How Phishing Attacks Will Change in 2019
And the first time I found out dicks.com is not Dick’s Sporting Goods.
I remember when we got our first home computer. I don’t recall exactly how old I was, but I do know the big game that we played was NBA Live ’95…I’d guess I was still in elementary school.
Back then home computers were pretty new, and so was the internet. That was when AOL provided free trials off a cd. Now we get wi-fi from our car.
My sister was a few years older than me, and a star athlete. She was one of the tallest girls on the team. Finding shoes that fit was no easy task.
We lived a mile from the mall with quick access to Foot Locker, Finish Line, and Dick’s Sporting Goods. We were on the search for royal blue and white basketball shoes that matched the school colors in a size that was a few deviations from the mean.
Foot Locker didn’t carry that size. Finish Line didn’t carry that size. Dick’s Sporting Goods didn’t carry that size, but they did have a website.
That was pretty new. The folks at the store recommended that we check online from home, and have them shipped to the house.
Ordering online was new and exciting. I vividly remember sitting at the computer table at the side of the kitchen. My wonderfully naive mom booted up the tower, waited for Windows 95 to launch, and then dialed into our 56k connection. I cringe thinking about that noise today.
I’m on her left, my sister’s on her right. We’re all new to computers. New to the internet. And we need to buy shoes from Dick’s Sporting Goods.
With her young, beautiful kids standing in support behind her, my mom navigates to the only logical address – www.dicks.com.
To our surprise, this wasn’t a website for the shoe store. It was a website that little boys and girls should never know existed.
What popped up at dicks.com?
An image. Do you remember how images loaded when we used dial up? They loaded line by line. This one loaded slowly from the bottom to the top.
So none of us noticed at first. Three new internet users. We just watched. A blank box. Slowly filling, line by line. The culmination of which resembled a grand structure, much like the Eiffel Tower.
In 2018 that story could be shortened to two words – The Internet.
Changes in User Behavior Lead to a Change in Phishing Techniques
Just as the internet in 2018 is a much different place than the internet in 1995, phishing is a completely new beast. Back then it was the Nigerian prince, or the widow asking for help.
As the people using the internet have become more sophisticated, and know not to navigate to dicks.com in front of their children, phishing attacks have evolved too.
They are more creative, and difficult to identify. Cyber criminals are using new channels like texts and social media, and improving how they use email.
The most creative attack in 2018 sheds some light on what we can expect in 2019. Over the summer, shame scammers launched a phishing attack claiming that they’d recorded their victim watching pornography via their webcam.
This scenario is ingenious.
The scammers launched a ‘mass’ spearphishing campaign based on building trust with their victims and instilling fear.
The email starts with the intended victim’s username and password in the subject line, and then goes on to tell the intended victim that the sender has installed malware on their computer to get the password, and recorded a video of them watching porn via their webcam. They have to pay the sender via bitcoin within 24 hours, or the sender will release the webcam video alongside the porn video they were watching to all of their friends and coworkers.
This approach triggered a few emotions.
- Curiosity – No one expects others to know their username and password, so they’re curious when it’s sent in the subject line of an email. This ensures that the intended victim reads the email.
- Fear – This is a terrifying threat, and this fear ensures the intended victim opens the email immediately and acts quickly.
- Trust – If the sender of this email has my actual username and password, they must be telling the truth about the video recording.
It’s suspected that the cyber criminal never installed malware or actually recorded any videos. They simply used usernames and passwords pulled from an old data breach, or purchased on the dark web.
This is an especially terrifying example. This means that a cyber criminal does not have to be technically competent.
They can just buy a list of breached emails and passwords, open a crypto wallet which is untraceable by design, and come up with a unique scenario like the shame scam described here.
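The reason the subject line can carry a real password is that it was lifted from an old breach dump, not from malware on the victim’s machine. The defender’s counterpart is checking whether a credential already appears in such a dump without ever sending the password anywhere. The script below is an added example, not code from this post or from Wuvavi: it builds a small constructed breach corpus locally and runs the same prefix-based (k-anonymity) lookup that Have I Been Pwned’s Pwned Passwords API uses, so the client only reveals the first five hex characters of the SHA-1 hash. The corpus contents and the `range_query` server stand-in are assumptions made for the example.

```python
import hashlib

# Constructed stand-in for a breach corpus. In the scenario above this is the
# dump the scammer bought; here it is built locally from a few made-up
# passwords so the example runs offline. Keys are upper-case SHA-1 hex
# digests, values are how many times the password appeared in "breaches".
BREACH_CORPUS = {}
for _pw, _count in (("Summer2018!", 42), ("letmein", 3500), ("hunter2", 21000)):
    BREACH_CORPUS[hashlib.sha1(_pw.encode()).hexdigest().upper()] = _count


def split_hash(password: str):
    """Return (5-char prefix, 35-char suffix) of the password's SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[:5], digest[5:]


def range_query(prefix: str) -> dict:
    """Server side of the k-anonymity lookup (assumed local stand-in for the
    real range endpoint): return every suffix in the corpus that shares the
    5-character prefix, with its count. The server never sees the full hash."""
    return {h[5:]: n for h, n in BREACH_CORPUS.items() if h.startswith(prefix)}


def breach_count(password: str) -> int:
    """Client side: send only the prefix, then match the suffix locally.
    Returns the number of times the password was seen, 0 if it is unknown."""
    prefix, suffix = split_hash(password)
    return range_query(prefix).get(suffix, 0)


def exposed_credentials(credentials: dict) -> list:
    """Given {username: password}, list the usernames whose password is in the
    corpus: exactly the accounts a shame-scam subject line could 'prove' it knows."""
    return [user for user, pw in credentials.items() if breach_count(pw) > 0]


if __name__ == "__main__":
    # Constructed sample accounts, not real users.
    sample = {"alice@example.com": "Summer2018!", "bob@example.com": "correct horse battery staple"}
    for user, pw in sample.items():
        print(user, "seen", breach_count(pw), "times")
    print("exposed:", exposed_credentials(sample))
```

Run against real data, the only change is that `range_query` becomes an HTTPS request for the prefix; the comparison of the suffix stays on the client, which is what keeps the password itself off the wire.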
Enter Mass Spear Phishing
Spear Phishing has traditionally been reserved for high value targets because it’s a costly endeavor. Spear phishing emails are personalized to garner trust from an intended victim, and increase the likelihood that they’ll click a link, open an attachment, or respond.
This takes time. While a standard phishing email only requires an email address, and can be sent to thousands of people with the click of a button, spear phishing requires reconnaissance. Cyber criminals might follow your Facebook to find out when you’ll be on a family vacation, the name of your dog, or a company that you do business with in order to create a personalized phishing attack. They might watch your patterns, and dig into your digital footprint.
This allows the cyber criminal to personalize a message that’s almost guaranteed to get an intended response. This additional effort is worth it when you’re attacking a high profile executive, a political figure, or some other high value target.
But it’s extremely inefficient for lower profile targets like employees or parents.
The shame scam example from 2018 is an example where the barrier to creating a spear phishing email has been minimized, making it a more cost effective attack for a wider array of people.
Now cyber criminals can personalize a message without the extra effort.
2019 Will Be The Year of Mass Spear Phishing
2019 will be the year of mass spear phishing. If this is paired with the improvements in design and sophistication of other phishing attacks, it will also be a year of unprecedented loss.
The Marriott attack is huge. Here is a hypothetical example of what a mass spear phishing attack leveraging this recent breach would look like –
The set up – an email to everyone requesting that they reset their password.
Building curiosity – The subject line will include both the username and password, ensuring that the intended victim opens the email.
Trust – The attackers will build trust by using their name, and a lookalike domain…something like mariott.com (missing an r).
Fear – The email will ask them to reset their password immediately to prevent the attackers from accessing their account.
Conversion – The email will download malware, request payment, or convert on some other goal.
Trust and Fear
All phishing emails leverage two things – trust and fear. The faster a cyber criminal can build trust and instill fear, the more likely they are to convert their target into a victim.
The scams that use stories of a Nigerian prince or a widow in need of money aren’t gone. In fact, there’s dozens in my spam box every week.
But they’re easy to spot – if I see a story even mentioning the promise of riches, or a sick stranger, red flags go off. The hair stands up on my neck like I just walked through the doors of a furniture store and I’m surrounded by shark salespeople.
That’s why cyber criminals are upping their game. It’s difficult to convert a target using those old stories. Over the years they changed their stories, changed their channels of attack, and improved their design so that a phishing email looks exactly like a trusted source.
The progression will continue. In 2019 phishing scams will not just be difficult to spot, they’ll also be highly targeted.
What Can We Do?
In every sport that I’ve ever played I remember one saying. Every coach said it.
Stay on your toes.
When you’re flat foot you’re slow to react. If you need to run forward from a flat foot position, the first movement is raising your heel, which takes time. If you have to do this, you’re already behind the person next to you.
If you’re on your toes, the first movement is forward. You’re quicker, faster, and more likely to make the play.
The Sport of Employee Cyber Awareness
Spotting a phishing email is like a sport. You have to be on your toes. In other words, you have to know that you’re under attack, and be ready to respond.
If an employee doesn’t have this realization they will receive an email with their username and password from mariott.com, and hand over any information that’s requested. It’s too late.
If an employee knows they are under attack, they will receive an email with their username and password from mariott.com and think, have I stayed at a Marriott in the last couple years? Did I use this email for my account? Why is the sender Mariott, and not Marriott? Why do they need my bank information?
They’ll be skeptical and they’ll recognize the red flags – they’ll be on their toes. That’s cyber awareness.
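The questions the employee asks above are exactly the checks a mail filter can run automatically on the hypothetical Marriott reset email: is the sender domain a near-miss for a brand we trust, does the subject line carry a username and password, does the body demand immediate action, and do the links point at the same lookalike. The script below is an added example, not code from this post or from Wuvavi. The trusted-domain list and both sample messages are constructed for the example; the two-edit threshold for what counts as a lookalike is an assumption, and the regexes are deliberately simple heuristics rather than a full anti-phishing engine.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: brands this organisation legitimately receives mail from.
TRUSTED_DOMAINS = {"marriott.com", "dickssportinggoods.com"}

# Constructed sample messages (not real mail). The first mirrors the
# hypothetical mariott.com reset email; the second is an ordinary message
# from the real brand and should raise no flags.
PHISH_SAMPLE = """\
From: Marriott Rewards <security@mariott.com>
To: jane.doe@example.com
Subject: jane.doe@example.com - Summer2018!
Content-Type: text/plain

Your account has been compromised. Reset your password immediately at
http://mariott.com/reset to prevent attackers from accessing it.
You have 24 hours.
"""

LEGIT_SAMPLE = """\
From: Marriott Rewards <rewards@marriott.com>
To: jane.doe@example.com
Subject: Your November points summary
Content-Type: text/plain

Thanks for staying with us. Your statement is attached.
"""

# An email address followed by a separator and a token: "user@host - secret".
CREDS_IN_SUBJECT = re.compile(r"[\w.+-]+@[\w.-]+\.\w+\s*[-:|]\s*\S+")
URGENCY = re.compile(r"\b(immediately|urgent|within 24 hours|24 hours)\b", re.I)
URL_HOST = re.compile(r"https?://([\w.-]+)", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: mariott.com is one edit away from marriott.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, max_edits: int = 2):
    """Return the trusted domain this one imitates, or None if it is trusted or unrelated."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(domain, trusted) <= max_edits:
            return trusted
    return None


def triage(raw_message: str) -> dict:
    """Run the red-flag checks and return the sender domain plus the flags raised."""
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""
    subject = msg.get("Subject", "")
    body = msg.get_payload() if not msg.is_multipart() else ""
    flags = []

    imitated = lookalike_of(sender_domain)
    if imitated:
        flags.append(f"sender domain {sender_domain} looks like {imitated}")
    if CREDS_IN_SUBJECT.search(subject):
        flags.append("subject line carries a username/password pair")
    if URGENCY.search(body):
        flags.append("body demands immediate action")
    for host in URL_HOST.findall(body):
        imitated = lookalike_of(host)
        if imitated:
            flags.append(f"link host {host} looks like {imitated}")
    return {"sender_domain": sender_domain, "flags": flags}


if __name__ == "__main__":
    for name, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(name, triage(sample))
```

A message with any flag is worth quarantining or at least banner-tagging; one that only trips the urgency rule is a weaker signal on its own, which is why the result is a list of reasons rather than a single verdict.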
Cyber Awareness Is A Process, Not An Event
Building a culture of cyber awareness is a process, not an event. It starts with building a leadership team that embraces cyber security, which I’ve written extensively on at Secjuice.
Developing a Leadership Team that Embraces Cybersecurity Awareness
Cyber awareness is then ingrained into the culture of the business from strategy and policy to weekly meetings and annual reviews. Leaders must train their employees, and continue validating the importance through ongoing training modules, simulated phishing attacks, formal meetings, and water cooler discussions.
Building a culture of cyber awareness is a process, but it’s vital to the growth and sustainability of an organization.
Building a Culture of Cyber Awareness
Wuvavi provides the world’s only cyber security awareness platform developed for small and medium sized businesses, and creates a culture of cyber awareness within its customer organizations.
Wuvavi allows SMBs to deploy enterprise grade cyber awareness training and simulated phishing campaigns to their employees, track progress, and receive completion certifications.
Sign up for a free trial to simulate phishing attacks on your employees and start cyber awareness training today.