Developers highly vulnerable to targeted phishing attacks, say experts
30 July 2018
Software developers are highly vulnerable to phishing attacks that are launched by attackers to inject malware into enterprise systems and apps, Guy Podjarny, CEO and co-founder of Snyk, told a gathering of developers at the Node Summit in San Francisco.
Many people, including developers themselves, believe that developers are the least susceptible to phishing attacks and malware injections because they know the ins and outs of their software programmes and would detect anomalies with great ease.
Developers are prime targets for phishing attacks
However, Podjarny said that there have been several instances in the past where attackers have been able to inject malware into software programmes using platforms that are exclusively used by developers.
For instance, Chinese hackers were able to inject malware named XcodeGhost into Apple’s Xcode IDE by adding malicious code into a CoreServices object file. The malware was designed to capture personal information of iOS device users and infected hundreds of iOS apps in the process. That CoreServices object file was not an executable and could be accessed only by developers.
Podjarny isn’t the first to state the seriousness of hackers targeting developer platforms to infect iOS apps and software programmes. Back in 2015, FireEye’s Asia Pacific CTO Bryce Boland said that because of Apple’s climbing share in the desktop and mobile markets, the company’s products were “more valuable for criminals to attack”.
Boland believed that attacks will not be limited just to Macs and MacBooks, but will also target iOS, adding that attacks on Apple’s walled garden “will ramp up next year”.
He cited examples found by FireEye such as Masque Attack in 2014, which replaced authentic mobile apps with malicious ones, as well as three variations of the malware discovered in 2015 that were capable of demolishing other apps, breaking the app data container and hijacking virtual private network traffic.
Similarly, according to The Register, which cited a blog post written by developer David Gilbertson, it is easy for attackers to create npm packages to steal credit card details. Hackers have also injected malware or malicious code into developer resources like PyPI and RubyGems in the recent past to obtain personal data.
“This is a timely reminder that no one, no matter how technically sophisticated or security-savvy they are, is ‘unphishable.’ Moreover, good social engineering preys upon assumptions and patterns that are particular to the victim,” says Tim Helming, director of product management at DomainTools.
“If an attacker knows how a given class of victims tends to think about content (for example, how and where security or technical personnel get information germane to their fields), then they have a real chance to trick the victim. The only unphishable person is one who does not use the Internet,” he adds.
How to protect developers from phishing attacks?
Considering that developers, like every other human being, can fall for phishing attacks that are cleverly disguised as emails from colleagues, superiors, or vendors, the security of software applications should not be entrusted completely to developers.
Instead, as Podjarny said, companies should introduce automation into security controls and implement automatic malware-detection scans, multi-factor authentication, and auto-expiring access tokens to ensure attackers are not able to gain access to, or inject malware into, sensitive software programmes.
It’s not that enterprises across Europe are oblivious to the threat. Earlier this year, the European-wide Phishing Response Trends Report released by human-driven phishing defence solutions provider Cofense revealed that even though 78 percent of IT professionals in Europe were successful in dealing with a security incident originating from a deceptive email compared to just 66 percent in the US, 59 percent of organisations across Europe were looking to adopt automated email analysis solutions compared to just 33 percent in the United States.
“What we’re really looking at here is addressing human susceptibility and building human resiliency to work in concert with technology to combat security threats facing Europe,” said Rohyt Belani, co-founder and CEO of Cofense.
“Technology solutions alone have proved time and time again that they can only go so far to protect enterprises. It is not enough to lock down systems and force users into acting a certain way; instead we need to build a human-driven phishing defence posture that leverages human instinct for detection and technology to scale response,” he added.