Phishing Dark Waters. Fincher Michele

Title: Phishing Dark Waters
Author: Fincher Michele
Genre: Foreign educational literature
Series:
Publisher: Foreign educational literature
Year of publication: 0
ISBN 9781118958483

Amazon.com account was going to be blocked. This e-mail happened to coincide with preparations for our annual contest at DEF CON. Now, there's never a time that Chris isn't busy, but the month or so prior to DEF CON is basically all nine circles of Dante's Hell at the same time, in his office. I don't know what he actually thought or said at the time he received the fake Amazon.com e-mail, but you probably know where this story is going. Figure 1.2 shows the very e-mail he received.

Figure 1.2 The infamous Amazon.com phishing e-mail

If you read this e-mail closely, you will notice that the language isn't quite up to par, and there are anomalies, such as random capitalization. These characteristics are common hallmarks of phish, as many senders aren't native English speakers. The key here is that the quality of the e-mail is more than good enough to pass a quick inspection by a recipient with his hair on fire.

Chris clicked the link and ended up on what looked like the Amazon.com website, as shown in Figure 1.3. Even a close visual inspection wouldn't have revealed it as fake because the site had been cloned.

Figure 1.3 Fake Amazon.com website

At this point, Chris's years of training kicked in. He looked at the website URL (address) and realized it wasn't legitimate. If he had entered his login credentials as he was asked to, his account containing his PII and his credit card information would have been hijacked. This almost worked because the website itself was an exact duplicate of the real thing, and the e-mail came at a time when Chris was busy, tired, and distracted – all things that can prevent critical thinking. (We'll talk more about this in Chapter 4.) The bottom line here is that website cloning is a very convincing way of getting people to believe the phish is real.
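As an added illustration that is not from the book, here is the check Chris made by eye, written as a small Python routine: it decides whether a link's host really belongs to the expected domain (the address bar, not the link text), and scans a constructed e-mail body for anchors whose destination does not. Every domain in the sample other than amazon.com is constructed, and the function names are my own.

```python
import re
from urllib.parse import urlparse

# Matches <a ... href="...">text</a> in an HTML e-mail body (simple, case-insensitive).
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def host_belongs_to(url: str, legit_domain: str) -> bool:
    """True only if the URL's host is legit_domain itself or a subdomain of it.

    A host such as 'amazon.com.account-check.example' (constructed) starts with
    the brand name but ends in a different registrable domain, so it fails;
    'amazon.com@...' is user-info, which urlparse drops from .hostname.
    """
    parsed = urlparse(url.strip())
    if parsed.scheme not in ("http", "https"):
        return False
    host = (parsed.hostname or "").lower().rstrip(".")
    legit = legit_domain.lower().lstrip(".")
    return host == legit or host.endswith("." + legit)


def flag_links(html_body: str, legit_domain: str):
    """Return (href, visible text, belongs) for each anchor in the body.

    A False third field marks a link whose destination is not on the brand's
    domain, whatever the anchor text claims.
    """
    results = []
    for href, text in ANCHOR_RE.findall(html_body):
        visible = re.sub(r"<[^>]+>", "", text).strip()
        results.append((href, visible, host_belongs_to(href, legit_domain)))
    return results


# Constructed sample body (not the e-mail shown in Figure 1.2): the first
# link's host merely starts with the brand name, the second is genuine.
SAMPLE_BODY = """
<p>Your Amazon.com account will be blocked unless you confirm it.</p>
<a href="https://www.amazon.com.account-check.example/signin">Sign in to Amazon.com</a>
<a href="https://www.amazon.com/gp/help/customer/display.html">Help</a>
"""

if __name__ == "__main__":
    for href, text, ok in flag_links(SAMPLE_BODY, "amazon.com"):
        print(("OK      " if ok else "SUSPECT ") + f"{text!r} -> {href}")
```

The same host comparison applies to the address bar of the cloned site in Figure 1.3: a pixel-perfect copy still has to live on a host that is not amazon.com.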

One final trick that scammers use is to follow up phishing e-mails with a phone call. This is also known as vishing (for voice phishing) or phone phishing. Vishing has many malicious goals, ranging from adding truthfulness and credibility to an e-mail all the way to directly requesting confidential information. This technique emphasizes the idea that you should be closely protecting your PII. I grew up in an era in which people regularly had their Social Security and telephone numbers printed on their checks, right under their addresses, which basically announced, “Please steal my identity, Mr. Criminal!” Imagine how convincing it would be if you received an e-mail directly followed by a phone call from “your bank” that urged you to click the link, go to a website, and update your account information.

A real example occurred recently at the corporate level. It was dubbed “Francophoning” because the targets were primarily companies based in France.8 The attack was well planned and executed. An administrative assistant received an e-mail regarding an invoice, which was followed by a phone call from someone claiming to be a vice president within the company. He asked the assistant to process the invoice immediately. She clicked the e-mail link, which led to a file that loaded malware. This malware enabled attackers to take over her computer and steal information. This example is interesting because so many factors are in play – for example, the use of authority and gender differences in compliance – but the main point here is that any story becomes more convincing if you hear it from more than one source.

Examples

I'm not sure about you, but both Chris and I learn best by example. This section covers some high-profile compromises that started with phish and some of the most prevalently used phish on the market today. We also discuss why they work so well.

First of all, this section would be incomplete if we didn't mention the Anti-Phishing Working Group (APWG, www.apwg.org). We could fill pages about how amazing these folks are, but the thing to know is that the APWG is a global coalition of security enthusiasts who study, define, and report on how phishing is working around the world.

According to the APWG's report dated August 2014, phishing numbers continue to be staggering. In the second quarter of calendar year 2014, there were 128,378 unique phishing sites reported and 171,801 unique e-mail reports received by APWG from consumers.9 This was the second-highest number of phishing sites detected in one quarter since the APWG started tracking these statistics. Payment services and the financial industry were the most targeted sectors, accounting for 60 percent of the total, but within that, there was also a new trend in which online payment and crypto-currency users were targeted at an increased rate.

Now that you've seen the bird's-eye view of the numbers, it's time to examine some specifics.

High-Profile Breaches

The Target Corporation breach is probably one of the highest-profile breaches to date. It has affected close to 110 million consumers – an estimated 40 million credit cards and 70 million people with stolen PII; with those numbers, you might have been one of them.10 The interesting thing about this story, however, is that it appears as though the attack wasn't specifically aimed at Target.11 This is a prime example of attack escalation. Target became a victim of opportunity after the real breach. The initial victim in this case was an HVAC vendor for Target that had network credentials. A person at the HVAC company received a phishing e-mail and clicked a link that loaded malware, which in turn stole login credentials from the contractor. The contractor network had connections to the Target network for things such as billing and contract submission. Not all of the attack details are known, but after attackers had access to snoop around, they eventually found entry into Target's corporate servers and compromised the payment system.

Although the final hit to consumers is still to be determined, the Target breach has already cost more than $200M for financial institutions to reissue compromised credit cards – and that's before taking into account any charges for fraud, which consumers aren't liable for. All in all, this was a dramatic and expensive lesson in the dangers of phishing.

Another notable breach that you may not even remember involved RSA. At this point, any mention of RSA probably relates to the encryption controversy it experienced in connection with the National Security Agency starting in late 2013. That story was so big that it practically overshadows the corporate breach the company experienced in 2011.12 Unlike the opportunistic Target attack, this one appears to have been a very deliberate action taken against RSA employees. It was apparently the result of a malicious Excel spreadsheet attachment to an e-mail sent to low-level RSA users (see Figure 1.4).

Figure 1.4 RSA phish

RSA's spam filters reportedly caught the e-mails, sending them to users' Junk folders. The interesting point here is that humans overrode technical controls that worked the way they should have. At least one recipient opened the e-mail and clicked the attachment. This gave attackers entry into the internal network and enabled them to eventually steal information related to some of RSA's products. It was reported that in the quarter that followed the breach, parent company EMC spent $66M on cleanup costs, such as transaction monitoring and encryption token replacements.

One more product-based company breach worth noting involved Coca-Cola in 2009.13 This case originated as a very targeted spear phish directed at Coca-Cola executives with the subject line “Save power is save money! (from CEO).” The e-mail subject line is pretty bad, to be sure, but consider a couple of things: First, the e-mail

10. Michael Riley, “Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It,” March 13, 2014, http://www.businessweek.com/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data#p1.

11. Brian Krebs, “Email Attack on Vendor Set Up Breach at Target,” February 12, 2014, http://krebsonsecurity.com/2014/02/email-attack-on-vendor-set-up-breach-at-target/.

12. Aviva Litan, “RSA SecurID Attack Details Unveiled – Lessons Learned,” April 1, 2011, http://blogs.gartner.com/avivah-litan/2011/04/01/rsa-securid-attack-details-unveiled-they-should-have-known-better/.