This may be the season to be jolly, but it's also the season to be wary of hackers in the most unforeseen places. As people rush to get their shopping done using unfamiliar websites, giving out their personal information online, and throwing caution to the wind, the holidays provide the perfect opportunity for hackers to take advantage of unsuspecting consumers. Unfortunately, it's this sort of high-risk behaviour that gives hackers the opportunity to go after what they want most: users' personal information, which they can use to make fraudulent purchases or to perform targeted attacks.
Similar to how companies research various potential revenue streams before deciding to dedicate resources towards building that business, hackers today meticulously research various attack options and timing to determine when, how and where to launch attacks, analysing a slew of factors before choosing a specific target and type of attack. In fact, looking back over the last several years, it is possible to identify patterns and trends in terms of the attack type and frequency.
Phishing vs. Spear-Phishing
Before we outline the Hacker's Calendar, it is important to understand the type of attacks we are describing, which mostly consist of phishing and spear-phishing. While Phishing attacks are mass-targeted, spear-phishing attacks, commonly known as Targeted Attacks, are tailored to a specific individual.
Phishing attacks, for example, still the easiest form of social engineering, are achieved by casting a wide net of fraudulent emails to thousands, if not millions, of recipients. By spamming large groups of people, the “phisher” hopes that a percentage of people will actually be spoofed and directed to visit a website where they may be asked to update personal information, such as a password, credit card, or social security number that the legitimate organisation already has. Of course, the website is phony and will capture any information the user enters on the page.
Targeted attacks, on the other hand, are much more sophisticated and are organised to attack a specific person or organisation. Often these attacks are carried out over several months, utilising social media to learn about a target, thus ensuring a successful attack. For the spear-phishing attack, there is no pre-determined schedule that hackers tend to follow, unlike with phishing attacks that tend to be more common around major events or holidays, when hackers can take advantage of a person's vulnerabilities.
Deciding when to attack
So, what are the factors that a hacker considers before choosing a specific target and type of attack? The main thing for a hacker to bear in mind before initiating an attack is what type of information he wants: credit card numbers? Social security numbers? Email addresses? Banking information? Based on the type of information he hopes to uncover, the hacker will determine when and where to attack. To understand this more clearly, lets break the year down a bit.
The first quarter of the year may see an increased number of attacks aimed at insurance companies, healthcare organisations or government entities as enrollment opportunities often occur towards the end of the previous year. Over the first several months of 2015, for example, hackers attacked insurance companies to gain access to the huge databases housing millions of Social Security/National Insurance numberss. In January, a major hack on insurance giant Anthem, allowed fraudsters to access the personal information of over 80 million people, while in March health insurer Premera found that hackers had exposed data on another 11 million people. As open enrollment for health insurance typically begins in November and December, it is logical to expect that we would see these types of cyber-attacks at the beginning of the year. In fact, Anthem pointed out that the data breach likely began as early as 10 December, and that related intrusions likely continued until 27 January, when suspicious database queries were first detected.
Staying up-to-date on enrollment cycles and keeping track of important dates helps hackers plan their strategy and find the best time to attack. In this case, phishing attacks can come in very handy, as new enrollees are often unsure of how to fill out new documents.
As tax filers scramble towards the April tax deadline, so do hackers, making April a great month for hackers to acquire personal information like social security numbers or banking information. Crafting a creative phishing email that can convince a victim to click on a link promising early tax rebates or tax reductions, is all part of the game. A user falling for the scam simply follows the link to a spoofed website, inserting their personal details right into the hands of the hackers, who need only two things to pull off tax fraud: your name and national insurance number. It's no wonder that statistics show hackers gained access to the personal information of more than 104,000 taxpayers this spring alone.
Q3 brings with new graduates eagerly awaiting their chance to enter the workforce. For hackers, this means a fresh group of targets, as students are often inadequately prepared for the majority of cyber-challenges that will face in the 'real world.' A young employee who has never received a spear-phishing e-mail may not realise how hackers write e-mails tailored and targeted to a specific recipient or organisation. They may also be unaware of the implications of clicking on a malicious link, and usually their social media profiles will provide attackers with the intelligence they need to perform a targeted attack, which may come in the form of a highly convincing email to an individual or small select group of employees, convincing them to click on an e-mail attachment installing a malicious software on their system. The attachment may, for example, purport to be a PDF file from an HR director, with information for new hires or it may be disguised to look like a message from your actual bank to set up payment options.
As Christmas approaches, hackers tend to get very busy- especially from late November through the New Year. With the increase of buying goods online, it's the perfect time for cyber-criminals to gain access to, and exploit, the personal information of online shoppers.
We can especially expect to see a rise in phishing campaigns during this time of year, since these attacks are often less goal-oriented, more opportunistic and most effective in exploiting human emotions.
So, how can you prepare yourself during this busy season to stay ahead of the holiday fraudsters?
Below are a few things to be aware of:
· Electronic greeting cards that may contain malware
· Credit card applications or online shopping advertisements from bogus retailers
· Phony shipping notifications
· Fake requests for charitable contributions
There are endless opportunities for a hacker during this time of year making these more “simple” and sneaky attacks likely to be seen in the coming months.
A few important tips to remember before the holiday rush:
1. Make sure your protection is up-to-date;
2. Never open suspicious or unexpected attachments;
3. Do not give out personal information
4. Be suspicious. If something looks too good to be true, it usually is;
5. Be sure that the email address you receive emails from is authentic before clicking on any links inside the email, and;
6. Remember that you are the last line of defence.
Happy (and safe) Holidays!
Contributed by Itay Glick, CEO and Founder of Votiro