You’re Not One of the 30% of Americans Who Open Malicious E-Mails. You’re Too Savvy. Well, Even an Expert Can Get Stung.
In a recent study of 1,000 American adults, 30% admitted they would open a suspicious email. Women were tempted to open emails with invitations from social networks. You can probably guess what got men to open emails – money, power and sex (not necessarily in that order). Of the people who did open malicious emails, one out of eleven had their systems infected.
And, as it happens, users who open malicious attachments at home are likely to do the same at work. Why not? One of the perks at work is there’s generally readily available free tech support.
In the survey 15.9% of malicious emails purportedly came from financial institutions, 15.2% from social media sites such as Facebook or Twitter and 12.8% from online payment services, like PayPal.
Steve Ragan, in an article on csoonline.com, quotes Anti-Phishing Working Group (APWG) figures that in the first quarter of this year, there were more than 74,000 unique phishing campaigns with over 110,000 hijacked domains and more than 1,100 brands targeted.
Ragan goes on to note that phishing kits are relatively inexpensive and the time to develop a workable campaign takes a few hours. Therefore, “the attack surface is large, and the pool of potential victims is rather full. Combine this with a reported 30 percent success rate, and the criminals behind these campaigns are more than likely pleased with their ROI.”
Chris Hadnagy, the President and CEO of Social-Engineer, Inc., observes, “It is important to remember that as an attacker, often, all I need is one person with a vulnerable browser or software or client and that can give me access to click. So from an attacker’s perspective, a 30% success rate is a great number for broad attacks.”
David Kennedy, the creator of the Social Engineer Toolkit, said, “It only takes about an hour or so to craft up a ‘pretext’ or attack that we know will be believable. It only takes the employee to believe the fantasy is real in order for them to click something…these are completely obscure emails that have no relevance or believability in a lot of cases and it’s still a 30 percent success ratio…For us, the attacks have moved from the external perimeter to the (social engineering) route because of the ROI.”
What it takes to drive up an attacker’s success rate is to make the malicious email relevant to the recipient. Kennedy notes that a good example would be health benefits because they impact the recipient personally and also are in line with day-to-day business operations. “If health benefits are in jeopardy and they need to do something that will take two minutes out of their lives to remediate and fix, they will do it without rhyme, reason or thought,” offers Kennedy.
But even smart, savvy experts can slip up on occasion. Hadnagy, who ran the Social Engineer Capture the Flag (SECTF) contest at DEF CON, a conference for security experts, made a large number of purchases for the contest from Amazon.
Hadnagy explains, “Rushed, behind the 8-ball and trying to get 500 things done at once I (wasn’t) thinking when I received an email that said: ‘One of your Amazon Purchases was declined &’. I almost clicked through until I double-checked the URL and saw it went to a (domain) in Russia.
“Even someone who does this for a living can fall for these things. Why? We are all human. No one is 100 percent all the time. Condition, psychology, curiosity, fear, greed — these are common themes that attract and make us react. I think this sounds typical for most people.”
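The check that saved Hadnagy, looking at where a link actually goes rather than at the brand name it displays, can be automated on the receiving side. The following is an added example, not code from the original post or from ThreatMetrix: it pulls every link out of a message body and flags any whose host is not the expected brand domain or a subdomain of it. The brand table, the sample message and the lookalike hosts (all under the reserved `.example` TLD) are constructed for this example.

```python
import re
from urllib.parse import urlparse

# Brands and the registrable domains their legitimate mail links to.
# Constructed table for this example; a real filter keeps its own list.
EXPECTED_DOMAINS = {
    "amazon": {"amazon.com"},
}

# Rough link extractor: an http(s) URL up to the next whitespace or tag/quote character.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def link_host(url: str) -> str:
    """Return the lowercase host of a URL.

    urlparse().hostname already drops userinfo ("amazon.com@evil") and the
    port, so a link that puts the brand name before an '@' is seen for what
    it is: the host after the '@'.
    """
    host = urlparse(url).hostname or ""
    return host.lower().rstrip(".")


def host_belongs_to(host: str, domain: str) -> bool:
    """True only if host is domain itself or ends in '.' + domain.

    A plain substring or prefix test would accept
    'www.amazon.com.account-verify.example'; the dotted suffix test does not.
    """
    return host == domain or host.endswith("." + domain)


def suspicious_links(body: str, brand: str) -> list:
    """Return (url, host) pairs for links whose host is outside the brand's domains."""
    expected = EXPECTED_DOMAINS[brand]
    flagged = []
    for url in URL_RE.findall(body):
        host = link_host(url)
        if not any(host_belongs_to(host, d) for d in expected):
            flagged.append((url, host))
    return flagged


# Constructed message body modelled on the "purchase declined" lure above.
# Only the second link really goes to the brand's own domain.
SAMPLE_BODY = """One of your Amazon purchases was declined.
Review it here: http://www.amazon.com.account-verify.example/order
Track a package: https://www.amazon.com/gp/css/order-history
Help: https://amazon.com@lookalike.example/login
"""

if __name__ == "__main__":
    for url, host in suspicious_links(SAMPLE_BODY, "amazon"):
        print(f"FLAGGED host={host} url={url}")
```

Two of the three links are flagged: the one that buries the real host behind a brand-name prefix, and the one that hides it behind an `@`. The same dotted-suffix comparison is what a reader should do by eye when hovering over a link: read the host from the right, not from the left.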
ThreatMetrix is the fastest-growing provider of integrated web fraud and cybersecurity solutions. The TrustDefender™ Cybercrime Protection Platform helps companies prevent unauthorized access to web and mobile applications, protect sensitive data, and secure transactions against account takeover, payment fraud, identity spoofing, malware, and data breaches. ThreatMetrix protects more than 1,900 customers and 9,000 websites across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government, and insurance. For more information, visit www.threatmetrix.com or call 1-408-200-5755.
To join in the cybersecurity conversation, follow us on Twitter @ThreatMetrix.