Plenty of Phish in the Cc
December 2, 2019 • RBS
We recently released our latest Data Breach QuickView Report for Q3 2019, and there are a few things that stand out.
- There were 5,183 breaches reported in the first nine months of 2019 exposing 7.9 billion records.
- Compared to Q3 2018, the total number of breaches was up 33.3% and the total number of records exposed more than doubled, up 112%.
- In Q3 alone, six breaches exposed 100M or more records, accounting for 3.1 billion records exposed between July 1st and September 30th.
Over the past years, the number of records being exposed on the web has reached astronomical amounts, and in many cases a single event can be the source of millions of records exposed. The breach landscape has changed radically over the past years, but some trends remain unchanged since we began this report in 2011. Malicious actors are still seeking opportunities to make a fast buck, and hacking is still the top breach type with the majority of attacks coming from outside the organization.
As we look over 2019, we have continuously found evidence that organizations, in a way, help hackers out. It is commonplace to read about how organizations have misconfigured databases and services, leaving millions of sensitive records out in the open, or that employees continue to fall for phishing campaigns that provide malicious actors with a toehold into their systems. Human nature, coupled with weak controls, has contributed heavily to the number and severity of breaches that were reported in our QuickView report.
I am a Nigerian Prince
Nowadays, many organizations require their workforce to take some form of educational session about computer security, no doubt causing many eyes to roll. When you have the boilerplate phishing script in mind, it seems incredible that people ever fall for it so it’s not surprising that being told “don’t click this” sometimes falls on deaf ears. Everyone seems to have a Nigerian prince in their network with millions of dollars to hand out, if they can just help with a few small transaction fees.
However, 7.9 billion records have been exposed in the first nine months of 2019, and we are on track to reach as high as 8.5 billion records for the year. Approximately 80% of breaches reported this year have confirmed data exposure, with additional research indicating that attackers prefer email addresses and passwords to aid them in their attempts. Why is this? Because it is much easier to find an opening with keys in hand than to forcibly break in.
Who falls for these things? You have to be naive, right? The stereotypical phishing campaign is laughable at best. Yet these mails keep coming in because enough people click to make it profitable.
Everyone is at Risk, Even Risk Based Security
Every organization is bound to get a malicious email, us included. Within the last few months we have been sent dozens of emails that have attempted to impersonate our CEO, Barry Kouns. Since we are a security company, our researchers wanted to determine if we were being targeted or whether this was just a spray-and-pray attempt at random companies to see who would fall for it.
It didn’t take our team of researchers much analysis, or any consultation with upper management, to conclude that this email is indeed fake. Joking aside, the prose within the email as well as its grammar is a dead giveaway of this message’s malicious intent.
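The impersonation email described above has a pattern that can be checked mechanically: an executive’s display name on an address outside the company domain, a Reply-To that points somewhere else, and a gift-card lure. The following is an added example (not Risk Based Security’s code) that scores constructed sample messages against a hypothetical executive roster; the names, domains and message text are all made up for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical executive roster (constructed): display names an attacker may
# spoof, mapped to the only domain those people legitimately send from.
EXECUTIVES = {"barry kouns": "example.com"}

# Lure phrases typical of the gift-card variant of CEO fraud.
LURE_PATTERNS = [r"gift\s*cards?", r"are you available", r"urgent", r"don'?t call"]


def score_message(raw: str) -> dict:
    """Return impersonation indicators for one plain-text RFC 5322 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    expected = EXECUTIVES.get(display.strip().lower())
    body = msg.get_payload()
    if not isinstance(body, str):  # multipart messages are out of scope here
        body = ""
    text = f"{msg.get('Subject', '')} {body}".lower()
    flags = {
        # Known executive name, but the sending domain is not the company's.
        "exec_name_external_domain": expected is not None and domain != expected,
        # Replies would go to a different mailbox than the visible sender.
        "reply_to_mismatch": bool(reply_to) and reply_to.lower() != addr.lower(),
        # Subject or body carries a gift-card style lure.
        "gift_card_lure": any(re.search(p, text) for p in LURE_PATTERNS),
    }
    flags["suspicious"] = sum(flags.values()) >= 2
    return flags


# Constructed samples: one scam message and one legitimate internal message.
PHISH = """From: Barry Kouns <barry.kouns.ceo@freemail.example>
Reply-To: ceo.office@another.example
Subject: Are you available?
Content-Type: text/plain

I need you to buy some gift cards for a client today. Don't call, I'm in a meeting.
"""

LEGIT = """From: Barry Kouns <barry.kouns@example.com>
Subject: Q3 report draft
Content-Type: text/plain

Attached is the draft of the Q3 QuickView report for review.
"""
```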
Fight Fire with Fire: Operation Phish in the Cc
In order to get more information, one of our researchers created a fake account and reached out to the scammer. He provided them a phone number and went along with the scheme. Within a few minutes, via SMS, the scammer was asking for the employee to purchase Wal-Mart gift cards and send the gift card codes back to them.
Our researcher told the scammer(s) that he had unfortunately run out of data on his phone plan and that he would need to email the pictures, to which they agreed. Our researcher then created a PDF canary token and sent it via email to the other email address ‘Barry’ provided, in order to determine the approximate location of the scammer. Once he sent the loaded PDF, our researcher got an alert that they had opened the file.
Following this alert, our researcher reached out to the scammer(s) for comment:
“Do you think we are that dumb?” (A Risk Based Security researcher)
Their spokesperson did not respond unfortunately.
Keep in mind that the address in the alert is just a DNS server, not the actual IP of the scammer. Risk Based Security is an ethical company, so the PDF was blank. However, like most email attachments, it could have contained anything (including malicious code). The point is that they fell victim to the same attack they tried on us. If we really wanted to, in our researcher’s words, we “could have owned them.”
What Happens if They Aren’t Gullible?
Despite the previous example, not every phishing attempt is unpolished, and we have seen our share of attempts that would pass to an untrained eye, with some being very convincing.
Since the release of our Mid-Year QuickView report we have seen a massive uptick in ‘fake’ websites claiming to provide a copy of our own report and they are specifically designed to bypass Google search filters.
In this example, the website seems legit on a first pass but then suddenly redirects to a page with a fake window notifying that an Adobe Flash Player update needs to be downloaded. Even though this attempt is noticeable, to someone stressed out and on-the-go, this may seem real. But if you inspect certain elements on the page such as the URL and a small grammatical mistake in the pop-up, you can see that the update window on the page is a fake.
A second attempt (and site) was much more convincing. The website affiliated with this scheme comes from a plausibly named “security” domain name, so on inspection, you think to yourself, “this could be a real site”.
In addition to the domain name, this window replicates the elements of a Mac OS update almost perfectly; the update button even properly changes color on mouse-over. However, the minimize button does not respond which gives this attempt away. With only very subtle clues, it is no surprise that these types of attack enjoy success.
Attackers Shouldn’t Be the Only Ones Adapting
Attackers are constantly adapting their phishing attempts and organizations need to be prepared. One mistake could be the catalyst that exposes thousands, or millions, of records into the hands of malicious actors, and it is the duty of organizations to do their best in protecting sensitive data.
It might seem mundane at times, but make sure to check every detail of an email or web-page you visit on a work system. Sometimes even legitimate sources seem suspect, but it is better to be safe than sorry. Let’s do our part in ensuring that malicious actors cannot get a toehold into systems through carelessness.
Aw, look at that. They learn so fast…