One of the biggest secrets of success for hackers who mount phishing campaigns to rip off innocent e-commerce shoppers – and very successful they are – is leveraging basic psychology to entice victims into responding to their poisonous missives. In order to install the malware that will allow them to invade a user's computer or a company's network – giving hackers the opportunity to run exploits that steal user credentials or credit card details, or to install ransomware with which they can extort cash from victims – they need to get the victim to click on a link, open a document containing a malware-laden script, or run some other exploit that will give them entrée to a system. And in order to do that, they need to mount a good “sales job” – incentivising victims to follow the trail that will lead them to victimhood.
And as cynical – and sick – as it sounds, Memorial Day affords hackers an opportunity they await with bated breath. The unofficial start of the summer season, Memorial Day – when Americans remember those who sacrificed so much so that they could remain free – has morphed into one of the biggest shopping days of the year. But since it's also about the soldiers, many stores – online and offline – offer special deals that allow shoppers to donate part of their purchase dollars to veterans' groups, or otherwise express their solidarity with America's fallen soldiers. For many people, this kind of altruistic shopping is an important way to commemorate a day that pushes in two directions – somberly remembering the fallen, and celebrating freedom – the freedom to shop, and freedom from the strictures of the long winter.
With shoppers thus already primed to respond to offers for Memorial Day bargains, hackers have hit upon what seems to be a peerless plan to snare well-meaning victims. All it takes is an e-mail offering deals, with, for example, links to a web site that lets shoppers buy at a discount and donate at the same time. By this time, hackers have become experts at emotional engineering, and they put those skills to good use, turning what should be a mere shopping experience into practically a patriotic duty. As at other times of the year when emotions run high, Memorial Day is a time when consumers need to be especially careful about what they click on.
So what's a shopper to do? The standard advice to protect oneself hasn't changed in years. Don't click on links or attachments from people you don't know, or from suspicious-looking sources; don't enter credit card data on sites that look dodgy; check the URL of sites to ensure you are where you are supposed to be, and not on a phony hacker-run site designed to look like the real thing; and of course, install an anti-virus/anti-fraud solution.
The problem is that people have been doing this for years – but the problem just gets worse every year. The latest gambit for hackers, ransomware, has been growing by leaps and bounds; reported ransomware attacks grew 167 times between 2015 and 2016 – from 3.8 million to a whopping 638 million. According to the FBI, hackers “earned” over a billion dollars in ransomware attacks in 2016, some five times over the amount they netted in 2015. Those attacks clearly encompass users of all skill levels – and users in large organisations, where IT teams are paid to prevent such attacks by instituting security protocols and educating users on how to avoid becoming victims (and thus infecting the entire network).
It's not working. “Everyone” knows that they shouldn't click on a suspicious link, but what is “suspicious?” These rogue messages are socially engineered to elicit a response – meaning that they are difficult to resist. Often, phishing messages are very difficult to distinguish from the “real thing;” if an employee gets a message purportedly from the president of the firm to open an e-mail attachment, are they more likely to call up the boss and ask if s/he actually sent it out – or will they just take a chance and open it? And even the defence systems that individuals and organisations implement to catch these threats – antivirus systems, sandboxes, and the other recommended solutions – are failing. Many of these phishing messages contain sophisticated zero-day threats that antivirus systems and sandboxes cannot detect, because they don't have a signature yet that can be added to the system.
The impotency of "traditional" solutions
Thus the “traditional” solutions – from self-restraint to advanced tech solutions – are not working. What then, can be done? What's needed is an advanced approach that doesn't take any chances – one that will take the choice of whether or not to take a chance on a link or an attachment out of the hands of users. The only way to do that is to shift the burden onto a tech solution that is capable of allowing users to access messages – but only after those messages have been vetted and approved.
Technologies based on sandboxes and similar “isolation” techniques might be useful in this situation. A sandbox, of course, holds back a file that appears to be suspicious, or does not fit the profile of what is permitted on a network. Thus, many sandboxes will prevent attachments or images from entering a network, on the theory that workers don't need them.
That's not always true, though – which requires sandboxes to up their game a bit. A more advanced version of the sandbox dissects messages, attachments, and scripts on the server, disarming and removing the threats, and then reconstructing the message and sending it on. All functionality is kept intact, enabling workers to safely access the items they need. A good backup system is also essential – and outsourcing all these activities to a full-service MSSP (Managed Security Service Provider) that takes the burden of dealing with threats off the shoulders of an organisation is a good strategy, given the difficulty of keeping up with business and cyber-defence at the same time. Using these strategies, e-commerce sites can save themselves – and their customers – a great deal of heartache, and make it safe for people to shop on Memorial Day, or at any time of the year.
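The disarm-and-reconstruct step described above, narrowed to the HTML body of an e-mail, can be illustrated as follows. This is an added example, not code from the article or from any product: the allowlists, the function names and the constructed sample message are assumptions, and attachments would need their own format-specific rebuilders.

```python
import html
from email import message_from_string, policy
from html.parser import HTMLParser

# Allowlists chosen for this example (assumptions, not from the article).
SAFE_TAGS = {"html", "body", "p", "a", "b", "i", "br", "ul", "li", "h1", "h2"}
SAFE_ATTRS = {"href", "title"}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object"}

class Rebuilder(HTMLParser):
    """Re-emit only allowlisted markup; nothing is copied through by default."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1  # discard the element together with its content
        elif not self.skip and tag in SAFE_TAGS:
            # Event handlers and non-http(s) link targets are not carried over.
            kept = [(k, v) for k, v in attrs if k in SAFE_ATTRS and v
                    and (k != "href" or v.lower().startswith(("http://", "https://")))]
            attr_text = "".join(' %s="%s"' % (k, html.escape(v)) for k, v in kept)
            self.out.append("<%s%s>" % (tag, attr_text))

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in SAFE_TAGS and tag != "br":
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=False))

def disarm_html(markup):
    parser = Rebuilder()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)

def disarm_message(raw):
    """Rebuild every text/html part; other parts pass through unchanged here."""
    msg = message_from_string(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            part.set_content(disarm_html(part.get_content()), subtype="html")
    return msg

# Constructed sample message, not a real phishing e-mail.
SAMPLE = ("Subject: Memorial Day deals\nMIME-Version: 1.0\n"
          "Content-Type: text/html; charset=utf-8\n\n"
          '<html><body><p onclick="track()">Save 20% and '
          '<a href="https://shop.example/deals">donate</a> or '
          '<a href="javascript:run()">claim</a></p>'
          "<script>loadPayload()</script></body></html>\n")
```

The rebuilt message keeps its readable text and ordinary links, while anything outside the allowlist is never copied into the output, so the result does not depend on recognising a known-bad signature.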
Aviv Grafi, CTO, Votiro