FEATURE
remembering that dark web markets aren’t
reliable, accurate or regularly available.
Infighting, scamming and competition are
rife and volatility is high.
That said, we should be optimistic
about the future. The bad guys aren’t the
only ones using disruptive technology. By
focusing on data as a core asset and cyber-
enabled fraud as a supply chain of stolen
and leaked data, organisations have a great
chance to mitigate the impact of breaches.
About the author
Emily Wilson is vice-president of research at
Terbium Labs, an information security and
data intelligence start-up based in Baltimore,
US. She is responsible for tracking industry
news and trends among actors on the dark
web, including specific breach operations,
popular targets and the appearance of new
The art of phishing:
past, present and future
Adam Binks, SysGroup
What may seem like one of the oldest tricks in the cyber criminal handbook
is on the rise – phishing. These scams are becoming so common and advanced
that it’s often difficult to discern between genuine and fake emails, and the vast
majority of cyber attacks begin with a phishing email.1
These scams prey on our instinctual
responses to panic; they threaten loss of data
or account details, hoping that you will click
through immediately and give up your infor-
mation. However, 23% of phishing emails
are still opened, with 12% of those targeted
clicking on the infecting link. That means
that protecting companies against human
error should be a top priority. In short, we
know that the key to combating phishing is
to look within companies to eliminate the
risk of naive individuals that hackers prey on
to click a link or image in an email.
The risks
With an estimated 3.7 billion people send-
ing around 269 billion emails each day,
April 2019 Computer Fraud & Security
sites for trading or discussing stolen data. She
provides analysis for Terbium Labs’ custom-
ers on the appearance of their information
online, along with ongoing analysis on the
appearance of fraud, drugs, weapons, extrem-
ism and other information. As a dark web
expert, Wilson has spoken at several industry
tradeshows and conferences, including RSA,
Inside the Dark Web and Data Connections.
She is frequently quoted in press articles
and is a routine guest on The Cyberwire
weekly podcast. Wilson has a background in
international relations and foreign policy,
with an emphasis on post-Cold War Eastern
Europe. She has worked with the Institute
for the Theory and Practice of International
Relations at the College of William and
Mary on a project to analyse foreign policy
trends among academics and decision makers.
Wilson has spent her career working with
it’s no wonder that phishing is the most
common form of attack. However, as peo-
ple become savvier and the fight against
hackers gets stronger, we are seeing these
criminals find different ways to target vic-
tims, with social media and mobile phone
app attacks on the rise. In a business envi-
ronment, these phishing campaigns can
include tricking employees into download-
ing malware as a route to theft or engaging
with a fake social media profile.
We’ve seen cases where cyber criminals
have used regular contact via emails or
direct messages to build up trust over
a number of months, or years in some
cases, with employees targeted for spe-
cific data or information. This can be as
simple as an email address or a password,
start-ups across a variety of industries, with
a particular focus on research and product
development. She has a degree in interna-
tional relations from the College of William
and Mary.
References
1. ‘Into the Web of Profit’. Bromium.
Accessed Mar 2019. www.bromium.
com/resource/into-the-web-of-profit/.
2. ‘The world’s most valuable resource
is no longer oil, but data’. The
Economist, 6 May 2017. Accessed
Mar 2019. www.economist.com/lead-
ers/2017/05/06/the-worlds-most-valua-
ble-resource-is-no-longer-oil-but-data.
3. ‘2018 Cost of a Data Breach Study’.
IBM/Ponemon Institute. Accessed
Mar 2019. www.ibm.com/security/
data-breach.
Adam Binks
or as obviously incriminating as banking
information or personal details. While,
separately, small pieces of data may not
mean much, when placed in the hands of
a hacker they are everything they need to
carry out criminal activity online.
The approaches that hackers take vary
and there are new trends emerging all the
time, but it nearly always involves a sub-
ject line designed to catch the user’s eye.
Claiming the user is a competition winner
is a popular one among hackers targeting
retail customers, while email spoofing has
caught out many an employee in a busi-
ness setting. Appearing to have been sent
from a service provider or a member of
your own team, spoof emails are designed
to catch busy workers off-guard. They
usually ask you to follow a link and input
personal or company details, or to open an
attachment laced with malicious software.
9
 FEATURE
Sophisticated phishing
While everyday phishing attacks remain
one of the biggest threats to businesses
worldwide, a more sophisticated form of
phishing is also on the rise and has argu-
ably worse consequences. This is a result of
people becoming more aware of Internet
scams, meaning that cyber criminals
are getting smarter and staying one step
ahead of people’s scepticism. Also referred
to as spear-phishing, it is a much more
advanced way of targeting a specific group
or individual, tailoring an attack based on
their job function to increase the chance of
the email being opened and actioned.
CEO fraud, also known as business
email compromise (BEC) is an example
of this, which sees phishers use names of
co-workers or business partners to make
an email, direct message or social plat-
form look legitimate – posing as the CEO
of the company and sending an email
from a spoof account to the CFO asking
for an urgent payment to be made and
discussed later, for instance. This relies on
the assumption that the CFO would fail
to question the motives of the boss and
would make the transfer immediately.
Sophisticated scams like this generally
take more time to set up and execute but
have a bigger impact if successful. What’s
worrying is that a recent study released by
Mimecast revealed that there was an 80%
increase in sophisticated phishing attacks
that impersonated someone familiar to
the targeted individual.
Think practical
With all of this in mind, what steps can
companies take to ensure they are as
secure and prepared as possible when
it comes to the war against phishing?
We’ve all read about the large-scale data
breaches across the world, but relatively
few stop to think about how they hap-
pened, who is responsible and how their
own actions could impact the company
for which they work.
First, it’s important to remember that
email is the route in for many phishing
10
Computer Fraud & Security April 2019
attacks, so having the right technology
measures in place, such as anti-virus soft-
ware and robust firewalls, is key. Not only
do they protect emails, they also keep IT
infrastructure safe, too, protecting against
other common threats and potential hacks.
Company-wide education is also
important in combating or preventing
these attacks. Training may seem like a
simple idea, but it is the most effective
way to prepare for a phishing attack.
It needs to spread further than the IT
department, making all employees aware
of what phishing attacks look like, the
risks they pose and steps to take in case of
a breach. There are training courses avail-
able with external security companies that
can help, too. For example, Kaspersky
and WatchGuard take companies
through a number of training sessions
to improve their security. These include
role-playing common scenarios and
encouraging employees to make errors in
a controlled environment in order to spot
potential threats going forward.
Initial and ongoing training is critical
when it comes to mitigating the internal
risk of sophisticated phishing. The whole
team should be onboard from the start
to ensure everybody is on the same page
with policies and processes. It should also
be part of any induction when bringing
in new team members and there should
be regular updates with the entire team to
keep the risk front of mind.
Look out for mistakes
While cyber criminals are getting smarter
and attacks are often well disguised, there
are some standout points to train employees
to look out for when it comes to phishing.
The first, and arguably the most obvi-
ous, point is that if an offer in an email
looks too good to be true, it’s almost
certainly a spam email. Whether it’s
an extravagant free holiday or even just
vouchers for your favourite store asking for
you or your company’s details, the chances
are it’s fake.
Poor spelling or grammar is another big
giveaway. It’s unlikely that a professional
organisation will send emails with these
sort of mistakes – or at least not often – so
they’re a good sign that something isn’t
right. The same goes for email addresses –
spoofing works by using a similar name or
email combination with a few small, often
unnoticeable, differences. Combat this by
encouraging your team to keep an eye on
the sender’s address to ensure the message is
from who it says it is from.
Another point to consider is shortened
links. This is a tactic used by attackers to
disguise a fake web address and relies on a
busy worker not having the time to check
if it is legitimate. If you don’t have a
reason to trust someone who’s sent you a
shortened link or you’re not sure why you
would have received it, you can search for
a shortened link checker online. If you’re
still not sure after that, don’t click on it.
Put a plan in place
On a business level, there are some stra-
tegic processes that can be put in place to
help protect against such phishing threats.
Having pre-emptive methods to deal with
potential system breaches, for example,
should be a priority. This includes regular
reviews, analysis of the company’s cyber
security strategy, regular training and hav-
ing the right technology in place. When
coupled with robust mail filtering and
advanced firewall technology systems,
organisations are one step closer to pre-
empting the risk.
Post-attack measures should also be
considered. A ready and tested phishing
incident management policy should be
put in place so that if a member of staff
does accidentally click on a link that caus-
es a breach then everybody knows what
to do, who to report it to and when, and
where to look for possible infection. The
faster you act on this threat, the less dam-
age it will have on the company.
What lies ahead
What has been a threat for more than 20
years is likely to continue, simply due to
the fact that it is easy for a hacker to carry
 FEATURE

