A Look Back at 2015: The Evolution of Phishing Attacks

If you ever watched any movie with a deserted island plot, you will have probably watched a scene with a character spearfishing. Think back to the 2000 classic hit, “Castaway” where Tom Hanks’s character, Chuck Noland, is forced to resort to spearfishing in order to eat a proper meal. After a great deal of practice and with extreme focus, he stares into the water and chooses one fish as a target and with one fell swoop, he is able to catch his fish.

Image for post
Image for post
Spearfishing, anyone?

With the same extreme focus on one target as spearfishing, “spear phishing” took to the digital stage in 2015. While most internet users have grown accustomed to avoiding traditional phishing techniques (spam e-mails promising you a free cruise vacation to the Bahamas, weird instant messages from “Candyxoxo467,” etc.), in recent years, the term spear phishing has grown in popularity with hackers.

Spear phishing is a much more advanced type of phishing. It is defined as a malicious email that appears to be from an individual or business that you know. These e-mails are often coupled with or lead to other hacking attacks, but always involve an e-mail requesting access to unauthorized and private information. Spear phishing attempts have become a favorite method of attack by professional criminal organizations as it gains them easy access to company secrets or funds. In 2015, spear phishing is so well-executed that in August, the FBI identified it as a concern for alert — sharing that spear phishing attacks have increased 270 percent in less than eight months.

But, very rarely do spear phishing attacks attack alone. Here are 3 of the top hacking methods that are often found with spear phishing.

According to Brian Krebs, cybersecurity expert and author of 2015’s bestseller, Spam Nation, shared through his novel that the forces behind spear phishing attacks are overseas organized companies. No longer are these attacks led by a few hackers in their basements in Nigeria, but now these spear phishing companies have hundreds of employees with researchers in Research and Development that spend their time looking for vulnerabilities in your network (such as unprotected SQL queries) and once they have found them, they send e-mails about projects that your company is actually developing. This way, when they send you a phishing e-mail, it will look exactly like an e-mail deliverable sent by a team member- with a business report included!

In 2015, 43% of data breaches can be attributed to insiders. Employees that have either entered your company for the sole purpose of infecting its network, or are just disgruntled and decided to breach company private data, are one of the rising causes to successful spear phishing attacks.

Once the employee has installed malware onto your server, spear phishing attackers can gain administrative rights to your website and even monitor your e-mails.

Once attackers have gained access to your e-mail network, they gain the ability to intercept your e-mail systems. They can intercept an e-mail that you just sent to your team and change its contents — directing your team to a phishing website that looks just like a link that you were trying to send them. This way, it is even harder to identify the origin of the attack and because the attackers can already control your e-mail, it is impossible to communicate through it to your employees without its contents being subject to manipulation.

Using a network firewall is a first step to phishing protection. A network firewall protects your company’s network so hackers cannot hack into your server to monitor or control internal communications. Also, while your employees are using the internet (both in the office and working remotely), use a VPN service that encrypts communications, so hackers cannot see the information that is being exchanged.

Skilled hackers can access your network server through your website. As long as they have administration login (which could come from a disgruntled employee), any vulnerability in your website can be an open door to the rest of your private information that is in your network. A web application firewall protects your website against hacks, so hackers cannot use your website as a gate to your company’s network nor use your website as a place to plant phishing links that steals private information from customers

This one is the most straightforward, but also most forgotten. Strong phishing protection starts with educating your employees about what phishing attacks are and how to identify them. Make it policy for employees to always ask for an in-person confirmation for any request asking for private information (i.e. via phone or in person). Also, constantly test employees aptitude at identifying phishing e-mails or websites as new phishing methods are quickly evolving to become more sophisticated and undetectable.

And how to deal with disgruntled employees that maybe the insider hacker? Make it clear to all employees the repercussions of breaching policy and constantly monitor those with admin permissions that can install software to your network. Also, if possible, try to segregate admin permissions throughout your server and website, so that no one permission has the ability to control your entire network, servers, and websites.

Although phishing attacks are quickly regaining their place as one of the most dangerous hack attacks, businesses should not be afraid to defend themselves. Just protect your network and websites while properly educating your employees and your business will be on the road to a strong phishing protection.

Cloudbric offers cloud-based security services including WAF, DDoS Protection, and SSL. Visit us and protect your website now! https://www.cloudbric.com

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store