The Latest in Phishing: September 2015

We bring you the latest in phishing statistics and attacks from the wild.

• How much does phishing cost an average large company? Almost $4 million USD annually, according to new research from the Ponemon Institute, which also looked at how the right security awareness and training for end users can cut that risk dramatically.
• Citizen Lab, an interdisciplinary laboratory based at the Munk School of Global Affairs at the University of Toronto, released a report detailing a phishing campaign targeting Iranian dissidents. There was not a threat actor named. What made this phishing attack unique was its use of a fake two-factor authentication code in addition to the phishing email.
• A Salesforce vulnerability discovered by cloud application security company Elastica could have allowed hackers to send phishing emails that appear to be from a trusted Salesforce domain. Additionally, it could have enabled attackers to execute scripts and steal cookies and session identifiers of Salesforce customers, which could have lead to a takeover of a Salesforce account. Salesforce was quick to patch the vulnerability on August 10, 2015 after the report was released in late July.

Increase your security response team's efficiency with PhishAlarm Analyzer

• Which company departments are most susceptible to phishing attacks? A Verizon report says legal and HR departments are the worst offenders; in response, lawyers wrote about how education can help prevent this common form of social engineering.
• Get a request to edit a Google Doc recently? An architect at Elastica found attackers using malicious web sites hosted on Google Drive to trick users.
• The National Counterintelligence and Security Center (NCSC) is launching “awareness campaigns” about phishing, with director Bill Evania mentioning that the majority of large breaches in the public and private sector start with spear phishing.
• SMX, a large provider of cloud email services, told its New Zealand customers to be wary of increasing numbers of incidents involving spear phishing and whaling attacks. Whaling attacks are like spear phishing, in that they’re highly-targeted phishing attacks but they’re focused on corporate upper management.
• Cyren released its 2015 Q2 Cyber Threats Report and found a 38% overall quarterly increase in phishing attacks. It also found that attackers are increasingly focused on extracting corporate data from businesses instead of consumers.
• A Proofpoint Threat Report found that during the first half of 2015, attackers have been using more malicious attachments compared to 2014, when they were more focused on sending malicious URLs in emails.
• A list of 385 million emails revealed that UK firms are being targeted by a Dridex banking Trojan allegedly originating from Russian-based cyber-gangs. Phishing emails are being used to lure people to download malicious attachments that infect computers.
• Research from Norton revealed that millennials are not great at protecting themselves online. The study showed that 26% had been affected by a phishing scam. Additionally, almost 3 in 10 millennials share “everything that happens in their day-to-day life” online.
• ‘Operation Pawn Storm’ is a phishing attack spoofing the Electronic Frontier Foundation’s (EFF) website. The EFF has a full write-up for those wanting to learn more.