out. And it still works. No matter how
many large-scale phishing attacks we read
about in the news, there are still employ-
ees that will click questionable links or
download dubious attachments that let
criminals into the company. Cyber crimi-
nals will always try to stay one step ahead,
thinking of the next clever idea to get
access to our data or systems.
The key to mitigating and controlling
this threat lies in training employees to
know what to look out for, while being
prepared with recovery measures in the
event of a breach. If you can impress one
thing upon employees, let it be this: if
something looks ‘phishy’, it probably is.
Besides employee training, putting that
all-important resilient and security proof
technology in place is key to winning
the war against hackers.
About the author
Adam Binks joined SysGroup in 2014
and was appointed as CEO in April
2018. He has extensive experience in the
managed IT, hosting & telecoms sectors
across his 18-year career. Binks has pre-
viously held a number of senior manage-
ment & board level positions. Prior to
joining SysGroup, he was sales & techni-
cal director at Vispa, a managed hosting
and connectivity provider.
Reference
1. ‘New Mimecast Report Detects
400% Increase in Impersonation
Attacks’. Mimecast, 6 Jun 2017.
Accessed Mar 2019. www.mime-
cast.com/resources/press-releases/
dates/2017/6/new-mimecast-report-
detects-400-increase-in-impersona-
tion-attacks/.

