This week we are looking at the rise of phishing attacks and what we should be doing to prevent them.  Let’s start with some scary stats! Verizon’s 2017 data breach report indicated that:

  • 3% of users who receive phishing emails fall for them (whether via a link or an opened attachment)
  • 15% of all unique users have fallen victim on more than one occasion
  • 3% of users have clicked on links in phishing emails on more than two occasions.

To many people, these stats may be alarming, but other reports have shown that the number of users being duped by phishing emails is even higher!

If these stats are not scary enough, in August 2018 the US Department of Justice started criminal indictments against three alleged members of a cybercrime gang called FIN7, whose preferred attack vector was phishing emails.  According to the indictments, FIN7 members had been engaged, since at least 2015, in a highly sophisticated malware campaign targeting more than 100 U.S. companies, predominantly in the restaurant, gaming, and hospitality industries.  FIN7 hacked into thousands of computer systems and stole millions of customer credit and debit card numbers, which the group used or sold for profit.

In the United States alone, FIN7 successfully breached the computer networks of companies in 47 states and Washington, D.C., stealing more than 15 million customer card records from over 6,500 individual point-of-sale terminals at more than 3,600 separate business locations.  Additional intrusions occurred in the United Kingdom, Australia, and France.  Known frauds are valued at over $1 billion.

What the above stats are telling us is that the threat from phishing is a very real and significant one.  What was interesting to note about FIN7 was its phishing method.  We are all aware of the need to be suspicious of emails coming from unknown sources and not to click on links/attachments contained within them.  Anticipating this reaction, however, FIN7’s technique was to phone ahead claiming that they would like to place an order by email.  By doing so, it was able to ensure that the email was expected, and the odds of the attachment, containing embedded malware, being opened were considerably increased.

The reality is that even well-trained and alert employees can fall victim to a motivated, resourceful attacker.  However, there are steps we would recommend you take to mitigate the risks:

  • Firstly, ensure that all your employees are in the well-trained and alert category
  • Ensure that you are compliant with the relevant requirements of the Payment Card Industry Data Security Standard (PCI DSS)
  • Whether you process payment card data or not, identify individuals whose role involves opening emails/attachments from external/untrusted sources and consider placing them in a separate network segment. This will help to contain the spread of any compromise by limiting the attacker’s ability to move laterally through your systems
  • Maintain and evolve your training and awareness programme. The ‘unexpected email’ advice remains valid but staff need to be aware of evolving attack approaches, such as the one used by FIN7. As such, you need to update your employees regularly (and promptly!) so that they are aware of the latest types of attack and know what to look out for
  • Ensure that your employees know how to respond to known/suspected compromise of devices. Do they know how to disconnect from the network?  Should they power the machine down?  Who should they notify?  Define, document and communicate your requirements and verify, via audit/survey/management walkarounds/discussions, that the requirements are fully understood
  • Ensure that staff are not storing valuable data in locations that are not backed up, e.g. on their desktop. Several recent ransomware attacks have involved wiperware (WannaCry, NotPetya etc.), where there was no decryption key, even if victims paid the ransom.  Ensure employees are aware of this and do not attempt to cover up any compromise (including by paying the ransom!).  Covering up is an understandable response, but it is important to learn about any attack so you can respond accordingly, including determining whether the attacker is still lurking in your systems.  An open ‘no-blame’ culture is vital
  • Purchase a ‘Blinky box’. There is some very clever technology on the market that can significantly reduce both the likelihood and impact of the risk attached to phishing attacks. Your security measures should always take into account the ‘state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity’.  In general, if you have the means, not investing fully in security can often be a false economy.
  • Check your insurance policy and take care how you communicate a breach externally. It has become fashionable, in the event of a compromise, to claim it was a ‘state level actor’. However, insurers have been known to cite the ‘war exclusion’.  While this PR approach may gain you sympathy, e.g. ‘it was a nation state attack, what could we do?’, you could end up paying all the attributed costs.

The good news is that attackers can be lazy.  While high-tech, zero-day, ‘Hollywood’ style attacks do occur, the clear majority are low-tech, old-school, common-or-garden variety scams that can be effectively mitigated with a bit of common sense and effort.  Introducing some simple security controls, implemented as part of a structured information security management system, can be enough to ensure that (in most cases) the attackers move on to a softer target, leaving you free to focus on running your business.

If you would like support with meeting your PCI DSS obligations, implementing and maintaining a training and awareness programme, or achieving your broader information security objectives, then please contact URM for an informal discussion.