The phishing phenomenon

It takes only one careless employee to unleash an attack. Too many people are taking unnecessary risks says Sathya Mithra-Ashok.

  • E-Mail
By  Sathya Mithra Ashok Published  December 6, 2007

Phishing tactics are often ruled by a break-even point. This point defines the number of responses at which the scam begins to pay-off. For most phishing mails, this is rated at an average response rate of 5% of the total number of mails shot through. For every 5000 mails that are sent out as part of a scam, 250 e-mail receivers have to click and fill in details or download attachments to make the scam pay off.

While this is the case for most consumer-oriented or generic phishing scams, the number of responses needed to tip the scales is alarmingly lower for targeted or a small-oriented phishing try. Some say a 0.1 response rate would be enough to set off the attack, while others claim that one wrong move on a single employee's part is all that is needed for enterprises to lose precious data in a targeted attack.

Those numbers are hard to ignore. Harder in the face of recent attacks that research agencies in the US suffered. Both the Oak Ridge National Laboratory and the Los Alamos National Laboratory were victims of a phishing breach in the last few months. Oak Ridge, which was the most recent one, has a staff of 3800 and conducts research that is connected to security and military purposes.

According to reports following the breach, attackers used sophisticated methods and over seven phishing e-mails to gain access to a database containing personal information of people who had visited the lab over a14-year period.

There is no doubt that the attack was a specifically targeted one, which had involved studying the organisation and the kind of work it does before the attacks were devised. Though the nature of the attackers are not yet known, some industry vendors state that it could be anybody from a normal crime gang to state-sponsored cyber espionage groups.

Scary as that might sound, the truly chilling statistic is that it took only around 11 employees in that organisation to click and download the attachment, across seven different phishing attempts, to cause that enormous loss of data. That works out to just less than 0.3% response rate but that was all it took for the hackers to get in.

And the truth is that, it could take much less for them to get into any Middle East organisation; especially since most of them are least aware of the potential damage these threats can cause, leave alone being protected against them.

If there has been one consistent fact about Middle East enterprise users I have noticed across nine months of writing a security section in NME, it is their nonchalance towards external attacks, particularly targeted phishing attacks. Most large organisations in the region believe that are de-facto shielded by the geographic nature of their location. For most of them, not only does this protect them from phishing attacks, but also from the very idea of becoming targets for most attackers.

Many fail to realise that the internet, the great leveller of our times, enables a targeted attack to be aimed at any organisation - Middle Eastern or otherwise - from any other part of the world. Even those who do fail to understand that defending against these threats can be an intensive and continuous process.

Enterprises which wish to protect themselves from such attacks - where the criminals prepare much in advance, educate themselves on the nuances of the organisations and make themselves familiar with the subject matter of daily discussion within the organisation - have to adopt a two-pronged strategy that involves a small portion of technology and a mighty portion of human psychology and behaviour.

Preventing damage for an enterprise involves stopping every single employee from clicking on attachments which look suspicious, teaching them to look for signs that give away a phishing attempt and familiarising them with the message of how dangerous their actions can prove for the organisation.

Though most organisations in the region are yet to invest time and effort into getting their employees ready for an attack, it is time that they do just that.

That is assuming they do not want to run the risk of just one, unaware, slightly careless employee setting off the next attack with the possibility of losing not only losing data and causing havoc but also wishing goodbye to the firm's reputation and the chance of future business and profits.

4231 days ago

This is not just carried out on suspicious emails - some emails come using the logos of reputable firms such as Microsoft, for example. Having been on the receiving end of one of these attacks where my email was hijacked for three days until MSN took control again, I can vouch that it is not a suspicious email that generates the attack. It is usually something that you would not think twice about opening. The resulting chaos caused by emails generated by hijackers and the inconvenience of not being able to access your own email accounts is alarming. Even more alarming is how to vet all your emails. I now have a sophisticated protection system on my computer and since installing it have prevented 86 phishing attacks in a week. This is scary considering mine is a private account. How many attacks must be carried out everyday? One can only imagine.

Add a Comment

Your display name This field is mandatory

Your e-mail address This field is mandatory (Your e-mail address won't be published)

Security code