Phishing, Vishing & SMiShing, Oh My!

 

I think I was in a hit and run. As I looked up from the road, I saw the license plate, and it said, “2015.” Ok, maybe I wasn’t actually run over, but 2015 did feel like a hit and run of sorts. This year just started, right? How is it over already?

Well, as 2016 starts, it is important to take a quick look back at 2015 and see what we can learn and what we need to do moving forward. We have been compiling news stories throughout the year, and here are a few that highlight what, I feel, 2015 was all about. Are you ready? Got your helmet on?

If it Quacks Like a Duck, it Must be…..

Impersonation used to be very rarely used because of its very “personal” nature and the amount of effort involved. This year, though, came one story after another of people impersonating police officers, doctors, fellow employees, and more. For example, one man impersonated an armored truck driver. How did he pull it off? A vest, ball cap, and pants that all matched that of an armored truck driver. He then walked into a local Walmart, signed for the bags of cash, and walked out with an amazing $75,000 in cash. Yes, there were some grainy shots caught on camera, but it was very hard to see his face in those pictures.

What is the lesson? We want to trust that others are who they say they are. This doesn’t mean employees who were fooled by impersonation attacks were “stupid,” but rather that there need to be better policies in place for double checking the identity of people taking your money. More than just the outfit.

A Phish is Not a Phish if it’s a SMiSh

What can fit into your pocket, take selfies at an alarming rate, and own your whole corporate network? If you guessed your phone or tablet, you win the door prize. That little social media box that so many are connected to 24/7 has been used for an alarming increase in 2015 for the attack called SMiShing, or SMS phishing.

The IC3 and the FBI report the alarming increase in the way cell phones are being used to phish. Once a phone or mobile device is compromised and malware is loaded on it, passwords can be scraped, contact lists can be harvested, and if that device connects to your beautiful BYOD network … anyone else hearing the death bells tolling in the background? What is the lesson?

Yes, BYOD can save your company money — but before you just jump on that bandwagon, really think about what you allow your people to access over their devices and if they are allowed to connect that device to your network. Think of it this way: You wanted to eat your yogurt for lunch, and you asked me for a spoon. If I dug inside my backpack, pulling out used tissues and other sundry items, to present you with a spoon, would you just dig in? Or, would you take the proper measures to make sure it was sanitized first? Ask yourself, if you would take that much precaution with a spoon, shouldn’t we take as much and more effort to keep our network clean?

Even Oxford Agrees….

We did see the word vishing end up in the Oxford dictionary, and while I was doing a happy dance, my somewhat awkward dancing was stopped when I realized it was in the dictionary: because it became so prevalent it warranted the word to be used by more than just us in the security community.

Then, I saw a terrible story of this poor woman who was duped out of 370,000HK with a simple vishing call stating a package that she was receiving broke local laws and to receive it she had to pay a fine. After she entered her banking details on a website, she lost almost $47,000 USD — more than some people make in a year! That same article states that in 2015, Hong Kongers alone were taken for $34,825,677USD in vishing scams alone. That is a staggering number.

In April of this past year, IBM uncovered Dyre Wolf, which has already taken U.S. companies for more than $1 million USD. We are only going to see this getting worse and worse. There is even a sadder side to vishing, like the case of a poor elderly man who was duped out of his life savings by vishers and eventually committed suicide because he had nothing left. What is the lesson? The phone has been a device used by attackers for years. With the ease of spoofing, SIP lines, and Internet call back numbers, scams using the phone are on the rise. More vigilance and realistic testing and policies are needed now!

Teach a Man to Phish, and He Can Eat for a Lifetime

No review of social engineering would be complete without adding phishing to the mix.Let me just set the pace here with some stats from the 2015 Verizon DBIR report:

  • More than 2/3 of all espionage cases involved phishing attack

  • 23% of recipients now open phishing messages, and 11% click on attachments

  • It takes only 82 seconds on average for hackers to get their first victim in a phishing campaign

Scared yet? I am. This year, we saw such horror stories as Anthem, Sony, and OPM. If anyone doubts the danger of phishing, they are living a life free of the Internet … and I envy them.

What is the lesson? Phishing is a threat to everyone who has an email address, and we have to get away from thinking “only stupid users click on phish”. Phishing emails can hit any person, and if they hit the right emotional trigger, ANYONE can click. Yes, even a guy who wrote a book on phishing and sent 3.5 million phishing emails in one year. I won’t say any names, but I know him … very well.

2016 Has to Get Better, Right?

As we see financial crises across the globe, we see an increase in cyber-based crimes. And the human element is still the easiest to attack. That equation means that we will see an increase in social engineering attacks, not a decrease.

I really hate being all doom and gloom, I really do. I don’t want to say it is hopeless. Let me end with some positives, then. This last year also saw a massive spike in the number of companies actively doing phishing and vishing training. We also saw a large upturn in the number of companies realizing the need for social engineering services and training.

There is hope then! But what can you do about it? First and foremost, stay educated in 2016. Learn what types of social engineering attacks are out there. Learn about the techniques and the methods so you can prepare a defense.

Educate your parents, aunts, uncles, and, seriously, your grandparents. They are such big targets. Get the kids involved, and make security a part of your life and your culture. Will it make you hacker-proof? No. But it will definitely not leave you the low hanging fruit.

Written by Chris “loganWHD” Hadnagy

Sources:
https://abc13.com/news/man-poses-as-armored-car-employee-robs-walmart/831016/
https://www.creditcards.com/credit-card-news/top-10-phone-scams-1282.php
https://en.oxforddictionaries.com/definition/us/vishing
https://www.scmp.com/news/hong-kong/law-crime/article/1888293/hongkonger-conned-out-hk360000-yet-another-phone-scam
https://www.recode.net/2015/4/2/11561102/ibm-uncovers-new-sophisticated-bank-transfer-cyber-scam
https://www.cnn.com/2015/10/07/us/jamaica-lottery-scam-suicide/
https://enterprise.verizon.com/resources/reports/dbir/
https://www.democratandchronicle.com/story/news/2015/11/08/phishing-used-hackers-excellus-data-breach/75413014/?from=global&sessionKey=&autologin=
https://www.politico.com/story/2015/04/sony-hackers-fake-emails-117200
https://www.zdnet.com/article/phishing-e-mail-temporarily-stops-opm-hack-remediation-efforts/