Q3 2014 Phishing Attacks Against Third-Party Content


Upload: akamai

Post on 13-Apr-2017


Q3 2014 State of the Internet Security Report – Emerging Trends: Phishing Attacks

Selected excerpts

Akamai’s Q3 2014 State of the Internet – Security Report explores the growing threat posed by phishing attacks. The report describes a politically motivated attack campaign by the Syrian Electronic Army (SEA) and discusses the ongoing risk to enterprises.

In Q3 2014, multiple phishing attacks targeted Google Enterprise users in order to harvest user credentials and gain access to third-party content feeds. Hacktivists compromised the feeds on popular media websites such as CNN, the Associated Press and others.

Third-party content often appears to the user as links to similar articles or sponsored links to commercial sites. Third-party content on a website will be generated using cascading style sheets (CSS) and JavaScript or Flash.

The first block of <script> tags pulls in content from the third-party site. When a user loads the page, this JavaScript code will run in the context of the site in which it is loaded. Because the content runs within the Document Object Model (DOM) of the page, JavaScript loaded from the content provider may be able to access and affect other portions of the page.

Phishing attacks

In the summer of 2013, Akamai first observed the Syrian Electronic Army (SEA) targeting media outlets. Attackers sent an email to a large number of employees in a targeted company or its third-party content provider, luring the recipients to click a link.

Using this technique, the SEA were able to successfully phish credentials from employees and deface target sites or their social media accounts, or deface a target by attacking a third-party content provider.

Attackers Mine Gmail for More Credentials

After the phishing site harvests a user’s credentials, the attackers are notified and use the credentials to log into the victim’s Google account, which may provide access to valuable information. The attackers look through the Gmail account’s inbox, trash, sent items, and contacts for useful confidential information, such as passwords, server names, and names of contacts within the company or with partners. Items in Google Docs, Google Voice and Gmail have all been made accessible to the attacker.

With access to an employee’s enterprise Gmail account, an attacker can send spear phishing messages to target the employee’s contacts in the same company and at other firms. The attacker will have valuable contextual information from the victim’s stored emails to craft better messages that may get others to compromise their own accounts.

Prevention and mitigation

Phishing attacks always require fooling a user into giving up their authentication credentials, so the first step to prevention is user training. SEA primarily targets media agencies that publish articles about Syria’s President Bashar al-Assad. A targeted company should be on high alert for phishing scams and have proper user training about what a phishing attack can look like.

Sites that use third-party content should have a plan for quickly disabling defaced content and have a third-party-free version of the site ready to use in an emergency. A static version of third-party content, pulled from the site’s own servers, can fill in temporarily.

All sites that use third-party content providers should periodically check to ensure that the feeds are coming from the expected locations, and providers should continually check to ensure that the content being served is the correct and intended content.
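One way a site operator could run the periodic check described above, as an added example that is not part of the Akamai report: it scans a page's static markup for the tags that load CSS, JavaScript or Flash, compares each resource origin with an allowlist, and selects the third-party-free version when anything unexpected appears. The host names, the sample page and the HTTPS requirement are assumptions made for the illustration.

```javascript
// Added example: audit which origins a page pulls embedded content from.
// Host names are constructed placeholders; the HTTPS rule is an assumption.
const EXPECTED_ORIGINS = new Set([
  'https://www.news-site.example',     // the publishing site itself
  'https://widgets.recommend.example', // contracted third-party provider
]);

// Constructed sample markup: one expected feed, one unknown host, one Flash
// embed over plain HTTP, one inline script (no URL to check).
const SAMPLE_PAGE = `
<head>
<link rel="stylesheet" href="/css/site.css">
<script src="https://widgets.recommend.example/loader.js"></script>
<script src="//cdn.unknown-host.example/feed.js"></script>
</head><body>
<embed src="http://widgets.recommend.example/promo.swf">
<script>var inline = 1;</script>
</body>`;

// Collect URLs referenced by tags that load CSS, JavaScript or Flash.
function extractResourceUrls(html, pageUrl) {
  const tagRe = /<(script|link|iframe|embed|object)\b[^>]*?\b(?:src|href|data)\s*=\s*["']([^"']+)["']/gi;
  const found = [];
  for (const m of html.matchAll(tagRe)) {
    // Resolve relative and protocol-relative URLs against the page URL.
    found.push({ tag: m[1].toLowerCase(), url: new URL(m[2], pageUrl) });
  }
  return found;
}

// Report every resource that is not HTTPS or not from an expected origin.
function auditPage(html, pageUrl, expected = EXPECTED_ORIGINS) {
  const findings = [];
  for (const { tag, url } of extractResourceUrls(html, pageUrl)) {
    if (url.protocol !== 'https:') {
      findings.push({ tag, url: url.href, reason: 'not-https' });
    } else if (!expected.has(url.origin)) {
      findings.push({ tag, url: url.href, reason: 'unexpected-origin' });
    }
  }
  return findings;
}

// Any finding means: serve the third-party-free version until reviewed.
function renderMode(findings) {
  return findings.length === 0 ? 'live' : 'static-fallback';
}

console.log(auditPage(SAMPLE_PAGE, 'https://www.news-site.example/world/story.html'));
```

This covers only resources named in the delivered HTML; content that a provider's script injects at run time is not visible to a markup scan and needs a check in a real browser session.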

Get the full Q3 2014 State of the Internet – Security Report with all the details

Each quarter Akamai produces an Internet security report. Download the Q3 2014 State of the Internet – Security Report for:

• Analysis of DDoS attack trends
• Bandwidth (Gbps) and volume (Mpps) statistics
• Year-over-year and quarter-by-quarter analysis
• Application layer attacks
• Infrastructure attacks
• Attack frequency, size and sources
• Where and when DDoSers strike
• How and why attackers are building DDoS botnets from devices other than PCs and servers
• Details of a record-breaking 321 Gbps DDoS attack
• Syrian Electronic Army (SEA) phishing attacks target third-party content providers

The more you know about cybersecurity, the better you can protect your network against cybercrime. Download the free Q3 2014 State of the Internet – Security Report at http://www.stateoftheinternet.com/security-reports today.

About stateoftheinternet.com

StateoftheInternet.com, brought to you by Akamai, serves as the home for content and information intended to provide an informed view into online connectivity and cybersecurity trends as well as related metrics, including Internet connection speeds, broadband adoption, mobile usage, outages, and cyber-attacks and threats. Visitors to www.stateoftheinternet.com can find current and archived versions of Akamai’s State of the Internet (Connectivity and Security) reports, the company’s data visualizations, and other resources designed to help put context around the ever-changing Internet landscape.