If you get an email from someone who quotes poetry at you before demanding bitcoin under the threat of physical violence, don’t panic – you’ve probably just been hit by a phishing attack.
Phishing accounts for the vast majority of cyber attacks suffered by individuals and businesses – about 95 percent of them, according to Oren Falkowitz, CEO of the anti-phishing cybersecurity firm Area 1 Security. Phishing attacks can take many forms, but the extortion variety described here usually begins when an attacker sends the intended victim an email designed to get their attention, or “hook” them (the name is a play on “fishing”), by convincing the victim that the attacker holds some sort of leverage over them, and then demands payment.
Cryptocurrency has gained popularity as a method of payment for attackers for several reasons. Digital assets like bitcoin (BTC), Dash (DASH), or Monero (XMR) let an attacker collect payment without opening a bank account in their own name: bitcoin addresses are pseudonymous rather than truly anonymous, while Monero is private by default and Dash offers optional mixing, but none of them ties a wallet to a verified identity the way a bank does. The prices of these assets also tend to be volatile, which means an ill-gotten haul paid in cryptocurrency can potentially go from $1 million to $2 million. Of course, it can also go the other way…and like some investors, some criminals appear willing to roll those dice.
Still, a lot of phishers prefer to be paid through ordinary bank transfers. Area 1 Security recently published a cybersecurity report, “Phishing With Fear,” which identified 48,000 unique bitcoin addresses used by cybercriminals to collect almost $950K between January and May 2019, but according to Falkowitz, current trends don’t indicate that cryptocurrency is replacing conventional transfers as the phishers’ preference. “We see it all,” Falkowitz said. “We’ve gotten reports of people getting demands for money transfers, and we trace the transfer to, for example, a legitimate bank in Hong Kong, and by the time someone gets a hint of what has happened, the money has been moved from that account elsewhere…Certainly, the anonymity of bitcoin offers some advantages…but I wouldn’t say attackers exclusively use bitcoin. It’s one element we outline in the report, but it has by no means replaced traditional transfer methods.”
Falkowitz said that although attackers generally send phishing emails to millions of people, they usually see relatively few successes; of the 4.8 million emails that the firm analyzed, only 1,600 led to the victims opening the emails and paying the attacker or attackers. “You can look at that as a percentage and say it’s very small,” he said, “but from an attacker’s point of view, it’s never been easier to send 4.8 million emails!” He also said it cannot be overstated that those who fall for phishing attacks typically don’t do so out of malice, stupidity, or incompetence. “In 100 percent of these examples,” he said, “users believe that they are doing the right thing…because they believe the request – the ‘lure,’ the ‘hook’ – is authentic. If I work for the Disney company and I get an email from Bob Iger, I’m not gonna tell him, ‘well, I thought your use of the Oxford comma was a little funny, I thought it didn’t sound like you’ – I’m going to respond immediately.”
In addition to posing as an executive at a victim’s company, hackers will often use empty threats of physical violence or blackmail, Area 1 wrote in “Phishing With Fear.” One of the examples given in the report came from an individual who received a message that a mercenary hired by the hacker had hidden explosives at their place of business. Another example came from a victim who received a message claiming that the hacker had hijacked the victim’s webcam and recorded them while viewing pornography, and would publish the video unless they received a payment of $989 worth of bitcoin.
A common thread among phishing attacks is the imaginative ways attackers find to get around security systems and to convince people to pay. Defenses like secure email gateways (SEGs) and spam filters lean heavily on sender reputation: they stop mail from addresses, domains and IP ranges already known to be malicious. That reputation is cheap to reset. A cybercriminal need only create a new Gmail account, which arrives with the clean reputation of a major provider and is sent from that provider’s own, legitimately authenticated infrastructure, so nothing about the sender itself looks wrong to the filter.
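As an added illustration, not code from Area 1 or from the article, the following Python sketch contrasts the two kinds of check: a sender-reputation lookup, which a freshly created webmail account passes, and a display-name check that holds mail when a protected executive’s name arrives from an address outside the organisation. The domain example.com, the protected name, the blocklist entry and the three sample messages are all assumptions constructed for the example.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed environment for this example (all constructed): the defended
# organisation's domain, the executive names worth protecting, the senders a
# reputation filter has already learned to block, and common freemail domains.
ORG_DOMAINS = {"example.com"}
PROTECTED_NAMES = {"bob iger"}
SENDER_BLOCKLIST = {"known-bad@badmail.example"}
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}

# Constructed sample messages; only the headers matter here.
KNOWN_BAD = (
    "From: Bob Iger <known-bad@badmail.example>\n"
    "To: staff@example.com\n"
    "Subject: Urgent transfer\n\n"
    "Wire the funds today.\n"
)
FRESH_FREEMAIL = (
    "From: Bob Iger <bob.iger.ceo.office@gmail.com>\n"
    "To: staff@example.com\n"
    "Subject: Urgent transfer\n\n"
    "Wire the funds today.\n"
)
LEGITIMATE = (
    "From: Bob Iger <bob.iger@example.com>\n"
    "To: staff@example.com\n"
    "Subject: Board deck\n\n"
    "Slides attached.\n"
)


def _sender(raw):
    """Return (display name, address, domain) parsed from the From header."""
    name, addr = parseaddr(message_from_string(raw).get("From", ""))
    domain = addr.rsplit("@", 1)[1].lower() if "@" in addr else ""
    return name, addr.lower(), domain


def reputation_verdict(raw):
    """What a sender-reputation check alone decides: block known-bad senders only."""
    _, addr, _ = _sender(raw)
    return "block" if addr in SENDER_BLOCKLIST else "allow"


def impersonation_reasons(raw):
    """Reasons to hold the message that do not depend on sender reputation."""
    name, _, domain = _sender(raw)
    normalized = " ".join(name.lower().split())
    reasons = []
    if normalized in PROTECTED_NAMES and domain not in ORG_DOMAINS:
        reasons.append("protected display name on an external address")
        if domain in FREEMAIL_DOMAINS:
            reasons.append("sender is a free webmail account")
    return reasons


if __name__ == "__main__":
    samples = (("known-bad", KNOWN_BAD),
               ("fresh-freemail", FRESH_FREEMAIL),
               ("legitimate", LEGITIMATE))
    for label, raw in samples:
        print(label, reputation_verdict(raw), impersonation_reasons(raw))
```

The known-bad sender is blocked by reputation, but the fresh Gmail account sails through that check and is caught only by the display-name rule; the real internal message passes both. In a production gateway the protected-name list would be built from the directory and fuzzy-matched against lookalike spellings, which this sketch does not attempt.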
Hackers can also confuse text analysis software by filling an email with irrelevant text. “We’ve also seen a lot of attackers sort of spoof the text analyzers by inserting gibberish, or even poetry,” Falkowitz said. “By including sonnets and Byron, and you know, Mary Shelley – all this stuff in an email – the analyzer is saying, well, less than one-tenth of a percent [of the email] says, ‘send me money,’ so it doesn’t look that bad.” More often than not, when phishing attacks evolve, it isn’t the technology that gets more sophisticated. “We actually don’t see any real advances from a computer science perspective – I mean, setting up a wallet, and adding a link to a bitcoin wallet, I would call that computer science…the main thread of evolution is through the improvement of authenticity.”
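To make the dilution concrete, here is an added Python example (not Area 1’s analyzer, and not code from the article) that runs a naive keyword-ratio scorer and a presence-based indicator check over three constructed messages: a short extortion note, the same note buried in repeated public-domain verse, and a benign message that happens to mention bitcoin. The sample messages, the bitcoin address in them, the keyword list and the 5 percent threshold are all constructed for the example.

```python
import re

# Constructed sample messages; not taken from the Area 1 report.
EXTORTION = (
    "I have your webcam footage. Send $989 in bitcoin to "
    "1ExampLeAddrEssForTestingPurposes within 48 hours or the video goes "
    "to every contact in your address book."
)
# Public-domain verse (Byron, "She Walks in Beauty") repeated as padding,
# the way the article describes attackers padding with poetry.
PADDING = (
    "She walks in beauty, like the night\n"
    "Of cloudless climes and starry skies;\n"
    "And all that's best of dark and bright\n"
    "Meet in her aspect and her eyes:\n"
    "Thus mellow'd to that tender light\n"
    "Which heaven to gaudy day denies.\n"
) * 6
PADDED_EXTORTION = PADDING + EXTORTION + "\n" + PADDING
BENIGN = (
    "Hi team, the Q3 newsletter on bitcoin custody is attached for your "
    "review. No action is needed; let me know if you have questions."
)

# The naive analyzer: what share of the words look like an extortion demand?
# Keyword list and threshold are assumptions for the example.
SUSPICIOUS_WORDS = {"bitcoin", "btc", "monero", "webcam", "footage", "video",
                    "send", "pay", "hours", "publish", "explosives", "contact"}
RATIO_THRESHOLD = 0.05


def suspicious_ratio(text):
    """Fraction of word tokens that appear in SUSPICIOUS_WORDS."""
    words = re.findall(r"[a-z']+", text.lower())
    hits = sum(1 for w in words if w in SUSPICIOUS_WORDS)
    return hits / len(words) if words else 0.0


def ratio_flag(text):
    return suspicious_ratio(text) > RATIO_THRESHOLD


# The presence-based check: padding cannot remove an indicator that is there.
BTC_ADDRESS = re.compile(
    r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{8,87})\b")
PAYMENT_DEMAND = re.compile(r"\b(?:send|pay|transfer)\b[^.\n]{0,60}?\$\s?\d", re.I)
THREAT = re.compile(
    r"\b(?:webcam|footage|video|explosives?|publish|expose|leak|contacts?)\b", re.I)
DEADLINE = re.compile(r"\bwithin\s+\d+\s+(?:hours?|days?)\b", re.I)


def extortion_indicators(text):
    return {
        "btc_address": bool(BTC_ADDRESS.search(text)),
        "payment_demand": bool(PAYMENT_DEMAND.search(text)),
        "threat": bool(THREAT.search(text)),
        "deadline": bool(DEADLINE.search(text)),
    }


def indicator_flag(text):
    """Require a way to pay plus a reason to pay, so a lone keyword is not enough."""
    ind = extortion_indicators(text)
    return (ind["btc_address"] or ind["payment_demand"]) and (ind["threat"] or ind["deadline"])


if __name__ == "__main__":
    for label, msg in (("extortion", EXTORTION),
                       ("padded", PADDED_EXTORTION),
                       ("benign", BENIGN)):
        print(f"{label:10} ratio={suspicious_ratio(msg):.3f} "
              f"ratio_flag={ratio_flag(msg)} indicator_flag={indicator_flag(msg)}")
```

The bare extortion note scores around 30 percent suspicious and is flagged by the ratio scorer; wrapped in a few hundred words of Byron it drops near 1 percent and slips under the threshold, while the indicator check still fires because the address, the demand, the threat and the deadline are all still in the message. Requiring two independent categories before flagging is what keeps the benign newsletter, which only mentions bitcoin, from being caught.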
So, what’s the best way to deal with a phishing attempt like this?
For one thing, it’s wise to contact law enforcement if you receive threats of physical violence under any circumstances, and to keep the message, including its headers, rather than deleting it, since that is what investigators and your mail provider will need. Besides that, Falkowitz suggests not spending money on cybersecurity services that don’t get provable results. “If you look at the past five years, people have been spending billions of dollars on cybersecurity solutions…they’re all spending money but they’re not seeing any better results.”
As Benjamin Franklin once said, “He that would phish must venture his bait.” Well, okay…he was talking about fishing, not phishing. Still, it’s worth remembering that phishing attacks are designed to manipulate people by playing on their emotions. Paying the attacker – especially in cryptocurrency – may get rid of them in the short term, but it makes it much more likely they will strike again.