Sunday, January 5, 2014

Compilation Biggest Security Threats of 2013

You Are A Target:
Most people simply just do not understand they are a target, and their lack of awareness is one of the biggest problems today. Most simply have no idea, and in this war against us, the people, to systematically strip us of any and all constitutional rights afforded us in the United States while stomping all over our private lives in every conceivable way, one simply... cannot afford to not know.


2013: The Security Year in Review





Jessica Davis | MSPmentor

With the Mayan Apocalypse greatly exaggerated and the Fiscal Cliff backed away from, you may think there's nothing to worry about in 2013. Well, just put that crazy thought to rest right now, because the good folks over at Kaspersky Lab recently released their security forecast for 2013. Prepare to retreat back into your bunker. Here are the security firm's predictions for the new year. It's your job to help get your customers ready for these.

What can you and your clients look forward to? More attacks and more malware, plus greater threats against platforms such as Mac and mobile devices. Privacy concerns will rise, the cloud will continue to add a new twist to the whole electronic security game, and troublemakers will look to make a buck from momentary lapses of judgement that could leave your "entire digital life destroyed" regardless of how tech-savvy you are.

Here's what Kaspersky says are their main findings as well as what you need to watch out for.

Main Findings

  • In 2012-2013, 37.3 million users around the world were subjected to phishing attacks — up 87% from 2011-2012
  • Most often, phishing attacks targeted users in Russia, the US, India, Vietnam and the UK
  • Phishing attacks were most frequently launched from the US, the UK, Germany, Russia and India
  • Yahoo!, Google, Facebook and Amazon are top targets of malicious users. Online game services, online payment systems, and the websites of banks and other credit and financial organizations are also common targets
  • Over 20% of all attacks targeted banks and other credit and financial organizations
  • The number of distinct sources of attacks in 2012 and 2013 increased 3.3 times
  • More than one-half (56.1%) of all identified sources of phishing attacks were located in just 10 countries
  • In 2012-2013, 102,100 Internet users around the world were subjected to phishing attacks every day. This is double the amount of intended victims over the previous period
  • More than 50% of the total number of individual targets (921 names out of 1,739 in the KSN database) were fake copies of the websites of banks and other credit and financial organizations
  • Phishing has some local accents: phisher targets are different from country to country, depending on the popularity of local online resources

1. Targeted attacks and cyber-espionage


Kaspersky says targeted attacks, specifically tailored to penetrate a particular organization and often focused on gathering sensitive data that has a monetary value in the ‘dark market’, have become an established feature in the last two years. Many attacks start by ‘hacking the human’, i.e. tricking employees into disclosing information that can be used to gain access to corporate resources.

2. Hacktivism continues

Sometimes the purpose of an attack is to make a political or social point. There were plenty of attacks like this in 2012, including Anonymous's attack on the Westboro Baptist Church. Our increasing reliance on the Internet makes all types of organizations more vulnerable to these attacks, so expect them to continue into 2013 and beyond.

3. Nation-state-sponsored cyber-attacks

Stuxnet pioneered highly sophisticated malware for targeted attacks on key production facilities. While these kinds of attacks aren't common, they aren't isolated incidents either. Kaspersky says we are now entering an era of cold cyber-war. Expect more countries to develop cyber weapons designed to steal information or sabotage systems. Copy-cat attacks by non-nation-states may also emerge with an increased risk of damage beyond the intended victim of the attack. Potential targets could include energy supply and transportation control facilities, financial and telecommunications systems and other infrastructure deemed critical.

4. More legal surveillance tools

The increase in and growing sophistication of cybercrime has led to law enforcement upping its game as well with new technology to monitor the activities of those suspected of criminal activities. The use of such legal surveillance tools has led to concerns about privacy and civil liberties. Kaspersky says we can expect this arms race and political debate to continue.

5. Clouds and malware

Cloud computing, for all its benefits, offers a potential single-point-of-failure to cybercriminals. Clouds hold large quantities of personal data in one place that can be stolen in one fell swoop if the provider should fall victim to a successful attack. Plus, cybercriminals can use cloud services to host and spread malware – typically through stolen accounts. And when data stored in the cloud is accessed from a non-cloud device criminals get access to everything. The use of mobile devices just increases the risk. And Kaspersky points out that when the same device is used for both personal and business tasks, the risk increases still further.

6. Privacy threatened

The erosion of privacy has become a hotly debated issue in IT security. While the Internet lets us bank, shop and socialize online, we routinely disclose information about ourselves, and companies around the world actively gather information about us. That both puts personal data at risk and raises bigger questions about the proper use of aggregated data that companies use for promotional purposes. The value of personal data to both cybercriminals and legitimate businesses will only grow in the future, and with it the potential threat to our privacy, Kaspersky notes.

7. Fake security certificates

We’re all predisposed to trust websites with a security certificate issued by a real Certificate Authority (CA), or an application with a valid digital certificate. But cybercriminals have been able to issue fake certificates for their malware using so-called self-signed certificates, and they have also been able to successfully breach the systems of various CAs and use stolen certificates to sign their code. The use of fake, and stolen, certificates is set to continue in the future.

8. Ransomware spreading globally

In 2012 Kaspersky noted the growth of ransomware or Trojans designed to extort money from their victims, by either encrypting data on the disk or by blocking access to the system. These attacks had been confined largely to Russia and other former Soviet countries until recently. Kaspersky says we're likely to see their continued growth in the future.

9. Mac OS malware

Macs are not immune to malware. But while Mac-based malware remains a small threat, it has been growing steadily over the last two years.

10. Mobile malware

Kaspersky puts it this way: "Mobile malware has exploded in the last 18 months." About 90 percent of it is targeted at Android-based devices. Cybercriminals like it because it’s widely used, easy to develop for, and those who use the system are able to download programs (including malicious programs) from wherever they choose. So expect the Android malware to keep on coming in 2013. Kaspersky says that so far most malware has been designed to get access to the device, but in the future, we are more likely to see the use of vulnerabilities that target the operating system and the development of ‘drive-by downloads’. There is also a high probability that the first mass worm for Android will appear, capable of spreading itself via text messages and sending out links to itself at some online app store. By contrast, iOS is a closed, restricted file system, allowing the download and use of apps from just a single source, the App Store. iOS remains at much lower risk.

11. Vulnerabilities and exploits

Expect cybercriminals to continue to install malware on victims’ computers by exploiting un-patched vulnerabilities in applications. Java vulnerabilities currently account for more than 50 percent of attacks, while Adobe Reader accounts for 25 percent. Cybercriminals typically focus their attention on applications that are widely used and are likely to be un-patched for the longest time.




Phishing spam emails basically pose as messages from legitimate organizations featuring a link to a scarily genuine-looking spoof site that steals all your information, credentials, and so on. It may even infect your account with worms to further propagate itself throughout the World Wide Web as well. At any rate, here are the top ten most notorious phishing scams to ever land in a user's inbox or browser:

1. Wells Fargo and Bank of America Scam
Masterminded by Kenneth Joseph Lucas, Nichole Michelle Merzi, and Jonathan Preston Clark, this multi-million-dollar money laundering scheme that required the assistance of Egyptian syndicate members was among the biggest phishing schemes in history to be busted by the FBI.

2. PayPal Scam
Any PayPal spam requesting confirmation or validation on your part, followed by a link to the spoofed site, should be ignored. This is a particularly notorious spam email because despite PayPal's best efforts to stop its spread, it has continued to make the rounds to this day. An early iteration of this email even contained the "Mimail" worm as well.

3. Comerica Web Bank Scam
This refers to a Comerica spam that's specifically offering an SSL certificate update. Bonus points for emails claiming that the update will expire within five days. Variations include a news item version and a downloadable link version. It uses all the phishing innovations described below plus it's the most common spam subject header to date next to the PayPal example.

4. Public Posting of Email Credentials Scam
A recent scam proved to be among the more peculiar ones as well. This 2009 phishing spam was able to get the credentials and account information from providers such as Hotmail, Gmail, Yahoo, and AOL. The scammers then publicly posted the information on the PasteBin catalog, which effectively compromised each and every last one of those victimized accounts.

5. Phishing Virus Combo Scam
A 2004-made virus was able to combine the evils of phishing and malware together in one frightening package. This virtual contagion was able to transform hundreds of legitimate sites into hacker-controlled botnets that stole the credit card numbers, usernames, passwords, accounts, and other personal data of anyone who visited them, a la a spoofed phishing site.

6. URL Spoofing Scam
Phishers have developed a DNS poisoning method that actually replaces the fake URL on the victim's address bar with the one it's impersonating, which made discerning a spoofed site from a real site all the more difficult.

7. Account Verification Scam
In February 2004, phishing scams became a lot more complex. Phishing sites had gained a feature wherein they submit the data they have obtained to the real site in order to check how authentic it is. If the information cannot produce a successful login, the victim is prompted to enter his credentials once more.

8. Legitimate Site Redirect Scam
In order to convince victims that the site they've visited is legitimate, the spoofed site actually redirects the user back to the real site, with him none the wiser of the bait-and-switch swindle that has just occurred.

9. Fake Login Box Scam
This technique is standard issue to all phishing scams nowadays, but it actually cropped up as early as December 2003. This phishing scam feature uses a fake login box popup in order to get the credentials it needs while linking to the real financial website in the background.

10. Domain Name Buyout Scam
In September 2003, fraudsters started learning from the mistakes of their early efforts in producing phishing scams. In order to make their links a lot more sophisticated and legitimate-looking, they began registering dozens of look-alike domain names such as yahoo-finances.com, microsoft.verification.com, and ebay-billing.com.
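
One way a mail filter or web proxy could flag the look-alike patterns named in item 10, as an added example that is not part of the original article. The `BRANDS` allow-list, the function names and the two-label shortcut for the registrable domain are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed allow-list: brand keyword -> registrable domains the brand really owns.
BRANDS = {
    "yahoo": {"yahoo.com"},
    "microsoft": {"microsoft.com"},
    "ebay": {"ebay.com"},
}

def registrable_domain(host):
    """Naive registrable domain: the last two labels.
    Assumption: good enough for .com; a production check should use the
    Public Suffix List so that suffixes such as co.uk are handled."""
    return ".".join(host.split(".")[-2:])

def classify_link(url):
    """Return (verdict, brand) for one link target taken from an email."""
    if "//" not in url:              # bare host name: give urlsplit a netloc
        url = "//" + url
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    reg = registrable_domain(host)
    # 1. Anything under a domain the brand owns is genuine, subdomains included.
    for brand, owned in BRANDS.items():
        if reg in owned:
            return ("legitimate", brand)
    # 2. Otherwise look for the brand keyword as a dot- or hyphen-separated token.
    reg_tokens = set(re.split(r"[-.]", reg))
    host_tokens = set(re.split(r"[-.]", host))
    for brand in BRANDS:
        if brand in reg_tokens:      # e.g. yahoo-finances.com
            return ("brand-in-registered-name", brand)
        if brand in host_tokens:     # e.g. microsoft.verification.com
            return ("brand-as-subdomain", brand)
    return ("no-brand", None)

if __name__ == "__main__":
    # The three look-alikes come from the article; the last two are constructed.
    for link in ["http://yahoo-finances.com/login",
                 "http://microsoft.verification.com/",
                 "http://ebay-billing.com/",
                 "https://login.yahoo.com/account",
                 "https://example.org/"]:
        print(link, "->", classify_link(link))
```

The two suspicious verdicts differ in what they say about ownership: in `microsoft.verification.com` the brand is only a subdomain label that the owner of `verification.com` can create freely, while `yahoo-finances.com` and `ebay-billing.com` are separately registered names.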

Phishing scams have risen to become the Internet's most notorious and pervasive online email scam to date. For all intents and purposes, they can be considered the modern-day equivalent of the "sting" con game because of their distinctive modus operandi.

Always be very critical when you click links in emails.

As a rule, if you do not know the target site for the link, do not click it.

For more information you may want to see our 




In 2013, global volumes of phishing emails* dropped significantly compared with 2012.

This is great news: users have become more savvy to the signs of mass phishing. Also, adoption of the email authentication standards DKIM, SPF, and DMARC has begun to hamper spammers’ ability to pose as trusted brands.

The bad news is: even though mass phishing is down, spear phishing is not only on the rise, but is becoming more sophisticated. The APWG (Anti-Phishing Working Group) found that the number of brands targeted by spear phishing has risen.

While mass phishing uses spam email campaigns to lure as many people as possible into this digital trap, spear phishing focuses efforts on an individual or small group of people.

To target an individual, cybercriminals gather information about the person through social media or other public outlets and use that information to create personalized lures. Often, spear phishing targets people with access to highly secure data -- such as government officials, tech leaders, or journalists.

In 2013, organized forces around the world executed highly sophisticated phishing scams to target a variety of organizations and leaders. Below, we have detailed the top 7 phishing scams from 2013:

In August 2013, a few days before Iran’s national election to choose a successor to President Mahmoud Ahmadinejad, thousands of Gmail account users in Iran were targeted in a phishing attack intended to influence the election.

In April, an AP journalist clicked on a spear phishing email disguised as a Twitter email. The phisher then hacked AP's Twitter account. Stock markets plunged after a phony tweet about an explosion at the White House, erasing $136.5 billion of value from the S&P 500 index.

In January 2013, a well-organized, sophisticated computer spy operation dubbed Red October was found to (still) be targeting high-profile diplomats, governments and nuclear and energy research companies. The Red October operation used phishing emails purporting to be from companies’ HR departments. The attack covered 69 countries.

In March, a cyberattack wiped the hard drives of computers in banks and broadcasting companies in South Korea. The attack came from phishing emails mimicking a South Korean bank.

Using spear phishing emails, a large and complex hacker group in China was said to have hacked more than 100 companies in the U.S. The hacker group is said to have stolen proprietary manufacturing processes, business plans, communications data, and much more.

In December 2013, a man was arrested for his part in a phishing scam targeting UK college students. The scam sent emails inviting students to update their student loan details on a malicious site that took large amounts of money from their accounts.

Last but not least, in October, a cunning phishing scam warned against phishing scams!

Though these scams are only a fraction of those perpetrated worldwide, they show the breadth of organizations and people targeted, the diversity of reasons for targeting individuals and companies, and the sophistication of the criminals.

In short, they show the even more urgent need for every organization to employ strong email security in 2014.

Be safe out there. Protect yourself.

*Phishing email is email sent from a cybercriminal to lure someone to take an action that downloads software onto their machine. This software has been written to perform a malicious action, such as stealing account information or other valuable data.

By Victoria Lund-Funkhouser
Technical Writer, Knowledge Services