How long do you think it may take cybercriminals to hack into your computer? According to a new report by cloud-based cybersecurity firm Duo Security, it may take less than half an hour for hackers using phishing email campaigns to access systems and steal sensitive information.
Duo Security collected data from 400 organisations using its free web-based tool Duo Insight, which allows internal IT teams to test employee response by sending out phishing campaign simulations. The firm said that of the 11,542 users who received such phishing emails, 31% clicked on links that could have potentially compromised systems via malware or virus attacks.
The security firm said: "In a real-world scenario, attackers can run a phishing campaign that takes only 5 minutes to put together, and within 25 minutes they've got access to corporate data resulting in a data breach. Those users who clicked the link in the phishing campaign open their organisations to hackers through unsecured internet browsers, plugins (Flash and Java), and out-of-date operating systems on their devices. Hackers can easily exploit those vulnerabilities and get even more than they would get with just a set of credentials. In this case, attackers would have complete control over the compromised device."
The phishing simulation links sent out by Duo did not install malware; instead, they prompted users to enter their login credentials. Alarmingly, 17% of users ended up providing their usernames and passwords, "giving an attacker in a real-world scenario the keys to corporate data".
The firm also noted that 62% of users receiving the phishing emails were using outdated browser versions. Since a key purpose of browser updates is to close vulnerabilities that attackers exploit, keeping users on the most recent browser version is essential to reducing the chance of a successful cyberattack.
Duo R&D engineer Jordan Wright said users are more likely to click on links when the emails are tailored with a particularly engaging title, such as "bonuses_2016.doc" with notes attached reading: "Here are the new bonuses for 2016, take a look, let me know what you think."
"For 99% of cases, just opening up the email will not be the attack vector," Wright told the Daily Dot. "We've seen cases where there are vulnerabilities in mail clients. There is one that came out in Microsoft's Outlook not so long ago, where just opening up the email could be enough to get compromised. But it's hard for businesses to tell people not to open their email. We consider clicking the link to be the attack vector that we care about."
Wright suggested that the best way to ensure that employees do not fall victim to such phishing campaigns is to encourage and "reward" those who alert their organisations to suspicious emails.
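The article reports four figures from the simulation: the share of recipients who clicked, the share who submitted credentials, the share on outdated browsers, and (implicitly, in Wright's advice) the share who reported the email. As an added example, not the article's or Duo's code and not the Duo Insight API, here is how an internal IT team could tabulate those same outcomes from its own simulation results. The event records, their field names, the User-Agent strings and the table of "current" browser major versions are all constructed assumptions.

```python
"""Tabulate outcomes of an internal phishing simulation (constructed data).

Added example: not Duo's code and not the Duo Insight API. The record
layout, sample User-Agent strings and CURRENT_MAJOR table are assumptions.
"""
import re

# Constructed sample records, one per recipient of the simulated email.
# "ua" is the browser User-Agent captured on the landing page when the
# recipient clicked (None when they did not click, since nothing is observed).
EVENTS = [
    {"user": "a@example.com", "clicked": True,  "submitted": True,  "reported": False,
     "ua": "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 Chrome/49.0.2623.112 Safari/537.36"},
    {"user": "b@example.com", "clicked": True,  "submitted": False, "reported": False,
     "ua": "Mozilla/5.0 (Windows NT 6.1; rv:48.0) Gecko/20100101 Firefox/48.0"},
    {"user": "c@example.com", "clicked": False, "submitted": False, "reported": True,  "ua": None},
    {"user": "d@example.com", "clicked": True,  "submitted": True,  "reported": False,
     "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11) AppleWebKit/601 Version/8.0 Safari/601"},
    {"user": "e@example.com", "clicked": False, "submitted": False, "reported": True,  "ua": None},
    {"user": "f@example.com", "clicked": False, "submitted": False, "reported": False, "ua": None},
    {"user": "g@example.com", "clicked": True,  "submitted": False, "reported": False,
     "ua": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/52.0.2743.116 Safari/537.36"},
    {"user": "h@example.com", "clicked": False, "submitted": False, "reported": False, "ua": None},
    {"user": "i@example.com", "clicked": False, "submitted": False, "reported": False, "ua": None},
    {"user": "j@example.com", "clicked": False, "submitted": False, "reported": False, "ua": None},
]

# Assumed "current" major versions at campaign time (placeholders, not real
# release data); an actual deployment would refresh these from vendor feeds.
CURRENT_MAJOR = {"Chrome": 52, "Firefox": 48, "Safari": 9}

# Order matters: Chrome and Safari UAs both contain "Safari/", so Chrome is
# tested before the Safari pattern, which keys on "Version/N ... Safari/".
_UA_PATTERNS = (
    ("Firefox", re.compile(r"Firefox/(\d+)")),
    ("Chrome", re.compile(r"Chrome/(\d+)")),
    ("Safari", re.compile(r"Version/(\d+).*Safari/")),
)


def parse_browser(ua):
    """Return (browser name, major version) from a User-Agent, or None if unknown."""
    if not ua:
        return None
    for name, pattern in _UA_PATTERNS:
        m = pattern.search(ua)
        if m:
            return name, int(m.group(1))
    return None


def is_outdated(ua):
    """True if the browser's major version is below the assumed current one.

    Returns None when the browser cannot be identified, so unknown agents
    are neither counted as outdated nor as current.
    """
    parsed = parse_browser(ua)
    if parsed is None:
        return None
    name, major = parsed
    return major < CURRENT_MAJOR[name]


def summarise(events):
    """Compute the campaign figures an IT team would put in its report.

    Click, credential and report rates are over all recipients. The outdated
    browser rate is over clickers only, because the browser is observed only
    when the recipient reaches the landing page.
    """
    total = len(events)
    clicked = [e for e in events if e["clicked"]]
    submitted = [e for e in clicked if e["submitted"]]
    reported = [e for e in events if e["reported"]]
    outdated = [e for e in clicked if is_outdated(e["ua"])]

    def pct(part, whole):
        return round(100.0 * part / whole, 1) if whole else 0.0

    return {
        "recipients": total,
        "click_rate": pct(len(clicked), total),
        "credential_rate": pct(len(submitted), total),
        "report_rate": pct(len(reported), total),
        "outdated_browser_rate": pct(len(outdated), len(clicked)),
        # Users who submitted credentials need a forced password reset;
        # users who reported are the ones the article suggests rewarding.
        "reset_needed": sorted(e["user"] for e in submitted),
        "reporters": sorted(e["user"] for e in reported),
    }


if __name__ == "__main__":
    for key, value in summarise(EVENTS).items():
        print(f"{key}: {value}")
```

Two design points: credential submitters are listed separately from clickers because the two groups need different follow-up (a password reset versus awareness training), and the outdated-browser share is deliberately computed over clickers, since a simulation only observes the browser of users who reached the landing page.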