iOCTA 2015

No matter how many resources a company spends on securing its networks and systems, it cannot fully prepare for, or compensate for, what is often the weakest link in its security: the human factor. With or without adequate security awareness training, a single lapse in judgement by an employee can leave a company open to attack.

Social engineering attacks are epitomised by advance fee fraud (also known as 419 fraud). Increasing Internet access in developing countries has led to higher numbers of innovative yet technically unskilled attackers with access to a greater number of victims.

Social engineering has developed into one of the most prevalent attack vectors and one of the hardest to defend against. Most sophisticated and blended attacks incorporate some form of social engineering. Targeted spear-phishing attacks were identified as a growing trend in 2014, and two-thirds of cyber-espionage incidents have featured phishing [1].


Key threat – Phishing

Almost all Member States indicated that the amount of phishing either stabilised or increased in their jurisdiction in 2014. Financial institutions substantiated this trend: almost every major business indicated that it had been targeted by a phishing campaign. Incidents of smishing (phishing by SMS) and vishing (phishing by telephone call) across the sector have also trended upwards.

Additional security measures adopted by banks have become increasingly successful in identifying fraudulent transactions resulting from phishing, although this success has come at the cost of investment in proactive monitoring capability. As a result of these measures, some institutions noted a decrease in the number of phishing attacks aimed at high-value transfers and observed fraudsters moving instead to high-volume, low-value attacks.

Phishing has traditionally occurred on a larger scale in widely spoken languages such as English. Phishing attacks often originate from countries sharing the victims' language (e.g. French victims targeted by offenders from French-speaking North African countries). Nevertheless, some smaller EU countries have also observed a notable increase in localised phishing. The quality of phishing has improved over the last few years through the use of professional web design and translation services.

While companies can invest in ICT security, which in turn forces criminals to innovate their own technical capability, it is harder to upgrade the “human firewall” [2]. Cybersecurity awareness training can be provided and safe practice encouraged, but neither is easy to enforce, and each employee represents a potential point of failure in the overall security. The overall effectiveness of phishing campaigns, formerly 10-20%, increased in 2014: research shows that 23% of recipients open phishing messages and 11% go on to open the attachments [3].

For untargeted attacks, the primary way to distribute phishing emails is spam. The overall volume of spam has continued to decline over the last few years, dropping to 28 billion spam messages per day in 2014. In June 2015 the overall spam rate fell below 50%, the lowest rate since September 2003 [4]. Given the overall increases in malware and phishing over the same period, it is reasonable to assume that attackers are gradually shifting to alternative distribution channels such as social media.

In 2014, Dutch and Belgian law enforcement authorities, in cooperation with the EC3 and Eurojust, arrested 12 suspected members of a European voice-phishing ring, seizing their infrastructure and other assets. The group conducted phishing and vishing which purported to originate from financial institutions in an attempt to trick their victims into handing over credentials necessary to perform bank transactions, including one-time passwords generated by the authenticator provided by the bank.
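The vishing ring above succeeded because a time-based one-time password read out over the phone authorises whatever the attacker submits within the code's validity window: the code is bound to the clock, not to the transfer. The following Python is an added example, not code from the report or from any bank; the HOTP/TOTP functions follow RFC 4226 and RFC 6238, the transaction-bound scheme is a hypothetical illustration of "what you see is what you sign", and the seed, clock value, IBANs and amounts are constructed for the demo.

```python
"""Phished OTPs: a clock-bound code still authorises the attacker's transfer,
a transaction-bound code does not. Added example with constructed data."""
import hashlib
import hmac
import struct

SEED = b"constructed-demo-seed-not-a-real-authenticator-key"  # constructed
VICTIM_IBAN = "NL00DEMO0000000001"    # constructed
ATTACKER_IBAN = "BE00DEMO0000000002"  # constructed
NOW = 1_433_000_010  # fixed clock, start of a 30-second step, so the demo is deterministic


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the number of time steps since the epoch."""
    return hotp(key, at // step)


def transaction_code(key: bytes, amount_cents: int, beneficiary: str, at: int, step: int = 30) -> str:
    """Hypothetical transaction-bound code: the MAC input includes the amount and
    beneficiary the user's device displayed, so the code cannot authorise a
    different transfer. (Illustration only, not a real bank's scheme.)"""
    msg = f"{amount_cents}|{beneficiary}|{at // step}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    code = struct.unpack(">I", mac[:4])[0] & 0x7FFFFFFF
    return str(code % 10 ** 6).zfill(6)


def bank_accepts_totp(key: bytes, code: str, amount_cents: int, beneficiary: str, at: int) -> bool:
    """Bank that only checks a clock-bound OTP: the transfer details play no part."""
    return hmac.compare_digest(code, totp(key, at))


def bank_accepts_bound(key: bytes, code: str, amount_cents: int, beneficiary: str, at: int) -> bool:
    """Bank that recomputes the code over the details actually submitted."""
    return hmac.compare_digest(code, transaction_code(key, amount_cents, beneficiary, at))


def vishing_against_totp(at: int = NOW) -> bool:
    """Caller posing as the bank asks the victim to 'confirm their identity' by
    reading out the current code; ten seconds later the attacker submits a
    EUR 9,500 transfer to their own account with that code."""
    code_read_out = totp(SEED, at)  # what the victim sees on the authenticator
    return bank_accepts_totp(SEED, code_read_out, 950_000, ATTACKER_IBAN, at + 10)


def vishing_against_bound(at: int = NOW) -> bool:
    """Same call, but the device asks for amount and beneficiary before producing
    a code. The caller talks the victim into a 'EUR 1 test transfer to your own
    account'; the resulting code is bound to those details and is useless for
    the attacker's transfer."""
    code_read_out = transaction_code(SEED, 100, VICTIM_IBAN, at)
    return bank_accepts_bound(SEED, code_read_out, 950_000, ATTACKER_IBAN, at + 10)


def legitimate_bound_transfer(at: int = NOW) -> bool:
    """Control case: the customer signs the transfer they actually submit."""
    code = transaction_code(SEED, 950_000, VICTIM_IBAN, at)
    return bank_accepts_bound(SEED, code, 950_000, VICTIM_IBAN, at + 10)


if __name__ == "__main__":
    print("clock-bound OTP, phished code accepted:", vishing_against_totp())
    print("transaction-bound code, phished code accepted:", vishing_against_bound())
    print("transaction-bound code, genuine transfer accepted:", legitimate_bound_transfer())
```

The binding only helps if the device shows the beneficiary and amount to the customer and the customer checks them; a caller who persuades the victim to type the attacker's IBAN into the device defeats it just as effectively as reading out a TOTP.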

  1. Verizon, 2015 Data Breach Investigations Report, http://www.verizonenterprise.com/DBIR/2015/, 2015
  2. McAfee, Hacking the Human Operating System, https://community.mcafee.com/docs/DOC-7035, 2015
  3. Verizon, 2015 Data Breach Investigations Report, http://www.verizonenterprise.com/DBIR/2015/, 2015
  4. Symantec, Intelligence Report June 2015, http://www.symantec.com/content/en/us/enterprise/other_resources/intelligence-report-06-2015.en-us.pdf, 2015

Key threat – CEO fraud

Several Member States as well as financial institutions reported an increase in CEO fraud, which is now leading to significant losses for individual companies. The modus operandi involves an attacker impersonating the CEO or CFO of the company. The attacker contacts an employee selected because of their access to payment processes and requests an urgent transaction into a bank account under the attacker's control. The request may be channelled via email or telephone. Subsidiaries of multinational companies are often targeted, as employees in regional offices do not usually know senior management in the holding company personally and may fear losing their job if they do not obey their ultimate boss. The scam does not require advanced technical knowledge, as everything the attacker needs to know can be found online: organisation charts and other information available from the company website, business registers and professional social networks provide the attacker with actionable intelligence.
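The email channel of the modus operandi above leaves indicators that a mail gateway or SOC rule can check before the transfer is made: an executive's display name on a mailbox that is not theirs, a look-alike sender domain, a Reply-To that diverts the thread, and the urgent, confidential payment request itself. The following Python is an added example, not from the report or any product; the executive list, corporate domain and both messages are constructed for the demo.

```python
"""Indicators of CEO fraud in an e-mail, run over constructed messages.
Added example; names, domains and message bodies are made up."""
from email import message_from_string
from email.utils import parseaddr

CORP_DOMAIN = "example-corp.com"  # constructed
# constructed: lowercase display name -> the executive's real mailbox
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}
URGENCY = ("urgent", "immediately", "today", "asap", "confidential", "in a meeting")
PAYMENT = ("wire", "transfer", "payment", "invoice", "iban", "bank account")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains such as exarnple-corp.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def message_text(msg) -> str:
    """Concatenate the text/plain parts of a (possibly multipart) message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return " ".join(chunks)


def bec_indicators(raw_email: str):
    """Return a list of (tag, detail) findings for the raw RFC 5322 message."""
    msg = message_from_string(raw_email)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1]
    findings = []

    # 1. Display name of a known executive, but the mailbox is not theirs.
    real = EXECUTIVES.get(name.strip().lower())
    if real and addr != real:
        findings.append(("exec-impersonation", f"'{name}' sent from {addr}, expected {real}"))

    # 2. Sender domain is a look-alike of the corporate domain (one or two edits away).
    if domain != CORP_DOMAIN and 0 < edit_distance(domain, CORP_DOMAIN) <= 2:
        findings.append(("lookalike-domain", f"{domain} resembles {CORP_DOMAIN}"))

    # 3. Reply-To diverts answers away from the apparent sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        findings.append(("reply-to-mismatch", f"replies go to {reply_to}, not {addr}"))

    # 4. Urgent, secret request for a payment: the social-engineering hook itself.
    text = ((msg.get("Subject") or "") + " " + message_text(msg)).lower()
    urgency = [w for w in URGENCY if w in text]
    payment = [w for w in PAYMENT if w in text]
    if urgency and payment:
        findings.append(("urgent-payment-request", f"urgency={urgency} payment={payment}"))
    return findings


# Constructed sample messages (not real correspondence).
PHISH = """\
From: "Jane Doe" <jane.doe@exarnple-corp.com>
Reply-To: jane.doe.ceo@webmail.example
To: accounts@example-corp.com
Subject: Urgent wire transfer - confidential

Hi, I am in a meeting with the lawyers on an acquisition and cannot take calls.
I need you to process a wire transfer of EUR 48,500 today. Keep this confidential;
I will send the IBAN in my next message.
Jane
"""

LEGIT = """\
From: "Jane Doe" <jane.doe@example-corp.com>
To: accounts@example-corp.com
Subject: Q3 travel budget

Please send me the Q3 travel figures when you have a moment.
Jane
"""

if __name__ == "__main__":
    for label, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(label, bec_indicators(raw))
```

A hit on indicator 4 alone is noisy (genuine executives do send urgent payment requests); the combination with 1, 2 or 3 is what should block or quarantine. None of this covers the telephone channel the report also mentions, so the procedural control still matters: any new or changed beneficiary is confirmed with the requester over an independently known phone number before payment.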


Future threats and developments

As consumers continue to shift much of their online activity to mobile devices, this opens up additional attack opportunities and strategies to enterprising cybercriminals. Mobile phones already provide SMS as an additional contact method, while the growing volume of communication and social networking apps provides further access to potential victims. Smaller screens and reduced readability increase the likelihood of potential victims inadvertently clicking on a link. We can therefore expect the number of social engineering attacks via mobile devices and social media platforms to increase.

In 2014 there was widespread concern that the cessation of support for the still widely used Microsoft Windows XP operating system would lead to a fresh wave of scams from fraudsters purporting to represent Microsoft support. In 2015, Microsoft released its free upgrade to Windows 10. Although Microsoft has taken precautions to mitigate potential exploitation of this event by notifying customers directly through their current OS, it is still likely that criminals will take advantage of the opportunity to target unsuspecting victims.

In 2016 Brazil will host the thirty-first Olympic Games. As with any sporting event of this scale it can be expected that there will be a notable increase in phishing and other social engineering attacks attempting to exploit both businesses and citizens in relation to the games.


Recommendations

  • It is necessary to develop an efficient, fit-for-purpose reporting mechanism covering a range of social engineering offences. Online reporting channels are considered to be especially suitable for high-volume incidents of a minor nature.
  • While social engineering attacks are scalable, law enforcement resources are not. Law enforcement should therefore continue to share information with and via Europol in order to identify the campaigns which are having the greatest impact, thereby allowing law enforcement to manage its resources more effectively.
  • Where the capacity and capability exists, law enforcement should target criminal groups providing enabling services such as spam which supports many aspects of cybercrime including social engineering attacks and phishing.
  • Where it is not possible to identify or arrest individuals, law enforcement should focus on disrupting or dismantling the criminal infrastructure which may be supporting multiple types of criminality.
  • Law enforcement should establish and maintain working relationships with both global and national webmail providers to promote the lawful exchange of information relating to criminals abusing those services.