“To see naked pictures of Carla Bruni click here”.
Don’t feel bad if you were tempted to follow the link. At the G20 conference in Paris in 2011, almost all those attending clicked on an attachment included with the above email. “Almost everybody who received the email took the bait,” said a government source. They got the pictures, all right, but they also downloaded a trojan horse. It is still not clear what the trojan did, besides using the participants’ address books to send similar emails to others. Experts are quite sure the email came from China and believe its purpose was to gather information. However, the details of its actions are still under investigation.
If you did happen to click on the above link, don’t worry. It was innocent. But ask yourself: weren’t you at least tempted to give it a try? How was it that educated people attending the G20 conference, people who clearly knew better, were still tempted to take the risk? Why is it that politicians who clearly know better risk their careers by having affairs, despite, no doubt, being warned by their advisors not to do so? The answer is that men are biological robots. Phishing emails of this kind exploit that attribute: in effect, they bypass the victim’s logical filters and gain administrative rights over the victim’s brain. I refer to such email ploys, which subvert normal logic while appealing to baser instincts, as ‘salmon phishing.’ Why? This requires a bit of an explanation.
Mr. Salmon is living a wonderful life in the sea. Food is plentiful and he is fat and happy chasing schools of herring with his friends. But one day Mr. Salmon feels uneasy. He has this unexplained desire to swim up a river to find a girlfriend. His friends take him aside and try to talk him out of his scheme. They logically explain how he will bang his head on rocks trying to jump over waterfalls, how bears will try to catch and eat him, how humans will try to make him bite on shiny objects with hooks on them, and how, in the end, even if he finds a girlfriend, she will invariably treat him with indifference. Then, yes, he may have his moment of fulfillment, but he will die shortly afterwards. All logic is against such a journey, but does Mr. Salmon listen to them? Of course not. Logic is the first victim of biological instinct.
Salmon phishing is a subcategory of something called ‘longline phishing’. Longline phishing is named after the fishing technique of attaching thousands of hooks to one long line. Longline phishing emails are designed to escape the attention of spam filters and offer links to what seem to be credible sites. Typical phishing attacks can be traced to one IP address, but longline attacks cannot be. Longline phishing emails are also written in perfect English with reasonable content, unlike many phishing attacks. In some way, they hope to lure you to what looks like a legitimate web site (and, often, is a legitimate web site) where you will receive the malware they want you to have. A study found that about 10% of employees who received such emails followed the links while they were connected to the company network. This percentage increased to 20% while they were away from the network, which means the malware would be on their smartphones or tablets and ready for action when they reconnected to the company network later on.
Longline phishing attacks are roughly tailored to the companies and organizations they target. Salmon phishing doesn’t need to be so well-tailored to get the desired results. Salmon phishing emails appeal to basic human instincts such as sex, romance, fear, desire for status or power, and greed. The findings of a Halon study confirm this.
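As an added example (not part of the original post), here is a small Python triage script that runs over constructed mail-gateway records and flags the two traits described in the two paragraphs above: one lure template arriving from many different source IPs (the longline signature, as opposed to a single-IP sender), and subject lines that appeal to the instincts salmon phishing targets. The pipe-separated log format, the lure word list and the IP threshold are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed mail-gateway records (not real data): source IP | sender | subject.
# The first three lines are one sender repeating itself; the remaining five are
# one lure template spread across five source IPs, the longline pattern.
SAMPLE_LOG = """\
198.51.100.7|alice@example.net|Q2 invoice attached
198.51.100.7|alice@example.net|Q2 invoice attached
198.51.100.7|alice@example.net|Q2 invoice attached
203.0.113.10|hr@payroll-update.test|Your bonus payment is ready
203.0.113.44|hr@payroll-update.test|Your bonus payment is ready!
198.51.100.91|hr@payroll-update.test|Your Bonus payment is ready
192.0.2.18|hr@payroll-update.test|your bonus  payment is ready
192.0.2.200|hr@payroll-update.test|Your bonus payment is ready.
"""

# Assumed lure vocabulary for the instincts the post names: sex, romance,
# money, status. A real deployment would tune this list to its own mail flow.
LURE_WORDS = {"naked", "photos", "bonus", "prize", "money", "dear", "friend",
              "promotion", "urgent", "winner", "reward"}

def normalize_subject(subject):
    """Lowercase, drop punctuation and collapse whitespace so small variations
    of one lure template land in the same bucket."""
    subject = re.sub(r"[^\w\s]", "", subject.lower())
    return " ".join(subject.split())

def find_campaigns(log_text, min_ips=3):
    """Group messages by normalized subject and report, per subject, how many
    messages and distinct source IPs were seen, whether the spread across IPs
    meets the longline threshold, and whether the subject carries a lure word."""
    buckets = defaultdict(lambda: {"ips": set(), "count": 0})
    for line in log_text.splitlines():
        ip, _sender, subject = line.split("|", 2)
        key = normalize_subject(subject)
        buckets[key]["ips"].add(ip)
        buckets[key]["count"] += 1
    report = {}
    for key, info in buckets.items():
        report[key] = {
            "messages": info["count"],
            "distinct_ips": len(info["ips"]),
            "longline": len(info["ips"]) >= min_ips,
            "instinct_lure": bool(set(key.split()) & LURE_WORDS),
        }
    return report

if __name__ == "__main__":
    for subject, result in find_campaigns(SAMPLE_LOG).items():
        print(subject, result)
```

A bucket that is both `longline` and `instinct_lure` is the combination the post warns about: a well-distributed mailing whose subject targets a base instinct rather than a business process.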
“One in three Americans admit they would open an unsolicited email, even if it seems suspicious, depending on its subject line. For women, spam email messages containing invites from social networks are alluring, while men are tempted to open ones with the time-tested suggestions of money, power, and sex. Specifically, the survey found that women are more likely to open emails from social-media related accounts (8.2% to 5.6%), but that men are nearly three times as likely to open unsolicited bulk emails that promise monetary rewards (9.4% to 3.8%) and far likelier to open emails professing to include naked photos of celebrities (2.8% to 0.6%).”
Remember that these are traditional spam emails that are often just filtered out. Now combine this with salmon phishing emails that are better designed and escape filtering, and you can imagine the increase in effectiveness. The Carla Bruni email was nearly 100% effective, and this alone must have encouraged other cybercriminals to use this angle. Aaron Higbee, the Chief Technology Officer at Intrepidus Group, stated that 70% to 80% of employees are fooled into taking compromising actions when they receive test spearphishing emails. This leads me to suspect that a new wave of well-designed salmon phishing emails could be the next big threat.
For years, scammers have realized that they could prey on human weaknesses. The Nigerian prince scam still works. Last year, a lawyer in Iowa, Robert Allan Wright Jr, fell for it, as did a number of other lawyers. Millions of dollars are stolen from individuals looking for romance, even though the initial email begins with such phrases as “Hello my Dear!!!” or “Hi my new friend!!!” The senders have always seen your profile on Facebook, a dating site, or somewhere undefined online. Their English needs some work. The letters include such phrases as the following:
I believe, that the majority beautiful a thing expects us in the future.
I search for the person to the one whom I shall give all high temperature of my heart.
I have a black Hairs, and brown eye.
The daddy lays the turner at a factory.
In marriage I and have not left though met the man, but it has thrown me.
But you get the picture. Still, these emails work and, in fact, romance scams are on the rise. If you wonder how anyone could be fooled, just remember Mr. Salmon. People simply want to believe that maybe someone did see their profile and maybe they are interested in a relationship with them. Both men and women fall for these scams. For both genders, the most susceptible age is between 40 and 59. Oddly enough, this is the same age at which most company workers are reaching higher positions and have more access to sensitive company data. Just imagine if the email were well written and the person wanted to give you information and photos of themselves in the form of a zip file. Sure, just like in the Carla Bruni ploy, you may get some photos and information, but that’s not all you’ll get. Remember, hackers only need to fool one person to get into a company network. The more endpoints, laptops, smartphones, and tablets connected to a network, the easier it is to break into it.
So far, I have not heard of any hackers using this exploit. For this reason, I am somewhat reluctant to mention it. I don’t want to give out any free ideas for them to make use of. However, I see such exploits as inevitable. Perhaps this information will subvert any zero-day attacks. Perhaps employees may be more cautious when clicking on links offering love, sex, money, and romance. Perhaps this will be true, but I still have my doubts. I can’t stop thinking about Mr. Salmon.
The Solution to Zero-Day Attacks: InZero System’s WorkPlay Tablet was designed to protect company information from zero-day attacks originating from poor employee decisions in opening emails or browsing. Whatever employees do on the personal side of the tablet is unable to cross over to the work side of the tablet, because the two are separated at the hardware level.