We hear about data breaches and hacks on big companies on a near daily basis, and most people assume these cyber-attacks are being conducted by sophisticated actors using complex hacking tools. The truth is, most hacks are quite simple. Hackers are more likely to use the tried and true classic attacks than they are to use complicated cyber weapons. Case in point: phishing attacks.
Phishing works by tricking individuals into providing sensitive information through deception. These attacks often come in the form of an email from a bad actor posing as a trustworthy person or company. The bad actor may simply ask for sensitive information, or may divert the unsuspecting user to a legitimate-looking malicious site where they will input confidential data.
Types of phishing threats:
- Spam – Bulk email attacks used as a conduit to distribute malware and spyware
- Impersonation Attacks – Communications attributed to trusted senders in an attempt to maliciously fool users
- Opportunistic Attacks – Leveraging well known current events or trends to deceive users into clicking (think right after a natural disaster or before the Super Bowl)
- Targeted Attacks – Spear phishing specific people in an organization with exploits that are not yet known, or that are specifically designed to get past commodity anti-virus products
Cyber threat research has shown that impersonation email phishing attacks are actually on the rise. With phishing season underway, new research has found that threat actors are digging back into the past to bring old exploits back with fresh modifications that evade spam filters and anti-virus. Hackers are adding new wrinkles to their phishing attacks, including sending Microsoft Office documents as email attachments.
The most common types of files being used as malicious attachments include:
- .doc
- .xlsm
- .zip
- .xls
- .jar
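As an added example that is not part of the original article: a small Python attachment-policy check that flags the file types listed above, catches double extensions (a constructed name such as invoice.pdf.jar), and looks inside a .zip attachment's member list without extracting it, since an archive is a common wrapper for the other four types. Every filename and the in-memory archive below are constructed sample data, and the allow/quarantine verdict scheme is an assumption for illustration, not something the article prescribes.

```python
import io
import zipfile

# Extensions the article lists as the most common malicious-attachment types.
RISKY_EXTENSIONS = {".doc", ".xlsm", ".zip", ".xls", ".jar"}


def risky_extensions_in_name(filename):
    """Return every risky extension appearing in the filename, in order.

    Every dot-separated suffix is checked, so a double extension such as
    'invoice.pdf.jar' is reported as ['.jar'] and 'summary.xls.zip' as
    ['.xls', '.zip']; the comparison is case-insensitive.
    """
    found = []
    parts = filename.lower().split(".")
    for suffix in parts[1:]:
        ext = "." + suffix
        if ext in RISKY_EXTENSIONS:
            found.append(ext)
    return found


def zip_member_findings(data):
    """List (member, extension) pairs for risky files inside a zip, by name only.

    Member names come from the central directory; nothing is extracted.
    A payload that is not a readable zip is still flagged, because an
    unreadable archive should not be treated as safe.
    """
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                base = member.rsplit("/", 1)[-1]  # zip paths use forward slashes
                for ext in risky_extensions_in_name(base):
                    findings.append((member, ext))
    except zipfile.BadZipFile:
        findings.append(("<unreadable>", ".zip"))
    return findings


def classify_attachment(filename, data=b""):
    """Return an assumed policy verdict ('allow' or 'quarantine') with reasons."""
    reasons = [f"extension {ext}" for ext in risky_extensions_in_name(filename)]
    if filename.lower().endswith(".zip") and data:
        for member, ext in zip_member_findings(data):
            reasons.append(f"archive member {member} ({ext})")
    verdict = "quarantine" if reasons else "allow"
    return {"filename": filename, "verdict": verdict, "reasons": reasons}


def build_sample_zip():
    """Constructed sample archive: a harmless text file plus a .xlsm name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "constructed sample, no real content")
        zf.writestr("Q3_invoice.xlsm", b"constructed placeholder, not a workbook")
    return buf.getvalue()


# Constructed sample attachments as (filename, bytes) pairs.
SAMPLE_ATTACHMENTS = [
    ("agenda.pdf", b"constructed placeholder"),
    ("invoice.pdf.jar", b"constructed placeholder"),
    ("docs.zip", build_sample_zip()),
]


def scan_samples():
    """Classify every constructed sample and return the verdicts."""
    return [classify_attachment(name, data) for name, data in SAMPLE_ATTACHMENTS]


if __name__ == "__main__":
    for result in scan_samples():
        print(result["filename"], "->", result["verdict"], result["reasons"])
```

The check is deliberately name-based so it can sit at a mail gateway before any content is opened; pairing it with content inspection (file-type sniffing, macro detection) and user awareness training, as the article recommends, is what turns a list of extensions into a policy.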
There has also been an uptick in attacks against specific industry verticals this summer, and alarm bells should be going off for business owners to improve their cyber security strategies before they become the next victim. Threat research has revealed the following industries as common targets:
- Manufacturing – Manufacturing is being heavily targeted with Opportunistic Attack and Targeted Attack phishing campaigns
- Professional and Financial Services – Service companies are being targeted with Impersonation Attack phishing campaigns
- Educational Institutions – Spam phishing campaigns are overwhelmingly targeting schools and universities, as most students are not trained in or aware of the dangers of phishing (this is also a risk for employers hiring recent graduates, who need training immediately)
- Software and Data Processing Companies – Tech companies are being heavily targeted with Spam and Opportunistic Attack phishing campaigns
The research and trends all indicate that tactics to evade anti-virus and anti-malware tools will continue into the fall. Companies cannot rely on technology alone to protect them from attacks; they need to focus on raising the education and awareness of their staff through computer-based and in-person training programs. While phishing attacks may be simple in nature, defending against them requires a comprehensive cyber security strategy that includes training and awareness for all employees.