Phishing attacks rely on a single moment of inattention or ignorance. Follow a link and the results are front-page news. A strategy for combating these attacks on multiple fronts is vital. Alan R. Earls reports.
Phishing is one of the original forms of cybercrime and yet it still wreaks havoc. Witness the persistence of variations on the Nigerian prince email as an example. This tactic survives because it relies on flaws in human wetware instead of flaws in computer software or hardware.
Specifically, phishers confuse people into inputting passwords or other credentials the attackers want, says Joshua Eckroth, a professor of computer science at Stetson University.
Greg Schulz, senior advisory analyst at StorageIO, adds, “It’s all about and around social engineering; getting or tricking somebody into getting or giving you something you normally would not want to do.”
Today’s users are typically aware that the older form of phishing bait, Trojan horse email attachments from unknown senders, can contain malware. Related malware detection software has also improved to prevent those payloads from reaching users’ inboxes. Eckroth says today’s typical phishing bait evolved into important-seeming emails from banks or utility companies that ask you to log into “their” website: a fake look-alike. A few clicks and keystrokes later and the phishers have what they want, whether that is login credentials or the codes for that user’s hardware security fobs.
Joshua Eckroth, professor of computer science, Stetson University
About one third of people receive a phishing message and click through, often with disastrous consequences. Even worse, Eckroth explains, the most common variation on the theme today is a version of “spear-phishing” (a targeted attack) called “whaling,” which usually targets a “big fish” like a senior-level executive. The level of access those credentials give a phisher is truly dangerous.
So, how do people fall for the tricks of phishing and its cousins: vishing (over the phone), smishing (SMS fishing), pharming (website interception and redirection), and whaling? “Phishing emails and websites are often extremely convincing; typically the only way to tell if a message is legitimate is to look at the links themselves or hover over a link with a mouse,” Eckroth says. “And, even then, the link might be so similar that most message recipients wouldn’t flag the message as fake.”
Those hoping their cyber insurance policy covers them against successful phishing attacks need to think again. Jeff Wilbur, technical director of the Internet Society’s Online Trust Alliance (OTA), says many cyber insurance policies will not help because, ultimately, the phisher convinced an employee to act: a human failure rather than a breach achieved through technology. “We recommend you check your policy because often [phishing] is determined to be an act of a person as opposed to a hacker: if you fooled me, it was on me,” says Wilbur.
The phishers
Defeating foes often means understanding them. Who exactly are these phishers? What is their aim? How are they organized? There is a definite mystique — encouraged by Hollywood — that all hackers are evil geniuses; but most of what we have learned so far is that it is just one person asking another to be helpful.
Greg Scott was a long-time cybersecurity pro at Infrasupport Corp. and now works at RedHat. He is also the author of Bullseye Breach: Anatomy of an Electronic Break-In and studies the methods of these attackers. The motivation for most phishers turns out to be simple: money. Sometimes, however, their motive is politics or international espionage. “I imagine a few Russians had a laugh at John Podesta’s expense when one of their phishing emails convinced Podesta to give away his email password in 2016,” he says — all part of a chain of events leading up to Wikileaks publishing the Democrats’ private emails.
In one recent mass spear-phishing incident, an attacker emailed people, mentioning a compromised social media password. The message claims the victim’s email password is the same as their compromised social media password, then offers to leave the email account alone in return for a ransom. The email also claims that identifying the attacker is impossible, because the email itself appears to come from the victim’s own email account; suggesting the victim’s email really is compromised and the victim is powerless to do anything about it. “Since lots of people still use the same password for everything, the attack will probably scare a few gullible victims into paying the ransom,” says Scott.
As for a business model, most phishing attacks require no evil genius level of money or skill. The investment for general phishing is time and maybe a bit of money for an email list. “Compose a message, relay it to a few million recipients, find some gullible victims, and the ROI might be huge,” says Scott. In a typical spear-phishing attack, he says, the investment can be higher. The attacker has to buy a list of compromised social media passwords and email addresses, compose the message, then send it through a friendly relay.
All in all, there is a low barrier of entry to the phishing business. Wannabee attackers even buy toolkits or phishing packages through online marketplaces. “It really is a business, and more and more they’re using the same kind of sophisticated technology that the companies they attack use,” says Wilbur.
Phighting back
When a phisher strikes, “time is the most critical factor in defending against a phishing attack,” says Kent Blackwell, manager for security and vulnerability assessments at Schellman & Company, Inc., an IT audit and certification firm. Most attackers view the first 15-30 minutes in a campaign as the most important.
