Are you my secret admirer? That was the question millions of people asked themselves 20 years ago when the Love Bug virus took the world by storm. This social engineering attack, also known as the "ILOVEYOU virus" or "Love Letter for you", infected around 50 million computers around the world in ten days and cost billions to eliminate.
When the Love Bug virus was created, Windows users received an email with an attachment that pretended to be a love letter. The virus used Outlook Visual Basic scripts as a gateway, and as soon as it got into someone's email account, it would send the phishing email to everyone on the contact list. The message read: "Please check the attached LOVELETTER from me".
In a heartbreaking turn of events, the victims of the attack were soon to discover the real purpose of the email, and it wasn't true love. To top it all off, the total damage caused by the attack, including removing the infection and restoring all deleted files, cost 10 billion dollars.
The fraud turned out to be so serious that even the Pentagon and the CIA shut down their e-mail systems for a short time. With reports of the attack hitting the front pages of most major news outlets on May 5, 2000, the Love Bug virus put the spotlight on email security threats as never before and made companies and individuals aware of the harsh reality of cyber threats.
If you take a closer look, Love Bug was pretty nifty. As a computer worm, it spread quickly by replicating itself. Not only that, it also did something that made it even more successful: it exploited people's emotions and enticed those in search of love to click on the malicious attachment.
The Love Bug is one of the earliest examples of a social engineering threat, preceded by the Melissa virus and followed shortly thereafter by the Conficker worm. Unfortunately, we are still dealing with this type of attack 20 years later! Often used by cyber thieves to cause harm, social engineering attacks have evolved into sophisticated malware, phishing scams, ransomware, and more. For Valentine's Day, let's take a look at how phishing attacks have evolved, highlight some of the key trends over the past two decades, and explain how users can avoid falling for the bait.
Phish # 1: Criminal Deception
The term "phishing" was first mentioned in 1996 on a Usenet newsgroup. Although many did not know what it meant at first, it laid the foundation for what was to come. Phishing attacks on AOL soon began, attempting to steal logins from users with messages from alleged AOL employees. This technique became more sophisticated as phishers began to create more believable subject lines and impersonate family members. This later developed into "conversation hijacking", in which users are led to believe that they are communicating with someone they trust. The most common form of criminal deception today is the spear-phishing attack, in which the attacker researches the target beforehand and pretends to know the person being targeted.
Phish # 2: Business Email Compromise (BEC)
BEC is a more specific form of criminal deception that relies heavily on social engineering tactics and creates a sense of urgency to act on an email. This type of phishing scam, also known as a "man-in-the-email" attack, takes the form of a supposed manager manipulating an employee or another unfortunate recipient into responding with sensitive information. These attacks occur so frequently that the FBI estimates BEC caused more than 26 billion US dollars in losses between 2016 and 2019.
Phish # 3: Ransomware
Ransomware is still a hotly debated topic today, although it really gained prominence in the phishing arena in September 2013 with the birth of the CryptoLocker ransomware. The malware was distributed to more than 250,000 computers, locking files and demanding payment of a ransom in exchange for a decryption key. Email used to be the main way ransomware spread, but the saying "everything old is new again" applies here: email delivery is making a comeback, and hackers are increasingly resorting to older, more basic tactics.
Phish # 4: Phishing as a Service (PaaS)
As if there weren't enough "phish" in the ocean already, a newer phishing tactic has emerged in the darkest parts of the web over the past two years. In 2018, researchers discovered that hackers on the dark web were selling ready-made phishing templates to make it easier for less advanced adversaries to carry out these attacks. Not only are these templates designed to look authentically like the brand they are intended to imitate, but the marketing tactics used to sell the products themselves are sophisticated; some even offer coupon codes for a better deal on the purchase.
Phish # 5: Thematic Attacks
While some Valentine's Day-themed phishing attacks will certainly appear in the inboxes of unsuspecting users in the next few weeks, the most prominent recent example of thematic phishing has been COVID-19-themed emails that offer updates on the pandemic and promise information on vaccine distribution. Whether they are fake communications from a large health organization or pretend to come from an employer providing information about updated processes, they always feed on fear, uncertainty, and doubt.
Most importantly, these phishing techniques are only the tip of the iceberg: as technology continues to evolve, attacks become more sophisticated, but the old techniques continue to serve as the basis for new ones. To protect themselves against sophisticated phishing scams, here are five tips that businesses should be aware of:
- Invest in security awareness training to learn how to spot a phishing email.
- Make sure all systems have the latest security patches.
- Hover over suspicious links to verify authenticity.
- Install an anti-virus solution (try free antivirus software) and/or an anti-phishing toolbar and monitor them regularly.
- Never give out personal information on the internet unless absolutely necessary.
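The "hover over suspicious links" tip can be turned into an automated triage check for a mail gateway or help desk. The following added example (not code from the original article) uses only Python's standard library to parse an HTML message body and flag anchors whose visible text shows one domain while the href actually points to another; the sample message and the example-bank.com / example.net names are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Visible anchor text that "looks like" a link: optional scheme plus a domain.
DOMAIN_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

def registrable(host):
    """Last two labels of a hostname (assumption: no multi-part suffixes like co.uk)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def find_mismatched_links(html):
    """Return links whose displayed domain differs from the href's real domain."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        match = DOMAIN_RE.search(text)
        if not match:
            continue  # "Click here" style text: no displayed domain to compare
        shown = registrable(match.group(1))
        actual = registrable(urlparse(href).hostname or "")
        if shown != actual:
            findings.append({"text": text, "href": href,
                             "shown": shown, "actual": actual})
    return findings

# Constructed sample: an honest link, a "Click here" link, and a lure whose
# visible text names the bank while the href lands on an unrelated host.
SAMPLE_EMAIL = """<p>Please confirm your account:</p>
<a href="https://www.example-bank.com/help">www.example-bank.com</a>
<a href="https://www.example-bank.com/faq">Click here for details</a>
<a href="http://example-bank.com.login-verify.example.net/x">https://example-bank.com/account</a>"""
```

Running `find_mismatched_links(SAMPLE_EMAIL)` reports only the third link, the one a user would catch by hovering; "Click here" links carry no displayed domain and still need manual inspection of the real target.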