The CMU CERT team I referred to in my last post also has some interesting analysis on the actual mechanics of these phishing attacks. Based on reviewing their incident database, the CERT team was able to categorize phishing attacks into two broader types: single- versus multi-stage.
What’s the difference? Think of single-stage as catching lots of small phish, and multi-stage as landing the big one.
Single-Stage Attacks: Mass Marketing
In a single-stage attack, the hacker is interested in collecting information on a specific user. They accomplish this through a volume approach: blasting out emails, and hoping to get some small percentage of click-throughs. It’s essentially mass marketing applied to phishing. The CMU folks have learned that response rates are roughly between 3% and 11%. So hackers probably know in advance the yields they’ll achieve from the campaigns based on their various lists.
Single-stage phishing is the one we often come across in our inbox—i.e., FedEx shipment waiting, credit card cancelled, etc. Once the bait is taken, the hackers receive personal data directly from the user, who has typically been tricked into entering details into a web form—credit card, social security numbers, passwords, etc.
Multi-Stage Attacks: The Business Class of Phishing
Multi-stage is the better planned, deadlier attack launched by more sophisticated cyber-thieves. In this case, the hackers are not interested in obtaining just basic personal data from a single user.
According to CERT, the “response and information capture” phase (see the graphic below) now has multiple parts: hackers probe the system to obtain higher privileges with the goal of finding more granular data (PII, IP), possibly learning about system internals for another attack, finding additional phishing targets, or even using the data to target more high-value phish—executives.
While the academic community continues to explore why we click on some obviously spammy stuff, the CERT team has some solid advice on mitigation:
- Organizations need to view compliance not as an obstacle to job productivity, but as an essential part of an employee’s responsibilities.
- IT needs to deploy more programs to train staff on identifying social engineering schemes.
- There should be a focus on improved tools for computer and network defense and cyber monitoring.
Varonis eBook explains how phishing works: get our free Anatomy of a Phish!
Image credit: Presus museum