Phishing Attacks On Mac Users Doubling, Don’t Get Fooled
It's hard to put a total cost on the fraud that flows from phishing scams, because losses range from a few dollars for an attack against one person to millions of dollars for a successful attack against a large organisation.
One research paper suggests the cost of phishing for large companies is almost $15 million a year, while the FBI suggests that online attacks have cost US businesses over $43 billion in recent years.
While many in the information security sector might raise an eyebrow when it comes to the lack of sophistication of some phishing campaigns, it's easy to forget that there are billions of internet users -- and every day there are people who are accessing the internet for the first time.
Lots of internet users won't even be aware of the potential threat of phishing, let alone that they might be targeted by attackers using it. Why would they even suspect that the message in their inbox isn't actually from the organisation or friend it claims to be from?
Training, training and more training. It might seem like a simple idea, but training is effective. Teaching staff what to look out for when it comes to a phishing email can go a long way to protecting your organisation from malicious attacks.
At a technical level, blocking macros from running on computers in your network can play a big part in protecting employees from attacks. Macros aren't designed to be malicious -- they're designed to automate repetitive tasks -- but attackers abuse them to run code the moment a booby-trapped attachment is opened.
Multi-factor authentication (MFA) also provides a strong barrier against phishing attacks because it requires an extra step for cyber criminals to overcome in order to conduct a successful attack. According to Microsoft, using MFA blocks 99.9% of attempted account compromises. If applying MFA to accounts is possible, it should be applied. One caveat: a code that the user reads and types into a web page (from an SMS or an authenticator app) can still be relayed to the real site by a phishing page acting in real time, whereas hardware security keys and other FIDO2 authenticators are bound to the genuine site's origin and are not fooled this way.
These early attacks were successful because it was a new type of attack, something users hadn't seen before. AOL provided warnings to users about the risks, but phishing remained successful and it's still here over 20 years on. In many ways, it has remained the same for one simple reason -- because it works.
While the fundamental concept of phishing hasn't changed much, there have been tweaks and experiments across two decades as technology and the way we access the internet have changed. Following the initial AOL attacks, email became the most appealing attack vector for phishing scams, as home internet use took off and a personal email address became more common.
Many early phishing scams came with telltale signs that they weren't legitimate -- including strange spelling, weird formatting, low-res images, and messages that often didn't make complete sense. Nonetheless, in the early days of the internet, people knew even less about potential threats and that meant these attacks still found success -- and are still effective today.
While spear phishing does target consumers and individual internet users, it's much more effective for cyber criminals to use it as a means of infiltrating the network of a target organisation as it can produce a far more lucrative bounty.
It's quite possible for hackers to compromise the account of one user and use it as a stepping stone for further attacks. These 'conversation hijacking' attacks use a real person's compromised account to send additional phishing emails to their real contacts -- and because the email comes from a trusted source, the intended victim is more likely to click.
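To make "what to look out for" concrete, here is an added example (not code from the original article) that applies the tells discussed above to three constructed sample messages: a display name that impersonates a brand, a sender domain that is a lookalike of a real one, a Reply-To header that redirects replies elsewhere, and link text that shows one site while the href points to another. The protected-domain list, the addresses and the message contents are assumptions made for the example; it runs offline with the Python standard library only.

```python
"""Triage checks for common phishing tells (added example, constructed data)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Brands a hypothetical organisation wants to protect (assumption for the example).
PROTECTED_DOMAINS = {"paypal.com", "microsoft.com", "example-corp.com"}

ANCHOR_RE = re.compile(r'<a\s[^>]*?href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URLISH_RE = re.compile(r'(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})', re.I)


def registrable(host):
    """Crude 'registrable domain': the last two labels (enough for these samples)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def normalise(domain):
    """Collapse glyph substitutions attackers rely on: 0/o, 1/l, rn/m, vv/w."""
    return (domain.lower().translate(str.maketrans("01", "ol"))
            .replace("rn", "m").replace("vv", "w"))


def lookalike_of(domain):
    """Return the protected domain this one imitates, or None."""
    for target in PROTECTED_DOMAINS:
        if domain != target and normalise(domain) == normalise(target):
            return target
    return None


def brand_in_name(display_name):
    """Return the protected brand named in a display name, or None."""
    name = display_name.lower()
    for target in PROTECTED_DOMAINS:
        if target.split(".")[0] in name:
            return target
    return None


def first_text_part(msg):
    for part in msg.walk():
        if part.get_content_type() in ("text/html", "text/plain"):
            raw = part.get_payload(decode=True)
            return raw.decode(part.get_content_charset() or "utf-8")
    return ""


def triage(raw_message):
    """Return a list of (kind, detail) findings for one RFC 822 message."""
    msg = message_from_string(raw_message)
    findings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = registrable(from_addr.rpartition("@")[2])

    brand = brand_in_name(from_name)
    if brand and from_dom != brand:                      # "PayPal Support" from elsewhere
        findings.append(("display-name-spoof", f"'{from_name}' sent from {from_dom}"))

    imitated = lookalike_of(from_dom)
    if imitated:                                         # paypa1.com, rnicrosoft.com, ...
        findings.append(("lookalike-sender", f"{from_dom} resembles {imitated}"))

    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr:
        reply_dom = registrable(reply_addr.rpartition("@")[2])
        if reply_dom != from_dom:                        # replies silently go to the attacker
            findings.append(("reply-to-redirect", f"replies go to {reply_dom}, not {from_dom}"))

    for href, text in ANCHOR_RE.findall(first_text_part(msg)):
        href_dom = registrable(urlparse(href).hostname or "")
        imitated = lookalike_of(href_dom)
        if imitated:
            findings.append(("lookalike-link", f"{href_dom} resembles {imitated}"))
        shown = URLISH_RE.search(text)                   # link text that itself looks like a URL
        if shown and registrable(shown.group(1)) != href_dom:
            findings.append(("link-text-mismatch",
                             f"text shows {registrable(shown.group(1))}, href goes to {href_dom}"))
    return findings


# Constructed sample messages (not real mail).
PHISH = """From: "PayPal Support" <alerts@paypa1.com>
Reply-To: collect@mailer.example.net
To: victim@example-corp.com
Subject: Unusual sign-in activity
Content-Type: text/html; charset="utf-8"

<p>We noticed a login from a new device. Confirm it here:</p>
<a href="http://paypa1.com/login">https://www.paypal.com/signin</a>
"""

HIJACK = """From: "Bob Jones" <bob@example-corp.com>
Reply-To: bob.jones@webmail-free.example
To: alice@example-corp.com
Subject: Re: invoice
Content-Type: text/plain; charset="utf-8"

Hi Alice, can you resend the invoice to this address? Bob
"""

LEGIT = """From: "Alice Smith" <alice@example-corp.com>
To: bob@example-corp.com
Subject: Docs link
Content-Type: text/html; charset="utf-8"

<p>Here are <a href="https://example-corp.com/docs">the docs</a>.</p>
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("hijack", HIJACK), ("legit", LEGIT)):
        print(label, triage(raw))
```

The checks are deliberately simple: a mail gateway would add SPF/DKIM/DMARC results and a proper public-suffix list, but these four headers-and-links tests already catch the pattern in the sample phish while leaving the genuine internal message clean.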
The growth of remote working in recent years has arguably made it easier for criminals to conduct BEC scams and other phishing attacks, because people working from home can't as easily talk to one of their colleagues to check if the email is legitimate.
For cyber criminals, that means LinkedIn, if exploited, is a useful tool for conducting phishing attacks to steal passwords and other sensitive corporate information. For example, a fraudster could browse your LinkedIn profile to find out who you work with and regularly interact with.
SMS phishing -- or smishing -- attacks work in much the same way as an email attack, presenting the victim with a fraudulent offer or fake warning as an incentive to click through to a malicious URL.
In a prominent example of cryptocurrency phishing, one criminal group conducted a campaign that copied the front of Ethereum wallet website MyEtherWallet and encouraged users to enter their login details and private keys.
The theft of cryptocurrency in phishing campaigns like this and other attacks is costing crypto exchanges and their users hundreds of millions of dollars, as accounts and whole platforms get hacked and cyber criminals take the money for themselves.
It might have been around for almost 20 years, but phishing remains a threat for two reasons -- it's simple to carry out, even by one-person operations, and it works, because there are still plenty of people on the internet who aren't aware of the threats they face. And even the most sophisticated users can be caught out from time to time.
While there are many guidelines and practices that can reduce the risk of phishing and email hijacking, the best way to prevent a malicious actor from taking over your email accounts is to strengthen your authentication. One solution is to use two-factor authentication, which requires users to have a secondary token (such as a mobile device or a physical key) in addition to the password when signing into the account. An even stronger solution is the use of passwordless authentication technologies, which obviate the need for passwords altogether, so there is no password for a phishing page to capture and the credential is tied to the genuine site rather than to whatever the user types.
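As an added illustration (not from the original article), the model below contrasts the two kinds of second factor the paragraph mentions. A one-time code is a shared secret the user reads and types, so a phishing page that relays it to the real site within the validity window gets in. A FIDO2/WebAuthn authenticator instead produces an assertion scoped to the relying party's ID, which the browser (not the page) supplies from the current origin, so an assertion obtained on a phishing origin cannot be replayed to the real one. The HMAC stands in for WebAuthn's public-key signature over origin-bearing client data, and the domain names are constructed; this is a simplified model of the origin-binding idea, not a WebAuthn implementation.

```python
"""Relayable one-time codes vs origin-bound assertions (added example, simplified model)."""
import hashlib
import hmac
import secrets
import struct

BANK = "bank.example"          # genuine relying party (constructed name)
PHISH = "bank-login.example"   # attacker's lookalike origin (constructed name)


# --- Relayable factor: TOTP (RFC 6238), one secret shared by phone and server ---
def totp(secret, t, step=30, digits=6):
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def bank_checks_totp(secret, code, now, step=30):
    # Accept the current window and the previous one, as most servers do.
    return any(hmac.compare_digest(code, totp(secret, now - k * step, step)) for k in (0, 1))


def totp_relay_attack(now=1_700_000_000):
    secret = secrets.token_bytes(20)           # enrolled on the phone and at the bank
    typed_by_victim = totp(secret, now)        # victim types it into the phishing page
    return bank_checks_totp(secret, typed_by_victim, now + 5)   # attacker relays it seconds later


# --- Origin-bound factor: one credential per relying-party ID --------------------
class Authenticator:
    """Holds one credential key per RP ID; the browser decides which RP ID is in play."""

    def __init__(self):
        self._creds = {}

    def make_credential(self, rp_id):
        key = secrets.token_bytes(32)
        self._creds[rp_id] = key
        return key   # in real WebAuthn the RP would store a public key instead

    def get_assertion(self, rp_id, challenge):
        key = self._creds.get(rp_id)
        if key is None:
            return None   # nothing registered for this origin, so nothing to sign
        # Modelled signature: binds the challenge to the RP ID the browser supplied.
        return hmac.new(key, rp_id.encode() + challenge, hashlib.sha256).digest()


class RelyingParty:
    def __init__(self, rp_id):
        self.rp_id = rp_id
        self.cred = None

    def enroll(self, authenticator):
        self.cred = authenticator.make_credential(self.rp_id)

    def verify(self, challenge, assertion):
        if assertion is None or self.cred is None:
            return False
        expected = hmac.new(self.cred, self.rp_id.encode() + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion)


def legitimate_login():
    authr, bank = Authenticator(), RelyingParty(BANK)
    bank.enroll(authr)
    challenge = secrets.token_bytes(32)
    return bank.verify(challenge, authr.get_assertion(BANK, challenge))


def assertion_relay_attack():
    """Victim is on PHISH; the page relays the bank's real challenge. Returns two outcomes."""
    authr, bank = Authenticator(), RelyingParty(BANK)
    bank.enroll(authr)
    challenge = secrets.token_bytes(32)        # the bank's genuine challenge, relayed by the phisher
    # 1. The browser scopes the request to the phishing origin: no credential, no assertion.
    relayed = authr.get_assertion(PHISH, challenge)
    # 2. Even if the victim had registered a key with the phishing site, its assertion
    #    is bound to PHISH and fails verification at BANK.
    authr.make_credential(PHISH)
    relayed_after_enrol = authr.get_assertion(PHISH, challenge)
    return bank.verify(challenge, relayed), bank.verify(challenge, relayed_after_enrol)


if __name__ == "__main__":
    print("relayed TOTP accepted by bank:", totp_relay_attack())
    print("relayed assertions accepted by bank:", assertion_relay_attack())
    print("genuine origin-bound login accepted:", legitimate_login())
```

The point the model makes is structural rather than cryptographic: the one-time code never learns where it is being typed, while the assertion carries the origin inside the signed data, so a proxy sitting between the user and the real site has nothing it can forward.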
For instance, say a victim usually uses the Wi-Fi network of a Starbucks where she eats breakfast. A hacker who wants to stage a man-in-the-middle attack on the victim goes to the same Starbucks and notes the network name (SSID) and password of its Wi-Fi network. Then the attacker sets up his own Wi-Fi network with the same name and password using a router or a laptop computer. Now, devices of users who have previously connected to the Starbucks network (including the