Most cyber attacks start with a social engineering attempt and, more often than not, it takes the form of a phishing email.
It’s easy to understand the popularity of this attack vector: phishing campaigns are relatively inexpensive (money- and time-wise), yet successful. Attackers don’t need to create/buy technical exploits that might or might not work – instead, they exploit what they can always count on: users’ emotions, fears, desires, and the fact that, despite knowing better, it only takes a moment of inattention to make a mistake.
“Cybercriminals play on users’ expectations of trust in email communications, and the human instinct – despite training and warnings to the contrary – to click on malicious links, give away credentials or even install malware and ransomware on endpoint devices. The reality is that people are always soft targets, and social engineering and phishing attacks are outpacing legacy technologies and training-only solutions,” Kevin O’Brien, CEO at GreatHorn, told Help Net Security.
That’s not to say that security training doesn’t have a role to play.
“In the fight against phishing, consistency is often a business’s best deterrent. Since an organization’s employees typically serve as the first line of defense, arming workers with a thorough background on relevant threat types and generic preventive measures can provide demonstrable value,” he noted.
“But, while interactive, most phishing awareness training or ‘Spot the phish’ phishing simulation exercises are rarely tailored, making them ineffective when it comes to spotting real-life phishing attempts.”
Effective oldies and emerging phishing approaches
While brand impersonation is the “gold standard” method for effecting credential theft, O’Brien says they are seeing new and innovative phishing attacks emerge almost every day.
“Phishers frequently exploit global brands like Microsoft, Dropbox, and DocuSign in their scams because the brands’ good reputation lulls victims into a false sense of security,” he explained.
“Once trust is established, it’s easier to convince people to interact with malicious links and attachments. And because the URLs for these brands are hosted on seemingly legitimate websites, they can more easily evade many common email security tools.”
Microsoft has been phishers’ favorite brand to impersonate for quite a while, as compromised Office 365 accounts allow attackers to launch insider attacks targeting anyone in the organization in just one step.
“We also recently identified a set of widespread credential theft attacks that directly impersonate – of all things – cybersecurity companies themselves,” he shared.
“Legacy email security companies require that their customers publish – via DNS entries – that they are using their services. The attackers spoofed some of the less well-known aspects of the email specifications, such as the return path and received headers, to appear as though they were coming from well-known email security companies.”
Another type of approach they’ve recently seen in customer environments is the “Note to self” attack: the attackers spoof the user’s email display name, put “Note to self” in the subject line and drop a link or attachment into the email.
Even if targets are not in the habit of mailing themselves notes, such an email often piques their interest and occasionally tricks them into doing things that they know they should not do under other circumstances. And, according to O’Brien, this approach is particularly successful at duping mobile users because the email is rendered differently on a mobile phone than on a computer.
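A minimal mail-gateway check for the two tricks described above (an internal user's display name over a foreign address, and a Return-Path that does not line up with the visible From), written as an added example rather than code from GreatHorn or the article; the internal user directory and both sample messages are constructed.

```python
from email import message_from_string
from email.utils import parseaddr
from typing import List

# Constructed directory of internal users (assumption): display name -> mailbox.
INTERNAL_USERS = {"Jane Doe": "jane.doe@example.com"}


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def check_message(raw: str) -> List[str]:
    """Return a list of findings for one raw RFC 5322 message (headers suffice)."""
    msg = message_from_string(raw)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    subject = msg.get("Subject", "")

    # Display-name impersonation: the name belongs to an internal user, but the
    # address behind it is not that user's mailbox.
    expected = INTERNAL_USERS.get(from_name.strip())
    if expected and from_addr.lower() != expected:
        findings.append(f"display-name spoof: '{from_name}' resolves to {from_addr}, not {expected}")

    # Envelope/header misalignment: the bounce address lives in a different domain
    # than the visible From. A plain heuristic; a crafted Return-Path can evade it.
    if return_path and domain_of(return_path) != domain_of(from_addr):
        findings.append(f"return-path domain {domain_of(return_path)} != from domain {domain_of(from_addr)}")

    # Lure context that raises the priority of any other finding.
    if findings and "note to self" in subject.lower():
        findings.append("subject matches 'Note to self' lure")
    return findings


# Constructed sample messages (not real captures).
SPOOFED = (
    "Return-Path: <bounce@mail-relay.invalid>\n"
    "From: Jane Doe <jdoe.personal@mail.invalid>\n"
    "To: Jane Doe <jane.doe@example.com>\n"
    "Subject: Note to self\n\n"
    "Reminder: https://example.invalid/doc\n"
)
GENUINE = (
    "Return-Path: <jane.doe@example.com>\n"
    "From: Jane Doe <jane.doe@example.com>\n"
    "To: Jane Doe <jane.doe@example.com>\n"
    "Subject: Note to self\n\n"
    "Pick up milk\n"
)
```

Findings are meant to drive a warning banner or quarantine review rather than a hard block, in line with the "flag suspicious, then let users decide" approach discussed later in the article.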
A note on BEC scams
Email campaigns aimed at stealing login credentials are prevalent and can fuel even more dangerous and disastrous attacks such as business email compromise (BEC) scams.
The FBI’s Internet Crime Complaint Center (IC3) shared in April that BEC scams, along with email account compromise (EAC) scams, caused nearly $1.3 billion in losses last year.
“IC3 recently released new data regarding business email compromise, showing that the damages have reached over $26 billion. Moreover, the FBI says that these scams are continuing to grow every year, with a 100% increase in the identified global exposed losses between May 2018 and July 2019,” O’Brien noted, and pointed out that the losses are certainly much higher.
“The FBI only investigates claims over a certain dollar amount, so there are many cases not reported. Also, these numbers are also only hard losses – the cost of IP theft, fines, consumer protection, etc. aren’t included in these estimates.”
BEC scammers are constantly trying new approaches to evade security tools that organizations have in place. As Armorblox CEO Dhananjay Sampath recently told Help Net Security, they’ve evolved from sending a single email with malware or a phishing link to using multiple emails and social engineering methods, such as mentioning out-of-office responses, or injecting personal information such as details of a real estate purchase, or using workflow information.
O’Brien expects the evolution to continue in the coming years and attackers to shift from simple financial extraction attacks to incorporating additional types of attack.
He also anticipates improved execution and targeting by attackers impersonating brands, as well as a continuing rise of ransomware aimed at organizations.
Advice for CISOs
O’Brien advises CISOs and IT leaders to keep telling themselves that there is no silver bullet for the phishing problem and to tackle it holistically.
Security awareness and phishing training for employees is a great idea, but should not be the only thing they rely on because users make mistakes and are inconsistent.
“Consider this: a little over 10% of Americans don’t use seatbelts, and 80% of them admit that when they’re in the back of an Uber or a Lyft or driving a short distance, they often don’t buckle up. They know it’s safer to do it, and they still don’t do it. The situation with security awareness training isn’t that much different and that’s why you can’t ever train the problem away completely,” O’Brien pointed out.
Detection technology will also never be able to identify and stop all phishing attacks, and that’s why, instead of just looking to block “bad things”, companies need to focus on identifying suspicious ones and giving users the tools to make better decisions about them.
“User training and business processes need to be reinforced with in-the-moment education to warn people what to do when. And we need integrated IR tools to remove things that get through – because things will get through,” he said.
CISOs and IT leaders must accept that just implementing the best “set it and forget it” tools is not the right answer when it comes to phishing (or any other threat, really). They should cultivate a security-first culture by embracing a dynamic and continuous approach to risk assessment, prioritization, and remediation.
“Companies are facing increasingly asymmetric threats from sophisticated and well-funded adversaries and they must use the leverage that we have to outpace them,” O’Brien concluded.
“As with any asymmetric struggle, it is in better technique and more rapid innovation where organizations can find advantage. That’s where my focus has been and will continue to be.”