Q3 2014 State of the Internet Security Report – Emerging Trends: Phishing Attacks

Selected excerpts

Akamai’s Q3 2014 State of the Internet Security Report explores the growing threat posed by phishing attacks. The report describes a politically motivated attack campaign by the Syrian Electronic Army (SEA) and discusses the ongoing risk to enterprises.

In Q3 2014, multiple phishing attacks targeted Google Enterprise users in order to harvest user credentials and gain access to third-party content feeds. Hacktivists compromised the feeds on popular media websites such as CNN, the Associated Press and others.

Third-party content often appears to the user as links to similar articles or sponsored links to commercial sites. Third-party content on a website will be generated using cascading style sheets (CSS) and JavaScript or Flash. The first block of <script> tags pulls in content from the third-party site. When a user loads the page, this JavaScript code will run in the context of the site in which it is loaded. Because the content runs within the Document Object Model (DOM) of the page, JavaScript loaded from the content provider may be able to access and affect other portions of the page.

Phishing attacks

In the summer of 2013, Akamai first observed the Syrian Electronic Army (SEA) targeting media outlets. Attackers sent an email to a large number of employees in a targeted company or its third-party content provider, luring the recipients to click a link. Using this technique, the SEA were able to successfully phish credentials from employees and deface target sites or their social media accounts, or deface a target by attacking a third-party content provider.

Attackers Mine Gmail for More Credentials

After the phishing site harvests a user’s credentials, the attackers are notified and use the credentials to log into the victim’s Google account, which may provide access to valuable information. The attackers look through the Gmail account’s inbox, trash, sent items, and contacts for useful confidential information, such as passwords, server names, and names of contacts within the company or with partners. Items in Google Docs, Google Voice and Gmail have all been made accessible to the attacker.

With access to an employee’s enterprise Gmail account, an attacker can send spear phishing messages to target the employee’s contacts in the same company and at other firms. The attacker will have valuable contextual information from the victim’s stored emails to craft better messages that may get others to compromise their own accounts.
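The excerpt's point that third-party feed scripts run inside the host page's DOM means every external script origin is a trust dependency of the site. The following is an added example, not code from the Akamai report: it inventories the external origins a page loads scripts from and flags the ones not pinned with Subresource Integrity. The function names, sample markup and host names are constructed for illustration.

```javascript
// Constructed sample page; all host names are illustrative placeholders.
const SAMPLE_PAGE = `
<html><head>
<script src="/static/site.js"></script>
<script src="https://feeds.content-partner.example/widget.js"></script>
<script src="https://cdn.libs.example/lib.min.js"
        integrity="sha384-CONSTRUCTEDPLACEHOLDER" crossorigin="anonymous"></script>
<script>var inline = true;</script>
<script src="//ads.sponsor.example/links.js" async></script>
</head><body></body></html>`;

// Return one record per <script src> whose origin differs from the page's own.
function auditThirdPartyScripts(html, pageUrl) {
  const pageOrigin = new URL(pageUrl).origin;
  const findings = [];
  const tagRe = /<script\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = m[1];
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(attrs);
    if (!src) continue; // inline script, shipped by the site itself
    const resolved = new URL(src[1], pageUrl); // resolves relative and //host forms
    if (resolved.origin === pageOrigin) continue; // first-party file
    findings.push({
      origin: resolved.origin,
      url: resolved.href,
      // With an integrity attribute the browser only runs the exact file that
      // was hashed; without it, whoever controls the provider's account
      // decides what code runs in this page's DOM.
      pinned: /\bintegrity\s*=/i.test(attrs),
    });
  }
  return findings;
}

// Distinct origins that can change the code running in the page at any time.
function unpinnedOrigins(html, pageUrl) {
  const origins = auditThirdPartyScripts(html, pageUrl)
    .filter((f) => !f.pinned)
    .map((f) => f.origin);
  return [...new Set(origins)].sort();
}

console.log(unpinnedOrigins(SAMPLE_PAGE, "https://news.example/article"));
```

Content feeds that change per request generally cannot be hash-pinned, so for those origins the inventory identifies which provider accounts sit inside the site's trust boundary.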