When you think of your computer’s security, what is the most feared threat that comes to mind?
For many, the worst threat is ransomware, banking trojans, or keyloggers that can track every keystroke and collect sensitive data. Others would come up with so called zero-day threats that exploit unpatched vulnerabilities in software, browsers, or operating systems. None of these threats are a joke, and the losses caused by them are devastating to users and organizations alike.
Ransomware damages are anticipated to more than double by the end of 2019 with attacks on businesses occurring at the rate of 1 in every 14 seconds, according to Cybersecurity Ventures. What is more, the market for these threats is growing at a staggering pace and shows no signs of slowing. Today we are going to talk about the threat that often serves as precursory in the chain of infection by ransomware and other aggressive threats.
What is Phishing?
Phishing is a kind of fraudulent communication (often an email, but sometimes an SMS or IM) crafted to trick the recipient into believing that it is coming from a legitimate party. The message’s intent is to obtain the victim’s sensitive data or install malware.
How Does Phishing Happen?
All types of malware have one thing in common—they require an entry point like a compromised computer, mobile, or IoT device to initiate the attack and further expand it by propagating malware across the network.
Before malicious code executes on a user’s machine, it has to be delivered, and hackers use a variety of methods to accomplish that. One of them is through email, more specifically, through phishing campaigns.
And is phishing ever popular!
The Growing Threat of Phishing
According to the SANS 2017 Threat Landscape Survey of organizations across 5 industries (Finance, Government, Cybersec, Technology, and Education) various types of phishing are among the leading threats to the network security. Email is dominant among threat vectors.
Why does phishing occupy the top rank of threats and what makes it so effective?
To fully answer this, it’s important to understand the shadow economy of the dark web, which serves as both a covert trading post for data obtained through phishing and a one-stop-shop for phishing tools. Once you understand how simple it is to set up a phishing campaign, you can begin to fathom the threat. Knowing some phishing basics, however, will significantly improve your phishing security.
How Does Phishing Work?
Attackers may contact victims under the guise of a government agency, financial institution, social website, or vendor (Apple, Microsoft, etc.). From there, several scenarios are possible:
- Users may be lured to a fake website URL, mimicking their bank or other entity under the pretense of updating their details, etc. Needless to say, any data entered is captured by the adversary. In some cases the website URL can be real, but the website’s login page may be compromised instead.
- Users are urged to download or open an attachment containing a malicious payload. There are plenty of possible payloads that can be delivered, from a dropper that installs ransomware to a vulnerability exploit that plants spyware to collect data as part of a larger-scale advanced persistent threat.
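The fake-URL scenario above is one that a mail gateway or a user-side checker can test mechanically. The following Python script is an added example, not code from the original article: it flags links whose visible text names a different domain than the real href, hostnames that imitate a trusted brand domain (typo-squats such as a digit swapped for a letter, or the brand name used as a label in an unrelated domain), and credential pages served over plain HTTP. The trusted-domain list, the edit-distance threshold and the sample links are constructed assumptions.

```python
"""Flag phishing indicators in links extracted from an email body.

Added example; not code from the original article. The trusted-domain list,
the edit-distance threshold and the sample links are constructed for
illustration only.
"""
import re
from typing import List, Optional
from urllib.parse import urlparse

# Constructed allowlist: brand domains the organisation's users legitimately visit.
TRUSTED_DOMAINS = ["paypal.com", "microsoft.com", "apple.com"]


def registered_domain(host: str) -> str:
    """Return the last two labels of a hostname (adequate for .com-style TLDs)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches typo-squats such as paypa1.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host: str) -> Optional[str]:
    """Return the trusted domain that `host` imitates, or None if it is trusted or unrelated."""
    host = host.lower()
    reg = registered_domain(host)
    if reg in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        # Typo-squat: registered domain within two edits of the real one.
        if edit_distance(reg, trusted) <= 2:
            return trusted
        # Brand name used as its own label inside an unrelated domain,
        # e.g. paypal.com-secure-login.net or paypal-verify.com.
        if re.search(rf"(^|[.-]){re.escape(brand)}([.-]|$)", host):
            return trusted
    return None


def analyse_link(display_text: str, href: str) -> List[str]:
    """Return indicator names for one (anchor text, href) pair; an empty list means clean."""
    indicators: List[str] = []
    parsed = urlparse(href)
    href_host = parsed.hostname or ""

    # 1. Anchor text that looks like a URL but actually points at another domain.
    text = display_text.strip()
    if re.match(r"^(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?$", text):
        shown_host = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if shown_host and registered_domain(shown_host) != registered_domain(href_host):
            indicators.append("link-text-mismatch")

    # 2. Destination host imitates a trusted brand.
    target = lookalike_of(href_host)
    if target:
        indicators.append(f"lookalike-of:{target}")

    # 3. Credential forms served over plain HTTP are another common tell.
    if parsed.scheme == "http":
        indicators.append("plain-http")
    return indicators


# Constructed sample links, as a gateway might extract them from an HTML email.
SAMPLE_LINKS = [
    ("www.paypal.com", "http://paypal.com-secure-login.net/verify"),
    ("Sign in", "https://paypa1.com/login"),
    ("https://www.microsoft.com", "https://www.microsoft.com/account"),
]

if __name__ == "__main__":
    for text, href in SAMPLE_LINKS:
        print(f"{href!r:50} -> {analyse_link(text, href)}")
```

The first sample trips all three checks, the second is caught only by the edit-distance test, and the genuine Microsoft link produces no indicators. In production the allowlist would be the organisation's own partner and vendor domains, and a hit should route the message to review rather than be treated as proof of phishing on its own.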
Besides certain technical implementations for malware delivery, phishing attacks heavily rely on social engineering. Basically, social engineering is the practice of using various techniques to manipulate users’ behavior that results in their opening an email or clicking a harmful link. Subject lines and the content of the emails are crafted to:
- abuse a user’s habit to trust. For example, attackers use an email that appears to come from the organization’s own IT department or another trusted partner.
- create a sense of urgency. For instance, a phishing bid might make an urgent request for information that comes from the victim’s superior in the organization.
- exploit curiosity by possibly linking to some “hot” topic on social media.
- scare the user as with a fake alert of unusual activity in a critical account.
Researchers at Proofpoint stated in their 2017 Human Factor Report that:
BEC (Business email compromise) and credential phishing attacks targeted the human factor directly—no technical exploits needed. Instead, they used social engineering to persuade victims into sending money, sensitive information, and account credentials.
By taking advantage of human psychology, hackers are able to access sensitive data without investing in developing sophisticated malware. Users who fall victim to successful manipulation often act in the spur of the moment and don’t bother to take a second, more critical look before releasing sensitive data.
Phishing Campaign Examples
A Phishing Attack Using Google Docs
Some of the most notable phishing campaigns in 2017 included Google Drive users falling prey to a rather sophisticated scam scenario.
Users received a standard invitation from a contact to edit a file on Google Docs. Upon clicking, it would direct users to a real Google account selection page, but with a caveat. After selecting a Google account to use for opening the shared document, “Google Docs” would request access to manage the user’s email—which is not required for the real Google Docs. If the user clicked on the “Google Docs” name on the permission screen, it would display developer info with fake credentials.
In a nutshell, attackers abused the existing Google infrastructure and the possibility to create a third-party web app with the same name as a Google product, tricking trusting users into giving access to their Google email accounts. Once granted access, the malicious app would propagate itself by sending the same phishing emails to contacts in the compromised mailbox. Despite quick mitigation by Google, this phishing scam affected around 1 million Gmail users.
Just got this as well. Super sophisticated. pic.twitter.com/l6c1ljSFIX
— Zach Latta (@zachlatta) May 3, 2017
A Phishing Campaign Involving Fake Patches for Spectre and Meltdown
A more recent example that serves as an example of a social engineering attack exploiting scareware tactics involves phony vulnerability patches for Spectre and Meltdown.
The recently discovered CPU vulnerabilities, Spectre and Meltdown, have received wide media coverage due to their severity and possible risk for leaking sensitive data from affected computers’ memory. Chip and OS vendors alike have been releasing patches to mitigate the risks, but it didn’t take long for adversaries to take advantage of the situation.
Security company Malwarebytes identified a spoof phishing page that copied the German Federal Office for Information Security (BSI) website. German users were lured to visit the page to download vulnerability patches, but the contents of the .zip archive offered for download were malicious. Malware called Smoke Loader came under the guise of patches and silently downloaded other malicious payloads as dictated by an operator through its command and control servers.
How Is Phishing Changing?
As a rule, phishing attacks are characterized by massive reach targeting wide audiences, where the effect of the attack depends on the volume of emails sent.
However, according to PhishLabs’ 2017 Phishing Trends and Intelligence report, threat actors have been adjusting monetization of the attacks, shifting from simply using a victim’s credentials to immediately steal money to reusing credentials in the hope of gaining access to more accounts. As monetization methods evolve, there is increasing benefit in having access to stashes of data and credentials.
Enter spear phishing—selective attacks aimed at organizations or specific individuals within them. They involve a more sophisticated approach.
What is Spear Phishing and How Is It Different from Common Phishing Attacks?
Spear phishing is not about quantity. The main emphasis of spear phishing attacks is on the quality of the victim within the organization.
One subset of spear phishing, called “whaling attacks,” is targeted at C-level employees. When adversaries are set on infiltrating a certain organization in order to steal valuable information or financial assets, the premise is that the higher rank of the target guarantees them several benefits:
- Immediate access to privileged information, including bank accounts, delivers higher return on investment (ROI).
- High-value and high-volume data accessed through a compromised executive account is considerably more significant than that of the common employee.
- The possibility to propagate data collection to some of the most important sources within and outside the organization increases the value of these attacks.
- Obtaining the victim’s connections list, which can be used for further attacks, further improves ROI.
Plainly, such a total prize is well worth the effort for adversaries.
The Main Steps in a Spear Phishing Attack
- Preparing and Collecting Intelligence: At this stage the adversary identifies a potential target within the organization. They research the organization structure to determine which victim is going to be targeted. Next, the attacker will get an appropriate email address for the victim, which is probably the easiest part given the number of ways it can be done. Simultaneously, any publicly available information on the victim is scraped from available sources like social networks. It may be used for impersonating someone the victim trusts. Other measures include evaluating the IT infrastructure in order to understand the possible tools that may be used to compromise the victim’s computer and the company network, evading detection by network security tools and staging an advanced persistent threat.
- Gaining Access To a Victim’s Account Through a Laboriously Crafted Spear Phishing Email: An attacker will prepare a legitimate-looking email aimed at luring the target to open it and perform a specific action like downloading an attachment or visiting a spoof website, effectively compromising the computer and exposing credentials. In their Spear Phishing Report, GreatHorn provides statistics on some of the top methods hackers use.
- Identifying Possible Sources of Valuable Data Within the Organization: At this point, hackers may pry into internal communications and expand their attack surface by identifying additional sources of sensitive data.
- Collecting Information and Establishing a Persistent Presence On the Network: It may take only 1 person in the organization to open a weaponized email for cybercriminals to “get their foot in the door.” The attack is accomplished by keeping activity covert with different evasion techniques and expanding the types of malware that linger on the network after the intrusion.
In a possible scenario, threats may circulate on a company’s network for a considerable amount of time before being discovered by the IT department. These attacks are known as APTs, advanced persistent threats. As a rule, multi-stage APT attacks require highly skilled hackers backed by criminal groups or even nation states. Not every spear phishing or social engineering attack develops into an APT. The following example highlights the flexible nature of phishing threats.
An Example of Spear Phishing
One of the most illustrative cases of spear phishing is the seasonal increase in spoof emails aimed at obtaining employees’ W-2 tax form information. According to the IRS, for the 2017 tax season these spoof emails spread beyond the corporate sector and have been plaguing other organizations like schools, hospitals, etc. Employees’ personal data on W-2 forms is used by criminals to file fraudulent tax returns and collect the refunds. Additionally, this data can be sold on the dark web. The Barkly blog provides some disturbing stats regarding the case: in the past 3 years W-2 spear phishing cost organizations over $1 billion. At least 120,000 employees have been exposed to a breach of their personal data during the 2017 tax season, with the number of affected organizations totaling 204, a 16% increase from 2016.
How To Improve Network Security Related to Phishing?
Possible solutions to phishing threats in an organization include a real emphasis on improving employee awareness and implementing internal policies that govern how sensitive information is shared between the company and its partners.
The network is as weak as its weakest link, and virtually anyone in the organization can fall victim to an elaborate social engineering attack that could render all network security tools useless in a blink of an eye.
IT staff should consider developing an ongoing program to keep employees informed about the evolving threats and how to identify them, along with the ability to quickly escalate a suspicious email to the IT department. Tools like Isitphishing.org, which allow users to check whether a website link is phishing-related, should be available to employees.
Essentially, the training and information should be aimed at developing safe habits when it comes to email usage. Email validation and authentication policies, like SPF and DKIM, should be deployed to ensure that the incoming email communications are coming from a real partner’s mailbox and domain, not an address forged to look like one. Among other tools, secure email gateways could be helpful to filter out possible malicious emails or attachments.
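SPF and DKIM only help if the inbound gateway also checks that the domain they vouch for is the same domain the recipient sees in the From header, otherwise a message can pass SPF for the sender's own bulk-mailer domain while displaying a partner's address. The following Python script is an added example, not code from the original article: it reads the Authentication-Results header (RFC 8601) that an organisation's own gateway stamps after verifying SPF and DKIM, ignores any such header not written by that gateway, and delivers only when at least one passing result aligns with the visible From domain (the alignment idea DMARC builds on). The gateway identifier, the delivery policy and the three sample messages are constructed assumptions.

```python
"""Decide delivery of inbound mail from SPF/DKIM results and From-domain alignment.

Added example; not code from the original article. The gateway name, the policy
and the sample messages are constructed for illustration only.
"""
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, Optional

# Constructed: the authserv-id our own gateway writes. Results under any other
# identifier may have been inserted by the sender and must not be trusted.
OUR_AUTHSERV_ID = "mx.example.org"


def parse_auth_results(header: str) -> Dict:
    """Split 'authserv-id; method=result prop=value ...; ...' into a dict."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    authserv_id = parts[0].split()[0] if parts else ""
    methods: Dict[str, Dict[str, str]] = {}
    for clause in parts[1:]:
        tokens = clause.split()
        if "=" not in tokens[0]:
            continue  # e.g. a bare "none" or a comment
        method, result = tokens[0].split("=", 1)
        props = dict(tok.split("=", 1) for tok in tokens[1:] if "=" in tok)
        methods[method] = {"result": result.lower(), **props}
    return {"authserv_id": authserv_id, "methods": methods}


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address such as bounce@partner.com."""
    return address.rpartition("@")[2].lower()


def evaluate(raw_message: str) -> Dict:
    """Return a verdict: which checks aligned with the From domain and whether to deliver."""
    msg = message_from_string(raw_message)
    from_domain = domain_of(parseaddr(msg.get("From", ""))[1])
    verdict = {"from_domain": from_domain, "spf_aligned": False,
               "dkim_aligned": False, "action": "quarantine", "reasons": []}

    # Only the header stamped by our own gateway counts; a sender can pre-write others.
    ours: Optional[Dict] = None
    for header in msg.get_all("Authentication-Results", []):
        parsed = parse_auth_results(header)
        if parsed["authserv_id"] == OUR_AUTHSERV_ID:
            ours = parsed
            break
    if ours is None:
        verdict["reasons"].append("no Authentication-Results header from our own gateway")
        return verdict

    spf = ours["methods"].get("spf", {})
    if spf.get("result") == "pass":
        mailfrom = domain_of(spf.get("smtp.mailfrom", ""))
        verdict["spf_aligned"] = mailfrom == from_domain
        if not verdict["spf_aligned"]:
            verdict["reasons"].append(f"SPF passed for {mailfrom}, but From domain is {from_domain}")
    else:
        verdict["reasons"].append(f"SPF result: {spf.get('result', 'none')}")

    dkim = ours["methods"].get("dkim", {})
    if dkim.get("result") == "pass":
        signer = dkim.get("header.d", "").lower()
        verdict["dkim_aligned"] = signer == from_domain
        if not verdict["dkim_aligned"]:
            verdict["reasons"].append(f"DKIM signed by {signer}, but From domain is {from_domain}")
    else:
        verdict["reasons"].append(f"DKIM result: {dkim.get('result', 'none')}")

    # One aligned pass is enough to deliver; otherwise hold the message for review.
    if verdict["spf_aligned"] or verdict["dkim_aligned"]:
        verdict["action"] = "deliver"
    return verdict


# Constructed sample messages (headers as our gateway would have left them).
LEGIT = """From: "Accounts" <billing@partner.com>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=bounce@partner.com; dkim=pass header.d=partner.com
Subject: Invoice 1042

Please find the invoice attached.
"""

# Visible From claims partner.com, but SPF only vouches for a bulk-mailer domain.
SPOOFED = """From: "IT Helpdesk" <helpdesk@partner.com>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=bounce@mail-blast.example; dkim=fail header.d=partner.com
Subject: Urgent: password reset required

Reset your password within 24 hours.
"""

# The sender pre-wrote an Authentication-Results header under a foreign authserv-id.
FORGED_RESULTS = """From: "CEO" <ceo@partner.com>
Authentication-Results: mx.attacker.example; spf=pass smtp.mailfrom=ceo@partner.com; dkim=pass header.d=partner.com
Subject: Wire transfer

Please process the attached transfer today.
"""

if __name__ == "__main__":
    for name, raw in [("legit", LEGIT), ("spoofed", SPOOFED), ("forged-results", FORGED_RESULTS)]:
        v = evaluate(raw)
        print(f"{name:15} {v['action']:10} {v['reasons']}")
```

The legitimate invoice is delivered because both results align with partner.com; the password-reset lure is quarantined because SPF vouches for a different domain and DKIM fails; the wire-transfer message is quarantined because its only Authentication-Results header was not written by our gateway. A real deployment would strip or ignore foreign Authentication-Results headers at the edge in the same way, and would apply the sending domain's published DMARC policy rather than the fixed rule shown here.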
Finally, the rise of AI and its subsets like machine learning has created a new market of email defense tools that employ predictive analytics over a set of parameters to detect and separate mal-spam from benign emails on the fly. These tools can go a long way toward helping individuals and organizations identify and protect themselves from phishing attacks.
Have you been the victim of a phishing attack? What tips do you think are the most helpful for mitigating a phishing threat?