The Philippines’ Post-Pandemic Phishing Problem – Part 2
We had previously discussed the rise of phishing and smishing in the Philippines, which reached pandemic-like levels during the COVID-19 outbreak and has persisted ever since. In that article, we took an in-depth look at what phishing and smishing are and explained why they are not merely an annoyance but a major problem with serious ramifications.
Among the experts we consulted were Chris Connell, Managing Director for Asia Pacific at Kaspersky; Angel Redoble, FVP & Group CISO at PLDT Group and Smart Communications and Cyber Defenders Council member; and Oscar Visaya, Country Manager for the Philippines at Palo Alto Networks. We also used details from an op-ed previously submitted to Cybersecurity ASEAN by Chua Zong Fu, Vice President, Consulting at Ensign InfoSecurity.
These same experts have contributed their insights once more in this second instalment of the two-part series, as have Eric Nagel, General Manager, APAC, at Cybereason; Miguel Correia, Application Security Analyst at Checkmarx AppSec Team; and Magni Sigurðsson, Senior Manager at Cyren Detection Technologies. Here, we will take a look at why phishing and smishing are here to stay and what can be done to counter the growing menace.
One Click Is All It Takes
Phishing is popular because it takes only one click for it to do damage. This was the case last year for several Filipino teachers, who each lost between P26,000 and P121,000 (USD $440–USD $2,055) from their accounts at the Land Bank of the Philippines. It was initially surmised that the Land Bank had been hacked, but an investigation by the state-run institution ultimately revealed phishing to be the cause.
Research firm Cyren also reported in February a large-scale smishing attack that purportedly victimised several customers of UnionBank. According to the firm, depositors were offered P10,000 (USD $200) as a special gift for being a “loyal customer.” The “offer” was sent via SMS, and it contained a link which redirected to a phishing site resembling the UnionBank login page.
“The fact that the attack is distributed via SMS text message can also make them more believable,” noted Magni Sigurðsson, Senior Manager at Cyren Detection Technologies, who confirmed there were victims but did not divulge the number of accounts compromised. He also warned Filipinos: “We will see similar attacks but the attackers will adjust or make changes to how they send out these attacks.”
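The message described above follows a recognisable shape: a "loyal customer" lure, a cash "gift", and a link whose host merely resembles the bank's real site. As an added illustration (this is not code from the article, from Cyren or from any bank mentioned), here is a small triage filter of the kind a telco or bank abuse desk could run over reported SMS text. The brand name, its allowlisted hosts and every sample message are constructed for the example; the hostname check and the lure-word list are simple heuristics, not a product's detection logic.

```python
"""Added example: heuristic triage of reported SMS for brand-impersonation
smishing.  All brands, hosts and messages below are constructed."""
import re
from urllib.parse import urlsplit

# Constructed allowlist for a hypothetical brand: the only hosts it
# legitimately links to from SMS.
OFFICIAL_HOSTS = {
    "examplebank": {"examplebank.example", "online.examplebank.example"},
}

# Lure phrases typical of the "loyal customer gift" message described above.
LURE_PHRASES = ("gift", "reward", "loyal customer", "claim", "bonus", "prize")

URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.IGNORECASE)


def extract_hosts(text):
    """Return the lowercase hostname of every URL found in an SMS body."""
    hosts = []
    for raw in URL_RE.findall(text):
        raw = raw.rstrip(".,;!)")                      # drop trailing punctuation
        if not raw.lower().startswith(("http://", "https://")):
            raw = "http://" + raw                      # urlsplit needs a scheme
        host = urlsplit(raw).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def is_official(host, brand):
    """True if host is an allowlisted brand host or a subdomain of one."""
    official = OFFICIAL_HOSTS.get(brand, set())
    return host in official or any(host.endswith("." + o) for o in official)


def is_lookalike(host, brand):
    """A non-official host that embeds the brand name (even split by hyphens
    or dots, e.g. 'examplebank-rewards.example') is treated as a lookalike."""
    if is_official(host, brand):
        return False
    return brand in host.replace("-", "").replace(".", "")


def triage_sms(text, brand="examplebank"):
    """Classify one SMS as clean / suspicious / phishing and say why."""
    lowered = text.lower()
    hosts = extract_hosts(text)
    lookalikes = [h for h in hosts if is_lookalike(h, brand)]
    offsite = [h for h in hosts if h not in lookalikes and not is_official(h, brand)]
    brand_named = brand in lowered.replace(" ", "")   # also catches "Example Bank"
    reasons = []
    if any(p in lowered for p in LURE_PHRASES):
        reasons.append("lure wording")
    if lookalikes:
        reasons.append("lookalike host: " + ", ".join(lookalikes))
    if brand_named and offsite:
        reasons.append("brand named but link leaves brand domain: " + ", ".join(offsite))
    # A lookalike host, or a brand mention paired with an off-brand link
    # (e.g. a shortener), is the impersonation pattern; lure words alone
    # only raise the message for review.
    if lookalikes or (brand_named and offsite):
        verdict = "phishing"
    elif reasons:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "reasons": reasons, "hosts": hosts,
            "lookalike_hosts": lookalikes}


# Constructed sample messages (not real traffic).
SAMPLE_SMS = [
    "Dear loyal customer, ExampleBank is giving you P10,000 as a gift! "
    "Claim it at https://examplebank-rewards.example/claim",
    "ExampleBank: your OTP is 123456. Never share it. "
    "Help: https://online.examplebank.example/help",
    "Congrats! You won a prize. Visit www.bit.example/abc",
    "ExampleBank reward waiting for you: http://bit.example/xyz.",
]

if __name__ == "__main__":
    for sms in SAMPLE_SMS:
        result = triage_sms(sms)
        print(f"{result['verdict']:<10} {'; '.join(result['reasons']) or '-'}")
```

The allowlist is the important design choice: rather than trying to enumerate every bad domain, the filter starts from the short list of hosts a brand actually uses and treats anything else that names the brand, or sits next to a brand mention, as the thing to review.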
Phishing is motivated mostly by the promise of immense financial gain—something underscored by a Bangko Sentral ng Pilipinas report that P2 billion (USD $33.9 million) worth of financial transactions may have been lost to phishing from 2019 to 2021. On top of that, Mary Rose Magsaysay, Deputy Executive Director at the Cybercrime Investigation and Coordinating Center (CICC) of the Department of Information and Communications Technology, told the Senate in its September inquiry that Filipino mobile phone users have lost “millions of dollars” to smishing.
A Worsening Problem With Far-Reaching Ramifications
Phishing is a lucrative ruse, and this is the reason Sigurðsson’s prediction will hold true. These financial ramifications can become even more pronounced when phishing—usually through Business Email Compromise (BEC)—is used to infiltrate a company’s network or system. Such a scenario is something 94% of ASEAN organisations experienced in 2021, according to Palo Alto’s “The State of Cybersecurity 2022” report.
“Attackers are always looking to infiltrate an organisation, with phishing as the usual suspect of initial access. Once businesses are compromised through this activity, cybercriminals leverage their access to initiate or redirect the transfer of business funds for personal gain,” Visaya pointed out. “Many cases showed cybercriminals were simply asking their unwitting targets to hand over their credentials—and getting them. Once they have access, the median dwell time for BEC attacks was 38 days, and the average amount stolen was USD $286,000 or P16.9 million.”
Sharing the same view is Eric Nagel, General Manager, APAC, at Cybereason. In an exclusive sit-down with CSA, Nagel describes phishing as “foundational” to something more sinister, like a hack or data breach. And it appears such is the case with two recent high-profile cyber attacks in Australia involving private health insurer Medibank and major telco Optus.
Phishing is only getting more sophisticated, yet it has actually become a lot easier to carry out because of readily accessible phishing kits. Their accessibility, though, is not even the worst part. The kits are also highly effective and sophisticated in their own right, with Visaya noting that up to 90% of phishing kits now include built-in evasion techniques that render traditional web security ineffective.
“These kits effectively provide Phishing-as-a-Service for attackers, with an off-the-shelf capability to evade detection,” Visaya explained. “Modern-day phishing attacks don’t usually involve the use of malware either, which would alert commonly deployed detection technologies. Today’s phishing is stealthy and employs many different obfuscation techniques to elude traditional web security scanning, making it a growing challenge for organisations.”
Rounding Up the Perpetrators
So, what are the relevant stakeholders doing to stop phishing/smishing attacks in the Philippines? Or should the question be, can anything be done at all to address this worsening problem?
Turns out, something is actually being done. In November 2021, the Quezon City Police District arrested 39 individuals purportedly engaged in a phishing scheme targeting foreign nationals living outside the Philippines. The arrests, carried out with the help of the Criminal Investigation and Detection Unit and the District Anti-Cyber Crime Unit, demonstrate the state’s apparent capability to go after phishing perpetrators.
State investigators and law enforcement, with the help of PLDT and Smart’s Cyber Security Operations Group, are also now on the trail of several foreign syndicates suspected of masterminding the widespread smishing in the Philippines. These syndicates, Redoble noted in a statement in September, are “working with domestic operators to purchase prepaid SIMs in bulk and use these to send smishing messages.”
These efforts by multiple sectors of Philippine society partly explain why smishing attempts have been declining somewhat since the Senate inquiry in September. The larger problem of phishing, however, remains unsolved—and Redoble, Nagel and the other cybersecurity experts CSA has consulted foresee phishing persisting for a very long time.
A People’s Problem First
That phishing will continue to be a problem is certainly bad news. But the biggest losers here, in the eyes of Redoble, are the common folk, most of whom are not as astute about cybersecurity as others. And, unlike enterprises, everyday people are mostly defenceless if they do click on that malicious link.
“More than 99% in the community who are using our cyberspace are not into this [cybersecurity] and cannot spot phishing,” explained Redoble. “So, it [phishing] will continue to be a big problem because it will victimise the most vulnerable in our community—parents, children and those who are just using the internet for their daily activities.”
A common refrain from security experts and involved stakeholders alike is to “educate” the public about cybersecurity strategies—not clicking on suspicious-looking links, ignoring unknown emails, avoiding so-and-so sites and so on. It makes sense to keep telling people about these “basic” reminders but doing so is not enough, according to Redoble.
“Unfortunately, we have been trying that approach [education] for the longest time. We tell people to install this, don’t do that, don’t this. It doesn’t work, it didn’t work, and it will still not work if that’s the only strategy,” said Redoble, who recommends instead that stakeholders such as telcos invest in protecting ordinary citizens. “We need to invest in technology that is efficient and effective, so we don’t have to tell people not to do this, not to do that—because the technology works. We need the same approach for the community, and that is why we are advocating technologies like Cybereason to be available to people, not just the enterprise.”
Put simply, Redoble wants consumers to get at least a measure of protection from modern cybersecurity technologies. And the simplest, easiest and most efficient way to do this is through telcos themselves. This should hold true for micro-, small, and medium-sized businesses that traditionally do not have a budget for cybersecurity.
Enterprises Must Invest
That is not to say the impact of phishing on enterprises is negligible. It is actually quite considerable, and it can take an organisation years before it can fully recover from a cyber incident precipitated by a successful phish. This is the reason businesses need to raise awareness among their staff about cybersecurity. They must also invest more in cybersecurity technologies.
In terms of technologies, Nagel recommends investing in at least Endpoint Detection and Response (EDR), especially given the rise of remote work, which has rendered traditional perimeter defences such as firewalls insufficient. A good EDR, according to Nagel, provides complete visibility into suspicious or abnormal behaviour—thus reducing the mean time to detect and respond to a threat.
“At a very basic level, enterprises need to build up their perimeter defences. They need more sophisticated technologies,” explained Nagel, who also underscored how cybercriminals and their methods are continuously evolving—which means cybersecurity must evolve too. “It’s [cybersecurity] always evolving. New technologies are coming online but the enterprises need to evolve at the pace the attackers are evolving. But over the past couple of years, attackers have evolved at a much faster rate than enterprises have managed.”
For Miguel Correia, Application Security Analyst at Checkmarx AppSec Team, the answer is “an intricate mix of proper investigation, regulations, audits, special techniques and mechanisms.” Audits, in particular, can help organisations find potential entry points or missing security mechanisms in their infrastructures/software while they deploy “custom honeypots for detecting information leaks and security breaches or utilise Intrusion Detection, Intrusion Prevention and Data Loss Prevention Systems.”
“The idea to retain is that to track data leaks, it’s necessary to track and log all data, devices, and users,” Correia added. “Then, on top of this, a strong regulation that heavily penalises organisations that do not comply with it is necessary to impose the push to have the said mechanisms in place. Authorities must be equipped with capable resources to help track, find, investigate and prosecute offenders.”
Living With the Cost of Digitalisation
Throughout history, humankind has been able to deal with every pandemic it has faced so far, first by figuring out how to live with it and then by eradicating its root cause—or at least rendering it as close to inconsequential as possible (by developing cures and vaccines and/or creating better health protocols).
This phishing pandemic, however, figures to have a different ending, one in which there is no end in sight. Consider it the inevitable trade-off to increasing digitalisation, where the more the world is entrenched in the digital age, the more phishing and similar threats will persist and evolve.
But there is hope, and it circles back to a point made earlier: leveraging cybersecurity technologies and evolving them continuously—and at a fast enough pace. These same technologies, however, need to be brought to the community level, where millions are potential victims without adequate protection.