Phishing: Digital Threat or Missed Opportunity?
Telco Security Trends Report, Q3 2019
Table of Contents
Intro ...................................... 3
What is Phishing? .......................... 4
How Phishing Works ......................... 5
Phishing by the Numbers .................... 6
Phishing Is Not a Fad! ..................... 7
A Valuable Opportunity for CSPs ............ 8
6 Success Factors of a Phishing Attack ..... 9
This is Where CSPs Step In ................. 10
Geography of Phishing ...................... 11
Phishing Around the Clock .................. 14
Best Defense Tips .......................... 15
Conclusion ................................. 16
Resources .................................. 17
End Notes .................................. 18
About Allot ................................ 19
TELCO SECURITY TRENDS | Q3 2019 | ALLOT
Intro

Scams, hoaxes, and frauds are nothing new. The internet is just the latest conduit for them, with hackers playing the role of the modern-day con artist. The greed, fear, and hope that online phishing exploits are as old as mankind.

Phishing has always been one of the most common and effective methods of cybercriminals. It is simple, low-tech, and exploits human nature. Its goals can include credential harvesting, malware infection, and money extortion. In 2018, the number of phishing attacks doubled, reaching nearly 500 million [1].

The problem affects everyone, as phishers target ordinary individuals, SMBs, and large enterprises. Phishing is quickly expanding from email to new channels where users are most vulnerable. Potential victims are often targeted through mobile messaging and social media apps, many of which lack traditional security.

Reports from as early as 2006 [2] indicated that phishing was becoming a major concern for CSPs, with pressure coming both from users who demand that service providers do more to protect them from attacks, and from the financial institutions targeted by these attacks. CSPs are starting to feel the impact of cybercrimes like phishing, and there are ways to actively participate in globally reducing phishing attempts.

Understanding the severity of this cybercrime underscores the importance of network security. This is where the true value lies for CSPs: the ability to take action to mitigate this concerning trend while earning new revenue.

phish·ing | \ˈfi-shiŋ\
a scam by which an Internet user is duped (as by a deceptive e-mail message) into revealing personal or confidential information which the scammer can use illicitly.
(Merriam-Webster Dictionary)
What is Phishing?

Knowing these scams exist is half the battle. To combat them, it is also important to understand why phishing is so successful in the first place.

Phishing comes in many forms, but these are a few of the popular variants:

Mass phishing is the prevalent form. Hackers send out thousands of fraudulent messages to a large user base, aiming for quantity over quality, as in a Vodafone phishing campaign from 2017. Mass phishing can capture significant amounts of information, even if only a small percentage of recipients fall for the scam.

Spear phishing targets a specific person or role in the enterprise and is used when the stakes are higher. Cybercriminals research and profile their victims by gathering personal data on social media prior to orchestrating the attack, and put extra effort towards crafting and designing personalized messages. Typically, spear phishing is used as a first step to gain access to corporate networks, which can then lead to severe consequences.

DNS hijacking is very difficult to detect. The DNS configuration of typically insecure home routers is altered to redirect traffic to the IP addresses of carefully crafted phishing sites. Unsuspecting users type the correct domain address in their browsers, have no idea they are on a malicious site, and hand over their credentials. A DNS hack like this occurred at two of the largest banks in Brazil in 2018.

Tech support scams are a particularly troublesome form of phishing for CSPs. Phishers impersonate CSPs and ask customers for account credentials, or attempt to sell bogus tech support services and steal their credit card details. These scams can damage CSP reputations and generate negative brand associations, even though the CSP is not to blame.
How Phishing Works

Phishing has been around for over 20 years and the costs of phishing are higher than ever, with some alarming trends accompanying the rising figures.

A “phisher” exploits human emotions, like fear, to trick unsuspecting users into clicking malicious links. In a popular example, a phisher sends a fake message from an online service, claiming that there was a suspicious login attempt or that a password has expired, and encouraging victims to click a link to update the password. The link instead takes them to a spoofed page where they are asked to submit their credentials to “log in”.

When Does It Happen?
Phishing attacks happen all the time, but are often fueled by trending topics, from thematic holidays to pop culture and sporting events. For example, FedEx-based phishing campaigns become more popular around the holidays, when online ordering surges.

Where Does Phishing Happen?
Well, everywhere that communications exist. Traditional phishing messages are sent via email; however, recent trends indicate a rise in phishing attacks that use other messaging platforms. In 2018, Slack, Skype, Facebook Messenger and other communication applications became popular targets for phishing, with a 237% increase in phishing attacks against users of the SaaS industry in 2018 [3].

Figure: Top 10 Impersonated Brands of 2018 [4]
Phishing by the Numbers

These statistics highlight the financial damage and overarching trends of phishing in recent years.

Financial Costs
$12.6 Billion: Global losses from Business Email Compromise (BEC) attacks since 2013 [7]
$500M: Yearly costs of phishing attacks for American businesses [5]
$172M: Cost of phishing and other forms of online fraud in 2017 [8]
$476: Average cost per financial cyber attack [8]
$1.6M: Average cost of a phishing attack for mid-size companies in 2017 [6]
$5000+/-: Losses reported by 1 in 10 consumers [9]

Phishing Trends
66%: of malware is installed via malicious email attachments: fake purchase orders, payments, invoices, and receipts [14]
1%: of the ~281B emails sent daily are phishing attempts [11]
82%: of manufacturers experienced a phishing attack in 2018 [12]
190%: Increase in phishing attacks against users of social media
71.4%: of targeted attacks involved the use of spear-phishing emails [13]

In 2018, phishing was the most popular type of cybercrime, and it isn’t just a trend; phishing is here for the long haul and it is time to act.

*Data adapted from external source(s) referenced in the End Notes of this document.
Phishing Is Not a Fad!

Just like any marketplace, market demand applies to the monetization of malware too. With the rise in cryptocurrency valuations last year, Allot identified and reported [16] a massive surge in cryptojacking malware based on Coinhive libraries. During the same period, there was a corresponding rise in phishing. This is understandable, as phishing is commonly used to infect users with malware.

With the devaluation of cryptocurrencies, the appeal of cryptojacking declined 100-fold in 2019, while phishing remains stable at about 20M phishing attacks per month. Looking at the threat landscape for Q1 2019, phishing remains in first place and accounted for almost 35% of activated protections for 7 million customers in Europe subscribed to a CSP-based security service.

This data demonstrates that phishing is not a fad. The reason is one constant factor: human nature. Even though con artists have modernized their tactics, the emotions they are preying on are still the same. People are naturally prone to click on emails that are addressed to them. Bad guys will always find new, creative ways to trick victims.

Even though phishing is technically the responsibility of internet users, these cyberattacks present unique revenue opportunities for CSPs, while protecting innocent internet users that don’t know better.
A Valuable Opportunity for CSPs

Despite over a million fatal car accidents each year, people keep driving. However, through regulation and private initiatives by car manufacturers, safety technology has helped mitigate a lot of the risk. Some car companies have even made safety the focal point of their branding. Similarly, CSPs can wait for regulation to step in, or take a pre-emptive step and become secure communications providers, championing safety as a key differentiator for themselves.

Here are 3 trends that can’t be ignored in 2019:
o 69% of people don’t use their smartphone for mobile payments, with 42% of them claiming security as the reason [17].
o 90% of successful cyberattacks started with a phishing email, according to a 2018 report [18].
o 50B+ IoT devices are expected to be connected by 2020 [19], creating a plethora of new opportunities for cybercriminals.

Phishing is a real problem for CSPs, but by proactively addressing internet security, CSPs stand to increase brand loyalty, generate additional revenue from added premium security packages, and differentiate themselves from the competition.

As documented in our recent Telco Security Trends report, Allot found that 66% of households with 1-10 devices are willing to pay monthly fees of $4.90 on average to cybersecure their connected home; 84% of households with more than 10 devices were willing to pay an average of $6.16.

CSPs can provide continuous protection against phishing with an approach that includes the following three elements:
o WARN customers about phishing campaigns
o EDUCATE customers on internet safety
o SECURE customers from phishing

By nature, people are susceptible to social engineering scams like phishing, but that isn’t the only factor in the success of these campaigns.
6 Elements of a Successful Phishing Attack

Humans may be the weakest link in cyber security, but it isn’t entirely our fault. Even highly educated, tech-savvy individuals can fall victim to these scams because of the level of complexity generally involved. How many of these factors would be able to fool you?

Well-Crafted Fake Email or Website
Easy-to-spot fake emails with bad grammar and typos are being replaced with well-crafted, personalized messages that are harder to detect.

Human Emotions and Psychology
Hackers are exploiting human emotions: fear, guilt, kindness, greed, and curiosity. Victims are tricked by a false sense of urgency created by the messaging or imagery.

HTTPS Domain
Today, phishers install encryption certificates to make fake sites appear more legitimate. Nearly one-third of all phishing sites observed by the end of 2017 were located on HTTPS domains, up from only five percent a year before [20].

Massive Distribution
Phishing campaigns exploit large-scale IoT botnets and automation to deliver messages to their victims. Hackers have used “thingbots” of smart home devices as launching pads for massive phishing and spam attacks, distributing more than 750,000 malicious emails since as early as 2014.

Social Engineering and Personalization
Criminals today can research and profile their victims prior to orchestrating an attack, making their messages personal and timely, and therefore more authentic and convincing.

Ties to Current Events and Holidays
Criminals typically take advantage of holidays and hyped events taking place around the world, like the 2018 World Cup in Russia, the GDPR launch, a new season of “Game of Thrones”, and others. During the holiday shopping season, users often have their guard down, leaving them vulnerable to attacks.

Many internet users are fooled by these elements, which is why phishing continues to trend around the world.
This is Where CSPs Step In

When you look at the path a typical phishing attack takes, there are two very clear junctures where the malicious behavior can be mitigated.

Figure: To Click or Not to Click (branches: No / Yes), marking the two junctures: End Point Security and CSP Network Security.

End Point Security: Endpoint security agents scan messages for malware as they arrive, but this relies on users to install and update software independently. The efficacy of this type of solution is beyond the CSP’s control, and adoption rates are extremely low.

CSP Network Security: CSPs can protect customers who fall victim and click on the malicious link with a network-based security solution. Such solutions do not require users to take any action, can provide engagement opportunities for CSPs, and achieve higher adoption rates.
Geography of Phishing

From the Americas to Europe and the Asian Pacific region, phishing is an active threat. Some of the most affected countries in the top ten may even surprise you.

Top 10 Most Targeted Countries of 2018 [21]
(By percentage of total phishing volume)
USA 84%
Canada 4%
China 2%
France 2%
Turkey 1%
Australia 1%
UK 1%
Colombia 1%
Brazil 1%
Germany <1%

Depending on the level of research, campaigns can even be sent with specific timing to catch victims when their guard is down throughout the day.

Famous Hacks (marked on the map for the USA, Australia, Japan, Russia, Brazil, Sweden and the UK; read the stories below)
Famous Hacks

USA

Operation Phish Phry (2009)
Operation Phish Phry was the largest international phishing case ever conducted at the time, according to the FBI. The hackers successfully targeted hundreds of US bank account holders, who received official-looking emails directing them to fake financial websites. Victims entered their account numbers and passwords into fraudulent forms, giving the attackers easy access to their private data. Nearly 100 people in the USA and Egypt were arrested for stealing $1.5 million through this phishing scam.

RSA (2011)
In 2011, an American network security company called RSA reported a data breach following a spear phishing attack. The attack exploited an unpatched Adobe Flash vulnerability, which resulted in a backdoor being installed on the compromised machine. The email had a single line of text that said: “I forward this file to you for review. Please open and view it.” The attack enabled criminals to get hold of master keys for all RSA SecurID security tokens, which were subsequently used to break into US defense suppliers’ networks.

Target (2013)
The huge Target data breach that affected 110 million customers in 2013 began with a simple phishing attack. Hackers stole network credentials through an email phishing attack against a third-party heating, ventilation, and air-conditioning vendor that began at least two months before they started stealing card data from thousands of Target cash registers. The breach cost Target hundreds of millions of dollars, and the firm fired its CEO and CIO.

Sony Pictures (2014)
The largest data breach at Sony Pictures was caused by phishing emails used as an initial attack vector. Using social engineering, hackers convinced employees to open a malicious attachment that infected Sony with the malware. Over 100 terabytes of Sony’s data were stolen, which cost the company an estimated $100 million.

The Clinton Campaign (2016)
On March 19, 2016, Russian intelligence services sent Hillary Clinton’s campaign chairman, John Podesta, a carefully crafted spear-phishing email. The fake message looked like Google was urging him to reset his password. He fell for it and gave the criminals access to his email account. Two days later, they swept up his inbox of more than 50,000 emails.

Google Docs (2017)
1 million Gmail users were impacted by a major phishing attack that hit Google Docs in 2017. The attack sent victims an emailed invitation from someone they may know, took them to a real Google sign-in screen and asked them to “continue to Google Docs.” This granted permissions to a (malicious) third-party web app that had simply been named “Google Docs,” which gave phishers access to the email and address book of the victims.
Australia

EnergyAustralia (2017)
In 2018 Australia rose up the charts as one of the most targeted countries for phishing. One of the largest local attacks was a phishing scam that hit EnergyAustralia customers. The phishing email was an exact replica of a real EnergyAustralia bill, with the message noting the bill was due in just a few days. In truth, the sender was attempting to trick the recipient into downloading a Zip file that contained malicious JavaScript.

Japan

Yahoo! Japan (2008)
This phishing attack impersonated the Japanese localized site of Yahoo! Auctions. The phishing emails were delivered to users with a subject title in Japanese, “To Yahoo! Japan site users”, appearing to come from the Yahoo! Japan Support Center. The phishing site was designed to mimic the real Yahoo! Japan site layout, and some of the links were even connected to the legitimate Yahoo! Japan site.

Russia

Russia World Cup (2018)
Last year, cybercriminals heavily exploited the World Cup event in Russia, creating numerous fake FIFA partner websites to gain access to victims’ bank accounts. The criminals sent a large number of emails promising vacation rentals, free tickets, and more, to World Cup fans. The FTC issued a special note guiding fans to FIFA.com, the only official source for tickets, and giving tips on how to avoid the scams.

Brazil

Valdir Paulo de Almeida (2005)
Notorious Brazilian phisher Valdir Paulo de Almeida was arrested in 2005 for leading one of the largest phishing campaigns. Between $18 and $37 million USD were stolen over two years. Valdir sent up to three million messages a day with sophisticated Trojans attached, targeting Brazilian bank customers, and led a gang of up to 18 hackers.

Brazilian Bank (2016)
Hackers hijacked the entire online operation of one of the major banks in Brazil by using DNS manipulation to reroute all customers to perfectly reconstructed fake copies of the bank’s sites. Aside from mere phishing, the spoofed sites also infected victims with malware.

Sweden

Nordea Bank (2007)
In 2007, the Swedish bank Nordea lost about $1.1 million in a phishing scam. Going on for over 15 months, the scam infected customers with a Trojan called “haxdoor.ki” masquerading as an anti-virus package. The virus was designed to redirect customers to a fake bank page when they tried to use the website. Approximately 250 bank customers were said to be affected by it.

UK

Vodafone (2017)
This phishing campaign impersonated Vodafone, a major international phone company, in a very convincing example of a fraudulent email. It claimed that the customer needed to pay a bill of over £400, a high amount designed to send users into panic and click on the links. The scammers sent these emails out by the thousands in the certainty that some would reach real Vodafone account holders.
Phishing Around the Clock

In today’s world, millions of people are on a device of some kind from the moment they wake up to right before bedtime.

At Home
Jane gets a personal email from “PayPal” asking her to verify a suspicious login to her account. She clicks through to a fake copy of the real site, and then unknowingly hands over her login and password.

On the Commute to Work
Fred is on the bus and gets an email notification from his phone company with a huge bill. He panics, clicks to view the claim and inadvertently downloads malware to his phone.

Lunch in a Cafe
Keisha sits in a café and gets a phishing SMS asking her to claim a free gift. She excitedly clicks the link, which turns out to be malicious, and her phone is infected.

In the Office
Pedro sits at his desk and gets a spear-phishing email “from the CEO” asking him to transfer a payment to a new partner company, which is a scam.

At a Bar
Emma has already had her first martini when she gets a Facebook message from a distant cousin she hasn’t heard from. The “cousin” invites her to download the video of her recital, but in fact, Emma has downloaded malware.

CSPs can take steps to protect their customers from these situations, while simultaneously increasing brand loyalty and engagement.
Best Defense Tips

CSPs have a valuable chance to be trend setters instead of followers, by championing cybersecurity and rolling out security-as-a-service packages to protect their customers.

To successfully deal with phishing, CSPs can embrace the following three-pronged approach:

WARN
Create an opt-in mailing list and proactively alert customers to help them avoid getting caught in the latest scams.
o Inform customers in real time about specific phishing campaigns that are going on, especially if the campaigns are relevant to their interests.
o Anticipate upcoming phishing attacks. Traditionally, waves of phishing attacks increase around the holidays and during pop culture events.

EDUCATE
Find ways to educate customers on using practical tools and best practices for browsing the web and staying safe.
o Encourage customers to learn more about phishing and test themselves with interactive tools, like free interactive quizzes or games. This quiz by Google and this game by the FTC are good examples, or even better, make your own.
o Offer your customers the chance to opt in to your own phishing awareness program for customers. These programs are designed to train participants in a safe environment, by sending fake phishing emails out periodically, with feedback and scoring relayed to the user.

SECURE
Even with better education, the best thing you can do for your customers is protect them.
o Implement anti-phishing technology, such as Allot NetworkSecure and Allot HomeSecure. The most effective defense against phishing is to protect customers from within the network, with in-line content and header inspection that blocks phishing, malware and other types of malicious traffic.
o Encourage customers to install end-point security solutions to fight phishing and keep themselves protected when they access the internet from multiple accounts that may not reside on the CSP infrastructure.
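The in-line content and header inspection recommended above can be approximated with a few heuristics that follow the lures this report describes: a look-alike or subdomain-spoofed brand domain, a Reply-To that differs from the sender, and a "suspicious login" urgency message. The Python below is an added example written for this page, not Allot's product code; the brand list, the sample messages and the two-finding block threshold are assumptions.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Brands the report lists among the most impersonated; the official domains are
# assumed for illustration (a real deployment would load a vetted brand list).
PROTECTED_BRANDS = {"paypal": "paypal.com", "fedex": "fedex.com", "vodafone": "vodafone.com"}
# Lures the report describes: fake login alerts and expired-password notices.
URGENCY_PHRASES = ("suspicious login", "password has expired", "verify your account")
# Digit-for-letter substitutions commonly seen in look-alike domains.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a"})

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one-character look-alikes such as 'paypai'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host: str) -> str:
    """Crude registrable domain (last two labels); no public-suffix list here."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def brand_spoof(host: str):
    """Return (brand, reason) when host imitates a protected brand, else None."""
    host = host.lower()
    reg = registrable(host)
    for brand, official in PROTECTED_BRANDS.items():
        if reg == official:
            return None  # the brand's own domain, or a subdomain of it
        label = reg.split(".")[0].translate(LEET)
        if brand in host.translate(LEET) or edit_distance(label, brand) <= 1:
            if host.startswith(official + "."):
                return brand, "brand domain used as a subdomain of another domain"
            return brand, "look-alike domain"
    return None

def inspect(raw: bytes) -> dict:
    """Run the header and content checks on one raw message and score it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    from_host = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    spoof = brand_spoof(from_host)
    if spoof:
        findings.append(f"sender {from_host}: {spoof[1]} ({spoof[0]})")
    reply_host = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2]
    if reply_host and registrable(reply_host) != registrable(from_host):
        findings.append(f"Reply-To domain {reply_host} differs from sender domain")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for phrase in URGENCY_PHRASES:
        if phrase in text.lower():
            findings.append(f"urgency lure: '{phrase}'")
    for url in re.findall(r'href="([^"]+)"', text):
        spoof = brand_spoof(urlparse(url).hostname or "")
        if spoof:
            findings.append(f"link {url}: {spoof[1]} ({spoof[0]})")
    # Two-finding threshold is an assumption; tune it against false-positive data.
    return {"findings": findings, "verdict": "block" if len(findings) >= 2 else "allow"}

# Constructed sample messages (not real captures).
SAMPLE_PHISH = b"""From: PayPal Security <security@paypa1-login.com>
Reply-To: help@mail-verify.example
Subject: Suspicious login attempt on your account
Content-Type: text/html

<p>We noticed a suspicious login. Please
<a href="https://paypal.com.account-verify.example/login">log in</a>
to reset your password.</p>
"""
SAMPLE_LEGIT = b"""From: PayPal <service@paypal.com>
Subject: Your monthly statement is ready
Content-Type: text/html

<p>View it at <a href="https://www.paypal.com/statements">PayPal</a>.</p>
"""

if __name__ == "__main__":
    print(inspect(SAMPLE_PHISH)["findings"], inspect(SAMPLE_LEGIT)["verdict"])
```

The look-alike check deliberately accepts any subdomain of the official domain, so a legitimate mailer at www.paypal.com is not flagged while paypal.com.account-verify.example is.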
Conclusion

Phishing is the most prevalent form of cyberattack that exists today, but it is only the tip of the iceberg when we look at the threat landscape for 2019. As our society continues its rapid transformation into a hyper-connected digital age, we are more exposed than ever to the dangers of criminal activity on the web. Weak network security can make it just as easy for cybercriminals to access your personal data as it is for you.

The key to strengthening the weak link that is human nature is consistent education to raise awareness. Ongoing anti-phishing campaigns that regularly send test emails, combined with computer-based training, have been found to dramatically decrease careless clicking to just 13% in 90 days, with a steeper drop to 2% after 12 months [22]. These initiatives can result in a safer, and therefore more satisfied, customer base.

CSPs have two primary ways to capitalize on the dangers of cybercrime:
o Raising awareness about the dangers of phishing and other cybercrimes, to increase brand loyalty and consumer satisfaction, and differentiate themselves from the competition, and
o Bundling security value-added services (VAS) into existing internet plans for consumers, generating incremental ARPU and simultaneously protecting consumers.

Our data has shown substantial interest from consumers in purchasing network security services from their Internet Service Providers. To these consumers, ISPs are the experts at everything internet-related, which includes security. CSPs are uniquely positioned to make a difference with their massive subscriber lists, who already look to them as the experts. By embracing the burden of protection and educating customers, CSPs can make a tremendous impact on the cybercrime footprint and make the internet a safer place for the everyday digital consumer.

Learn more about securing your customers from phishing attacks »
Resources

From Allot
Connected Home Cybersecurity: The Consumer’s Perspective - Telco Security Trends Report
How Effective are CSP Security Services for the Mass Market? - Telco Security Trends Report
Will Your Defense Conquer World Cup Malware? - Blog Post
New Research Shows Why We Should Trust CSPs With Our Data Security - Blog Post
IoT Security Demands a Multi-Layered Approach - Frost & Sullivan Whitepaper

From Other Sources
PhishLabs 2018 Trend Report
What Happens When You Reply To Spam Email - James Veitch, TED Talk
Phishing for Phools - Robert Shiller, TEDxYale
The Latest in Phishing - Proofpoint
Tips on How to Recognize and Avoid Phishing Scams - FTC

Anti-Phishing Tools For Consumers
Anti-Phishing Browser Extensions
Password Alert - Chrome Extension
Password Checkup - Chrome Extension
Facebook Login Tracker and Email Alerts

“People are prone to taking mental shortcuts. They may know that they shouldn’t give out certain information, but the fear of not being nice, the fear of appearing ignorant, the fear of a perceived authority figure - all these are triggers, which can be used by a social engineer to convince a person to override established security procedures.”
Kevin Mitnick, Cybersecurity Consultant and former hacker
End Notes
1. Spam and Phishing in 2018 Report, Kaspersky Lab
2. Anti-Phishing Best Practices for ISPs and Mailbox Providers, 2006
3. PhishLabs 2018 Phishing Trends & Intelligence Report
4. F5 Labs 2018 Phishing and Fraud Report
5. Forbes: Phishing Scams Cost American Businesses Half a Billion Dollars A Year
6. PhishMe’s 2017 Enterprise Phishing Resiliency and Defense Report
7. FBI Public Service Announcement Alert I-071218-PSA
8. 2017 Norton Cyber Security Insights Report
9. Kaspersky: Online Financial Cybercrime Victims Struggle to Recover All Their Lost Money
10. Emails Sent and Received Between 2017 and 2023
11. Medium: How to Spot Phishing: The Most Common Cyberattack
12. Check Point Research Security Report 2018
13. Symantec Internet Security Threat Report 2018
14. 2017 Verizon Data Breach Investigations Report
15. PhishLabs 2018 Phishing Trends & Intelligence Report
16. Allot Q2 2018 Telco Security Trends Report
17. Deloitte 2018 Global Mobile Consumer Survey, US Edition
18. IT Governance: Over 90% of Successful Cyberattacks Start with a Phishing Email
19. Cisco: Enterprises Are Leading The Internet of Things
20. PhishLabs 2018 Phishing Trends & Intelligence Report
21. PhishLabs 2019 Phishing Trends & Intelligence Report
22. KnowBe4: Phishing
About Allot

Allot Ltd. (NASDAQ, TASE: ALLT) is a provider of leading innovative network intelligence and security solutions for service providers worldwide, enhancing value to their customers. Our solutions are deployed globally for network and application analytics, traffic control and shaping, network-based security services, and more. Allot’s multi-service platforms are deployed by over 500 mobile, fixed and cloud service providers and over 1000 enterprises. Our industry-leading network-based security as a service solution has achieved over 50% penetration with some service providers and is already used by over 21 million subscribers in Europe. For more information, visit www.allot.com or Contact Us.