Phishing Campaigns

WHAT IS A PHISHING CAMPAIGN

A phishing campaign is a series of emails designed to manipulate people into either giving up specific information or carrying out an action.

Cyber criminals often use phishing techniques to manipulate victims into giving up specific information, such as login credentials, credit card data and personally identifiable information (PII). It is also a common vector for malware delivery and CEO fraud. The phishing emails tend to appear to come from a seemingly trustworthy organisation or a reputable member of staff.

Phishing, and social engineering attacks in general, are the starting point for the majority of breaches. They tend to be the preferred delivery method for a majority of malware infections and are associated with a large proportion of corporate system breaches.

91% of attacks by sophisticated cyber criminals start through email

Source: Mimecast, https://www.mimecast.com/solutions/email-security/spear-phishing

Unfortunately, for most businesses, employees are the weakest link in their security posture. However, they can also be one of the strongest tools you have for identifying attacks on your organisation.

Using techniques similar to those of the threat actors, Laneden can show the risks associated with phishing emails and help build a programme of work to educate your employees, helping them identify attacks before they become breaches.

Laneden can provide an on-site debriefing of the campaign findings, explaining how attackers could potentially gain control of your systems and/or exfiltrate data.

A comprehensive report is written containing an executive summary which gets right to the point of the associated risks and is consumable by anyone in the organisation regardless of their technical background. It also contains enough detail to let you understand the attacks, along with concise and clear guidance on how to remediate the relevant concerns and help your employees identify future phishing attempts.

CEO fraud is now a £9 billion a year scam

Source: PurpleSec, https://purplesec.us/resources/cyber-security-statistics/

Methodology

Using a combination of automated and manual testing, our consultants will conduct a thorough assessment of your infrastructure, identifying vulnerabilities that may be exploitable by both authenticated and unauthenticated users across your network.

The use of automated tools and in-depth knowledge of manual testing allows us to accurately and effectively assess your infrastructure, maximising the time available.

Assessments are conducted in line with the current standards and methodologies used in the industry, such as those outlined in the Penetration Testing Execution Standard (PTES). Using PTES as guidance, Laneden defines its approach in six phases:

  • Pre-engagement
  • Intelligence Gathering
  • Vulnerability Analysis
  • Exploitation
  • Post Exploitation
  • Reporting

Deliverables

  • Our consultants engage with the client to discuss the scope and make certain all is in order prior to the assessment beginning.
  • Communications at the beginning and end of each assessment day, confirming that the assessment is starting or ending for the day.
  • On-going communication from the engaged engineer, highlighting any major issues as they come across them.
  • A comprehensive report containing an executive summary which gets right to the point of the associated risks and is consumable by anyone in the organisation regardless of their technical background.
  • Clear and concise information describing each issue to hand.
  • Technical references where relevant, allowing you to gather more information on the vulnerability if required.
  • Each vulnerability put into context and given a risk-based score. Utilising CVSS v3 scoring together with the relevant context gives a real picture of each associated risk.
  • Simple remediation advice, stating what is required to remediate the relevant vulnerability.

FREQUENTLY ASKED QUESTIONS

WHAT IS PHISHING

Phishing emails are generally sent to a large number of individuals simultaneously in an attempt either to make monetary gains or to gather, or “fish” for, sensitive information such as credentials, personally identifiable information and payment details. The cybercriminals tend to pose as a reputable source such as a supplier, colleague or some other trusted third party.

The emails often come fully loaded with legitimate-looking logos, signatures and contact details. Common examples of emails seeking monetary gain appear to come from banks, payment service providers such as PayPal, couriers such as DHL, Royal Mail and DPD, credit card providers and eBay, as well as CEO fraud messages impersonating senior staff.

WHAT IS CEO FRAUD

CEO Fraud is a scam in which cybercriminals spoof or take control of corporate email accounts and impersonate executives to try and fool unsuspecting employees into making payments or sending other confidential information to the attackers.

According to Action Fraud, the largest single payment made to fraudsters was £18.5 million; however, the average loss is £35,000. Of the £32 million of losses reported since 2015, only £1 million in total has been successfully recovered.

WHAT IS SPEAR PHISHING

Spear phishing attempts tend to be far more focused phishing emails that go to a single individual or, at most, a handful of individuals. In these instances, the cybercriminal is likely looking to gain specific information, potentially information to aid in further attacks. Cybercriminals have all the time in the world to gather data on your organisation, and the publicly available information can be very useful to attackers.

WHAT IS WHALING

Whaling, as it is known, tends to be a more targeted form of spear phishing. These attacks are generally aimed at corporate executives such as the CEO, CTO or CMO. They are usually undertaken for monetary gain; however, they could equally be attempts to gain other sensitive information.

HOW TO SPOT A PHISHING EMAIL

Identifying phishing attempts can be achieved with reasonable ease; it just takes some know-how and practice. Reporting the threat to your organisation and its employees, however, requires foresight and planning: an efficient, structured process for dealing with these threats is essential, or your efforts at identifying them will have been in vain.

Consider the following high-level questions when reading your emails.

DOES THE EMAIL SEEM AT ALL ODD COMING FROM THIS PARTICULAR PERSON?
Does the email seem out of place for any reason? Is it being sent at a peculiar time, or are there obvious grammatical mistakes? These should raise red flags. If you are in any doubt, contact the person out of band: phone them on a number you already have on record. Never reply to the email received or use any contact details given in the email.

IS THE SENDER EXPECTING ANY ACTION ON YOUR PART?
If the sender is expecting a payment to be made or specific links to be followed, confirm each link by hovering over it and comparing the real URL with the link text. Do they match exactly? Any mismatch could be an attempt at deception. Links can also have their reputation checked via free services such as VirusTotal, and any positive malicious result should raise the alarm. Bear in mind that a clean result does not prove a link is safe, and that submitting a URL to a public service shares it with that service.

DO YOU RECOGNISE THE DOMAIN NAME OF THE SENDER’S EMAIL ADDRESS (read it carefully)?
Look up the domain name via services such as DomainTools. This will show you the registrar details: do they match your expectations of the sender? Is it a newly registered domain? A colleague who works with you uses the same mail domain as you, so a lookup of their sender domain should match a lookup of your own; compare the two, and read the domain carefully for look-alike spellings such as swapped or substituted characters or your domain appearing as a subdomain of someone else's.

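The three checks above can be scripted as a first-pass triage. The following is an added example written for this page, not Laneden's tooling: it assumes the organisation's mail domain is example.co.uk and parses a constructed sample message (the sender address, the login-verify.com host and the link are all made up for the example). It covers the "does the link text match the real URL", "is the sender domain a look-alike of our own" and "is the sender expecting action" checks; the VirusTotal and DomainTools lookups need network access and are the next step once this script has told you which URL or domain to look up.

```python
"""First-pass phishing triage, modelled on the three questions above.

Added example (not Laneden's tooling). Assumes the organisation's mail domain
is example.co.uk; the sample message below is constructed for the example.
"""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

ORG_DOMAIN = "example.co.uk"  # assumed organisation domain (placeholder)

# Constructed sample: a colleague's display name, a look-alike sender domain
# ("examp1e"), and a link whose text shows one host but whose href is another.
SAMPLE_EML = """From: "Jane Smith" <jane.smith@examp1e.co.uk>
To: finance@example.co.uk
Subject: Urgent payment
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please make the payment today via
<a href="http://portal.example.co.uk.login-verify.com/pay">https://portal.example.co.uk/pay</a>.</p>
<p>Regards, Jane</p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def edit_distance(a, b):
    """Levenshtein distance; a small distance between two different domains is a look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_of(url_or_text):
    """Host of a URL; bare text such as 'portal.example.co.uk/pay' is treated as a URL too."""
    s = url_or_text.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def looks_like_url(text):
    """Only link text that itself names a host ('click here' does not) is worth comparing."""
    t = text.strip()
    return "://" in t or ("." in t and " " not in t)


def sender_domain(msg):
    """Domain of the From: address, ignoring the display name (which is trivially spoofed)."""
    _, addr = parseaddr(str(msg["From"]))
    return addr.rpartition("@")[2].lower()


def is_lookalike(domain, org_domain=ORG_DOMAIN):
    """True for domains imitating ours: a couple of characters off (examp1e.co.uk)
    or ours embedded in someone else's (example.co.uk.attacker.com)."""
    if domain == org_domain or domain.endswith("." + org_domain):
        return False
    return edit_distance(domain, org_domain) <= 2 or org_domain in domain


def triage(raw_eml, org_domain=ORG_DOMAIN):
    """Return human-readable findings for one message; an empty list means nothing flagged."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    findings = []
    dom = sender_domain(msg)
    if dom != org_domain:
        if is_lookalike(dom, org_domain):
            findings.append(f"sender domain {dom!r} imitates {org_domain!r}: look it up before trusting it")
        else:
            findings.append(f"sender domain {dom!r} is external: do you recognise it?")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    parser = LinkExtractor()
    parser.feed(text)
    for href, shown in parser.links:  # the "hover and compare" check, automated
        if looks_like_url(shown) and host_of(href) != host_of(shown):
            findings.append(f"link text shows {host_of(shown)!r} but the link goes to {host_of(href)!r}")
    if any(word in text.lower() for word in ("payment", "click", "verify", "urgent")):
        findings.append("message asks you to act: confirm the request out of band first")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EML):
        print("-", finding)
```

Run against the sample it reports all three findings; the external-domain and look-alike branches are deliberately separate, because an unknown external domain is routine while a domain one character away from your own almost never is.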
WHAT CAN WE DO TO PROTECT OURSELVES AND OUR ORGANISATION FROM PHISHING

The weakest link in the majority of organisations is, unfortunately, their employees. They can, however, become the strongest tool in your arsenal for defending against these fraudsters. Defending against phishing-type attacks is achieved in layers, and the most effective measure in the layered approach is education. It is paramount that employees are taught to understand social engineering vectors such as phishing and what to look out for in communications. Your organisation should also have a process for verifying the legitimacy of requests and for reporting potentially fraudulent ones.

Defence In Layers

  • Employee education around CEO Fraud, phishing and other social engineering vectors
  • Defined process for authenticating requests and reporting potential phishing attempts
  • Multifactor authentication on any publicly accessible portals (such as email)
  • Ensure computer systems are secure and regularly patched
  • Understand what information is publicly available concerning your organisation
  • A competent antivirus solution should be installed on all corporate systems