Posted by Ed Macnair / 25 March 2016
The thing about well-known phishing scams is that they’ve essentially become industry-comedy punch lines, which also puts them in danger of being diluted as a meaningful and growing threat.
If you even so much as mention to a colleague the Nigerian Prince offering you many many monies to leave the country, you will instantly engage in a series of one-upmanship debates on who’s received the most spurious spam.
There’s a pretty good reason. Early SPAM was comical in its clumsiness. The very nature of its scattergun approach meant that it relied on poor information and had a very slender grasp on grammar, to put it politely.
The security industry also did a better job in education than we perhaps gave it credit for. A lot of these scams became notorious by simply their title and we have bred a population of natural scam cynics.
So why, if we are all so attuned to the risks, is phishing still, by far, one of the biggest causes of security breaches and data loss?
Part of the issue is that those particular scary stories have been doing the rounds in the industry rumor mill for years and have also been used as marketing tactics for more security vendors than we could name.
They have undoubtedly done their job in raising awareness but have also fooled a vast number of people that if you just keep one eye out for a mail that asks you to wire them funds or tries to persuade you to purchase a llama abandoned at Heathrow, you’ll be just fine.
The truth is, though, that the farcical scams which have fed thousands of scary stories are fast becoming just that, industry folklore, and they barely resemble the modern-day cybercriminal who lurks behind this type of attack.
Over the last three years in particular, the extent to which cybercrime has professionalized makes most corporate organizations look positively unpolished in contrast. Cybercrime is big business; some speculate that it is bigger than gun and drug crime combined, but the truth is that nobody really knows, because it is growing beyond measure.
For some time now, exploit kits have been available as marketable products on the dark web and are often presented with better graphical user interfaces than most legitimate businesses could muster. They make themselves easy to do business with. Just ‘point and click’ and you too can generate and distribute new malicious code, or your money back.
For all their questionable moral motives, they are in many ways operating in their own flourishing economy, offering technical support for their criminal consumers, experimenting with cloud-based models to reach a broader audience and even entering into discount pricing battles with their competitors. It is in every regard as fascinating as it is deplorable.
In the same way that the security market has benefited by sharing and collaborating best practices, in the parallel world of cybercrime, the opportunistic hacker through to the politically motivated groups are exhibiting common trends and techniques.
In order to move away from the well-trodden path of scary stories, we need to acknowledge that the criminal fraternity’s adept technical capability is simply table stakes. Let’s give credit where it is due: they have a proven track record. It’s something to be mindful of, but it’s by no means the scariest indicator of their growing success.
The modern-day cybercriminal's demonstrable creativity in profiting from our information is frankly astounding and, truth be told, they could probably go toe-to-toe with anyone on Dragons’ Den.
Show me the marketing
Probably the most astounding and palpable change in the spam and phishing approach in recent years is the staggering attention to detail and marketing prowess.
If you thumb through your average historical security policy guidelines, there will be a list of tell-tale signs to keep an eye out for: the comedic titles, the unapologetically blatant attempts to get you to click on something you shouldn’t, an approach by somebody younger and far more attractive than you who has seen your profile and would like to connect…ahem. The list goes on.
Then there is, of course, the language. Not that it’s unusual to receive appalling grammar (particularly by email), but we all know this was once the calling card of the speculative, opportunistic spammer.
Look, in contrast, at today's spam purporting to come from a bank (as an example) and you’d be hard pushed to notice the difference between the spoof and the genuine article. In fact, if you looked at some specific examples, you could argue that the spam is marginally better phrased and more professionally presented.
This is a real and growing concern. It produces a gap between what our average savvy user expects and what actually constitutes a modern-day phishing scam. Almost all historical attempts to educate the market have become borderline redundant.
Smooth Criminal – Turns out, Annie isn’t ok
Whether you’ve worked in this industry a long time or you’re a fledgling digital native, knowing that there is bad stuff out there is hardly going to be news to you. The biggest risk we all face, though, is relying on the redundant scary stories as our education and on dated security tools as our protection.
The hard truth is that many security products available on the market today were designed to protect the world of some 15 years ago, but have been dusted off, polished a little, re-branded to say something about cloud, and are somehow still in business.
The world, however, has moved on. It needs (and is demanding) technology designed to serve as a superior adversary to the bad guys: intelligent security that follows the user, with productivity and protection at its very core and the added bonus of being able to spot and prevent unusual or malicious behavior as it happens.
Be contextual, be relevant or cease to be useful. It’s that simple. Sophisticated crime needs an even more sophisticated adversary.
Will phishing go away anytime soon? We seriously doubt it. Let yesterday's security giants reminisce about days gone by and scary stories that are long since past. We tend to favor taking those learnings, protecting the here and now, and planning for tomorrow.
Oh and if you liked this blog, I like your profile, please send $1,000,000 to the below link. Thank you please sir madam.