Executive Viewpoint 2013 Prediction: PhishMe
If 2012 was the year of BYOD, 2013 will be the year of mobile malware designed to take advantage of it. We have seen a growth in consumer apps that violate privacy, for example by tracking your GPS data, but in 2013 we will see criminals targeting mobile device users, specifically with the intention of getting inside their corporate email system. For example, if a user receives an email (or SMS) that appears to be from a friend, suggesting that they check out a wonderful new app, then they can easily be tricked into clicking a link they shouldn’t. (Especially is it is much harder on a mobile device to check the underlying URL for a link or the email headers – signs that will show an experienced user that something isn’t quite what it seems.) Just that one click could install malware on the device, which accesses your corporate email account and sends out emails to your colleagues, perhaps directing them to another link to download more malware onto your corporate network. If users have devices that they use for both personal and corporate purposes, they must be security aware. Just like your colleagues wouldn’t appreciate you coming into a work with the flu, because you might pass it on to them, don’t let your infected mobile device do the same to the corporate network! It all comes down to user education – so unsuspecting employees don’t fall victim.
Another trend we’ll see more of in the security space is an evolution of spear phishing. Currently a phisher might send an email to John saying “It was great to meet you at XYZ event last week, here’s a link to some of the research we covered on the day which might be interesting to you” (because the criminal has seen from his Twitter feed that John was at an event last week). But John might not remember meeting that person and might feel a bit suspicious and not click on the link. However, criminals are starting to build up trust by using a two-pronged approach to spear phishing (using pre-texting or post-texting) to try to make the automated emails seem more human. So the criminal might initially send an email to John saying ‘It was great to see you at XYZ event last week, I’m just working on a report that I think you might find interesting – I’ll send it over to you tomorrow.” And lo and behold, tomorrow comes, John receives the email he has been told to expect, and his defences are down – so he is much more likely to click the link. And the criminal has his way in to the network. The best technological defences are unlikely to stop an email like this, so you have to train your users what to look out for.