March Hackness: The Perfect Phishing Bracket
Shalabh Mohan | Area 1 Security | @area1security
Tar Heels or the Wildcats. One of them is the likely winner of this year’s NCAA tournament (with due apologies to Michigan State & University of Virginia fans; those two upsets destroyed my own personal bracket earlier this month).
While the collective zeitgeist is focused on the ups and downs of NCAA’s March Madness, we decided to do our own bracket related to something less fun than basketball but still a watercooler conversation topic — cybersecurity. We went through millions of attack records from 2016 within our dataset to come up with the perfect phishing bracket for this year. Phishing is the primary cybersecurity attack risk (source: Verizon Report) and attackers have their own version of a brand leaderboard to target unsuspecting individuals, employees, and through them, the organizations which they are associated with.
Although the majority of us might quickly scan through the above 64-brand bracket, entirely unsurprised but still relatively pleased that our organization is not listed, we are not quite in the clear.
Not even close, actually.
Predictably, large conglomerates with enormous amounts of consumer accounts (read: financial institutions and cloud services) are the topmost phishing lures. But what does that actually mean for them, and more importantly, what does that mean for us?
A “phished brand” is a brand that cybercriminals imitate in malicious cyber campaigns; so in essence, the brand is the bait for the phishing scam. While this is certainly detrimental to the brand, with damages extending far beyond the actual data loss and remediation costs, the phished brand is not the only victim in this scenario.
Analogous to real fishing, where the bait does not exactly triumph, the brand is just a vehicle by which to “catch” the true target: the fish. This is where unsuspecting and harmless employees of an organization come into play.
We are the fish. Small fish that is.
Small fish we may be, but the companies we work for are the true big fish the attackers are after. Motivations vary from data and intellectual property theft, financial account access, corporate M&A activity to corporate espionage; to just name a few. But make no mistake — they are coming after us. Constantly. Cybercriminals are unbiased and will prey on victims across all verticals, sizes, and countries.
Analyzing the full bracket above, we see similarities with a Pareto distribution wherein these top 64 brands accounted for 70% of all phishes seen during the analysis period. These attackers are exploiting our inherently trusting nature. They are disguising malicious emails and links as legitimate communications from trusted brands. The top 64 brands. People trust Apple and Wells Fargo.
Furthermore, and to nobody’s surprise, US companies are the most targeted phishing lures. More surprising, however, the USA is also the majority source (62%) of all phishing URLs. Where an attack is coming from matters much more than you think, as it allows us to create better defenses against such attacks.
Now, let’s see who made it to the Sweet Sixteen and the Phinal Phour:
While an avid basketball fan might have a general sense of which teams will make it to the sweet 16 and beyond, only 0.01% of the contestants in this year’s ESPN bracket challenge actually came out with a perfect bracket after day one of the NCAA tournament.
Unlike NCAA basketball, which is inherently unpredictable, cyber-attackers tend to follow the book very closely. By analyzing millions of attack records, by looking at small and large patterns within them, and by understanding where and how the attackers are using these socially engineered techniques, we can anticipate what that perfect ranking of the top 64 most-phished brands looks like.
And much before we hit NCAA’s March Madness season, the attackers have already chosen their Sweet Sixteen and Elite Eights. And as we speak, those phishing messages are working their way into our inbox through some way or form. The onus is on us collectively to make sure we anticipate and upset the attackers’ bracket. Not only this month, but on a consistent, ongoing basis.
Phishing bracket referenced in SC Magazine Article Here.
