Posted by C Henry on Wed, Nov 23rd, 2016
Phishing has become a prominent sport in Canada – cybercriminals have turned their sights on organizations based in Canada in order to obtain sensitive data and profit from malicious attacks. Phishing is the preferred method for attackers, who send personalized messages to users while disguising themselves as a legitimate party or website. This form of social engineering has a high success rate: attackers are often able to gain entry into users' systems and networks quickly, and thus deploy their malware just as quickly.
Prominent attacks include the phishing attack on Rogers Communications, as well as the large number of phishing and extortion attempts that followed the Ashley Madison breach in November of 2015. Additionally, in January of this year the Canadian government issued a statement regarding the high number of attacks targeted at government agencies – most of them phishing attempts by state-sponsored hackers. With phishing being so prevalent, why don't more users know about it? Oftentimes, organizations lack the security training and awareness programs that would educate users on the risks of social media, spoofed emails, etc. While it is not always easy to spot a phishing attempt, knowing the common phishing attack mechanisms helps users stay alert, and thus drastically lowers the number of successful phishing attacks.
The most prominent attack methods include:
1) Social Media
Especially in the past two years, there has been a large focus on hacking or replicating the Facebook accounts of friends and family members. Cybercriminals find this route easy, as all they have to do is either guess a password correctly or create a convincing fake account impersonating a user. Once they control the real or fake account, they often message that user's Facebook friends and family members requesting money or personal information. Additionally, it is not uncommon for hackers to try the credentials captured for Facebook against other social media and email accounts, which lets them build an even more convincing story.
2) Spam e-mails
There are numerous types of phishing attacks that leverage spam, i.e. emailing users in an attempt to convince them to perform various tasks. Most commonly, these involve requests for money transfers. While it may seem obvious, many users have fallen for phishing attacks that convince them to facilitate the transfer of money while keeping a percentage for themselves. Not only is this illegal, it is highly dangerous, as users are often tricked into providing their banking information to attackers.
Additionally, other spam emails try to convince a user to safeguard money that is to be transferred from another country – often a third-world country in the Middle East or Africa. The attacker will claim to be traveling from said country and will convince the user to let them transfer money into the user's account as a favour. Again, all this does is provide banking information to attackers, who are then able to wire money out of the victim's accounts (instead of transferring money in – what a surprise!).
3) Governmental Agency or Collection Department Emails
It is quite common for cybercriminals to target individuals using scare tactics – such as posing as the Canada Revenue Agency (CRA) and demanding that a specified amount of money be sent immediately in order to avoid criminal prosecution. These attacks look more legitimate when the attackers are able to spoof email addresses, making it appear that the message was sent from a reliable, verified source. How do you avoid falling into this snare? The easiest way to verify the email is to contact the agency/sender directly, through contact forms or telephone numbers listed on their website or other official sources – never through contact details given in the suspicious email itself. Most of these agencies avoid contacting individuals or organizations with requests for money via email – rather, you can expect phone calls and certified mail instead.
4) Account Password Change Requests
Last but not least, another common (and successful!) method of phishing is for an attacker to send spam emails about password change requests. The links lead to spoofed sites, leading the user to believe the password change request comes from a valid source. A successful attack typically results in malware being downloaded to the user's system, but it can also be used to harvest current passwords – for example, by requiring the user to enter their old password before setting the "new" (and fake) one. This has been seen numerous times, especially from hackers posing as large Canadian banking institutions such as RBC, Scotia, and TD Canada.
These attempts to spam and scam can be convincing – especially when the victim is an unsuspecting user with no prior knowledge of these security threats. In the case of phishing, knowledge is power – and organizations are charged with the responsibility of educating users to prevent these attacks from succeeding. Good preventive measures on the corporate side include spam filters and email gateway security appliances, as well as endpoint protection. Alongside preventive tools, educating users on how to spot fake emails (such as checking the sender's domain name and the domain a link actually points to, and verifying that the site presents a valid SSL certificate for that domain) can drastically reduce the number of successful phishing attempts.
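The two checks recommended above (looking at domain names in the sender address and in links, especially for the fake password-change emails described in section 4) can be automated on the defensive side, for example in a mail gateway rule or a helpdesk triage script. The following is an added example written for this post, not code from the original article or from any vendor: it parses a raw email message with Python's standard library, extracts the links from the HTML body, and reports the classic indicators. The brand-to-domain allow-list and both sample messages are constructed assumptions for the demonstration; a real deployment would maintain its own list of the institutions its users deal with.

```python
"""Flag common phishing indicators in a raw e-mail message (added example)."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list: brand keywords that phishers imitate, mapped to the
# registrable domain(s) the real organisation sends from. Example values only;
# an organisation would maintain its own verified list.
KNOWN_BRANDS = {
    "rbc": {"rbc.com"},
    "scotiabank": {"scotiabank.com"},
}


class LinkExtractor(HTMLParser):
    """Collects (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname; a crude approximation that is fine for
    .com/.ca style names used in this example (no public-suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def phishing_indicators(raw_message):
    """Return a list of human-readable warnings for one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    warnings = []

    sender = msg["from"].addresses[0] if msg["from"] and msg["from"].addresses else None
    from_domain = registrable_domain(sender.domain) if sender else ""
    display = sender.display_name.lower() if sender else ""

    # Indicator 1: replies are routed to a different domain than the sender's.
    reply_to = msg["reply-to"]
    if reply_to and reply_to.addresses:
        rt_domain = registrable_domain(reply_to.addresses[0].domain)
        if rt_domain != from_domain:
            warnings.append(f"Reply-To domain {rt_domain} differs from From domain {from_domain}")

    # Indicator 2: display name claims a brand the sending domain does not belong to.
    for brand, domains in KNOWN_BRANDS.items():
        if brand in display and from_domain not in domains:
            warnings.append(f"Display name mentions '{brand}' but sender domain is {from_domain}")

    body = msg.get_body(preferencelist=("html", "plain"))
    parser = LinkExtractor()
    parser.feed(body.get_content() if body else "")

    for href, text in parser.links:
        url = urlparse(href)
        host = url.hostname or ""
        link_domain = registrable_domain(host)
        # Indicator 3: credential forms served over plain HTTP (no certificate at all).
        if url.scheme == "http":
            warnings.append(f"Link {href} uses plain HTTP")
        # Indicator 4: the visible text shows one domain, the href goes to another.
        if "." in text and " " not in text:
            shown = urlparse(text if "://" in text else "//" + text).hostname
            if shown and registrable_domain(shown) != link_domain:
                warnings.append(f"Link text shows {shown} but points to {host}")
        # Indicator 5: a brand name embedded in a hostname the brand does not own.
        for brand, domains in KNOWN_BRANDS.items():
            if brand in host and link_domain not in domains:
                warnings.append(f"Link host {host} imitates '{brand}'")
    return warnings


# Constructed sample of a fake password-change e-mail (not a real message).
SAMPLE_PHISH = """\
From: "RBC Online Banking" <security@rbc-verify-account.example>
Reply-To: support@mail-relay.example
To: user@company.example
Subject: Action required: confirm your password
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your password is expiring. Please confirm your current password here:</p>
<a href="http://rbc.secure-login.example/reset">https://www.rbc.com/reset</a>
</body></html>
"""

# Constructed benign message for comparison.
SAMPLE_BENIGN = """\
From: "IT Helpdesk" <helpdesk@company.example>
To: user@company.example
Subject: Scheduled maintenance
Content-Type: text/html; charset=utf-8

<html><body><p>See <a href="https://intranet.company.example/maintenance">intranet.company.example</a>.</p></body></html>
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(name, phishing_indicators(raw))
```

The constructed phishing sample trips all five indicators (mismatched Reply-To, a brand name in the display name, a plain-HTTP link, anchor text showing rbc.com while the href goes elsewhere, and "rbc" embedded in a hostname the bank does not own), while the benign message produces none. None of these checks is proof on its own, which is why the output is a list of warnings for a human or a scoring rule rather than a verdict.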