Why? Because all it takes to defeat the entire campaign is one user flagging the email. A common line of thinking in security, according to Blackwell, is that users are the greatest weakness in an organization’s security. While this belief can be true, the inverse is also true. “The best defense against any phishing attack is your people; one well-trained user is enough to stop even the craftiest of phishing attacks in its tracks,” Blackwell adds.
In one case, a pro at a cybersecurity vendor got a real-time sense of his enemy — and turned the tables — when the recipient of a suspect message raised a red flag. The message claimed to be from the company CEO, stating that a major customer was upset about a bad delivery. The sender then asked the employee to text the CEO. Fortunately, the security pro had a burner phone and texted back. After a promise to deliver a $20,000 wire transfer to soothe the “customer,” the attacker shared his bank account information. With that, the security pro alerted the bank to the fraudulent activity, identified the attacker’s origin point in Nigeria, and shut down the IP address. In this real time game of IT chess, for once the defender won.
Justin Sherman, cybersecurity policy fellow, New America
Unfortunately, a win is rare. In practice, more often than not, human defenses are unreliable. One reason is human “wiring.” Phishing is a form of social engineering, so it targets flaws in our decision-making processes. Simply showing employees that phishing exists is not enough. Employees need to learn how to think differently. Raising employee and consumer awareness of specific deception techniques is one of the best ways to fight phishing attacks, says Justin Sherman, cybersecurity policy fellow at New America, a nonpartisan think tank.
“Our brains have evolved to make rapid decisions through heuristics, or mental shortcuts, which can be useful in some cases but degrade the effectiveness of our decisions in others,” he says. This is precisely what phishers target. For instance, he notes, we all rely on “representativeness,” where we mentally group similar experiences or stimuli into categories. If we see four wheels, a license plate, and headlights, Sherman explains, we don’t need to explicitly think about what that means; our brains just say “car.” This is what phishers target with emails that look legitimate, for example, knowing that if they use a copy of the Amazon logo and related fonts and colors, we won’t look closely enough to realize the email is not from a legitimate Amazon address. “We’ll click on the link, enter our username and password, and get hacked, since it’s representative of a real email,” he says.
(Story continues below)
Four ways to fight phishing. Emailers offer advice…
Matthew Vernhout, vice chairman of the Email Experience Council, an organization of email marketing professionals with a vested interest in keeping email trustworthy and legitimate, recommends a four-point approach to fighting phishing:
1. Get educated. Consider investing in phishing awareness training for employees.
2. Improve business processes. When dealing with large monetary transfers, build a secondary verification into the process. For instance, he notes, the company could decide that anything over a certain fixed monetary value requires two forms of verification from the requestor. This solution could be an email supplemented with a phone call or a signature from the requestor’s manager. “Put this process in writing, inform the rest of the company, and stick to it, whether it is a request from the CEO or a lower-level accountant,” says Vernhout.
Matthew Vernhout, vice chairman, Email Experience Council
3. Invest in solid technology. A good anti-spam product is the first line of defense and will help catch many fraudulent emails before they reach the inbox. Increasingly, these tools work with email authentication solutions like SPF, DKIM and Domain-based Message Authentication, Reporting & Conformance (DMARC). Once email is properly authenticated, consider taking the next step with Brand Indicators for Message Identification (BIMI), an industry-wide effort that leverages SPF, DKIM, and DMARC to provide recognizable and authenticated logos. “While it’s in beta now, you can get your affairs in order to opt-in when BIMI opens for broad use,” Vernhout says.
4. Craft a response plan. Mistakes happen. Knowing a plan is in place in the event of a successful phishing attempt will organize the team around minimizing the attacker’s access. This plan should include senior IT resources, financial teams, and communication groups to mobilize any of the necessary resolutions. These could include system hardening, network forensics, financial management, and communications (internally and externally). Ever considered cyber insurance to cover breach and BEC compromises? “It may be worth pondering, especially now, before the issues become more prevalent to your organization,” Vernhout adds. — AE
Sherman says another example of human frailty is optimism bias, where people think they are better at a given task than the average person. Many people text and drive despite knowledge of the risks, because they believe they can do it safer than others. “Online, this same optimism bias can lead us to behave recklessly when opening attachments or clicking on email links—again, thinking that we’re somehow more likely to detect the trickery than the oblivious `average user’ we hear so much about,” he says.
