
What Phishing Actually Means

Dec 1, 2016 | 15:20 GMT

These cyberattack techniques are not simply hacks into email servers. They also have possible physical applications.


The rise of the internet and related technologies has transformed the world, revolutionizing nearly all aspects of everyday life, including crime. In September, the Global Cyber Security Leaders summit in Berlin highlighted the cyberattack tactics that pose the greatest concern to security professionals. Many of these threats transcend criminal activity and involve state or state-sponsored actors using tricks of the cybercriminal trade to advance their countries' agendas. Though the weapons used to conduct cyberattacks are relatively new — and rapidly evolving — the tactics have been around for centuries. Over the past year, several major crimes have combined the new platforms and greater access that the information age affords with the age-old art of social engineering.

This year has demonstrated the enduring popularity — and efficacy — of phishing and spear-phishing, cyberattack techniques that rely on social engineering to gain illicit access to networks and information. In August, following a yearlong doping scandal that eventually barred 118 Russian athletes from participating in the 2016 Summer Olympics, the World Anti-Doping Agency reported that Russian-backed hackers had used a phishing attack to infiltrate its networks. The attackers then stole information about athletes in the agency's database, including Yulia Stepanova, the Russian runner who blew the whistle on her country's doping program.

Though the hack in general seemed to be an attempt to incriminate other athletes, the intruders released personal details about Stepanova, such as her home address, in an apparent act of intimidation. No ill has befallen her or her family, but she had good cause for worry: The director of Russia's anti-doping agency died suddenly in February, two months after he tendered his resignation in response to the scandal. Even without evidence of foul play in his death, its timing was enough to spook Stepanova, and the passive threat against her illustrates the possible physical applications of a cyberattack.

Similarly, a spear-phishing attack on Ahmed Mansoor, an Emirati human rights activist, could have had grave repercussions offline. In August, Mansoor received a series of enticing text messages in which the anonymous sender included a hyperlink said to lead to new revelations about torture in the United Arab Emirates' prisons. Having been the target of previous spear-phishing attacks, Mansoor knew better than to click on the link and instead forwarded the messages to a Canadian research group. The group determined that the text was an attack carrying software that could have given his attackers the means to track his movement. Though it is unclear what the assailants planned to do with the information, it is easy to imagine that they might have tried to do their victim physical harm. So even as technology advances, humans are still vulnerable to the same old tricks.