Phishing Isn’t Always about the Benjamins

If you can step back and look at it objectively, phishing is a bit of an art form. Unlike ‘regular’ spam, which often intentionally dumbs it down to weed out the skeptical, phishing campaigns are generally well-crafted and well thought-out, and in some instances targets are researched ahead of time so the lure can be customized. The most effective phishing campaigns come in the form of emails that are virtually indistinguishable from the real thing. Phishing is arguably the most dangerous form of spam, because the risk of financial loss is greater. But it can be even more dangerous to misunderstand the threat, and if you thought phishing was all about the dollars and cents, you’d better think again.

It’s natural to focus on things like bank fraud and information theft for the gain of money when thinking about phishing. But what if phishing is more than that? Think about the recent theft of celebrity photos from iCloud. That’s a perfect example of phishing for gain other than money, and in that attack, the damage was disastrous for those affected. It affected Apple’s reputation, and reputation is money. In fact, it’s opened the company’s iCloud service up to other potential attacks.

It affected the celebrities whose pictures made it out into the wild, both emotionally and financially. Lawsuits cost money. The emotional toll could affect the ability to work. And yes, we’re back to talking about money, but it’s not financial gain for the hackers; it’s financial loss for the victims.

PC Magazine recently published an interesting story that discusses the ‘other’ purpose of phishing. In Tasty Spam: Phishing Isn’t Just About Your Money, writer Fahmida Y. Rashid points out how security firm Cloudmark reminds us that it’s not all about the Benjamins. Phishing is one of those security threats that needs to be fully understood in order to be combated. “Phishing for financial details is highly lucrative but also high risk,” says Rashid. As one Cloudmark expert put it, “bank fraud gets more attention from law enforcement and carries higher penalties than, say, selling worthless diet pills.”

There are plenty of ways to grab information and leverage it to one’s advantage, and while it’s tempting to think the spammers are greedy little psychos who just want to impress their hacker friends with a quick financial fix, the reality is that attackers are smarter and more patient than that. “Less sensitive accounts are still valuable, since they can be used to send more spam over email, SMS, or even social networks,” writes Rashid.

The article provides several helpful examples of non-financial phishing attacks. In one instance, a blatant but brilliantly simple attack displays a splash screen listing all the major email providers and lets the user choose one, instead of the attacker having to guess which provider the victim uses. Then it’s simply a matter of entering login credentials, and voilà, the user has hacked himself.

Apple is a choice target these days. “Apple IDs are also popular phishing targets…Once stolen, these accounts may be used to send iMessage spam, or to remotely take control of iPhones and iPads. The attacker may use the ‘Find my iPhone’ feature to remotely lock the device, and then demand the victim pay a ransom to regain control.” Again, there’s financial gain here, but not the kind we normally associate with phishing.

And even gamers aren’t safe. With a glut of MMO games out there like Star Wars: The Old Republic, The Elder Scrolls Online, and World of Warcraft, to name a few, the landscape is a target-rich environment for attackers. “If you play games, keep an eye on your video game accounts. Criminals may be reselling in-game items to other players who are willing to spend real money to get these objects. Even though most modern games launch with two-factor authentication features, gaming accounts are still getting compromised. The above email tricks users into thinking they need to take attention.”

Craigslist is another target for phishers, who will try to steal login details for the email accounts behind listings. And PayPal, an old standby for attackers, is still out there as a target, but Cloudmark points out that it’s not as popular as it used to be, perhaps because “PayPal’s fraud detection algorithms have gotten better, more mail servers are checking for DKIM signatures (if a message doesn’t have a valid PayPal DKIM signature, then it is flagged as a forgery), or PayPal’s users are just savvier about these messages.” That DKIM point is worth dwelling on: a forged PayPal message can carry a perfectly valid DKIM signature from some unrelated bulk-sending domain, so the useful check is not “is there a DKIM pass?” but “does the passing signature’s domain match the domain in the From: header?”
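The following is an added example (not code from the original post, PC Magazine or Cloudmark) of the kind of DKIM-alignment check a receiving mail server or mail filter can apply. It assumes the receiving MTA has already done the cryptographic DKIM verification and recorded the outcome in an Authentication-Results header stamped with its own authserv-id (here the assumed value mx.example.net); the sample messages, the protected domain list and the verdict strings are all constructed for the illustration. Only results written by our own MTA are trusted, because a sender can prepend a fake Authentication-Results header of their own.

```python
"""Flag mail that claims a protected From: domain (e.g. paypal.com) but
carries no DKIM pass whose signing domain aligns with that From: domain.

Added example; not from the original article.  Assumes the receiving MTA
verified DKIM and recorded it in Authentication-Results (RFC 8601)."""
import email
import email.utils
import re
from email import policy

AUTHSERV_ID = "mx.example.net"          # assumed authserv-id of *our* MTA
PROTECTED_DOMAINS = ("paypal.com",)     # domains whose mail must align

# --- Constructed sample messages (not real PayPal mail) ------------------
LEGIT_RAW = """\
Authentication-Results: mx.example.net; dkim=pass header.d=paypal.com header.s=pp-dkim1
From: "PayPal" <service@paypal.com>
To: victim@example.org
Subject: Your receipt

Thanks for your payment.
"""

# Valid DKIM signature, but from an unrelated bulk-sender domain.
FORGED_RAW = """\
Authentication-Results: mx.example.net; dkim=pass header.d=cheap-bulk-sender.example header.s=k1
From: "PayPal" <service@paypal.com>
To: victim@example.org
Subject: Your account has been limited

Click here to restore access.
"""

# Sender pre-stamped a bogus Authentication-Results; ours says dkim=none.
SPOOFED_AR_RAW = """\
Authentication-Results: attacker.example; dkim=pass header.d=paypal.com
Authentication-Results: mx.example.net; dkim=none
From: "PayPal" <service@paypal.com>
To: victim@example.org
Subject: Verify your identity

Please confirm your details.
"""

UNRELATED_RAW = """\
Authentication-Results: mx.example.net; dkim=none
From: "Alice" <alice@example.org>
To: victim@example.org
Subject: Lunch?

Noon works for me.
"""


def from_domain(msg) -> str:
    """Lower-cased domain of the RFC5322.From address ('' if absent)."""
    addr = email.utils.parseaddr(str(msg.get("From", "")))[1]
    return addr.rpartition("@")[2].lower()


def dkim_pass_domains(msg, authserv_id: str) -> set:
    """Signing domains (header.d) with dkim=pass, taken only from
    Authentication-Results headers stamped by our own authserv-id."""
    domains = set()
    for hdr in msg.get_all("Authentication-Results", []):
        authserv, _, results = str(hdr).partition(";")
        tokens = authserv.strip().split()
        if not tokens or tokens[0].lower() != authserv_id:
            continue  # not written by us: could be attacker-supplied
        for m in re.finditer(r"dkim=pass\b[^;]*?\bheader\.d=([A-Za-z0-9.-]+)",
                             results):
            domains.add(m.group(1).lower())
    return domains


def aligned(dkim_d: str, from_dom: str) -> bool:
    """Relaxed alignment: equal, or one is a subdomain of the other."""
    return (dkim_d == from_dom
            or dkim_d.endswith("." + from_dom)
            or from_dom.endswith("." + dkim_d))


def classify(raw: str, authserv_id: str = AUTHSERV_ID,
             protected=PROTECTED_DOMAINS) -> str:
    """Return 'not-in-scope', 'authenticated' or 'forgery-suspected'."""
    msg = email.message_from_string(raw, policy=policy.default)
    fd = from_domain(msg)
    if not any(fd == p or fd.endswith("." + p) for p in protected):
        return "not-in-scope"
    if any(aligned(d, fd) for d in dkim_pass_domains(msg, authserv_id)):
        return "authenticated"
    return "forgery-suspected"


if __name__ == "__main__":
    for name, raw in [("legit", LEGIT_RAW), ("forged", FORGED_RAW),
                      ("spoofed-AR", SPOOFED_AR_RAW), ("unrelated", UNRELATED_RAW)]:
        print(f"{name:12s} -> {classify(raw)}")
```

The alignment rule here is a simplified version of DMARC’s relaxed identifier alignment; a production filter should run real DKIM verification (or trust only its own verifier’s results, as above) and then honor whatever DMARC policy the From: domain publishes in DNS, rather than hard-coding a protected-domain list.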

It’s a new world out there, and we need to be vigilant, every hour of every day. But remember when you’re performing your threat assessments that phishing, while it may still be about the almighty buck, is also about credentials, reputation, and access that can be turned into money later.