We have all heard these clichés: “Curiosity Killed the Cat,” “Nothing Bad Will Happen,” “Did You Know They Removed Gullible from the Dictionary?” and “It Can’t Happen to Me.” But as we have learned, phishing scams pray on these types of attitudes to invoke user behavior and perpetuate an attack. Let’s consider these four clichéd bad user attitudes one at a time, and then I will explain steps you can take to mitigate these risks.
"Curiosity Killed the Cat"
Let’s say you receive a phishing email and it eludes your junk email box. Below is a perfect example of one I received recently. The payload is in the Word document and is typically ransomware (W97.Downloader in this case).
Hopefully, any experienced computer user would recognize this and just delete the email. However, for the typical non-technical user, especially someone in, say, the accounting department, they may not be expecting this type of email and just open the attachment to see what it is and if it is a bill that should be paid. Honest curiosity based on the job alone could completely infect their entire environment. This would be a targeted behavioral response based on the end user’s profession.
"Nothing Bad Will Happen"
In all fairness, I think every security professional has done this at least once; even for testing purposes. You have a system (probably a virtual machine) built up, fully protected with every security tool you have or stripped down to bare basics, and you execute malware (known or unknown payload) to see what happens. Unfortunately, to our surprise, our best defenses crumble, the system is compromised and you end up pulling the network cable or hitting Power Off for the VM because things got out of control too quickly.
Phishing emails are no different. Consider the first time someone tested the file mentioned above with an Anti-Virus solution. Better yet, here are the current findings from Virus Total: Only 26% identified it as malware and if your protected VM contained the 74% of the other solutions, you may have been a victim of “nothing bad could happen if my security tools are fully up to date;” even today.
Phishing emails to security and technology professionals rarely succeed. However, the work we do in the lab is not always containable and the outcome potentially devastating if not properly controlled. If an overzealous actor within the organization executes the file and you are exposed to vulnerability, they may think nothing bad could happen but in realty the results can be very different as well.
"Did You Know They Removed Gullible From the Dictionary?"
This one is short and sweet. Remember when Apple launched a campaign that Macs do not get viruses? It’s scary that this actually was a real advertising campaign. But here is reality: 1989 saw the first Mac Malware and things have evolved for OS X just like for Windows (although not in the same quantity due to Apple market share). This article from Time explains a recent ransomware attack that proves the point. While the payload came from sharing files in Transmission, the torrent for sharing could have easily come in an email or webpage. For anyone that says Macs do not get Malware or are not susceptible to phishing attacks really thinks that a word like ‘gullible’ can be removed from the dictionary.
"It Can’t Happen to Me"
This phishing attack plays to every ego in the room from executives to hired expert contractors. Phishing emails do not discriminate and when they employ techniques to target specific individuals (i.e. spear phishing), the results can be financially disastrous. Recent attacks against executives and their team members to conduct fraudulent wire transfers have cost millions and their jobs. If any team member thinks they cannot be a victim of phishing due to the seniority or perceived importance, they are grossly mistaken.
4 Steps to Determine if Your Email is a Phishing Attack
The best way to prevent the potentially damaging effects of phishing attacks is enforcing basic education – just like putting on your seat belt when driving a car. Here are four steps to take to verify whether your email is a phishing scam:
- Verify that the email address is really an internal address and from a trusted source.
- If your name is not in the To: or CC: line, or many of your colleagues are listed (dozens or even hundreds), question the source.
- If there are simple typos or grammatical mistakes, or the subject line seems odd, it could potentially be a fake.
- Verify the links are for real domains and not questionable like .ru.
5 Best Practices to Mitigate the Risks of Phishing Attacks
Basic technology can stop an attack even if the end user makes a mistake since many of the phishing attacks leverage known weaknesses. Here are five best practices to mitigate the risks of phishing attacks:
- Make sure all security patches are up to date on a regular basis for all systems, especially for common attack vectors like Microsoft Office, Adobe Flash, and Java.
- Ensure the end user is running with proper privileges and not logged in as an administrator answering emails. This just makes it easier for malware to own the system and bypass defenses.
- Ensure defense software like AV is up to date including engine and signatures.
- Disable automatic macro execution in Office and only run macros that are digitally signed (the sample file discussed above).
- Deploy and maintain SPAM filters, next generation firewalls, etc. to stop malicious emails before they end up in an end user’s inbox and establish command and control of the hijacked system.
If users can be educated on the concepts, and security and operations maintain these policies for safe computing, the risks to everyone would be much lower.
If you would like to learn more about how BeyondTrust can help you achieve better control and visibility over your user endpoints, request a free trial today.
Morey J. Haber, Chief Security Officer, BeyondTrust
Morey J. Haber is the Chief Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored three books: Privileged Attack Vectors, Asset Attack Vectors, and Identity Attack Vectors. He is a founding member of the industry group Transparency in Cyber, and in 2020 was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board. Morey currently oversees BeyondTrust security and governance for corporate and cloud based solutions and regularly consults for global periodicals and media. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition where he served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.