More cybercriminals are encrypting their phishing websites according to a report from Phishlabs. The report reveals that 58% of the phishing websites in the first months of 2019 were using the secure HTTP protocol. This is a 12% jump compared to the last quarter of 2018.
#Phishing are now massively using #https. Pro-tip, the "lock" doesn't mean it's safe. https://t.co/Y0awMjQSaF
— Adlice (@AdliceSoftware) June 21, 2019
Expert Comments:
Usman Rahim, Digital Security and Operations Manager at The Media Trust:
“HTTPS as a security defense was more effective when websites ran mostly owned and operated code. That has changed. Now that third-party code predominates on such sites, most code on a website runs outside of the owner’s IT perimeter. This means the activities of visitors of an encrypted site are visible to third and Nth parties. And since those third/Nth parties tend to have weak security defenses and are popular attack targets, they make visitors all the more vulnerable to snooping, theft, and fraud.”
Corin Imai, Senior Security Advisor at DomainTools:
“To ensure that the general public was informed of the risks, the FBI issued a warning earlier this month inviting citizens not to use a padlock on an address bar as a benchmark for the security of the website they are visiting. This, in addition to typing URLs of websites holding sensitive data, rather than accessing them from a link received via email, is among the best practices that all organisations should train their workforce on: reversing the phishing trend will only be possible through a collective effort to spread information.”
Tyler Owen, Director of Solution Engineering at CipherCloud:
“This highlights a paradigm shift that needs to occur with security organizations where the crown jewels are the data, not the assets themselves. Once organizations begin to focus on the data, more than the locations where the data sits, they will become secure. Had this data been encrypted with technology that prevented the data from being exported in a clear-text, unencrypted format, 2.7 million Canadian citizens would not have their data out on the internet now. Ben Franklin’s quote, “An ounce of prevention is worth a pound of cure” rings as true today as when he said it. The technology that would have prevented this breach is certainly cheaper than the cost of credit monitoring and the reputation hit Desjardins will take.”
Colin Bastable, CEO at Lucy Security:
“So Desjardins’ security systems, policies and procedures did not alert them even after the event. How embarrassing. Thank heavens for the Thin Blue Line. Perhaps the employee was planted – there have been a series of similar inside jobs at UK banks recently. The credit monitoring agencies will be excited – money for old rope.
The knowhow and technology to prevent this sort of nonsense has existed for years, but apparently the desire is widely lacking.”
Ben Goodman, Senior Vice President, Global Business and Corporate Development, ForgeRock:
“While organizations hold their employees to a higher standard, they must utilize security measures to protect themselves from internal attacks, as well as external. This is where the notion of ‘Zero Trust’ comes into play – securing interactions for everyone. Leveraging the same security measures internally, as well as externally, ensures organizations they are protected from malicious activities, no matter where they originate.”
Robert Ramsden-Board, VP of EMEA at Securonix:
“Today there are tools which banks and other organisations are recommended to deploy to help identify insider threats before any real damage occurs. These tools utilise machine learning to understand user behaviour and alert security teams when abnormal user activity occurs.
Insider threats often get a lower level of attention and priority; however, this incident demonstrates that the consequences of such attacks can be significant. As a result, organisations are advised to give these types of attacks a bigger focus.”
Ilia Kolochenko, Founder and CEO at ImmuniWeb:
“Employee awareness and continuous education programs, as well as properly implemented internal security controls, can greatly reduce the risk of human mistake and ruin even the most sophisticated phishing attacks. However, a malicious employee is a much more complicated case. First of all, security teams are already overloaded with tasks, processes and endless alerts, and therefore frequently disregard incidents caused by presumably trusted colleagues. Worse, some of the employee’s malicious activity is technically indistinguishable from the legitimate daily work. Nonetheless, major incidents akin to this one are usually easily detectable and preventable.”