Today in the Evolve IT Lab, Lachie and Jason turn their attention to phishing. Phishing emails come in all shapes and sizes, and unfortunately, no single product will fully protect your organisation from phishing attacks. A multi-layered defence against phishing attacks, combining advanced security technologies and ongoing education, is the best way to protect your organisation.
95% of successful cybercrime attacks start with phishing. Here are some examples of the devastation that phishing has caused.
In early 2017, WannaCry utilised a weakness in Microsoft’s operating systems to infect computers with a worm. When the worm was executed, it encrypted the infected operating systems, making the computer unusable. The hackers then demanded a ransom for unlocking the encryption. Australian SMEs that did not have up-to-date IT infrastructure were particularly exposed to the WannaCry attack.
Also in early May, Gmail users were targeted in a phishing operation that spread very quickly. The phishing email took down 3 million workers worldwide when they clicked on a link that looked like someone was sharing a Google Docs document with them.
A new, ruthless piece of malware named the Petya virus has spread across the world. The virus is similar to WannaCry in the way it attacks the Windows Server Message Block (SMB) service, which is used to share files across local networks. This variant also tries to hack the admin password so it can spread itself across the network utilising the Windows remote admin tools.
PetrWrap hit Europe with an assault on Tuesday, targeting high-profile businesses and rendering their devices useless. Webroot released a statement saying, "Once the machine is infected, the computer will immediately restart to what looks like a ‘chkdsk,’ (check disk) but isn’t." Below is an image of what the check disk looks like.
Lachie: G'day guys and welcome to the Evolve IT Lab. My name is Lachie, and we got Jase back, welcome again, Jase.
Jason: G'day, Lachie. Hello everyone.
Lachie: All right. Today, Jase, we are gonna talk about phishing: what it is, how they achieve it, what their goals are. I think it's a really interesting topic and something that we certainly get haunted with on a daily basis, cybercriminals and how they manipulate certain data. So let's get started. Why don't you explain what phishing is?
Jason: Okay, so phishing is essentially social engineering with the aim of stealing sensitive information.
Lachie: Yeah, right. Okay. So, once they get the information, what are their goals?
Jason: Okay, essentially it's about theft, and it's about making money. So cybercriminals are motivated by money, and they use phishing as a mechanism to make money.
Lachie: Yeah. Okay, cool. So, within those goals are they targeting certain individuals or is it something...
Jason: Yeah, absolutely. They're looking for people in positions of authority or just key decision makers, people who might have access to really sensitive business information.
Lachie: Yeah, okay. Someone that's got a lot of respect in the company perhaps. Okay. So, once they got their goals, how do they achieve those goals?
Jason: Yeah. So, they'll use the internet much the same way that you and I already do. They'll search for a target, and they'll use social media. They'll use information that they can find about the company, they'll look for things that can match up, and they'll use that to build a profile on someone with the aim of targeting that person.
Lachie: Yeah, right. And so how do they target the people? Like, what information could you expect that you'd get from one of these cybercriminals in the phishing attack?
Jason: Yeah. So, they'll be looking to try and steal password information, they'll be looking at trying to access perhaps sensitive financial information, and it will often look like it comes from an entity or a business that that person may well know and know really well.
Lachie: Yeah, right. Okay, cool. So, now that we know what their goals are, how they are gonna actually achieve it, how can people protect themselves from a phishing attack?
Jason: Yes, so probably the big thing would be education, just getting an understanding about what phishing is and the mechanisms that cybercriminals use to exploit, you know, the people to try to make money out of that information. They'll use social media, they'll look at what information is publicly available, and education is probably key there. There are obviously tools like security software, network appliances, all these things play a part, but education is really important.
Lachie: Brilliant. So, once people are educated and everything like that, they should be able to fight back against phishing I guess.
Jason: Yeah, be able to recognise it, see it for what it is, mitigate that threat.
Lachie: Brilliant. I'd recommend everyone does a web search on themselves just to find out how much information is out there on you, because I was surprised when I did a Google search on myself, yeah.
Jason: I think most people are, and I don't think people realise how much information is publicly available about you.
Lachie: Yeah, great. Okay, well, certainly an interesting topic, and I'm sure we haven't heard the last of it, but get out there, do a Google search on yourself. And hopefully, you got a lot of value out of this video.
Lachie: Thank you. See you next time.
HOW EVOLVE IT CAN HELP?
At Evolve IT, we understand the unique challenges of organisations and have helped a range of businesses improve their cybersecurity.