A new research report, released today by phishd by MWR InfoSecurity, reveals the extent to which employees remain susceptible to phishing attacks and freely provide user credentials such as their username and password combinations, despite user awareness and education schemes on the dangers of clicking on unverified links.
In a review of 100 recent phishd simulated attack campaigns, targeting almost a million individual users, it was revealed that social media is the most effective lure to entice users to click a link in an email, despite the emails being sent to work email accounts.
When the email was a request to connect via a social media platform, almost a quarter of users clicked the link and were taken to a fake login screen; 54.23 per cent of those then provided user credentials and 80.85 per cent downloaded a file.
Encouragingly, financial lures, such as an invoice sent for download, were the least successful, and achieved only limited success when user credentials were requested. In contrast, human resources requests were the most effective, with more than 73 per cent of users who clicked the link providing their credentials.
James Moore, managing director of phishd by MWR InfoSecurity comments, ‘The results of these simulated phishing attacks bring to the fore many security professionals’ worst fears – many users are still not savvy to the potential risks posed by targeted phishing attacks. If these attacks had been real, around 990,000 users could have been compromised.
‘With so much of our lives, both professionally and personally, now conducted online we all too often click on links and open attachments without a second thought to checking the legitimacy of the email and the sender.
‘This core behaviour is difficult to modify. More than 10 per cent of targeted users fell victim to the first two stages of our simulated attack and disclosed their user credentials, but more concerning is that out of those targeted with a social media request or a promotional offer, more than 10 per cent downloaded a potentially malicious file via their corporate email accounts.’
Key findings
· More than 60 per cent of passwords obtained were found to be between 8-10 characters – the obligatory minimum requirement for many organisations
· 34.9 per cent of passwords consisted of an upper case first letter, a series of lower case letters, and then numbers with no symbols
· Just 3 per cent of the employees targeted reported the simulated attack
· A quarter (25 per cent) clicked on the link in the phishing email
· 5.5 per cent of passwords ended in 2016, the year in which they were set
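As an added illustration (not part of the report or this article), the following Python audit scores a password set against the three weak shapes the key findings describe: length 8-10, a capitalised word followed by digits with no symbols, and a trailing set-year. A defender can run the same check over an internal password-policy audit or use `weak_reasons` as a filter at password-set time; the password list below is constructed, not the report's data.

```python
import re
from collections import Counter

# Constructed sample password set, modelled on the shapes the report describes
# (assumed to come from an internal policy audit; not the report's data).
SAMPLE_PASSWORDS = [
    "Summer2016", "Welcome1", "Password123", "Autumn2016", "Spring16",
    "qwerty", "S3cure!Pass-2019", "Monday99", "Hunter22016", "xK9#pQ2!vL",
]

# Upper-case first letter, a run of lower-case letters, then digits, no symbols
CAP_WORD_DIGITS = re.compile(r"[A-Z][a-z]+[0-9]+")

PATTERNS = ("len_8_to_10", "cap_word_digits", "ends_with_set_year")


def classify(password: str, set_year: str = "2016") -> dict:
    """Flag which of the report's three weak patterns a password matches."""
    return {
        "len_8_to_10": 8 <= len(password) <= 10,
        "cap_word_digits": CAP_WORD_DIGITS.fullmatch(password) is not None,
        "ends_with_set_year": password.endswith(set_year),
    }


def weak_reasons(password: str, set_year: str = "2016") -> list:
    """Names of the matched patterns; usable as a reject reason in a policy filter."""
    return [name for name, hit in classify(password, set_year).items() if hit]


def audit(passwords, set_year: str = "2016") -> dict:
    """Percentage of the set matching each pattern, in the style of the key findings."""
    if not passwords:
        return {name: 0.0 for name in PATTERNS}
    hits = Counter()
    for pw in passwords:
        hits.update(weak_reasons(pw, set_year))
    return {name: round(100.0 * hits[name] / len(passwords), 1) for name in PATTERNS}


if __name__ == "__main__":
    for name, pct in audit(SAMPLE_PASSWORDS).items():
        print(f"{name:20s} {pct:5.1f}%")
```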
Moore says, ‘Passwords are the gift that keeps on giving for cyber criminals. For users, remembering multiple passwords is frustrating so the same username and password are, usually, repeated across a plethora of platforms from email accounts, social media to online retailers, with often little differentiation between work or personal profiles.
‘Once hackers have the credentials combination, it is like having the keys to the kingdom. The hackers have access to a corporate environment, additional services, which don’t require any further authentication, and can change email rules or download and externally share files.’
Four proactive steps
· Monitor the internet for dumped user credentials and new attacks
· Train employees to report malicious emails
· Build controls that assume compromised credentials
· Monitor externally accessible servers, such as a mail server or VPN, for unusual activity
Moore concludes, ‘Despite continued warnings, many organisations need to stop assuming that only email could be accessed in an attack. The reality is that emails could just be the starting point for a continued attack on the organisation.
‘A hacker could dump entire mailboxes, access file shares, run programs on the compromised user’s device and access multiple systems – all with the same user credentials. Robust, and sometimes basic security controls, such as two-factor authentication or disabling file and SharePoint remote access, could be highly effective in fighting the risk of long-term credential abuse.’