Even suspicious email is too tempting to skip, survey finds
In a study conducted by TNS Global for Halon, an email security service, 30 percent of those surveyed admitted they would open an email, even if they were aware that it contained a virus or was otherwise suspicious.
The study included only 1000 adults within the U.S., so this isn't a national index by any means. But of those surveyed, one in 11 admitted to having infected their system after they opened a malicious email attachment. Given the fact that email is still an easy way for attackers to gain access to the network, often via social engineering (phishing/spear phishing), the survey's results are somewhat alarming.
The reasons given for accessing the messages are telling: For women, the survey results marked messages containing invitations from social networks as the most alluring, while men were tempted messages with the time-tested suggestions of money, power, and sex. More often than not, the malicious messages claimed to be from banking institutions (15.9 percent), social media sites like Facebook or Twitter (15.2 percent), and online payment services, like PayPal (12.8 percent).
According to the stats form the Anti-Phishing Working Group (APWG), in its 2013 First Quarter report, there were more than 74,000 unique phishing campaigns discovered during the reporting period, leveraging over 110,000 hijacked domains and targeting more than 1100 brands.
Based on the data reported by the APWG and various security vendors, Phishing kits are rather inexpensive and the time to develop a workable campaign is rarely longer than a few hours. So the numbers mean that the attack surface is large, and the pool of potential victims is rather full. Combine this with a reported 30 percent success rate, and the criminals behind these campaigns are more than likely pleased with their return on investment.
Phishing at work
Still, Halon's study is focused on the consumer, so how do these figures translate to the corporate world? The simple answer is directly, because users who open malicious attachments at home are often the ones who do so at the office too.
To be sure though, CSO contacted two experts on the topic of social engineering: Chris Hadnagy, the President and CEO of Social-Engineer, Inc.; and David Kennedy, the creator of the Social Engineer Toolkit and the founder of TrustedSec. We asked them a few questions about what they do and their opinions about the Halon study.
"It is important to remember that as an attacker, often, all I need is one person with a vulnerable browser or software or client and that can give me access to click. So from an attackers perspective, a 30 percent success rate is great number for broad attacks," Hadnagy said.
In agreement, Kennedy said that when his firm stages attacks against large organizations, with customers in the Fortune 50 to Fortune 1000, their success ration is around 94 percent. The difference between what he does for his customers and what the criminals are doing with the previously mentioned malicious messages is focus.
The attackers in the Halon study are casting a wide, generic net for victims, and are still able to pull a 30 percent success rate. Those numbers will only climb if the messages are less generic and more finely tuned.
"It only takes about an hour or so to craft up a 'pretext' or attack that we know will be believable. It only takes the employee to believe the fantasy is real in order for them to click something...these are completely obscure emails that have no relevance or believability in a lot of cases and it's still a 30 percent success ratio...For us, the attacks have moved from the external perimeter to the [social engineering] route because of the ROI," Kennedy said.
In their day-to-day work, both Kennedy and Hadnagy seek to lower the ROI many attackers are seeing though social engineering. Each of their respective firms use ongoing training and education in order to accomplish this. Humans are the weakest link in the security chain, so there isn't an appliance or solidly technical control available to prevent focused Phishing attacks (spear phishing) or to stop someone from doing as the attacker has asked one-hundred percent of the time.
"I think the alarming trend in all of this is that we are literally defenseless right now with our current technology or procedures to handle these types of attacks," Kennedy explained.
"The problem with this one is that no piece of technology can fix this alone. It's a coupling of education and awareness, handling procedures, and technical controls on the user population. Our daily lives revolve around opening up emails at a rapid response rate, clicking just this one or that one has no relevance anymore and to take a few extra seconds to review the email isn't part of our daily tasks."
What about the topics of the messages referenced in the study, and the brands represented, is that typical? According to Hadnagy, when humans see emails that hit on things that are on our minds, we're more inclined to click.
"It is basic psychology that they use social media for women and money/power/sex for men as lures... Although highly targeted attacks may use a different lure, tuning into the psychology of the intended victim plays a significant role in a successful lure," he said.
Adding a corporate example to this, Kennedy told the story of one campaign where they used the customer's health benefits program as a lure. The point, he explained, is that whenever an attacker can impact someone personally, there is a higher degree of success. Health benefits issues would impact someone personally, and they fall in-line with normal day-to-day business operations, so as expected, people took the bait.
"If health benefits are in jeopardy and they need to do something that will take two minutes out of their lives to remediate and fix, they will do it without rhyme, reason or thought," Kennedy said.
"[Social engineering] is effective, it's the most effective, and has the most ROI for an attacker. The reason we don't hear about these more in the news is that we have nothing to detect these attacks. We're already compromised, we've already experienced it, and we just don't know it yet."
Everybody slips sometimes
How serious is this threat? Serious enough that even the professionals can be caught by social engineering tactics. As previously covered on CSO, Hadnagy ran the Social Engineer Capture the Flag (SECTF) contest at DEF CON this year. While answering our questions for this story, he shared an interesting anecdote.
As he was preparing for the DEF CON contests and a four-day training class at Black Hat, Hadnagy had made a large amounts of purchases from Amazon in order to procure the supplies needed. To make things easy, said supplies were then shipped to the hotels in [Las Vegas].
"Rushed, behind the 8-ball and trying to get 500 things done at once I [wasn't] thinking when I received an email that said: 'One of your Amazon Purchases was declined&.'. I almost clicked through until I double-checked the URL and saw it went to a [domain] in Russia," he explained.
"Even someone who does this for a living can fall for these things. Why? We are all human. No one is 100 percent all the time. Condition, psychology, curiosity, fear, greed—these are common themes that attract and make us react. I think this sounds typical for most people."