Avoiding the weaknesses

of a penetration test
Fabrizio Baiardi, Università di Pisa Fabrizio Baiardi

A penetration test is a traditional solution for evaluating and improving the

robustness of an ICT system. Such tests can be comprehensive, but problems
can arise when deciding how to use its results to select the countermeasures and exploit. Collect includes all the activi-
against a successful penetration. These problems may explain the successful ties used to discover information on the
attacks against systems that previously passed such tests. So, it’s useful to look target system, such as its hardware and
at some theoretical explanations of the weaknesses of a penetration test and
software modules, its topology, the con-
suggest some alternatives.
figuration of the operating systems and,
The increasing complexity of ICT systems able on their target. The main goal of run- most important, the weaknesses and vul-
has led to the adoption of red team strate- ning a penetration test is not to attack a nerabilities of its modules. The two main
gies to assess their robustness with respect system but to improve the system’s robust- mechanisms used to collect information
to intelligent attackers.1-4 This solution ness. Hence, the red team should report are fingerprinting and vulnerability scan-
overcomes the lack of formal tools and any weakness or vulnerability it discovers ning. Exploit includes all the activities to
metrics for the assessment. The most wide- so that the owner can select and deploy the attack a module and to acquire privileges,
ly adopted red team strategy is the pene- proper countermeasures. which the team uses to collect further
tration test where the owner of a system The activities of the red team result in information or to implement further
assigns to the red team the task of attack- building an attack chain or a privilege attacks in its escalation.
ing the system. The assignment includes escalation because the team can control The red team interleaves collect and
the goal of the attack – ie, the information the modules of interest only after acquir- exploit activities in the test because it
the team should steal or the system mod- ing the control of some intermediate can attack a module only after collecting
ules it should control – and the attack may modules or nodes. Hence, alternative information on its vulnerability. On the
only occur after deploying the system. A descriptions of a penetration test are other hand, it can collect information
deadline for the test may also be set. building an attack chain or implement- only after controlling some modules. By
Usually, the red team works in a stealthy ing a privilege escalation or moving in a choosing how to interleave these two
way to evaluate whether the system admin- lateral way in the target system. activities, the red team chooses its solu-
istrators and/or the intrusion detection sys- tion for the collect or exploit dilemma.
tems can discover the attack. Furthermore, Collect and exploit Let’s exemplify the collect or exploit
the team receives little or no information dilemma with an example: consider the
on the target system, to mimic a scenario The two main activities of a red team as segmented network in Figure 1 and
where attackers have no information avail- it tries to build an attack chain are collect assume the red team goal is to control

11
April 2019 Computer Fraud & Security