Sounds Phishy

Despite obvious errors, email scammers still manage to reel in victims.

Given the comical levels of poor grammar and spelling in many phishing emails, one might say those taking the bait are falling hook, line and stinker.

“We wanted Automatically,” a recent email, purportedly from PayPal, urgently announces. It claims that there is a problem with the recipient’s account and wishes to determine “if you your cheeks exchange agreement with thesis.” Recipients are asked to click on a link to gain details about “our exchange Updates Regulations.”

Cyber security experts say there are several reasons for the notoriously high level of mistakes in spoofed emails. For one, most originate in countries where English is not the native language — particularly Eastern Europe and China. Scripts are written in the phisher’s native language and then run through online translation engines with predictably peculiar results. However, researchers also say that some of these errors are actually deliberate attempts to slip past spam filters and attract only the most gullible.

Whatever the reason, it would be a mistake to assume that all phishing attacks are clumsy and easy to spot. Recent headlines indicate that phishing lures can be quite sophisticated. Phishers mimic the logos and websites of legitimate organizations, and pose as friends, business partners, clients, bank officials or IT staff. They hook their targets by fooling people into clicking malicious links or opening attachments that install viruses and other malware. The criminals can then use the compromised accounts to spread the misery to others.

Bigger Fish

In August, U.S. authorities charged an international band of criminals with using phishing techniques to acquire logins and passwords, which were then used to steal confidential corporate press releases before they became public. By trading on that information, the criminals illegally netted more than $100 million on Wall Street, according to the charges.

An even more sinister attack was uncovered in May when a former Department of Energy employee launched a phishing attack targeting dozens of DoE employee email accounts. Authorities allege Charles Harvey Eccleston was attempting to deliver a viral payload that would extract sensitive information related to nuclear weapons — information he intended to sell to a foreign government.

In fact, experts say phishing scammers are casting a wider net than ever before, targeting an increasingly broad set of industries with a growing number of attack vectors.

The Q2 2015 Cyber Threat Report from cybersecurity firm CYREN reveals that phishing attacks increased 38 percent overall during the second quarter. Phishing occurs most frequently through email, but instant messages, texts and social networking sites are becoming more popular avenues for attack.

CYREN says usernames and passwords, financial account information, Social Security numbers and basic contact information are the most common targets of phishing attacks. Consumers with PayPal, Apple and Gmail accounts are frequent victims of phishing. Common phishing scams include phony requests to verify bank account or billing information, bogus alerts of stolen credit cards or overdue payments, malicious e-cards, job listings and prize-winning notifications, and fake charities or political campaigns requesting donations.

Staying Off the Hook

For its Q2 2015 report, CYREN looked beyond these types of attacks to examine phishing campaigns that seek intelligence or financial gain from businesses. The security analysts grouped these sophisticated attacks into two categories — indirect and direct.

With indirect phishing attacks, cybercriminals use a series of emails to gain the organizational information needed for a broader phishing campaign. For example, an employee using a personal Apple device might be tricked into revealing iTunes credentials, which would give the attacker access to the contact information of other staff. Or by successfully phishing an employee using cloud-based company email (such as Office 365 or branded Gmail accounts), an attacker would gain access to a platform for sending malicious emails that appear safe.

Cybercriminals use direct phishing attacks to gain login credentials for actual business systems such as Microsoft Outlook. Because these credentials are frequently used for domain logins as well as email access, this could enable the attacker to access far more than just email. Credentials for cloud-based services such as Dropbox or Salesforce can also provide an attacker with direct access to company data.

There are simple ways to protect against phishing attacks:

  • Never email personal or financial data. Financial institutions and government agencies will never request this information by email.
  • Don’t click links or open attachments from unknown or suspicious senders, and don’t click suspicious links from anyone. Hovering the mouse pointer over a link reveals its true destination.
  • Educate employees about what types of emails are dangerous.
  • Make sure all security software is automatically updated.
  • Use centralized management tools for monitoring email threats.
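Hovering to compare what a link says with where it actually goes is a manual check. The following added Python example (not from the article or CYREN) applies the same comparison to an email's HTML body, flagging anchors whose visible text names one host while the href points at another; the sample email and the example.com / example.net domains are constructed for illustration.

```python
# Added example (not the article's or CYREN's code): a mechanised "hover over the
# link" check. SAMPLE_EMAIL is constructed; example.com / example.net are placeholders.
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> currently open, if any
        self._text = []     # text fragments seen inside that <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Lower-cased host of a URL or bare domain; None when there is none."""
    parsed = urlparse(value if "://" in value else "http://" + value)
    return parsed.hostname.lower() if parsed.hostname else None


def mismatched_links(html):
    """Return (href, text) for anchors whose visible text names a different host."""
    collector = LinkCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        # Plain words such as "Click here" are not a URL, so there is nothing to compare.
        shown = host_of(text) if "." in text and " " not in text else None
        if shown and host_of(href) and shown != host_of(href):
            flagged.append((href, text))
    return flagged


# Constructed sample: an honest link, a lure whose text lies, and a plain-text link.
SAMPLE_EMAIL = """<p>Statement: <a href="https://www.example.com/account">www.example.com/account</a></p>
<p>Confirm: <a href="http://login.example.net/verify">https://www.example.com/login</a></p>
<p><a href="http://login.example.net/verify">Click here</a></p>"""
```

A link whose text and destination agree is not thereby safe; the check only catches the specific deception the hover test is meant to expose.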

Poor grammar, bad spelling and faulty logic are telltale signs of a phishing scam. Unfortunately, not all cybercriminals provide such obvious clues. With phishing attacks reaching epidemic proportions, it is clear that scammers are getting smarter and more sophisticated. Vigilance, common sense and a healthy dose of skepticism combined with properly managed security systems are key to being the one that gets away.