September 12, 2013 EC-Council

 By Limor S. Kessem, Cybercrime and Online Fraud Communications Specialist, RSA

Anyone aware of or involved in information security in this day and age would be quick to agree that the threats linked with using the Internet have changed drastically since the early-to-mid 90s, when this medium explosively impacted culture and commerce. Early threats had little means of spreading, the number of users was tiny compared with today’s Internet traffic, and the biggest worry was viruses wreaking havoc on people’s personal computers.

Online threats have come a long way and can now be held accountable for a growing list of misdeeds and crimes: from petty financially driven theft, which actually yields the least collateral damage, to theft of priceless intellectual property, business espionage, the disruption of critical infrastructure and the penetration of secure systems that can escalate into cyber-war. The demons of the digital world affect our finances, our identities and the world as we know it today.
Although threats are more diverse and more advanced than ever, almost all of them still share one rather benign-looking gateway. Surprisingly, that gateway is Phishing. How do most threats connect with Phishing, and why is this older, well-known threat still so prevalent today?

Looking at the short historical timeline of online threats, Phishing can be considered an ‘old threat’. The term Phishing has been in use since at least 1996; a quick calculation shows that Phishing is 16 years old, and yet the world has not been able to rid itself of this phenomenon. Phishing is still one of the top threats on the Internet today; its direct and indirect costs tax the global economy with billions of dollars in fraud damages every year.

RSA reports released early this year show that worldwide losses from Phishing attacks alone amounted to over $520 million during H1 2011; a 43% increase in attack numbers translated into $755 million in losses during H2 2011. Total monetary losses for the year were Rs 5760 crore (about $1.28 billion USD globally), with India ranking among the top 5 most targeted countries for Phishing attacks and accounting for $38 million USD of that total.

What makes Phishing such a successful threat? In one word: Evolution. They say “The Strongest Survive”, and in that sense it appears that Phishing has what it takes: good DNA and the ability to evolve over time.

At the core of this threat lies a powerful magnet: human emotion. Although Phishing is a crime of the Internet age, manipulation, deceit and persuasion are not. What makes Phishing successful is social engineering, which drives most of the schemes cybercriminals use today to manipulate online users into disclosing crucial information. The concept of social engineering is deeply rooted in fundamental social psychology principles, hence its perpetual success.

There are several aspects of psychology we can draw on to understand how social engineering works, specifically the psychology of persuasion. Social psychology describes two alternative routes of persuasion that can be employed when attempting to elicit a response from another person:

  • A central route to persuasion, which involves the recipient thinking about the message.
  • A peripheral route to persuasion, which relies on superficial cues within a message to get a person to purposefully not think, but rather to react emotionally and immediately.

Again, neither is new; the peripheral route to persuasion has been, and still is, used extensively in confidence scams and telemarketing fraud.
Because persuasion is such a pervasive component of our lives, it is easy to overlook the external influences affecting us. When it comes to Phishing, cybercriminals rely on the peripheral route to persuasion to get a victim to respond through an emotional reaction to anxiety or excitement.

Every Phishing attack, of every type (broad-spectrum spam, Spear Phishing, Whaling), begins with a ploy and built-in emotional triggers. Regardless of how the Phishing URL or the e-mail containing it is delivered, the intended user has to be convinced that he needs to go to that page for a reason valid enough to then part with access credentials and personally identifying information: the sort of data the user already knows is a secret that should be shared only with the trusted source who issued it.

The better ploys add these common human motivators and emotions to the mix:

  • Rightful Reward: Tax refunds
  • Greed: Unwarranted lottery winnings and 419-scam deals
  • False accusation: Tax Fraud report from the authorities
  • Curiosity: ‘Look who has been searching for you’
  • Right the wrong: Fake order confirmations from known online merchants or shopping sites
  • Trust: Fake emails from banks, service providers, investment houses, social networking friends or professional network colleagues/ business associates.

In terms of the number and effectiveness of attack ploys, the most successful campaigns rely on trust. This explains a current and prominent trend of Phishing via social networks or purporting to come from a known source, which reliably yields more victims. Creating a rush of strong emotion in a potential victim repeatedly enables cybercriminals to elicit an immediate response, because the victim’s ability to think logically is hindered.
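To show how a defender can operationalize the observations above, here is an added example (not RSA’s code and not part of the original article) of a small triage heuristic in Python. It scores a message for the emotional triggers listed above (reward, greed, accusation, curiosity, plus urgency and a request for credentials) and for the two commonest trust ploys: a display name claiming a brand whose sending domain does not match, and a link whose visible text shows one host while its href points to another. The brand list, the domain names and the three sample messages are constructed for this example; a real deployment would load brand domains from a registry and tune the weights against its own mail.

```python
"""Phishing-lure triage: scores a raw RFC 822 message for peripheral-route
cues (emotional triggers) and trust ploys (brand spoofing, link mismatch).
Added example; brand list, domains and samples are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical brand registry: display-name fragment -> domains allowed to send as it.
TRUSTED_BRAND_DOMAINS = {
    "examplebank": {"examplebank.com"},
    "taxoffice": {"tax.gov.example"},
}

# Each cue raises the score; none is proof on its own. (name, weight, regex)
TRIGGER_PATTERNS = [
    ("reward", 1, re.compile(r"\b(refund|you are eligible|claim your)\b", re.I)),
    ("greed", 1, re.compile(r"\b(lottery|winner|million (dollars|usd)|inheritance)\b", re.I)),
    ("accusation", 1, re.compile(
        r"\b(fraud report|your account (has been|will be) (suspended|locked)|legal action)\b", re.I)),
    ("curiosity", 1, re.compile(r"\b(who (has been )?(searching|looking) for you|you have been tagged)\b", re.I)),
    ("urgency", 1, re.compile(r"\b(within 24 hours|immediately|act now|expires today)\b", re.I)),
    ("credential-ask", 2, re.compile(r"\b(password|pin|bank details|account number|card number)\b", re.I)),
]

LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def analyse(raw):
    """Return {'score', 'findings', 'verdict'} for one raw message string."""
    msg = message_from_string(raw)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1].lower()
    if msg.is_multipart():
        parts = [p.get_payload(decode=True) or b"" for p in msg.walk()
                 if p.get_content_maintype() == "text"]
        body = "\n".join(p.decode("utf-8", "replace") for p in parts)
    else:
        body = msg.get_payload()
    text = msg.get("Subject", "") + "\n" + body
    findings, score = [], 0

    # Emotional triggers in subject or body.
    for name, weight, pat in TRIGGER_PATTERNS:
        if pat.search(text):
            findings.append(f"trigger:{name}")
            score += weight

    # Trust ploy 1: display name invokes a brand, but the sender domain is not one of its own.
    compact_name = display_name.lower().replace(" ", "")
    for brand, domains in TRUSTED_BRAND_DOMAINS.items():
        if brand in compact_name and sender_domain not in domains:
            findings.append(f"brand-spoof:{brand}:{sender_domain}")
            score += 3

    # Trust ploy 2: the visible link text names one host, the href goes to another.
    for href, anchor_text in LINK_RE.findall(body):
        href_host = (urlparse(href).hostname or "").lower()
        shown = URL_RE.search(anchor_text)
        shown_host = (urlparse(shown.group(0)).hostname or "").lower() if shown else ""
        if shown_host and shown_host != href_host:
            findings.append(f"link-mismatch:{shown_host}->{href_host}")
            score += 3
        if IPV4_RE.fullmatch(href_host):  # bare IP literal instead of a brand domain
            findings.append(f"ip-link:{href_host}")
            score += 2

    return {"score": score, "findings": findings,
            "verdict": "suspicious" if score >= 4 else "ok"}


# Constructed samples (not real mail).
SAMPLE_PHISH = """From: Example Bank Security <alerts@examplebank-verify.example>
Subject: Your account has been suspended
Content-Type: text/html

<p>We detected unusual activity. Your account has been suspended. Verify within 24 hours at
<a href="http://198.51.100.7/login">https://www.examplebank.com/login</a>.</p>
"""

SAMPLE_419 = """From: Prize Office <claims@mail.example>
Subject: Congratulations, winner!
Content-Type: text/plain

You have won 1 million USD in our lottery. Claim your prize immediately by replying with your bank details.
"""

SAMPLE_LEGIT = """From: Example Bank <statements@examplebank.com>
Subject: Your monthly statement is ready
Content-Type: text/plain

Your statement for last month is available in online banking.
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("419", SAMPLE_419), ("legit", SAMPLE_LEGIT)):
        print(label, analyse(sample))
```

The weights deliberately favour the trust ploys over wording: a spoofed brand or a mismatched link is a structural lie the sender cannot easily avoid, whereas trigger phrases also appear in legitimate mail, so a keyword hit alone should not quarantine a message.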

Attack metrics show that the effect of trust abuse is further enhanced when people receive social engineering messages on their mobile phones: they respond even faster and are the first to reach newly launched Phishing pages.

Why the mobile phone? Because, once again, the user trusts that only those who know him or her have the number; moreover, the mobile phone is a much more personal device than, say, a PC that others also use at home or in the office.

A recent article about social engineering via social networks, challenging readers with “Can I Get You in 5 Tries?”, showed that banking on trust can be so effective that it convinces even the savviest. It appears that no one is exempt from the most human downfall: emotionally driven action.

Phishing is the key to many other web-borne ailments. Although social engineering has always been a major tool in the arsenal of online fraud operators and scammers, it took organizations quite some time to realize that Phishing was a serious problem for everyone. Even if the financial industry was the first to feel the crunch, we know today that no entity is safe from the harm and indirect damage a successful Phish can inflict.

Phishing, and more precisely Spear Phishing, as it turns out, is the entry point for the worst threats into an organization’s systems. Since compromising the security of systems and networks invariably relies on the human factor, attackers planning malware infections or even APT schemes use the same methods to get their foot in the door. That ‘door’ may be easier to find than ever before: with the consumerization trend rapidly and quite insidiously invading everything we do, the ease of Phishing the human is set to increase. Research firm KPMG’s e-Crime Report 2011 cautioned that “the future of targeted malware delivery is inextricably linked to social networking”.

When it comes to targeted attacks, the problem is magnified, since the recipients of Spear Phishing are not your average webmail users but individuals working in corporate environments with access to the organization’s resources. Here the threat crosses delivery vectors and reaches targets on their mobile devices and at their corporate email addresses simultaneously; criminals know this and rely on it to pave the way in.

How likely is it, then, that someone casually reading email on a work-issued BlackBerry will recognize a message in which every step was calculated to lead to a perfect infiltration? How likely is it that, if the message contained an interesting file, the user would open it at that very moment? How much later will the phone be synced with that user’s corporate PC?

Make no mistake – Spear Phishing malware campaigns are premeditated, planned and well organized; attackers use toolkits and advanced sending techniques to ensure the right amount of exposure to the intended recipients.

The correspondence is not only well articulated but also uses modern filtering-evasion techniques to bypass security mechanisms and land in the recipient’s inbox rather than the “Junk” folder, further increasing the chance that the message will be opened and its content unleashed on the target system.

Take financial fraud scenarios as an example: Phishers have become extremely business-oriented, actively looking at methods and measures to ensure the maximum profitability of each campaign. They carry the same attitude over to the realms of enterprise malware, data breaches and infiltrating organizations, where criminals are all the more focused, driven by precise goals and by higher stakes and bottom-line profitability.

It is only logical that those who prepare the bait that will open the door take its crucial role very seriously and plan more carefully, rendering the foe harder to detect or dismiss.

Cybercrime is a big threat to India’s large online population, which loses billions to online fraud every year. At the end of the day, we see that Phishing is only picking up speed; attacks are qualitatively better than ever and their numbers increase every year. At this level of sophistication and criminal intent, there is a need to stop these threats. Organizations need to gear up to prevent risks and learn how to mitigate them once the attacker is already in the system.

RSA, The Security Division of EMC, is the premier provider of security, risk and compliance management solutions for business acceleration. RSA helps the world’s leading organizations succeed by solving their most complex and sensitive security challenges. These challenges include managing organizational risk, safeguarding mobile access and collaboration, proving compliance, and securing virtual and cloud environments.
Combining business-critical controls in identity assurance, encryption & key management, SIEM, Data Loss Prevention and Fraud Protection with industry-leading eGRC capabilities and robust consulting services, RSA brings visibility and trust to millions of user identities, the transactions that they perform and the data that is generated. For more information, please visit and