Unfortunately for internet users, hackers have developed increasingly sophisticated methods and malware for the purposes of stealing sensitive (and potentially profitable) information.
This occurs in all industries, but it has become especially common for hackers to focus on stealing employee tax information from companies with the intention of filing false tax returns and/or stealing a person’s identity.
The situation has worsened to the point that the IRS issued an alert to human resources and payroll professionals earlier this month. The alert cautioned professionals regarding an emerging phishing email scheme that purports to be from company executives and requests personal employee data.
“This is a new twist on an old scheme using the cover of the tax season and W-2 filings to try tricking people into sharing personal data,” explained IRS Commissioner John Koskinen. “Now the criminals are focusing their schemes on company payroll departments… If your CEO appears to be emailing you for a list of company employees, check it out before you respond. Everyone has a responsibility to remain diligent about confirming the identity of the people requesting personal information about employees.”
Spearphishing attacks tend to be so devastatingly effective because they are difficult to identify, both for human beings and for automated defenses.
“These scams do not generally have any active payload. They don’t have an attachment. They don’t have a URL of any sort that a traditional email security solution can associate with malicious behavior,” explained Vidur Apparao, CTO of Agari. “Most of these attacks are pure social engineering.”
Social engineering refers to attacks that don’t involve writing code to steal data, but instead require that a human be fooled into providing data to a malevolent and dishonest user.
“Eighty-five percent of these attacks [are] coming from public cloud infrastructure,” Apparao continued. “The fact that they’re coming from legitimate infrastructure makes them almost invisible to existing security solutions.”
The spike in social-engineering attacks requires that companies educate their members all the way down the corporate ladder, so that entry-level workers with access to sensitive information cannot be fooled into giving it up.
“An entry-level HR person with access to personnel information may not have the same level of training for spotting social engineering and phishing that a high-level exec does,” stated Travis Smith, a security researcher with Tripwire.
This issue is further worsened by the fact that the attacks themselves are growing increasingly sophisticated and difficult to identify. “The criminals that are sending these phishing emails are getting increasingly efficient in how they’re attacking their victims,” reiterated Smith. “They’re doing a lot of profiling before they send these emails. They’re doing background research. They’re investigating a company’s business activities.”
That means any automated phishing-identifying solution is going to have to be pretty subtle to do its job effectively. Security company ZapFraud seeks to create exactly that with a patent it was awarded in early March. The patent allows for software that detects email scams using what ZapFraud calls “storylines.”
“While you can’t enumerate all the ways a scam email can be produced, you can enumerate the building blocks,” explained Markus Jakobsson, CTO of ZapFraud. “By identifying the building blocks in a message, you can determine when something matches a story associated with risk.”
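The building-block idea can be sketched for the executive W-2 request described in the IRS alert. This is an added illustration, not ZapFraud's patented method or code; the block names, storyline definitions, regular expressions, organisation domain, executive names and sample messages are all assumptions constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"            # assumed: the company's own mail domain
EXECUTIVES = {"jane doe", "sam lee"}  # assumed: executive display names (constructed)
DATA_RE = re.compile(r"\bw-?2s?\b|\bpayroll\b|\bssn\b|social security|employee (list|records)", re.I)
URGENT_RE = re.compile(r"\b(urgent(ly)?|asap|immediately|right away|end of day)\b", re.I)

def _domain(addr):
    return addr.rpartition("@")[2].lower()

def building_blocks(raw):
    """Return the names of the building blocks found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    text = msg.get("Subject", "") + "\n" + "\n".join(
        str(p.get_payload()) for p in msg.walk() if not p.is_multipart())
    found = set()
    if name.strip().lower() in EXECUTIVES:
        found.add("claims_executive")
    # Sender is outside the organisation, or replies are routed to another domain.
    if _domain(from_addr) != ORG_DOMAIN or (
            reply_addr and _domain(reply_addr) != _domain(from_addr)):
        found.add("sender_mismatch")
    if DATA_RE.search(text):
        found.add("asks_employee_data")
    if URGENT_RE.search(text):
        found.add("urgency")
    return found

# A storyline is a set of blocks that must all be present in the same message.
STORYLINES = {
    "executive_w2_request": {"claims_executive", "sender_mismatch", "asks_employee_data"},
    "pressured_data_request": {"sender_mismatch", "asks_employee_data", "urgency"},
}

def matched_storylines(raw):
    blocks = building_blocks(raw)
    return sorted(n for n, need in STORYLINES.items() if need <= blocks)

# Constructed sample messages: no attachment and no URL in either one.
SPOOFED = ("From: Jane Doe <jane.doe@example.com>\nReply-To: jane.doe@mail.example.net\n"
           "Subject: W-2 copies\n\nPlease send me the W-2 for every employee right away.\n")
ROUTINE = ("From: Jane Doe <jane.doe@example.com>\nSubject: Staff meeting\n\n"
           "Can we move Thursday's staff meeting to 3pm?\n")

if __name__ == "__main__":
    print(matched_storylines(SPOOFED), matched_storylines(ROUTINE))
```

No single block is alarming on its own: the routine message also carries an executive's name, and only the combination of blocks raises a flag.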