Q3 2014 State of the Internet Security Report – Emerging Trends: Phishing Attacks

Selected excerpts

Akamai’s Q3 2014 State of the Internet - Security Report explores the growing threat posed by phishing attacks. The report describes a politically motivated attack campaign by the Syrian Electronic Army (SEA) and discusses the ongoing risk to enterprises.

In Q3 2014, multiple phishing attacks targeted Google Enterprise users in order to harvest user credentials and gain access to third-party content feeds. Hacktivists compromised the feeds on popular media websites such as CNN, the Associated Press and others.

Third-party content often appears to the user as links to similar articles or sponsored links to commercial sites. Third-party content on a website will be generated using cascading style sheets (CSS) and JavaScript or Flash. The first block of <script> tags pulls in content from the third-party site. When a user loads the page, this JavaScript code will run in the context of the site in which it is loaded. Because the content runs within the Document Object Model (DOM) of the page, JavaScript loaded from the content provider may be able to access and affect other portions of the page.

Phishing attacks

In the summer of 2013, Akamai first observed the Syrian Electronic Army (SEA) targeting media outlets. Attackers sent an email to a large number of employees in a targeted company or its third-party content provider, luring the recipients to click a link. Using this technique, the SEA were able to successfully phish credentials from employees and deface target sites or their social media accounts, or deface a target by attacking a third-party content provider.

Attackers Mine Gmail for More Credentials

After the phishing site harvests a user’s credentials, the attackers are notified and use the credentials to log into the victim’s Google account, which may provide access to valuable information.

The attackers look through the Gmail account’s inbox, trash, sent items, and contacts for useful confidential information, such as passwords, server names, and names of contacts within the company or with partners. Items in Google Docs, Google Voice and Gmail have all been made accessible to the attacker. With access to an employee’s enterprise Gmail account, an attacker can send spear phishing messages to target the employee’s contacts in the same company and at other firms. The attacker will have valuable contextual information from the victim’s stored emails to craft better messages that may get others to compromise their own accounts.
Prevention and mitigation

Phishing attacks always require fooling a user into giving up their authentication credentials, so the first step to prevention is user training. SEA primarily targets media agencies that publish articles about Syria’s President Bashar al-Assad. A targeted company should be on high alert for phishing scams and have proper user training about what a phishing attack can look like.

Sites that use third-party content should have a plan for quickly disabling defaced content and have a third-party-free version of the site ready to use in an emergency. A static version of third-party content, pulled from the site’s own servers, can fill in temporarily. All sites that use third-party content providers should periodically check to ensure that the feeds are coming from the expected locations, and providers should continually check to ensure that the content being served is the correct and intended content.

Get the full Q3 2014 State of the Internet – Security Report with all the details

Each quarter Akamai produces a quarterly Internet security report. Download the Q3 2014 State of the Internet – Security Report for:

• Analysis of DDoS attack trends
• Bandwidth (Gbps) and volume (Mpps) statistics
• Year-over-year and quarter-by-quarter analysis
• Application layer attacks
• Infrastructure attacks
• Attack frequency, size and sources
• Where and when DDoSers strike
• How and why attackers are building DDoS botnets from devices other than PCs and servers
• Details of a record-breaking 321 Gbps DDoS attack
• Syrian Electronic Army (SEA) phishing attacks target third-party content providers
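
The recommendation under Prevention and mitigation, to periodically check that third-party feeds are coming from the expected locations, can be run as a scheduled audit of the published page. The sketch below is an added example, not part of the Akamai report: the page URL, hostnames and sample HTML are constructed, and the https check is an extra assumption beyond the report's wording.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags (and the attribute on each) that pull active or embedded content into a page.
RESOURCE_ATTRS = {"script": "src", "iframe": "src", "embed": "src", "object": "data", "link": "href"}

class ResourceCollector(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.resources = []  # (tag, absolute URL) in document order
    def handle_starttag(self, tag, attrs):
        attr = RESOURCE_ATTRS.get(tag)
        attrs = dict(attrs)
        if attr is None or not attrs.get(attr):
            return
        # Only stylesheet <link>s load content; skip canonical, icon, etc.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower().split():
            return
        self.resources.append((tag, urljoin(self.page_url, attrs[attr].strip())))

def audit_page(html, page_url, expected_hosts):
    """Return findings for third-party resources outside the expected locations."""
    collector = ResourceCollector(page_url)
    collector.feed(html)
    own_host = urlsplit(page_url).hostname
    findings = []
    for tag, url in collector.resources:
        parts = urlsplit(url)
        if parts.hostname == own_host:
            continue  # first-party content served from the site's own servers
        if parts.hostname not in expected_hosts:
            findings.append((tag, url, "unexpected host"))
        elif parts.scheme != "https":
            findings.append((tag, url, "expected host, but not loaded over https"))
    return findings

# Constructed sample page and hostnames (assumptions for illustration only).
PAGE_URL = "https://news.example/story.html"
EXPECTED_HOSTS = {"widgets.recs-provider.example"}
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="https://widgets.recs-provider.example/feed.js"></script>
</head><body>
<script src="//cdn.unknown-host.example/feed.js"></script>
<iframe src="http://widgets.recs-provider.example/sponsored.html"></iframe>
</body></html>"""
if __name__ == "__main__":
    print(audit_page(SAMPLE_HTML, PAGE_URL, EXPECTED_HOSTS))
```

A non-empty result is the signal to investigate and, if needed, switch to the static, third-party-free version of the page that the report advises keeping ready.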
The more you know about cybersecurity, the better you can protect your network against cybercrime. Download the free Q3 2014 State of the Internet – Security Report at http://www.stateoftheinternet.com/security-reports today.

About stateoftheinternet.com

StateoftheInternet.com, brought to you by Akamai, serves as the home for content and information intended to provide an informed view into online connectivity and cybersecurity trends as well as related metrics, including Internet connection speeds, broadband adoption, mobile usage, outages, and cyber-attacks and threats. Visitors to www.stateoftheinternet.com can find current and archived versions of Akamai’s State of the Internet (Connectivity and Security) reports, the company’s data visualizations, and other resources designed to help put context around the ever-changing Internet landscape.