Cybersecurity experts at Microsoft’s Windows Defender Security Intelligence Team this week reported their discovery of two new email-based phishing campaigns. One targets Amex (American Express) users while the other targets Netflix customers. Both campaigns reportedly are very well-crafted, featuring legitimate logos and even fill-in forms that closely mimic those on the respective company’s own websites.
It isn’t clear if these campaigns are being orchestrated by the same group, but each was launched last weekend, and each cast a wide net. The Windows Defender Intelligence Team has advised all computer users to be especially vigilant in the coming days and weeks.
Phishing attacks have increased not only in sophistication, but also in frequency. Upwards of 20 percent of phishing email recipients were convinced that the messages were legitimate and clicked on the redirecting links, according to Microsoft’s security experts, who noted there was a 250 percent increase in such attacks last year.
Getting Very Personal
The recent attacks both warned of account issues, a common tactic with phishing scams. Amex customers have been receiving a “Notice Concerning Their CardMember Account,” which claims that they need to go through a reauthentication process for security reasons. The message urges users to download and fill out an attached form. Based on reports, the form itself doesn’t contain a virus but rather asks for highly personal information such as mother’s maiden name, birth dates, PIN for the card, and even first elementary school.
The Netflix phishing attack warns users that their “account is on hold because of a problem with their last payment,” and as with the spoofed Amex emails, they feature the actual Netflix logo. A link directs users to a “Billing Information” form that requests full credit card numbers including PIN, as well as Social Security numbers and other personal details.
What is notable about these respective emails and forms is how convincing they appear, including correct grammar and spelling — an indication that the criminals responsible took the time to copy edit the content to eliminate the usual telltale typos. About the only notable giveaway with the Amex email is that it features capital letters following commas — something that some users might not immediately recognize as a grammatical error.
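The lure ingredients described above (a trusted brand name, an account-problem urgency message, a link or form outside the brand's own domain, and a request for data such as a PIN or Social Security number) are exactly what a mail-filtering rule can score. The following is an added example written for this page, not code from Microsoft, Centripetal or the article; the three sample emails are constructed, the per-brand domain allowlist is an assumption for the example, and the domain-splitting helper is a crude stand-in for a public-suffix lookup.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Assumed allowlist of legitimate domains per impersonated brand (example data).
BRAND_DOMAINS = {
    "netflix": {"netflix.com"},
    "american express": {"americanexpress.com"},
    "amex": {"americanexpress.com"},
}

# Urgency wording drawn from the two campaigns described in the article.
URGENCY_PHRASES = [
    "account is on hold",
    "problem with your last payment",
    "reauthentication",
    "verify your account",
]

# Data a genuine account notice never asks for in an emailed form.
SENSITIVE_REQUESTS = [
    "pin", "social security", "mother's maiden name", "elementary school",
]

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def registrable_domain(host):
    """Crude eTLD+1 (last two labels); fine for the samples, not a PSL lookup."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def sender_domain(msg):
    m = re.search(r"@([A-Za-z0-9.-]+)", msg.get("From", ""))
    return registrable_domain(m.group(1)) if m else ""


def score_email(raw):
    """Return the brand(s) impersonated, the sender domain and a list of indicators."""
    msg = message_from_string(raw)
    text = "\n".join([msg.get("From", ""), msg.get("Subject", ""),
                      msg.get_payload()]).lower()
    indicators = []

    # Brand impersonation: brand named, but the sender is not on that brand's domains.
    brands = [b for b in BRAND_DOMAINS if b in text]
    legit = set()
    for b in brands:
        legit |= BRAND_DOMAINS[b]
    sdom = sender_domain(msg)
    if brands and sdom not in legit:
        indicators.append(f"brand {brands[0]!r} named but sender domain is {sdom!r}")

    # Links that lead somewhere other than the brand's own site.
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        if brands and registrable_domain(host) not in legit:
            indicators.append(f"link to {host!r} outside brand domains")

    # Account-problem urgency and requests for data a real notice would not ask for.
    for phrase in URGENCY_PHRASES:
        if phrase in text:
            indicators.append(f"urgency lure: {phrase!r}")
    for item in SENSITIVE_REQUESTS:
        if re.search(r"\b" + re.escape(item) + r"\b", text):
            indicators.append(f"requests sensitive data: {item!r}")

    return {"brands": brands, "sender_domain": sdom,
            "indicators": indicators, "score": len(indicators)}


def classify(raw, threshold=2):
    """Two or more independent indicators is enough to quarantine for review."""
    return "suspicious" if score_email(raw)["score"] >= threshold else "clean"


# Constructed samples (not real messages); .example is a reserved TLD.
SAMPLE_AMEX_PHISH = """From: American Express <security@amex-cardmember-notice.example>
Subject: Notice Concerning Your CardMember Account

For security reasons your card requires reauthentication. Please confirm your
PIN and mother's maiden name using the attached form, or visit
http://cardmember-verify.example/form to continue.
"""

SAMPLE_NETFLIX_PHISH = """From: Netflix Billing <billing@netflix-payments.example>
Subject: Your account is on hold

We had a problem with your last payment. Update your billing information at
http://netflix.account-update.example/billing including your card number,
PIN and Social Security number to restore access.
"""

SAMPLE_LEGIT = """From: Netflix <info@netflix.com>
Subject: New on Netflix this week

Check out the new titles we added at https://www.netflix.com/browse.
"""

if __name__ == "__main__":
    for name, raw in [("amex", SAMPLE_AMEX_PHISH), ("netflix", SAMPLE_NETFLIX_PHISH),
                      ("legit", SAMPLE_LEGIT)]:
        result = score_email(raw)
        print(name, classify(raw), result["score"], *result["indicators"], sep="\n  ")
```

Each indicator on its own is weak (a marketing mail from a real brand mentions the brand and carries links), which is why the classifier requires several to coincide; the sender-domain and link-domain checks are the ones that a copy-edited lure with perfect grammar cannot hide, since the form still has to be hosted somewhere the brand does not control.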
Casting a Wide Net
Phishing scams tend to be rather low-tech in nature, a fact that has remained true since they first showed up on Usenet newsgroups nearly 25 years ago. Even with constant reminders from companies and security experts not to trust such emails, many people still fall victim to these attacks.
“The average consumer is not trained to think of emails in terms of the potential threat they might contain, unless they’ve been similarly compromised before,” observed Colin Little, senior threat analyst at Centripetal Networks.
“We see Microsoft is demonstrating that they are continually trying to develop ways to stop these threats,” he told TechNewsWorld.
Also worth noting is not only the scale of the attacks, but “also the context of the attack — taking place during an overall increase in the phishing threat landscape,” said Little.
“We continue to see these types of attacks because they’re effective,” observed Francis Dinha, CEO of OpenVPN.
“Plus, these attacks target humans over tech. That is, a hacker doesn’t have to be a tech wizard to carry it out — they just need to be able to trick the reader into clicking on a link or filling out a form,” he told TechNewsWorld.
“It takes very little tech expertise to do that, because it’s more of a personal con than a technical assault,” Dinha explained. “People have been trying to trick each other out of resources since humanity began; we just have modern tools to do so more effectively now.”
Beyond Amex and Netflix
At present, it isn’t clear if this attack was sent only to actual “known” customers of Amex and Netflix or if a much wider net was cast.
“Potentially, we’ll never know for sure, but that would tell us whether the attackers are using information from some prior breach to focus the effort,” noted Jim Purtilo, associate professor in the computer science department at the University of Maryland.
“Sending a fake Netflix notice of account suspension to people who aren’t Netflix customers is probably not very productive,” he told TechNewsWorld.
“On the other hand, so many people are Netflix customers that an attacker has statistics on his or her side, and a random mail blast to a zillion collected names will score hits,” Purtilo added.
The attackers also have economics on their side.
“Sending a malicious mail blast is basically free for them,” said Purtilo. “Phishing is a low-overhead business that profits with the very first hapless user to respond. If the volume of phishing attempts has gone up in the last year, then that tells us it is also mostly free of legal costs. Officials just aren’t keeping up.”
Cutting the Net
The best defense against phishing attacks is awareness, but this is also one of those rare situations where literally doing nothing is the best course. Don’t open the email, don’t respond — just ignore it.
“Education has to be the No. 1 strategy for users across the board,” said OpenVPN’s Dinha.
“Consumers need to educate themselves, and companies need to educate their workforce and stakeholders,” he suggested.
All too often these attacks work because users haven’t thought to question what they’re reading, but education on cybersecurity risks teaches us to stop and question, said Dinha.
“If you’ve never heard of someone experiencing the consequences of a phishing attack, then you might assume it’s less likely to happen to you or not that dangerous,” he suggested. “But the more educated you are on what exactly can happen and how, then the more likely you are to be on alert for attacks like this. This education has to go beyond the obligatory warning to consumers — it has to be an in-depth explanation of and understanding around the cybersecurity risks we’re facing.”
Phishing scams are effective for the criminal groups because, unlike other attacks, they don’t require very sophisticated skills. Apart from crafting an official-looking email and spoofed website, no other technical expertise is required.
In fact, it probably isn’t apt to describe the perpetrators as “cybercriminals” or “hackers,” as they are more like con artists. The phishing scams work because people are fooled into supplying information, not because someone broke into a system. This is why these attacks are unlikely to go away. Even if most people delete the email from a phishing campaign, a few individuals will believe it.
“Unfortunately, we will continue to see these types of phishing attacks on consumers as long as they continue to fall for them,” said Jo O’Reilly, cybersecurity advocate at BestVPN.com.
“These types of attack are a numbers game; even if only a handful of those targeted respond, the hackers have still seen their efforts pay off,” she told TechNewsWorld.
“The best way for consumers to protect themselves from phishing is to ensure they never enter personal or financial details via a link contained within an email, even an official-looking one,” O’Reilly added.
“Instead, they should always open a new browser window in order to sign into any online account, whether it is Netflix, Amex or any other service, before inputting their password or any other personal information,” she advised.
The good news is that security experts are closely monitoring the situation and bringing greater awareness to phishing efforts.
“This latest story shows us that Microsoft’s cloud protections are attempting to do more and more to proactively protect the accounts of their users from receiving these phishing emails,” said Centripetal Networks’ Little. “However, it is in the nature of cybersecurity that the more innovative we are at detecting threats, the more innovative and evasive the bad guys will be — I liken it to the Tom and Jerry cartoons.”