July 6, 2015
Phishers’ New Ruse: Trusted Tech Brands
Phishers focus on stealing information from email accounts because it’s easy to spoof people using a Google or Apple logo.
Most of us don’t think twice about opening and maintaining multiple free email accounts where we live out our digital lives. And we’re getting more and more comfortable by the day at downloading and using mobile apps.
Yet those behaviors can harm us. ThirdCertainty sat down with David Duncan, chief marketing officer for threat intelligence and security company Webroot, to discuss how cyber criminals are hustling to take advantage of our love of free Web mail services and nifty mobile apps.
Infographic: Where malicious phishers lurk
3C: Phishing attacks leveraging our love of Google, Apple, Yahoo, Facebook and Dropbox are skyrocketing. How come?
David Duncan, Webroot chief marketing officer
Duncan: There are 10 times more phishing attacks based on emulating tech companies than financial firms. You’d think it would be the other way around, but it’s not. The focus is on stealing information from your various email accounts because it’s easier to spoof people into acting on something that appears to come from Google or Apple than from Bank of America or Citibank.
Free resource: Stay informed with a free subscription to SPWNR
3C: Because we’re less suspicious of Google and Apple than big banks?
Duncan: Yes. Phishers prey on the fact that we see those brands as trustworthy brands.
3C: What ruses should folks watch out for?
Duncan: It’s the typical ones. You’ll get something advising you of the need to change your password or share your contacts. They’ll send you a link to click. A certain percentage of gullible users will click on the link and follow instructions to give up their credentials.
I can’t say I know of any specific new strategies other than the fact that the focus is on impersonating big domains like Google and Yahoo because people don’t think too much about something that appears to be coming from those trusted sources.
3C: Is there really a one-in-three chance the average person will fall for a phishing scam?
Duncan: Yes, there is a 30% chance of Internet users falling for a zero-day phishing attack over the course of the year. It used to be about one out of every seven phishing emails actually got through. But we’re human beings, which means we’re gullible.
3C: What about mobile apps? What’s the risk there?
Duncan: A year ago, we tracked about 8 million mobile apps, and around 75% were trustworthy and 10% were benign. So 15% were malicious or suspicious. Now we’re classifying 15 million mobile apps, and we’re finding 35% to 40% are suspicious or malicious in character.
3C: That’s a pretty significant change.
Duncan: People don’t think of installing an app on their mobile device as installing a potentially unwanted application that’s being delivered from an untrustworthy app store.
3C: So is this mostly an Android exposure?
Duncan: Probably 90% is Android, maybe 10% is iOS. Apple has a more secured kind of walled guard for verifying and authenticating the source of applications. But it also depends on what users are accustomed to. If you go over to certain geographies in the world, people may not necessarily always go to the iTunes store. There are a lot of third-party websites where even iOS apps are cheaper or they’re free.