Phishing is a plague that won’t go away. But resistance isn’t futile.
Since the dawn of the internet, phishing has plagued the online community. Email is one of the oldest application protocols on the internet and predates what we know today as the World Wide Web. SMTP, the protocol that carries it, was designed without any way to verify who actually sent a message, so spoofing a sender (faking the From address) has been available to malicious users since the first emails were sent. Spam and phishing are as old as the internet itself. So how is it that, after decades of building a complex and intricate digital universe, there is still no conclusive solution to this costly problem? More progress has been made on jetpacks and flying cars, yet phishing remains unsolved and has only become more rampant. Since 2016 the aggregate impact of phishing attacks has grown nearly fourfold: annual losses for large U.S. companies now average $14.8 million, or about $1,500 per employee.
Let’s recap. What is phishing?
Phishing is a type of attack in which an attacker sends a fraudulent (spoofed, faked or otherwise deceptive) message designed to trick the recipient into revealing sensitive information to the attacker, or into running malicious software, such as ransomware, on the victim's infrastructure.
More broadly, phishing is a social engineering attack in which the attacker sends emails, texts or chat messages over social channels that resemble legitimate messages, with the goal of inserting themselves into a conversation with the target. Mass campaigns send huge volumes of near-identical messages; targeted (spear-phishing) campaigns send a few carefully tailored ones. In both cases the messages are designed to look like they come from a trusted source.
Why is phishing still such a huge problem?
In short, phishing, like our daily dose of spam, still works. According to Statista, spam messages accounted for 45.1 percent of email traffic as of March 2021. Like phishing, spam requires a very low investment and can reach millions of people in a very short time. Phishing and spam take what we call a shotgun approach: spray the internet and see who takes the bait. It works because people still click, even on the worst of these messages, because we have been conditioned since we got our first email address to open whatever arrives. It is a matter of human psychology, and humankind is often its own worst enemy. In the case of phishing, people click first and think later.
The human problem
If you take an optimist's view, the biggest security problem stems from the fact that we as a species are, for the most part, nice, at least on the surface. We are wired to be of service to others, especially if the person fits our idea of what a 'nice person' looks like. For example, if a clean-cut, nicely dressed individual stops you on the street and asks for directions to the nearest ATM, you will most likely stop and answer politely. The reason is that we are taught from day one to "always help others." This behavioral training is imprinted on us from the moment we speak our first words; there is a reason 'please' and 'thank you' are among the first words we learn as toddlers. We are taught early on that politeness and willingness to help are favorable attributes for functioning in society. What counts as an acceptable level of helpfulness varies from culture to culture, but in general, helping others is ingrained in us. Helping others makes us happy and makes us feel important and useful. Even the ancient Greek philosophers treated service to others as a virtue.
What does this have to do with opening email? Just as when we are stopped on the street by a well-dressed individual sporting a fancy pair of loafers and a congenial smile, we feel compelled to click on an email or a text message when it is 'dressed' properly. Spam and phishing emails are digital versions of a wolf in sheep's clothing. Our immediate response is to take them at face value. As noted above, we click first and think later.
The technical problem of the Internet
How has it become acceptable that roughly half of the email we receive is unsolicited, and much of it malicious? This did not happen overnight. Over time, message by message, we became inured to it, accepting spam and phishing as simply a cost of being online. We have patched the system again and again to filter the mail and duct-taped our way around the problem, but at the core it is simply a hard problem to fix. The internet was designed for resilience among parties who trusted one another, not for fraud prevention: SMTP, for instance, will accept whatever sender address a client puts in a message. Retrofitting that kind of authentication into the core protocols years later is close to impossible, given all the legacy systems that depend on them.
It is not for lack of trying. A number of people have proposed signing schemes that bind a message to its real sender (e.g. PGP and S/MIME), and domain-level email authentication (SPF, DKIM and DMARC) has seen broader adoption. But end-to-end signing has barely spread beyond what might be called the 'paranoid security community', because there is very little incentive to change, and adoption of new security protocols across the internet is slow, if not impossible, which is why most of these attempts have failed so far. Domain authentication, meanwhile, only proves which domain a message came from: it does nothing against a look-alike domain the attacker registered, a legitimate account the attacker has hijacked, or a channel other than email.
Progressions and advancement of current phishing schemes
Phishing attacks have become increasingly sophisticated. Modern phishing kits often proxy the real website being targeted, so the attacker sees everything the victim types and can ride along through additional security boundaries, including one-time codes and the authenticated session that follows. As of 2020, phishing is by far the most common attack reported to the FBI's Internet Crime Complaint Center (IC3), which recorded over twice as many phishing incidents as any other type of computer crime.
With malicious email attachments, the attacker crafts an email that appears to come from a believable source and attaches a malicious file. Once the file is opened, the ransomware payload is downloaded without the user's knowledge, the system is infected, and the files are held for ransom.
While the majority of phishing scams still happen over email, other channels are becoming an increasing threat. In the new world of bring your own device (BYOD) and mobile first, we are seeing a huge rise in phishing scams and malware spread via text messages as well as well-known messaging apps such as Telegram, Discord and WhatsApp.
Malicious social media, text, app, and email links
Similar to malicious email attachments, malicious links are URLs in the body of any digital message, apparently sent by a person or organization you believe to be a trusted source. When clicked, these URLs may download malicious files, infecting the system, or send the recipient to a fraudulent website that tricks them into entering sensitive information the attacker can capture and use for nefarious purposes (e.g. emptying a crypto wallet).
This evolution, and the ease at which these attacks are executed, means any organization can be the next victim and likely has already been a target.
How to address the phishing problem at its root?
Prevention is key to keeping organizations safe. The most effective strategy for stopping a phishing-borne ransomware attack is to keep the attack from ever entering your organization, or to keep users from engaging with (clicking, responding to or opening) fraudulent emails or messages. The main problem is that most deployed anti-phishing controls target email filtering only, and so ignore the large number of links arriving through other apps and messaging channels. To understand how to start preventing damage from phishing campaigns, we first need to look at the "kill chain."
Understanding the kill chain
In cybersecurity there is a model called the "kill chain," adapted from military doctrine. It is so widely referenced that one version of it, the Cyber Kill Chain, is a registered trademark of Lockheed Martin, a large defense company.
The idea of a kill chain is that the attacker must complete every step for the attack to succeed, so each step is a point where you are exposed but also a point where you can intervene. Conversely, if you can break any one step in the chain, you avoid the incident.
In general, the kill chain of a phishing or ransomware attack can be described as follows:
Phase 1: The attacker identifies the available threat vectors to leverage during the phishing attack.
Phase 2: The attacker sets up an infrastructure for launching the attack including setting up domains and web servers and certificates.
Phase 3: The attacker gets into an existing email or message thread by reusing leaked credentials, and gathers context by reading private emails and/or social media messages.
Phase 4: The attacker delivers the malicious email, message or link to the user via the identified threat vectors (a URL, an attachment, or the message text itself).
Phase 5: The user opens the message and takes action, usually in the browser.
Email phishing is no longer the only problem to fix
Most, if not all, phishing prevention schemes focus on the delivery mechanism, typically email. They miss the point, because many phishing campaigns are moving away from direct email and into modern chat applications (e.g. Discord, Telegram, WhatsApp, Signal), following the users they are defrauding onto the channels those users actually use.
Deploying email filtering addresses part of the problem, but it does not cover this ever-growing number of attack vectors.
Detecting malicious infrastructure and preempting the attack
Phishing campaigns need infrastructure to work. It is not enough to send a message on Facebook or by text: the message and its link need to lead somewhere, and that requires infrastructure. This infrastructure can be tracked, and alerted on in advance, using open source intelligence such as newly registered domains and newly issued certificates (visible in public Certificate Transparency logs) that look similar to the targeted organization. If we detect look-alike domains and certificates and block them in firewalls and proxy servers before the phishing emails or text messages reach recipients, we have averted the attack before it can occur. The caveat is that some campaigns abuse legitimate hosting (cloud storage, form builders, compromised sites) instead of registering their own, so this control complements the others rather than replacing them.
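The look-alike detection described above, as an added example that is not FYEO's tooling or code from the original post. It takes a feed of domain names (the kind a Certificate Transparency log or a newly-registered-domains list produces), normalises confusable characters, and flags homoglyphs, typosquats, foreign-TLD registrations, brand-plus-keyword labels and brand-as-subdomain hosts. The brand "acmebank", its allowlist of owned domains and every entry in FEED are constructed for the example; the last-two-labels rule in registrable() is a deliberate simplification of the Public Suffix List.

```python
"""Flag look-alike domains in a feed of newly registered / CT-logged names.

Added example (not FYEO's tooling), standard library only. The target brand
'acmebank', its allowlist of owned domains and the FEED below are constructed
for this example; a real pipeline would read a CT log or a zone-file diff.
"""
from __future__ import annotations

import unicodedata

# Characters often swapped for Latin letters: digits and Cyrillic look-alikes,
# plus two-letter sequences that render like a single letter ('rn' vs 'm').
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
}
MULTI_CONFUSABLES = [("rn", "m"), ("vv", "w")]


def decode_idn(host: str) -> str:
    """Turn ACE labels (xn--...) back into Unicode so homoglyphs are visible."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # already Unicode (or malformed): compare as-is


def skeleton(label: str) -> str:
    """Collapse confusable characters: 'acrneb\u0430nk' and 'acmebank' map to the same string."""
    s = unicodedata.normalize("NFKC", label).lower()
    for seq, single in MULTI_CONFUSABLES:
        s = s.replace(seq, single)
    return "".join(CONFUSABLES.get(ch, ch) for ch in s)


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute or swap adjacent chars."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def registrable(host: str) -> str:
    """Last two labels. Simplification: real code should use the Public Suffix List."""
    return ".".join(host.strip(".").split(".")[-2:])


def classify(host: str, brand: str, owned: set[str]) -> tuple[str, str] | None:
    """Return (verdict, detail) if host looks like an impersonation of brand, else None."""
    host = decode_idn(host.lower())
    reg = registrable(host)
    if reg in owned:
        return None  # our own infrastructure
    labels = host.strip(".").split(".")
    label = reg.split(".")[0]  # the second-level label the victim actually reads
    sk = skeleton(label)
    if sk == brand and label != brand:
        return "homoglyph", f"{label!r} normalises to {brand!r}"
    if sk == brand:
        return "tld-squat", f"brand label on unowned domain {reg!r}"
    if len(brand) >= 5 and edit_distance(sk, brand) <= 1:
        return "typosquat", f"one edit away from {brand!r}"
    if brand in sk:
        return "brand-in-label", f"{brand!r} embedded in {label!r}"
    if any(brand in skeleton(sub) for sub in labels[:-2]):
        return "brand-in-subdomain", f"{brand!r} used as a subdomain of {reg!r}"
    return None


def scan(feed: list[str], brand: str, owned: set[str]) -> list[tuple[str, str, str]]:
    """Run classify() over a feed and return (name, verdict, detail) for every hit."""
    hits = []
    for name in feed:
        result = classify(name, brand, owned)
        if result is not None:
            hits.append((name, result[0], result[1]))
    return hits


BRAND = "acmebank"
OWNED = {"acmebank.com", "acmebank.net"}
# Constructed feed entries, in the shapes a CT log or new-domain list would show.
FEED = [
    "acmebank.com",                                      # ours
    "www.acmebank.net",                                  # ours
    "acmebank-login.com",                                # brand plus a lure keyword
    "acrnebank.com",                                     # 'rn' read as 'm'
    "acmebamk.com",                                      # one substituted letter
    "acmebnak.com",                                      # two letters swapped
    "acmebank.org",                                      # our label on a TLD we do not own
    "acmebank.com.secure-verify.net",                    # our domain as a subdomain of theirs
    "acm\u0435bank.com".encode("idna").decode("ascii"),  # Cyrillic e, in ACE form (xn--...)
    "weather-today.org",                                 # unrelated registration
]

if __name__ == "__main__":
    for name, verdict, detail in scan(FEED, BRAND, OWNED):
        print(f"{verdict:<19} {name:<35} {detail}")
```

Each hit is a candidate for a firewall or proxy blocklist, and the same classify() call can be applied to the host of a URL at the moment it is clicked. Because the checks are heuristics, expect false positives on legitimate registrations that happen to contain the brand string; a real deployment would keep a human review step before blocking.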
Detecting likely targets through identifying leaked passwords and phone numbers
Most users targeted by phishing are compromised through personal accounts with passwords reused from third-party sites. In our investigations of phishing and ransomware attacks we have found that very often the account the emails originally come from is a real account that has been hijacked by the attackers.
Likely targets can be identified using open source intelligence (OSINT) sources, searching for users by their corporate and/or private email addresses. In recent attacks we have even seen attackers use a user's leaked login credentials together with a leaked phone number to defeat SMS-based two-factor authentication.
Detecting which users in the organization have leaked email addresses, passwords and phone numbers, and acting on it (forcing a password reset, moving those users off SMS-based second factors), can greatly reduce the risk of this kind of attack.
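The exposure check described above, as an added example that is not FYEO's tooling or code from the original post. It parses constructed combolist excerpts for an organisation's users, separates leaked passwords from leaked phone numbers, and checks a leaked password against a breach corpus the way the Pwned Passwords range API does it: only the first five hex characters of the SHA-1 leave the machine, and the server answers with every SUFFIX:COUNT it has for that prefix. The organisation domain, the dump lines, the passwords and the breach counts are all constructed, and fake_range_response() stands in for the remote endpoint so the script runs offline.

```python
"""Find which of an organisation's users appear in leaked credential dumps, and
check a password against a breach set without ever sending the password.

Added example (not FYEO's tooling), standard library only. The org domain, the
dump excerpts, the user passwords and the breach counts are all constructed.
The range lookup mirrors the k-anonymity scheme of the Pwned Passwords API:
only the first five hex characters of the SHA-1 leave the machine, and the
server answers with every suffix it knows for that prefix ('SUFFIX:COUNT').
"""
import hashlib
import re

ORG_DOMAIN = "acmebank.com"

# Constructed dump excerpts in the 'email:password' and 'email,phone' shapes
# that circulate in combolists; case and formatting are deliberately messy.
DUMP_PASSWORDS = """\
alice@acmebank.com:Summer2021!
bob.smith@gmail.com:hunter2
Carol@ACMEBANK.COM:Welcome1
dave@other-corp.example:pa55word
"""
DUMP_PHONES = """\
alice@acmebank.com,+1 555 010 9876
erin@acmebank.com,(555) 010-1234
"""

# Constructed stand-in for the breach corpus behind the range endpoint.
BREACH_COUNTS = {"Summer2021!": 312, "hunter2": 40_000, "Welcome1": 9_800}

LINE = re.compile(r"^\s*([^\s:,]+@[^\s:,]+)\s*[:,]\s*(.+?)\s*$")
PHONE = re.compile(r"^[\d\s()+.-]+$")


def exposed_users(org_domain: str, dumps: list[str]) -> dict[str, dict[str, str]]:
    """Map each org email found in the dumps to the kinds of data leaked for it."""
    found: dict[str, dict[str, str]] = {}
    for text in dumps:
        for line in text.splitlines():
            m = LINE.match(line)
            if not m:
                continue
            email, value = m.group(1).lower(), m.group(2)
            if not email.endswith("@" + org_domain):
                continue
            digits = re.sub(r"\D", "", value)
            if PHONE.match(value) and len(digits) >= 10:
                found.setdefault(email, {})["phone"] = digits
            else:
                found.setdefault(email, {})["password"] = value
    return found


def range_query(password: str) -> tuple[str, str]:
    """Split SHA-1(password) into the 5-char prefix we may send and the suffix we keep."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fake_range_response(prefix: str, breach_counts: dict[str, int]) -> str:
    """Stand-in for the remote endpoint: every breached hash sharing this prefix."""
    lines = []
    for pw, count in breach_counts.items():
        digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


def times_seen(suffix: str, response: str) -> int:
    """Parse a SUFFIX:COUNT body and return the count for our suffix, 0 if absent."""
    for line in response.splitlines():
        seen, _, count = line.strip().partition(":")
        if seen == suffix:
            return int(count)
    return 0


def password_breached(password: str, breach_counts: dict[str, int]) -> int:
    """How many times the password appears in the breach corpus (0 = not seen)."""
    prefix, suffix = range_query(password)
    return times_seen(suffix, fake_range_response(prefix, breach_counts))


def triage(org_domain: str, dumps: list[str], breach_counts: dict[str, int]) -> list[tuple[str, list[str]]]:
    """Per exposed user, the actions a security team would want queued."""
    report = []
    for email, leaked in sorted(exposed_users(org_domain, dumps).items()):
        actions = []
        if "password" in leaked:
            actions.append("force password reset")
            if password_breached(leaked["password"], breach_counts):
                actions.append("leaked password is in a breach corpus: check for reuse on corporate accounts")
        if "phone" in leaked:
            actions.append("phone number leaked: move off SMS second factor")
        report.append((email, actions))
    return report


if __name__ == "__main__":
    for email, actions in triage(ORG_DOMAIN, [DUMP_PASSWORDS, DUMP_PHONES], BREACH_COUNTS):
        print(email, "->", "; ".join(actions))
```

Swapping fake_range_response() for an HTTP call to a real range endpoint is the only change needed to run this against live data, and the k-anonymity split means the plaintext password and its full hash never leave the organisation.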
Training and informing the users
We all have mixed feelings about "training sessions" as a means of educating users on cyber hygiene, but we agree they should still be part of improving a company's security posture. As previously mentioned, it is human nature to want to help our fellow human beings. So we need to run tests and awareness training that make users aware of the threat in the channels where it actually occurs. Most companies' policies still mention only email as a threat vector, and whatever awareness training exists usually covers only email and misses all of the other attack vectors.
Further, knowledge sharing on new and identified risks is a necessary step in awareness training. Seeing a generic training video does very little to help people relate to the problem. Actionable intelligence is not only relevant, but empowers users with knowledge on how to take action should they be presented with the threat.
Why are we still blocking phishing only in email? Blocking access in the browser is the path forward.
Looking again at the kill chain, it always comes back to the user clicking a malicious link or opening a malicious attachment, which nine times out of ten happens in the browser. More chat apps mean more vectors for malicious actors to drop fraudulent links in front of people.
At FYEO, we believe a new approach to phishing protection is needed. In today's digital landscape, email phishing protection is only part of the path to fixing the problem and will not be enough in the future. Scanning every chat application for malicious links has become an impossible task, which is why we need something that stops the link the moment the user clicks it and it reaches the browser.
FYEO is developing a solution that combines open source intelligence with real-time, in-browser protection to stop phishing campaigns from succeeding. The FYEO DI Agent lives in the browser as an extension and surfaces a real-time warning that a site may be malicious from the moment a link is clicked. This empowers employees (agents) to be proactive in the fight against phishing and makes them allies of the security team in stopping these attacks before they do real damage.
To learn more about FYEO Agent protection, contact us at firstname.lastname@example.org.