Phishing Season: Spam on the rise

September 01, 2011, Mike Weber, Vice President, Coalfire Labs

Within the past two weeks there have been several reports on the increase in email spam, which can be directly correlated to an increase in phishing schemes and malware attacks.  These attacks are frequently being delivered under the guise of legitimate business: they come in the form of shipment confirmations, credit card statements, and IRS alerts.  They all request swift action to click a link or to read an attachment to address some pressing issue.

Sound familiar?  It should; we’ve seen it all before, but it used to be easier to identify.  It was not so long ago that your typical email-borne attack carried payloads such as the “Melissa” or “ILOVEYOU” virus in an email rife with misspellings, typos, and abhorrent grammar.  At that time, a wise co-worker said, “The greatest security threat is a virus packaged in an email written in proper English.”  Now it appears his fears are being realized.

Within these well-crafted emails are links to websites or attached files (sometimes in zip format and requiring passwords).  The websites behind the links are designed to collect sensitive data that the email requests you to confirm.  The attachments contain malware – software intended to silently install and harvest your most sensitive information or take control of your computer.  If this type of data is captured by “the bad guys”, it can have vast financial impact on a business and devastating impact on an individual.

What steps can be taken to protect your sensitive data from loss?  There are many ways to mitigate this risk, ranging from obvious to optimal:

Obviously –

  1. Don’t click the link.  For example, when receiving an email from your bank about your statement or an alert you have set up, the best advice is to go directly to that financial institution’s website and securely log in to get information.

  2. Don’t open the attachment.  As above, if you receive email that appears to be from a known business or individual with an attachment that you’re not expecting,

Optionally –

  1. Call and confirm.  It’s hard to believe, but not everybody has a computer and internet access.  Any legitimate organization or business contacting you for a valid reason will most certainly have a resource available over the phone.

  2. Create an alter ego.  Many Internet Service Providers will allow you to create several email aliases that you can receive mail on.  Creating a specific email account that you ONLY use for contact from online services can allow you to quickly identify suspicious emails – if it comes to your non-business address, it’s a scam.
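As an added example (not code from the original post), the advice above can be turned into a small mail-triage rule set for a defender's inbox filter: a service-style lure arriving anywhere but the dedicated service alias, a link whose host is not the claimed sender's domain, and a zip attachment. The alias, addresses, domains and sample message are all constructed for the example.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Lure themes the post lists: shipping notices, card/bank statements, IRS alerts.
LURE_RE = re.compile(r"\b(shipment|delivery|statement|irs|tax|invoice)\b", re.I)
HREF_RE = re.compile(r'href\s*=\s*["\']?([^"\'\s>]+)', re.I)

def triage(raw_message: str, service_alias: str) -> list:
    """Reasons a message looks like a phish; service_alias is the address given
    only to online services (the post's "alter ego"), so lures elsewhere are suspect."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    reasons = []
    sender_domain = msg["From"].addresses[0].domain.lower() if msg["From"] else ""
    recipients = [a.addr_spec.lower() for a in (msg["To"].addresses if msg["To"] else ())]
    # Rule 1: a service lure delivered to an address never handed to any service.
    if LURE_RE.search(msg["Subject"] or "") and service_alias.lower() not in recipients:
        reasons.append("service-style lure sent to non-service address")

    # Rule 2: link hosts that are not the claimed sender's domain (or a subdomain of it).
    body = msg.get_body(preferencelist=("html", "plain"))
    for href in HREF_RE.findall(body.get_content() if body else ""):
        host = (urlparse(href).hostname or "").lower()
        if host and host != sender_domain and not host.endswith("." + sender_domain):
            reasons.append(f"link host {host} does not match sender {sender_domain}")

    # Rule 3: zip attachments, which the post notes often arrive password-protected.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(".zip") or part.get_content_type() == "application/zip":
            reasons.append(f"zip attachment: {name or '(unnamed)'}")
    return reasons

# Constructed sample: shipment lure with a lookalike link and a zip, sent to the home address.
SAMPLE_PHISH = """\
From: Parcel Service <notice@parcel-alerts.example>
To: Pat <pat@home.example>
Subject: Shipment confirmation - action required
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Your package is on hold. <a href="http://parcel-alerts.example.track-it.example/login">Click here</a>.</p>
--b1
Content-Type: application/zip
Content-Disposition: attachment; filename="label.zip"

--b1--
"""
```

Running `triage(SAMPLE_PHISH, "pat.services@home.example")` returns all three reasons; the same bank statement sent to the service alias with a link on the bank's own domain returns none.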

Optimally –

  1. As an individual, separate business and pleasure.  You wouldn’t use your kids’ smelly sweat socks to polish your silverware – so don’t use a shared “family computer” to manage your investments.  You know, the one you got last Christmas that they use for gaming, instant messaging, and video chat with their friends?  There’s no telling what could be on there…

  2. As a business, treat your data as top secret.  For staff who need to process sensitive data, disallow ALL personal use of work computers.  If the information is of high enough value, the most effective recommendation is to prevent any communication between these data-processing systems and the rest of your business environment, effectively eliminating this threat.  Treat it as a “classified” environment.  Using virtual machines or thin-client systems dedicated to communications can be just as effective.

In the month of August alone there has been an increase of over 13 percent in botnet-related hacks.  Even in 2011, when “computers” are more than 60 years old and we’ve been battling computer viruses and malware for almost 30 years, the human element continues to be the weakest link.  Everyone is at risk.  Put a comprehensive awareness and training program in place at your organization, and keep your business and personal communication separate.

For more information on these recent phishing attacks, here are a couple of helpful articles to read:

Digital Transactions: Malware and Spear-Phishing Soar, Helping To Drive Rise in Breaches

Dark Reading: Phishers Becoming Marketers of Fraud
