PhishNet: Your best phishing trip
While it may seem bonkers to anyone who lives and breathes in the digital space, the importance of cybersecurity has taken a while to hit the mainstream’s radar.
This all changed this year thanks to the arrival of some particularly nasty malware that spread like wildfire through computer networks on a global scale.
First up, the WannaCry ransomware attack, which launched in May, hit systems in 150 countries, locking users out of their data unless they coughed up a fee in Bitcoin. The malware succeeded in infecting Russia’s interior ministry, banks in Spain, China and the USA and it even managed to shut down the UK’s National Health Service.
In June, ExPetr (originally tagged as NotPetya) arrived. Like WannaCry it hit networks around the world in quick succession. Unlike WannaCry, however, the creators of this malware didn’t want any monetary pay-off. They simply wanted to destroy data wholesale.
If there’s a silver lining to this rather dark cloud, it’s the fact that thanks to these two attacks, cybersecurity is now a top priority for both businesses and private individuals; once again, this is strange given that South Africa is a country where data theft and phishing attacks are endemic.
This isn’t an irony that’s lost on Ronnie Apteker, who works at Internet Solutions’ cybersecurity education service, PhishNet. This year, the news cycle of cyber attacks is filling up his diary exponentially.
“A lot more people are becoming more aware thanks to the media coverage of hacking stories,” says Apteker. “There’s a lot of anxiety out there in the corporate sector especially; they want help, they want guidance and they want to feel secure. There’s a lot of interest.”
“I want to make sure that I use the word ‘interest’,” Apteker says. “That’s to say there’s massive interest but that doesn’t mean there’s massive demand – we’re not selling like hotcakes or anything. People need to understand what we’re offering, what we can do and how to implement the technology.”
“In my opinion, the media has done a great job of identifying this problem – there’s been a huge increase in the coverage of cybersecurity,” he says. “Ransomware is a big motivator. That malware is out of control and lots of companies are becoming more aware of it.”
“The other problem is that the data on companies is free and readily available. We can look up a client on Google and we can find out who their financial director is, their CEO, who represents them in advertising, their company logos and more,” he says. “We’ve actually been able to use that data to put packages together for pitches.”
The nature and the scale of malware attacks that have hit global headlines have become larger in the last few years. Black-hat hacking no longer requires users to understand the fundamentals of operating systems. The general public still remains ignorant about everyday necessities such as encryption and best practice when it comes to clicking on links in emails sent from unknown sources. These two factors have combined to make the present day a boomtown for cybercriminals.
“Online crime is on the rise and the reason for this is that hacking has become a career choice for many people – especially given the rise of unemployment right next to it,” says Apteker.
“On top of that, the skill barrier has been lowered significantly,” he says. “And also, the impersonality of hacking lends it the – inaccurate – veneer that it’s a victimless crime. There’s the idea that the targets, like big corporations, can take a hit. So it’s more appealing and easier to fall into than traditional crime. It’s the idea that no one’s getting hurt, the hours are better and the pay-offs are larger too.”
So what is PhishNet offering? Well, if you remember a movie from the early 90s called Sneakers in which social engineers and hackers were hired by corporations to break into their systems in order to identify security weaknesses, you’re in the right ballpark.
PhishNet’s team launches phishing campaigns against clients – at their behest of course – to help their IT and security departments bring the staff up to speed on the nature of phishing attacks, and what best practices they should implement in order to prevent them.
“What we’re essentially doing is phishing a company’s employees in a safe environment before someone tries to do the same thing maliciously,” says Apteker.
“Phishing is the most common attack vector for hackers,” he says. “It’s a non-stop, daily activity that happens on a global scale. Digital-savvy people can recognise the signs of a phishing attack – you don’t know the sender of the email or the email address looks suspicious – but for the rest, one click on a link can expose an entire network.”
The problem, Apteker says, is that the ‘digital-savvy’ individuals of whom he speaks are in the minority. Companies that employ thousands of people have a duty both to themselves and their interests – be they clients, proprietary information, assets and so forth – to ensure that each employee doesn’t become a weak link in their security. All it takes is one person to click on a malware link and a company’s entire database is up for grabs. According to Apteker, the lack of knowledge about phishing attacks is a huge problem.
“We had a client – who I won’t name – who asked us to give them a heads up before we launched the phishing campaign it had commissioned against it,” he says. “We had to explain that if a hacker wants to get into your system, they aren’t going to give you any warning. They’ll just do it. In order to simulate that, we can’t warn a client ahead of a campaign.”
Take a garden-variety phishing attack: a flash drive arrives in the mail addressed to a company employee. The logo and letterhead on the covering letter check out and the recipient doesn’t think twice before plugging the flash drive into their laptop or PC to download its contents. Right there, a hacker may have access not just to the data stored on one device but to the entire company network.
The infiltrator’s next move, incidentally, may not even happen that same day; once a backdoor is installed it may be weeks or months before it’s used, by which time the employee responsible for enabling it may not even remember how it happened.
It’s this sort of attack that the PhishNet service is aimed at preventing, by launching controlled campaigns on clients and sifting through the results in order to educate employees.
So once a PhishNet campaign has happened, Apteker and his team brief their clients on the results. The upgrades to rank and file cybersecurity knowledge include everything from mail hygiene, to remote access, firewall implementation, to day-one exploits and more.
“The service runs a phishing assessment on a company’s staff and we have an array of campaigns we can run,” Apteker says. “There are various packages and the costs differ depending on the level of penetration required.”
In an environment where state banks and health services can be shut down by bedroom hackers, PhishNet doesn’t just seem useful or necessary – it seems vital.