Application security, Threat Management, Malware, Phishing, Threat Management

The time axis of evil: phishing’s golden hour

Crime analysis involves plotting data along an axis to discuss the X-Y relationships of two or more factors in a grid. In this manner trends can be quickly and visually identified.

Security company Trusteer recently released a very interesting study which plots the time of a phish against the successful percentage of victim responses showing that within 10 hours the criminal phisher's malware-hosting site will have achieved more than 90 percent of its total success:

One of our findings was eye-popping, namely, that 50 percent of phishing victims' credentials are harvested by cybercriminals within the first 60 minutes of phishing emails being received. Given that a typical phishing campaign takes at least one hour to be identified by IT security vendors, which doesn't include the time required to take down the phishing website, we have dubbed the first 60 minutes of a phishing site's existence is the critical 'golden hour.'

During the golden hour, our research suggests that:

  • More than 50 percent of stolen credentials are harvested
  • Within five hours, more than 80 percent are collated and become usable by cybercriminals
  • The first 10 hours produce more than 90 percent of the total credentials that will be stolen by any given phishing site

Therefore, blocking a phishing site after 5-10 hours is almost irrelevant.

The fact that so many internet users visit a phishing website within such a short period of time means that blocking a phishing website – which is sometimes a cracked legitimate site – within this golden hour has become absolutely critical.

Phish crush #1: Anti-spam = anti-phishing

Time and time again, the same measures used to block spam will effectively remove the threat of phishing emails sent through spam. If your employees never see the phish, the threat is effectively countered. Really important for 5–50 seat SMBs which often don't have an anti-spam solution and, therefore, must rely on endpoint anti-spam like ESET Smart Security.

Otherwise you could end up a victim of a phish/malware attack like this Orange County Escrow Owner ($465k) or this Missouri Escrow Business suing their bank. The trend is phishing'or spear-phishing, so it is preventable on a lot of levels.

Denial of spam threat = Caught in the OODA Loop

This recent study also validates the OODA Loop of cybercrime. Like this recent yet unrelated business example the cybercriminals are out-OODA'ing the good guys on a continuous basis. When they can operate within the reaction time of the good guys who blacklist or delist malicious sites fed by phishing attacks and still make up the majority of email, reactionary tactics are no longer enough.

Originally, OODA was a fighter pilot term. From Wikipedia about the OODA Loop:

Since the OODA Loop was designed to describe a single decision-maker, the situation is usually much worse than shown as most business and technical decisions have a team of people observing and orienting, each bringing their own cultural traditions, genetics, experience and other information.

It is no wonder that it is here that decisions often get stuck and the OODA Loop is reduced to the stuttering sound of 'OO-OO-OO' [2]

Top five phish crushing tactics

  1. Anti-spam = Anti-phishing. Your first Phish Crush is to simply block the attacks from ever being displayed to the target user. Easier said than done and a plethora of solutions at every level yet worth repeating because insiders dealing with IT managers and CIOs relate all the live-long day that their company's mobile laptops aren't protected with anti-spam when they're away from the network.
  2. Create your corporate social network of safety. Not just the employees within the data fortress walls are at risk from phishing, offsite removable media often brings the malware into the enterprise. Thwart this by incentivizing cybersecurity training at work and at home. One no-cost option is the free cybersecurity training offered by Securing Our eCity.
  3. Negotiate a better deal with your vendors. Negotiate a discounted employee rate for endpoint security products which include anti-spam. The example would be that if you are set to buy or renew an existing contract, make the AV vendors sweeten the deal by changing your RFP to stipulate an employee discount for your employees who choose to standardize on your endpoint or AV solution for their offsite lives. By negotiating a better rate for your employees you provide them with an incentive to jump on board the cybersecurity bandwagon, which adds an extra defensive layer to your fortress. Additionally, you could up the incentive to the employee by reworking the deal with the vendor to increase the 'discount' by kicking in a few bucks per license – with or without your employees knowing it.
  4. Deploy employee cybersecurity training, then consider it again. And again. And again. People learn through repetition and emotion. The key is to keep that 'teachable moment' of phishing from becoming a corporate catastrophe.
  5. Teach your children well and for little to no cost. The largest vector that spear-phishing cybercriminals use is social media. Facebook and MySpace unsurprisingly holds the largest population of 13–25 year olds in the Western world according to one 2010 survey. Providing and incentivizing noncorporate audience cybersecurity training for your employees' families helps harden the target against phishing through awareness. CIOs should collaborate with human resources to figure out the best avenue, however Securing Our eCity has many resources at no cost and on demand. Doing this at no cost to the company – priceless.

Plan, Do, Check, Act. TODAY.

Let's face it: Any malware picked up offsite combined with removable media could equal a breach, so education for that next layer – the employee's family – becomes an obvious low to no-cost solution, which can become incentivized through a little leadership and imagination.

Get with it, get your secondary social network educated and keep them educated and your risks will be mitigated. This isn't rocket science, but it does take some effort.

Since even the Pentagon has problems with removable media risks, access control through blocking USB drives and CDRWs from employee use isn't realistic. The other direction is to provide risk mitigation through education and cybersecurity at the lowest aggregated cost to your corporate social network.

Otherwise, the cautionary tale for any business that doesn't is clear:

Since the attack, the company has had to take out a loan to replace the money, which it was holding on behalf of its real estate clients.

"We're a title company and we had less than 48 hours to replace the money or shut down," Payne said. "After about 30 days, we converted the amount to a permanent loan that runs over 10 years at $4,300 a month. There's a lot of pucker factor going on there."

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.