It’s Phishing Season in Canada: Don’t Take the Bait
Last week, the Canadian federal government announced its plans to create a secure, stable and resilient digital infrastructure in Canada. To help improve incident response and stop cyber-threats, the Government of Canada is investing $155M in its cybersecurity strategy. Given the evolution of online attacks and our country's number two ranking for hosted phishing sites, this initiative is critical for protecting Canadian enterprises and Canadian cyberspace.
According to recent Websense Security Labs research, Canada currently holds second place, behind the United States, among the countries hosting the most phishing sites. Combined, the two account for more than 80 percent of all the phishing sites we encounter. Why? American and Canadian websites have strong reputations on the Internet, which makes compromising them attractive to cybercriminals: a phishing page served from a trusted domain is far less likely to be blocked on reputation alone.
Today, hackers have adjusted their phishing tactics in ways that get past traditional email security. Increasingly, we are seeing a shift from mass phishing campaigns, where indiscriminate emails are spammed out, to a more concerning type of attack targeting individuals with highly customized content - this is what is known as spear-phishing.
Just a few weeks ago, hackers breached an unclassified computer network used by the White House via a spear-phishing attack. And in February 2011, the Canadian government was hit by a spear-phishing attempt: the attackers fooled Canadian federal IT staff into providing access to government computers and eventually gained access to key government systems.
Because of this, employees, and executives in particular, should question the legitimacy of the emails they receive while spear-phishing attempts are on the rise. Don't be a victim. Here's how spear-phishing works and how you can protect yourself.
- Step 1 - Hackers target recipients by gathering intelligence on them from the likes of social networking websites.
- Step 2 - Hackers compromise a legitimate domain or server with which the targeted recipients already have a relationship, in order to obtain a legitimate, and therefore reputable, sending address.
- Step 3 - Hackers use the gathered intelligence to craft convincing phishing emails and send them to the targeted recipients from a reputable address, either one they compromised in Step 2 or one they simply spoof.
- Step 4 - A large percentage of recipients act on the email by clicking on an embedded URL that links to a website that surreptitiously downloads malware. The site may be created specifically for this attack, or it could be a legitimate site that has been compromised.
- Step 5 - The malware looks for network vulnerabilities, perhaps to shut down security defenses and create back-door access to internal systems to capture valuable corporate information.
- Step 6 - Confidential data such as intellectual property and customer data is stolen.
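Steps 3 and 4 above are where a recipient, or a mail filter, still has a chance to catch the attack: the "reputable" sender address is often spoofed, and the embedded URL usually does not go where its visible text says it does. The following script, added here as an illustration and not part of the original post or of any Websense product, shows three cheap checks for those indicators: a From domain that differs from Return-Path or Reply-To, and HTML links whose anchor text names a different host than the href. The two messages are constructed samples using reserved example domains; the names `SAMPLE`, `CLEAN`, `analyze` and `domain_of` are assumptions for this example.

```python
"""Flag common spear-phishing indicators in a raw email message (added example).

Checks performed:
  * Return-Path or Reply-To domain differs from the From domain (sender spoofing)
  * an HTML link whose visible text names one host but whose href points elsewhere
The sample messages below are constructed for illustration only.
"""
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse


def domain_of(addr: str) -> str:
    """Return the lower-cased domain of an address such as 'Name <user@host>'."""
    m = re.search(r'@([A-Za-z0-9.-]+)', addr or '')
    return m.group(1).lower().rstrip('.') if m else ''


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == 'a':
            self._href = dict(attrs).get('href') or ''
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == 'a' and self._href is not None:
            self.links.append((self._href, ''.join(self._text).strip()))
            self._href = None


def analyze(raw: str) -> list:
    """Return a list of human-readable indicators found in the raw message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    from_dom = domain_of(msg['From'])

    # Indicator 1: envelope or reply domain does not match the displayed sender.
    for hdr in ('Return-Path', 'Reply-To'):
        d = domain_of(msg[hdr]) if msg[hdr] else ''
        if d and d != from_dom:
            findings.append(f'{hdr} domain {d} differs from From domain {from_dom}')

    # Indicator 2: link text shows one host, href goes to another.
    body = msg.get_body(preferencelist=('html',))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            href_dom = (urlparse(href).hostname or '').lower()
            shown = text if '://' in text else 'http://' + text
            text_dom = (urlparse(shown).hostname or '').lower()
            # Only compare when the visible text itself looks like a hostname.
            if text_dom and '.' in text_dom and text_dom != href_dom:
                findings.append(f'link text shows {text_dom} but points to {href_dom}')
    return findings


# Constructed sample: spoofed helpdesk lure with a mismatched link.
SAMPLE = """\
Return-Path: <bounce@mail-relay.example.net>
From: "IT Service Desk" <helpdesk@corp.example>
Reply-To: <support@corp-example-login.example.net>
To: <analyst@corp.example>
Subject: Action required: your password expires today
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your password expires today. Sign in to keep access:</p>
<a href="http://corp-example-login.example.net/reset">https://portal.corp.example/reset</a>
</body></html>
"""

# Constructed sample: consistent headers and an honest link.
CLEAN = """\
Return-Path: <helpdesk@corp.example>
From: "IT Service Desk" <helpdesk@corp.example>
To: <analyst@corp.example>
Subject: Scheduled maintenance this weekend
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Details are on the intranet:
<a href="https://portal.corp.example/maintenance">https://portal.corp.example/maintenance</a></p>
</body></html>
"""

if __name__ == '__main__':
    for name, raw in (('SAMPLE', SAMPLE), ('CLEAN', CLEAN)):
        print(name, analyze(raw) or ['no indicators'])
```

These are indicators, not verdicts: legitimate bulk mailers routinely set a Return-Path on a different domain, so in practice a hit should raise the message's score or route it to a sandbox rather than reject it outright.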
As low-volume, targeted phishing attacks proliferate, organizations need to reexamine their email security posture and employee education strategy. Therefore, I suggest:
- Educating your employees and building awareness of spear-phishing campaigns and how they are executed. For example, run phishing simulations against your own staff, in effect penetration testing your employees: send them realistic examples of phishing emails, then give immediate, focused feedback and training to those who fall for the exercise.
- Deploying an inbound email sandboxing solution that continually analyzes and monitors attachments and links for malicious content.
- Using a web security gateway with real-time analysis to inspect your web traffic, so that a malicious URL that does reach an inbox is blocked at the moment a user clicks it.
Spear-phishing is becoming one of the most successful methods for penetrating networks and stealing data today. We can't meet this and other cyber security challenges alone. It's imperative for the public and private sectors to work together to fight cybercrime and restore Canada's cyber reputation. Please join me in applauding Canada's recent steps to fight cybercrime, and share what you're doing to protect Canadian enterprise.