Tag Archives: verizon

Phishing As A Service Twice As Profitable As Traditional Phishing

Imperva Hacker Intelligence Initiative report reveals Phishing-as-a-Service campaigns cost less to execute and are twice as profitable as traditional campaigns

Imperva, Inc. (NYSE:IMPV), committed to protecting business-critical data and applications in the cloud and on-premises, today released its new Hacker Intelligence Initiative (HII) Report: Phishing made easy: Time to rethink your prevention strategy? In the report, researchers at the Imperva Defense Center expose how cybercriminals are lowering the cost and increasing the effectiveness of phishing by leveraging compromised servers and turnkey phishing services, which are the key drivers of the overall increase in phishing attacks.

The 2016 Verizon Data Breach Investigations Report (DBIR) shows a resurgent pattern of people falling prey to phishing campaigns, with 30 percent of recipients in this year’s dataset opening phishing emails. This is alarming given that phishing is the starting point for most network and data breaches. With this in mind, Imperva researchers deconstructed a phishing campaign initiated in mid-June, 2016. Among the most surprising findings was the low cost of launching a phishing campaign and the high projected return on investment for cybercriminals.

Imperva researchers browsed the darknet marketplace to estimate the cost of phishing campaigns and to get a clear picture of the business model. They observed the ease of purchase and low cost of Phishing-as-a-Service (PhaaS) campaigns. In addition, they saw that hackers were easily able to hijack compromised webservers for their campaign, which further lowered the investment needed. Based on the researchers’ analysis of costs, PhaaS is about a quarter of the cost and two times more profitable than a traditional unmanaged phishing campaign, which is skill and labor intensive. Unfortunately, lowering the costs and technology barriers associated with phishing is sure to lead to an increase in phishing campaigns, and the number of people falling victim to these campaigns.

Following the trail of the hackers, the researchers could garner a surprising amount of data on both the victims and the hackers’ social engineering techniques. Diving into the data on victims, it became clear that people were most likely to take the email phishing bait during the hours of 9 a.m. to noon while at work when they were busy writing and replying to emails. Additionally, victims were more likely to enter their username and password to open an email attachment – in this case an Adobe PDF file – than to click on a URL in the email and blindly log in.

The researchers linked the campaign to an Indonesian hacking group that began its “career” with a series of defacement attacks, a form of electronic graffiti, against targets in the U.S., Australia and Indonesia. In late 2015, the group moved on to financially motivated hacking and has been able to mount and actively maintain three different campaigns: one targeting Outlook Web App (OWA) logins, one targeting Wells Fargo Online Banking, and the Adobe PDF campaign analyzed here. This group also has been linked to campaigns that use vulnerability scanners against online shops running the Magento e-commerce system.

“The combination of PhaaS and compromised web servers has significantly lowered the monetary, technological and time investment needed to conduct a successful phishing campaign,” said Amichai Shulman, co-founder and CTO of Imperva. “It’s no longer feasible for enterprises to use the client-side approach of endpoint software to fight phishing attempts because people continue to click nefarious links in email. One way to slow the attacks is to choke off easy access to compromised servers, which would make the phishing business model more expensive and lower profitability. Web applications are ubiquitous today, and web application security needs to be widely adopted to stem the growth of phishing and protect valuable data and applications.”

To access a copy of the HII Report, Phishing made easy: Time to rethink your prevention strategy?, please visit bit.ly/2hbBFbu or to see the Infographic visit bit.ly/2gdH8gh.

About Imperva

Imperva® (NYSE:IMPV), is a leading provider of cyber security solutions that protect business-critical data and applications. The company’s SecureSphere, Incapsula and Skyfence product lines enable organizations to discover assets and risks, protect information wherever it lives – in the cloud and on-premises – and comply with regulations. The Imperva Application Defense Center, a research team comprised of some of the world’s leading experts in data and application security, continually enhances Imperva products with up-to-the-minute threat intelligence, and publishes reports that provide insight and guidance on the latest threats and how to mitigate them. Imperva is headquartered in Redwood Shores, California.

A cybersecurity expert's 10 tips to stop you being scammed on email

Business email compromise (BEC) has cost companies $3.1 billion since January 2015 and consumer email phishing is at an all-time high. Most people don’t question the “from” field in the emails they get day in and day out, yet unless the receiving mail system authenticates senders (with SPF, DKIM and DMARC), the “from” field is simply whatever the sender chose to type, and there is no reason to trust it.

Unfortunately though, no matter how sophisticated a company or enterprise’s email strategy is, some phishing emails will always make it to the inbox. And these messages are extremely effective. Verizon found that 30% of targeted recipients open phishing messages and 12% click on malicious email attachments.

Because education must be a critical piece of every business’ email security strategy, below are Proofpoint’s top 10 tips for identifying a phishing email.

Tip 1: Don’t trust the display name
A favorite phishing tactic among cybercriminals is to spoof the display name of an email. Here’s how it works: if a fraudster wanted to impersonate the hypothetical brand “My Bank,” the display name is set to “My Bank” (or even to a plausible address at that brand) while the actual sending address belongs to a domain the fraudster controls.

Once delivered, the email appears legitimate because most user inboxes and mobile phones will only present the display name. Always check the actual email address in the header From; if it looks suspicious, flag the email.

Tip 2: Look but don’t click
Cybercriminals love to embed malicious links in legitimate-sounding copy. Hover your mouse over any links you find embedded in the body of your email (on a phone, long-press the link to see its target). If the link address does not match the site the text claims to point to, don’t click on it. If you have any reservations about the link, send the email directly to your security team.

Tip 3: Check for spelling mistakes
Brands are pretty serious about email. Legitimate messages usually do not have major spelling mistakes or poor grammar. Read your emails carefully and report anything that seems suspicious.

Tip 4: Analyse the salutation
Is the email addressed to a vague “Valued Customer?” If so, watch out; legitimate businesses will often use a personal salutation with your first and last name. The reverse does not hold, though: a spear phisher who has looked you up will happily address you by name, so a correct salutation on its own proves nothing.

Tip 5: Don’t give up personal or company confidential information
Most companies will never ask for personal credentials via email, especially banks. Likewise most companies will have policies in place preventing external communication of business intellectual property. Stop yourself before revealing any confidential information over email.

Tip 6: Beware of urgent or threatening language in the subject line
Invoking a sense of urgency or fear is a common phishing tactic. Beware of subject lines that claim your “account has been suspended” or ask you to action an “urgent payment request.”

Tip 7: Review the signature
Lack of details about the signer or how you can contact the company strongly suggests a phish. Legitimate businesses normally provide contact details. Check for them!

Tip 8: Don’t click on attachments
Including malicious attachments that contain viruses and malware is a common phishing tactic. Malware can damage files on your computer, steal your passwords or spy on you without your knowledge. Don’t open any email attachments you weren’t expecting.

Tip 9: Don’t trust the header from email address
Fraudsters not only spoof brands in the display name, but also spoof brands in the header from email address, including the domain name. Keep in mind that just because the sender’s email address looks legitimate (e.g. [email protected]), it may not be. A familiar name in your inbox isn’t always who you think it is!

Tip 10: Don’t believe everything you see
Phishers are extremely good at what they do. Many malicious emails include convincing brand logos, language, and a seemingly valid email address. Be skeptical when it comes to your email messages—if it looks even remotely suspicious, do not open it.
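Tips 1, 2, 6 and 9 above can be checked mechanically before a user ever hovers over anything. The script below is an added example written for this page, not Proofpoint’s code: it parses a raw message with Python’s standard `email` library and reports each tell it finds. The two messages, the urgency keyword list and every address, domain and hostname in it are constructed for the example.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Phrases that invoke urgency (Tip 6). Assumed list for this example; tune it for your environment.
URGENT = ("suspended", "urgent", "immediately", "verify your account", "action required")


def _domain(addr: str) -> str:
    """Part after the last '@' (the whole string if there is none), lowercased."""
    return addr.rpartition("@")[2].lower()


class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from an HTML body, i.e. what hovering would reveal."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def analyze(raw: bytes) -> list:
    """Return the tells found in one RFC 5322 message; an empty list means none fired."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    # Tip 1: a display name that names one domain while the real address lives at another.
    name, addr = parseaddr(str(msg.get("From", "")))
    from_dom = _domain(addr)
    m = re.search(r"[\w.-]+\.[a-z]{2,}", name.lower())
    if m and _domain(m.group(0)) != from_dom:
        findings.append(f"display name {name!r} names {m.group(0)} but the address is {addr}")

    # Replies routed away from the sender's domain are a related tell.
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and _domain(reply) != from_dom:
        findings.append(f"Reply-To {reply} is outside the From domain {from_dom}")

    # Tip 9: the header From is attacker-controlled unless the receiving mail server
    # authenticated it, so read that server's Authentication-Results header.
    auth = " ".join(str(h) for h in msg.get_all("Authentication-Results", [])).lower()
    for mech in ("spf", "dkim", "dmarc"):
        if re.search(rf"\b{mech}=(fail|softfail|none)\b", auth):
            findings.append(f"{mech} did not pass for {from_dom}")

    # Tip 6: urgent or threatening language in the subject line.
    subject = str(msg.get("Subject", ""))
    if any(k in subject.lower() for k in URGENT):
        findings.append(f"urgent language in subject: {subject!r}")

    # Tip 2: link text that shows one hostname while the href goes to another.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for text, href in collector.links:
            target = (urlparse(href).hostname or "").lower()
            shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
            if shown and shown.group(1) != target:
                findings.append(f"link text shows {shown.group(1)} but points to {target}")
    return findings


# Constructed sample: a phish that triggers every check.
SAMPLE = b"""From: "alerts@mybank.example" <noreply@mybank-secure-login.example>
Reply-To: recovery@mail-recover.example
To: victim@example.com
Subject: URGENT: your account has been suspended
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mybank-secure-login.example; dmarc=fail header.from=mybank-secure-login.example
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Restore access at <a href="http://mybank-secure-login.example/login">https://www.mybank.example/login</a> within 24 hours.</p></body></html>
"""

# Constructed sample: a legitimate notice that should pass clean.
BENIGN = b"""From: "Accounts" <billing@example.com>
To: victim@example.com
Subject: Your March statement is ready
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>See <a href="https://www.example.com/statements">www.example.com/statements</a>.</p></body></html>
"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print("-", finding)
```

Two caveats apply in practice. The Authentication-Results header is only meaningful when it was added by your own mail server (the authserv-id after the semicolon), because a sender can insert a forged one; strip any copies that arrive from outside before relying on it. And the hostname comparison is deliberately strict, so a link whose text says mybank.example but whose target is www.mybank.example is flagged; comparing registrable domains instead would trade that noise for a little less coverage of lookalike subdomains.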

* Tim Bentley is the managing director of Proofpoint Australia and New Zealand.


Why Your Users Keep Falling for Phishing Scams

We’ve all been there. That awful moment, when you realize it’s happened again.

“Why do they never learn?” You ask yourself. “It really isn’t that hard!”

Time and time again, your users click on malicious links and attachments in phishing emails, and it seems like no matter what you do to improve their awareness, it never gets any better.

So why do they keep falling for phishing scams? Is it just complacency? Or something more?

A Very Real Problem

As a member of the security community, it’s sometimes difficult to understand why phishing is such a problem. After all, we think about security all day long, so it’s only natural that when we see a suspect email we immediately assume it’s a phish.

But other people don’t think this way. They assume anything that makes its way into their inbox is a legitimate attempt to contact them.

This leaves us with a problem, clearly, and not a small one. According to Verizon, 10 percent of phishing scams lead to a data breach, which is terrifying when you consider the volume of phishing emails out there.

During the creation of our 2016 Phishing Trends and Intelligence report we analyzed over 1 million confirmed phishing sites, located across more than 130,000 domains, and we think we’ve come up with some answers. For starters, here are a few:

They Aren’t Looking For Them

We’ve touched on this already, but it’s an important point to consider. Just because security professionals see a shady email and think ‘phishing’, doesn’t mean everybody else does too.

In fact, most people are woefully uninformed about all forms of security. Whether it’s using bad passwords, or repeatedly connecting to unsecured public WiFi, they display almost total ignorance of basic security concepts in both their personal and professional lives.

Hardly surprising, then, that they keep falling for phishing scams – They just aren’t expecting anything malicious to turn up in their inbox, so they’re unprepared to cope with it.

And it’s not just that.

Although security professionals commonly think of these people as ‘users’, in reality they’re professional people with jobs to do. They’re busy, in a hurry, and stressed, and none of these things will help them to think rationally about a shady email in their inbox.

They Often Look Legitimate

First off, threat actors all over the world have improved their writing skills immensely.

These days nobody would be fooled (we hope) by the old Nigerian email scams, but things have come a long way since then. Sure, there are still some pretty terrible phishing scams that somehow manage to fool a few people, but for the most part they have improved immeasurably.

For instance, here’s a fairly recent example of what we might call a ‘bad phish,’ received by students and faculty at Lehigh University.


Sure, it might fool the odd person if they’re really in a hurry, but for the most part the terrible spelling, lack of specificity, and unhidden Comcast sender address will give it away.

Compare it, though, to another phishing email, this time sent only to staff in the financial department at Lehigh.


Now this is much more convincing. Sure, if you looked closely you’d catch on, but in the heat of the moment it’s easy to see how people fall for this type of email. Don’t forget, all they have to do is open the attachment, and all that takes is a moment’s inattention.

But now let’s take it up yet another notch. Here’s a spear phishing email crafted by one of our own employee defense training experts, based on real examples we’ve seen in recent months. This time, the email was sent to members of our client’s sales team, and because the sender was spoofed it appears to come from the company’s VP of sales.


This email contains several other key convincers as well, including the specific audience targeted, the relative likelihood of their receiving this type of email, and the recipients’ desire to please their boss. The ‘sent from my mobile’ email signature has become a favorite amongst threat actors in recent years: it excuses the terse wording and any typos, and so makes the phish seem more legitimate.

And as you can see from the included campaign stats, this email scored well above the average click rate of 20 percent.

When you see phishing emails of this quality, it can hardly be a surprise that some of your users continue to click, especially when you consider that…

Most Security Awareness Training is Terrible

In our experience, the vast majority of security awareness training is hugely ineffective. We explore this in Top Five Phishing Awareness Training Fails.

And the thing is, many organizations use the lack of results they’re seeing to justify cutting back even more, and simply providing the annual policy based training that’s required for compliance. It’s boring, there’s no reinforcement or incentive to change, and (once again) it only comes out once per year.

How is that ever going to change users’ security behaviors?

But we know you’re different.

For a start, you’re here reading an article designed to help you reduce phishing click rates. We as security professionals must up our game if we want to keep our organizations safe, and the first thing we need to do is get people thinking about security as they go about their daily business.

So don’t be discouraged if your current training isn’t working. We’ll be writing more about this topic in the future, but for now here are some of the elements that should be present in your security awareness training:

Interest – Training simply cannot be boring if you want users to benefit from it. People today are more overwhelmed and stressed than they’ve ever been in history, and our brains simply shut off in the face of material that we view as boring or unimportant.

Repetition – Annual training achieves nothing, because people aren’t in the habit of thinking about security. We need to change behaviors, and that requires a lot more than a single 20-minute session once per year.

Reminders – It’s not all about the training. Regular email correspondence, posters on the notice board, even stickers on each monitor can help remind users to think about security while they’re checking email.

Testing – If you want to make sure your users are ready to handle phishing emails, PHISH THEM. Whether you choose to create and manage your own phishing campaigns or pay a security vendor to do it for you, it’s essential that you identify the users most likely to fall for real phishing scams and give them the extra support they need. The same is true for other areas of security, particularly social engineering attacks such as physical infiltration of your buildings or phone scams.

Incentive – Whether you choose the carrot or the stick, incentives are a valuable means of behavioral modification. Research suggests that rewarding the behaviors you’re looking for is the best way to go, but whatever you choose it’s better to do something than nothing.

Stay tuned for a continuation of this topic in our next blog post, Hitting Back Against Security Awareness Training Naysayers.