Phishers Bait Hooks for Netflix, Amex Users

Cybersecurity experts at Microsoft’s Windows Defender Security
Intelligence Team this week reported their discovery of two new
email-based phishing campaigns. One targets Amex (American
Express) users while the other targets Netflix customers. Both
campaigns reportedly are very well-crafted, featuring legitimate logos
and even fill-in forms that closely mimic those on the respective
company’s own websites.

It isn’t clear if these campaigns are being orchestrated by the same
group, but each was launched last weekend, and each cast a wide net. The Windows Defender Intelligence Team has advised all computer users to be especially vigilant in the coming days and weeks.

Phishing attacks have
increased not only in sophistication, but also in frequency. Upwards of 20 percent of phishing email recipients were convinced that the messages were legitimate and clicked on the redirecting links, according to Microsoft’s security experts, who noted there was a 250 percent increase in such attacks last year.

Getting Very Personal

The recent attacks both warned of account issues, a common tactic
with phishing scams. Amex customers have been receiving a “Notice
Concerning Their CardMember Account,” which claims that they need
to go through a reauthentication process for security reasons. The
message urges users to download and fill out an attached form. Based
on reports, the form itself doesn’t contain a virus but rather asks for
highly personal information such as mother’s maiden name, birth dates,
PIN for the card, and even first elementary school.

The Netflix phishing attack warns users that their “account is on
hold because of a problem with their last payment,” and as with the
spoofed Amex emails, they feature the actual Netflix logo. A link
directs users to a “Billing Information” form that requests full
credit card numbers including PIN, as well as Social Security numbers
and other personal details.

What is notable about these respective emails and forms is how
convincing they appear, including correct grammar and spelling —
an indication that the criminals responsible took the time to copy edit the content to eliminate the usual telltale typos. About the only notable
giveaway with the Amex email is that it features capital letters
following commas — something that some users might not immediately
recognize as a grammatical error.

Casting a Wide Net

Phishing scams tend to be rather low-tech in nature, a fact that has
remained true since they first showed up on Usenet newsgroups nearly
25 years ago. Even with constant reminders from companies and
security experts not to trust such emails, many people still fall victim to these attacks.

“The average consumer is not trained to think of emails in terms of
the potential threat they might contain, unless they’ve been similarly
compromised before,” observed Colin Little, senior threat analyst at
Centripetal Networks.

“We see Microsoft is demonstrating that they are continually trying to
develop ways to stop these threats,” he told TechNewsWorld.

Also worth noting is not only the scale of the attacks, but “also the context
of the attack — taking place during an overall increase in the phishing
threat landscape,” said Little.

“We continue to see these types of attacks because they’re effective,”
observed Francis Dinha, CEO of

“Plus, these attacks target humans over tech. That is, a hacker
doesn’t have to be a tech wizard to carry it out — they just need to be
able to trick the reader into clicking on a link or filling out a
form,” he told TechNewsWorld.

“It takes very little tech expertise to do that, because it’s more of a
personal con than a technical assault,” Dinha explained. “People have
been trying to trick each other out of resources since humanity began;
we just have modern tools to do so more effectively now.”

Beyond Amex and Netflix

At present, it isn’t clear if these phishing emails were sent only to actual
“known” customers of Amex and Netflix or if a much wider
net was cast.

“Potentially, we’ll never know for sure, but that would tell us whether
the attackers are using information from some prior breach to focus
the effort,” noted Jim Purtilo, associate professor in the
computer science department at the
University of Maryland.

“Sending a fake Netflix notice of account suspension to people who
aren’t Netflix customers is probably not very productive,” he told TechNewsWorld.

“On the other hand, so many people are Netflix customers that an
attacker has statistics on his or her side, and a random mail blast to a
zillion collected names will score hits,” Purtilo added.

The attackers also have economics on their side.

“Sending a malicious mail blast is basically free for them,” said Purtilo. “Phishing is a low-overhead business that profits with the very first
hapless user to respond. If the volume of phishing
attempts has gone up in the last year, then that tells us it is also
mostly free of legal costs. Officials just aren’t keeping up.”

Cutting the Net

The best defense against phishing attacks is awareness, but this is
also one of those rare situations where literally doing nothing is the
best course. Don’t open the email, don’t respond — just ignore it.

“Education has to be the No. 1 strategy for users across the
board,” said OpenVPN’s Dinha.

“Consumers need to educate themselves, and companies need to educate
their workforce and stakeholders,” he suggested.

All too often these attacks work because users haven’t thought to
question what they’re reading, but education on cybersecurity risks
teaches us to stop and question, said Dinha.

“If you’ve never heard of someone experiencing the consequences of a
phishing attack, then you might assume it’s less likely to happen to
you or not that dangerous,” he suggested. “But the more educated you are
on what exactly can happen and how, then the more likely you are to be
on alert for attacks like this. This education has to go beyond the
obligatory warning to consumers — it has to be an in-depth
explanation of and understanding around the cybersecurity risks we’re facing.”

Low-Hanging Fruit

Phishing scams are effective for the criminal groups
because, unlike other attacks, they don’t require very
sophisticated skills. Apart from crafting an official-looking email
and spoofed website, no other technical expertise is required.

In fact, it probably isn’t apt to describe the perpetrators as
“cybercriminals” or “hackers,” as they are more like con artists. The phishing
scams work because people are fooled into supplying information,
not because someone broke into a system. This is why these attacks are
unlikely to go away. Even if most people delete the email from a phishing campaign, a few individuals will believe it.

“Unfortunately, we will continue to see these types of phishing
attacks on consumers as long as they continue to fall for them,” said
Jo O’Reilly, cybersecurity advocate at

“These types of attack are a numbers game; even if only a handful of
those targeted respond, then the hackers have still seen their efforts
pay off,” she told TechNewsWorld.

“The best way for consumers to protect themselves from phishing is to
ensure they never enter personal or financial details via a link
contained within an email, even an official-looking one,” O’Reilly

“Instead, they should always open a new browser window in order to
sign into any online account, whether it is Netflix, Amex or any other
service, before inputting their password or any other personal
information,” she advised.

The good news is that security experts are closely monitoring
the situation and bringing greater awareness to phishing efforts.

“This latest story shows us that Microsoft’s cloud protections are
attempting to do more and more to proactively protect the accounts of
their users from receiving these phishing emails,” said Centripetal
Networks’ Little. “However, it is in the nature of cybersecurity that
the more innovative we are at detecting threats, the more innovative
and evasive the bad guys will be — I liken it to the Tom and Jerry

Peter Suciu has been an ECT News Network reporter since 2012. His areas of focus include cybersecurity, mobile phones, displays, streaming media, pay TV and autonomous vehicles. He has written and edited for numerous publications and websites, including Newsweek, Wired and