HKCSView: Gone phishing

Michael Mudd

When I was younger I used to like to dangle a rod and line in a river hoping to catch a small fish on a hook with a worm attached as bait. Today I fish off a friend’s trawler yacht in Hong Kong with an expensive rod and highly specialised lures for different kinds of fish. I tend to catch more fish today.

The art of casting and reeling is where we get the term phishing, a noun that describes the modern method of fraud to get people to part with something of value, in this case information and/or money. It’s an electronic form of vishing, which is what the age-old fraud of spoken social engineering (phone scams) is now called.

The scary phishes

In the recent past it was mainly aimed at getting victims to reveal personal information (passwords, bank and credit card numbers), usually within an email that purports to be from a well-known legitimate enterprise. Derivatives built upon this are more specific, hence the term ‘spear phishing’ for attacks targeted at specific individuals or companies; when it’s aimed at the C-suite it’s called ‘whaling’. The Austria-based aerospace supplier FACC suffered a spear phishing attack in early 2016 that resulted in a fraudulent €50 million (US$54 million) money transfer: it wiped out their profit for the year. The “whales”, the CEO and CFO, are no longer with the company.

In Hong Kong, phishing attacks are found targeting financial and banking customers. Standard Chartered Bank in Hong Kong was forced to issue a statement last May warning its customers against phishing. According to the bank, emails were sent to its customers with the request to “VERIFY MY ACCOUNT.” If the unfortunate recipient clicks on the link they are redirected to a fraudulent website that looks similar to the bank’s real website, for “online banking verification.” Among the information requested are the user’s e-banking account, password, transaction password, ATM card number and ATM PIN, information that no bank ever asks for online. Other banks in Hong Kong have been experiencing similar attacks. Details of phishing attempts against banks are listed on the Hong Kong Monetary Authority’s website. In January 2017 alone, five major banks were targeted, including Hong Kong’s largest bank.

Dissecting a phishing message

Phishing is rapidly evolving from attempting to just steal information to also being the vector of choice for ransomware. The spam messages, often targeting businesses, appear to be notifications that bills, invoices or price lists are attached to the email. The attachments actually contained a Trojan downloader written in JavaScript, and in most cases the malware loaded Locky or a derivative. These lock important information or documents, which can only be decrypted after paying a bitcoin ransom.
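The two lures described in this column, the “VERIFY MY ACCOUNT” e-banking mails that ask for an ATM PIN and transaction password, and the invoice-themed spam carrying a JavaScript downloader, can be caught with a simple mail-gateway triage rule. The following is an added example, not code from the column or from any bank or vendor named in it; the sample messages are constructed here, and the attachment extensions and regexes are assumptions to tune for your own environment.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Lure themes from the column: billing-themed spam with script attachments,
# and "verify your account" mails asking for data a bank never requests online.
LURE_SUBJECT = re.compile(r"\b(invoice|bill|price\s*list|verify (my|your) account)\b", re.I)
SCRIPT_EXTS = (".js", ".jse", ".wsf", ".vbs", ".hta")  # assumed list; extend as needed
VERIFY_FIELDS = re.compile(r"(transaction password|atm pin|atm card)", re.I)


def triage(raw_message):
    """Return the reasons a raw RFC 822 message matches the phishing patterns above.

    An empty list means no pattern matched.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    reasons = []
    lure = bool(LURE_SUBJECT.search(msg.get("Subject", "")))
    # Rule 1: a script-type attachment, worse still under a billing-themed subject.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(SCRIPT_EXTS):
            reasons.append(f"script attachment {name!r}"
                           + (" with billing-themed subject" if lure else ""))
    # Rule 2: the body asks for credentials no bank requests over email or web.
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is not None and VERIFY_FIELDS.search(body.get_content()):
        reasons.append("asks for credentials a bank never requests online")
    return reasons


def build_sample(subject, body, attachment_name=None):
    """Construct a sample message (constructed test data, not a real phish)."""
    m = EmailMessage()
    m["From"] = "billing@example.invalid"
    m["To"] = "staff@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    if attachment_name:  # placeholder bytes stand in for a downloader script
        m.add_attachment(b"// placeholder", maintype="application",
                         subtype="javascript", filename=attachment_name)
    return m.as_string()


SAMPLES = {
    "invoice": build_sample("Invoice 2017-0042 attached", "See attached.", "invoice_0042.js"),
    "verify": build_sample("VERIFY MY ACCOUNT", "Enter your e-banking account, password, "
                           "transaction password, ATM card number and ATM PIN."),
    "benign": build_sample("Lunch on Friday?", "Dim sum at 12:30?"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, triage(raw))
```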

The US-based anti-phishing company PhishMe reported a dramatic increase in the number of phishing emails deploying ransomware payloads during 2016. Last March, 93% of the phishing emails they collected were intended to infect victims with ransomware. Over a third of the respondents to a recent survey by AlienVault reported that their executives have fallen victim to a CEO fraud email, and over 80% believed their executives could fall for phishing scams in the future.