year. Because we spend so much time on our phones, carrying out a wide variety of sometimes private activities, this seems like a realistic prediction. What’s more, we tend to be even more rushed and careless when messing around on our phones, which doesn’t bode well for click rates. But whatever 2018 brings, one thing is clear: hacks in general, with phishes leading the parade, will continue to get bigger and better...that is, until we step up to take them on.
Every time a breach occurs, security experts decry the woeful state of threat prevention, but that gnashing of teeth rarely takes any sort of actual hold. I’ve asked myself more than once what it will take for organizations to realize what’s at stake, and that protecting it is—are you ready?—worth it. In fact, it’s not only worth it, it’s even relatively simple. When it comes to phishing, there is one major variable at play—us. Humans. The individuals who may or may not become accidentally responsible for the theft of not only their data but the data of millions of others. And how do you prevent humans from making dumb, dangerous mistakes? As it turns out, we figured this out a long time ago: you teach them. You figure out the best way to reach and appeal to and truly affect your audience, and then you teach them. In-depth security awareness training is the piece of the puzzle still missing from even the most high-tech security programs. And it’s far and away the most crucial. If I can venture an outlandish supposition, it might just be what could save us in 2018.
As scams continue to get more frequent and more sophisticated, the only user populace that will be able to stand up to and combat them is an educated one. When phishing emails were few and far between and looked like they were written by a monkey, your average computer user might have been able to spot and avoid them. But now? They are too many and too good for us to slide by on a wing and a prayer. What we need now is in-depth phishing awareness training programs that not only teach users what to look for in a phishing email, but actually simulate real phishing emails in order to test their knowledge in the real world. These kinds of tools are gaining momentum across the marketplace, but in order to make a real dent in phishing rates, we have t0 actually utilize them. And beyond that, we need to work hard at cultivating a culture where phishing—and the training that will mitigate it—is taken seriously.
Even if phishing scams make great advances in 2018, even if every single one masterfully spoofs a legitimate, trusted website in order to hack every device we hold dear, they will never, ever be airtight. There will always be ways of attenuating risk and protecting ourselves and our information from hackers. But we need to equip ourselves with the tools and information necessary to do that. Sure—advances in hacking engineering could define 2018. Or, we could take matters into our own hands, and turn 2018 into the year that breach rates go down, that fewer phishing emails get clicked on, that fewer organizations and individuals suffer devastating losses at the hand of an infected link. It’s time to put 2017 behind us and make a new start.Read More...