Survey Finds That Enterprise Spear Phishing Is On The Rise

Phishing is an attempt by cybercriminals and identity thieves to obtain sensitive information by masquerading as a legitimate and trustworthy source. Phishing attacks increased by more than 11 percent in Q1 2011 compared to the same quarter of the previous year. Source: eCrime Trends Report – Second Quarter 2011 from IID (Internet Identity).

As high-profile security breaches became more frequent across the globe, the second quarter of 2011 saw some of the largest and most sophisticated attacks to date. The breaches at RSA, Epsilon, and the International Monetary Fund (IMF) highlight the fact that spear phishing has become the most common way to collect information about target users, which is then used to plan more sophisticated attacks. Brian Krebs, a security journalist, notes on his blog that if this could happen to one of the largest and most integral security firms, organizations that are not focused on security have little hope of fending off such an attack, let alone discovering it. Source: Money.cnn.com, Oct 27, 2011.

Aware that if they target 40 million bank customers, at least 20-30 thousand of them will probably fall prey, phishers continued to target local and global banks, webmail users, and even online gaming sites. Even though most banks have implemented a virtual keyboard to defeat keystroke logging by local keyloggers, phishers recently went a step further and successfully mimicked the virtual keyboard on a phishing site impersonating a Middle Eastern bank. A virtual keyboard only protects against malware on the user's own machine; it offers no protection when the user is typing into an attacker's page. This highlights the importance of verifying the authenticity of a banking website before entering credentials.

“Handling targeted spear phishing attacks is a major challenge for corporations because it is aimed at people and not at technology. They leverage information from social websites and make the emails very convincing. The best strategy is to educate users so they can remain a step ahead of the phishers” said Sameer Shelke, COO and co-founder of Aujas.

Cyber-attacks in Q2 2011

A series of events in Q2 2011 raised significant alarm, as many of these incidents used sophisticated spear phishing attacks or similar techniques to spread malware.

[Chart: Cyber-attacks in Q2 2011. Source: CommTouch]

[Chart: Increased phishing attacks across sectors in Q2 2011 over Q2 2010 (actual data). Source: eCrime Trends Report – Second Quarter 2011 from IID (Internet Identity)]

[Chart: Most targeted industry in Q2 2011 for phishing attacks. Source: CommTouch Reports]

Many of the observed phishing and malware attacks were on social networking websites, which are becoming an attractive target for phishers because they expose a great deal of personal information that attackers can use to their advantage. Such information can be used to draft customized emails that seek sensitive information about individuals or organizations, or that contain a link which installs a Trojan or other malware on the end user's system. The subject of the email is also usually designed to attract as much interest as possible.

Some recent examples are:

“See who has viewed your profile”

“Free Facebook Credits”

“Osama Bin Laden dead – Actual Video”

Another finding by IID is that 85% of their clients and large enterprises are concerned about spear phishing, and 33% of them are extremely concerned. Their concern is justified: half of them said that their organization had been a victim of spear phishing attacks in the last 12 months.

Security problems that have a non-technical aspect cannot be controlled by technology alone. Employee password re-use, a willingness to click on malicious links in what appear to be valid corporate communications, and poorly controlled access to databases containing valuable data are now well-known problems for organizations. Companies therefore need to focus on employee education to overcome issues that arise from non-technical quarters. Employees need to be vigilant, and firms need to stay one step ahead of attackers' innovations and keep their employees informed.

About Phishnix

Phishnix is a phishing diagnostic solution that enables organizations to strengthen their defenses against social engineering attacks by providing comprehensive analysis of user behavior. Phishnix is powered by Aujas, a global Information Risk Management (IRM) services company. Aujas helps clients manage risk and enhance information value through excellence and innovation.

For more information, write to contactus@phishnix.com