Phishing attacks are nothing new, but their frequency has been on the rise the past year for one simple reason: they work. How can they be defeated?
There are numerous ways criminals can breach a company’s network. Yet one of the most time-tested and popular forms of attack remains phishing.
Launched via email, phishing attacks are typically aimed at tricking employees into giving up user names and passwords. Once a criminal has valid credentials, he has access to other accounts, applications, and confidential documents that require the same user name and password for access.
Stolen credentials can also be leveraged to target other employees to steal their credentials or persuade them to send money or digital assets. Also, once a criminal is inside a network, he can move freely about it, probing for weaknesses.
Stolen credentials can also be used to launch a ransomware attack, in which a company’s data is locked up with encryption (“Ransomware Makes a Comeback,” February). The criminal then demands a ransom before turning over the decryption key. Ransomware attacks have been gaining momentum lately because criminals can realize the payoff from their attack sooner. They don’t have to sneak out data, then find buyers for it.
In 2020, 57% of phishing attacks launched against companies were intended to gather network credentials, such as user names, passwords, and email addresses, according to Cofense, a Leesburg, Va.-based provider of phishing detection and response solutions.
What makes phishing so effective for harvesting network users’ credentials is that it relies on social engineering, or manipulating people into divulging confidential information.
“Criminals know that most cybersecurity solutions can be easily bypassed with emails that trick an employee into giving away their credentials,” says David Warburton, senior threat-research evangelist at Seattle-based cybersecurity provider F5 Labs. “It’s often far easier to steal credentials and walk in through the front door than it is to spend countless hours exploiting a vulnerability that will often trigger alarms.”
The increasing sophistication of the technology behind phishing attacks and how criminals are altering their strategies to make the attacks more profitable are alarming experts.
On the technology side, phishing kits and so-called phishing-as-a-service have made it possible for almost anyone to launch an attack.
Phishing kits are sold by criminals on the dark Web. They provide novice hackers with all the tools needed to set up and execute phishing campaigns. Kits can sell from $10 to $100 or more, though newer kits sell for more as they typically have the latest tools to foil email and other security filters.
Phishing-as-a-service (PhaaS) removes many technical barriers novice hackers face. These challenges include designing and coding phishing emails, spoofing Web sites, and, in some cases, finding buyers for the ill-gotten data. In return, the sellers get a percentage of the take.
Some PhaaS operations will even provide bandwidth on their own servers to power the attacks, as well as the latest software for beating cybersecurity filters. It’s not uncommon, in these cases, for PhaaS operators to charge a licensing fee as well as take a percentage of the profits.
“With PhaaS, criminals get automatic updates just as they would with a software-as-a-service application,” says Steve Ragan, security researcher for Akamai Technologies Inc.
What makes the emergence of phishing kits and PhaaS so scary is that it is another indicator organized crime has become even more embedded in cybercrime, according to Peter Cassidy, secretary general for the Anti-Phishing Working Group, a security-industry organization.
Just as phishing technology is evolving, so too is the motivation behind the attacks. Criminals are discovering they can do more with stolen credentials than breach a network. They can use those credentials to trick employees to send money or digital assets.
In these instances, criminals use credentials to hijack an internal email thread or create a new one by commandeering a legitimate user’s email account. The attacks, known as business email compromise, are launched by criminals looking to start an email conversation with an employee while posing as a trusted colleague.
It is not uncommon for the criminal to request that money be wired to a company executive who’s traveling or to ask that a digital asset, such as gift cards, be given out at an upcoming office party, for example. In the latter case, the links to the digital gift cards are emailed to the criminal posing as the employee organizing the party. In reality, the phisher has spoofed the company’s email server to receive the cards directly.
“More organizations suffered payment-fraud attempts from business email compromise attacks than any other method in 2019, costing them over $1.7 billion, according to the FBI,” says Jeremy Ventura, a sales engineer for cybersecurity provider Mimecast Ltd. “Typically, these attacks don’t contain malicious URLs or attachments. Rather, they target C-level executives, [and] finance [or] human resources departments to wire and transfer funds.”
Such tactics can easily fool employees because they believe they are engaging with a legitimate colleague, says Tonia Dudley, strategic advisor for Cofense.
Business email attacks have been gaining momentum, partly because many employees are working remotely due to the coronavirus pandemic. Unless a company has a virtual private network linking remote employees, maintaining internal cybersecurity standards among at-home workers is difficult.
“Companies continually need to be raising the bar when it comes to security for remote workers,” says Salvatore Stolfo, chief technology officer and founder for Allure Security, a Waltham, Mass.-based cybersecurity firm.
Beating Fraud Screens
Companies must also be aware criminals will phish to leverage corporate brand names.
One option is the man-in-the-middle attack, in which criminals establish a hypertext transfer protocol (https) connection between themselves and the company’s Web server and consumers communicating with the company’s Web site. With this connection, the criminal can intercept data and send emails to the customer.
For example, a criminal with an https connection between a credit card issuer and its customers can send an email to the cardholders “alerting” them that immediate action should be taken because of suspicious activity. The email can request that the customer validate herself by resetting her password, which the criminal intercepts.
But that’s not all. The criminal replies with an email requesting further validation from the customer, such as a Social Security number, date of birth, or both.
Criminals have also been known to use man-in-the-middle attacks to spot when a bank’s customer is transferring funds to a third party and reroute the transfer to an account they control, cybersecurity experts say.
Today, man-in-the-middle attacks are used more often to gather consumers’ personal information, such as home address, phone number, and email address. That information is then used to create a consumer profile.
The more a criminal knows about someone’s identity, the easier it is to assume that identity and beat fraud screens when opening an account, says Akamai’s Ragan.
Identified And Quarantined
Experts say one of the best ways to educate employees to spot an attack is to run phishing drills in which questionable emails are sent to them. Factors employees should focus on include the subject line, when an email thread was last active, and whether the sender is asking for information out of the ordinary or makes a peculiar request.
“Employees need to look at the action being requested, then slow down if it’s unexpected or a first-time request,” says Roger Grimes, data-driven defense evangelist for KnowBe4 Inc., a security-awareness training provider.
When employees spot a suspect email, they should immediately report it, even if they have accidentally opened it. The best defense is getting the attack out in the open so it can be identified and quarantined, says Cofense’s Dudley.