Network security requires everyone to do their part. Educating employees and consumers about these cognitive heuristics and the ways they are exploited is essential to addressing the problem. Overall, the key is for employees to consume information and make decisions more critically. Asking things such as “is it normal for my credit card company to ask for x?” does not take much effort but can be the difference between staying safe online and becoming a victim of identity theft, Sherman stresses.
Of course, technical fixes are vital as well. Blackwell says email defense services are a helpful addition to an email security perimeter, but only if configured correctly. “Too often these services are dropped into an existing network architecture, configured to work at a basic level, and never touched again,” he says. Network defenses should be tuned regularly to fit every organization’s specific setup, and email is no different. For example, he explained, administrators can add organization-specific terms to their phishing filters such as the names of executive-level employees, human resource services such as payroll and benefits, or anything related to the help desk or IT, which might increase the likelihood of spotting or thwarting a phishing attempt.
Wilbur and the OTA believe authentication technology helps. “We have recommended this for a long time,” he says. The two key standards are Sender Policy Framework (SPF), a validation protocol that detects and blocks email spoofing, and DomainKeys Identified Mail (DKIM), which signifies that a domain’s administrator authorized the incoming email from that domain. “They complement each other,” says Wilbur.
(Story continues below)
How to phight phishing
Security pros constantly invent better mousetraps, but mice never stop evolving. If the “mice” keep evolving, how exactly can organizations stop attacks? The secret is to reduce vulnerabilities within the organization as much as possible, according to Josh Bartolomie, director of research and development at Cofense, who presented during the recent SC Media webcast Phishing: Sinister or Simply Good Business (for the Cyberattacker).
Two-factor authentication and strong password security are a must, but these steps are only the beginning. The best defense, according to Bartolomie, is combining security awareness training with good technology. By making it harder to execute attacks, it gives the defenders “a wider window to prevent the attack running through our network or to minimize the damage,” he says.
In practice, attackers often target lower-ranking employees with mock demands, perhaps in the form of a message supposedly from a senior business executive. This method has proven very successful. Executives are also major targets in and of themselves; they might have more in-depth access than other employees. Bartolomie says companies can ramp up spam filtering to a higher level for those executives and add a security point of contact. VPs must deal with check-in calls as a result — an annoying but necessary adaptation.
Finance, HR and legal teams handling sensitive, business critical information are another frequent target for attackers. HR teams might respond by filtering incoming emails and running suspicious messages through a sandbox environment where they can’t do any harm.
The best defense of all is motivating employees to join the company protection effort. Sometimes security teams are too ‘cloak and dagger,’ he warns. If mock phishing attacks are never followed up on, employees are left to wonder if attacks are ever real at all.
Transparency and communication helps to bridge the gap. Security teams can share examples of recent phishing emails and congratulate employees who spotted suspicious messages through a newsletter or recognition program. “Send out attacks you’ve seen in the last few weeks, add people to [the] newsletter who spotted malware attacks,” says Bartolomie. He added to avoid shaming employees if they make a mistake during tests. “It makes people less apt to engage or report.”
So, while the mice might keep evolving, companies can stop leaving out “cheese.” And, of course, keep working on better traps. — AE
DKIM is cryptographic and there are concerns with performance, but that issue is not a big problem, Wilbur says. “DKIM protects people you are sending to from getting email that’s not from you and it protects you from anyone incoming that’s pretending to be you.” And while there are other mechanisms to fight phishing, “email authentication is foundational,” he adds.
Unfortunately, Wilbur notes, adoption of these technologies is still limited with the exception of a small number of high-profile companies, typically financial institutions. He notes, in particular, that one outstanding example is Aetna under CISO Jim Routh.
Wilbur is by no means alone in advocating for two-factor authentication. Verizon’s 2018 “Data Breach Investigations Report” (DBIR) also recommends the same. According to the authors note, “Phishing campaigns are still hugely effective. And employees make mistakes. Two-factor authentication can limit the damage that can be done if credentials are lost or stolen.”
Another technology that must be adopted, according to Wilbur, is multifactor authentication for users. Phishers can still spoof authentication systems, “but it is much harder,” he says. Further measures, such as biometrics and integrating a phone or mobile device into the authentication process, are also helpful. Phishers can spoof phones or perhaps even biometric authentication but he adds that this policy also makes their jobs harder.
Wilbur says that each of these technologies has “edge cases” where they don’t work perfectly, but they cover each other’s gaps pretty well when used together. What if something does not authenticate? The message can go in a separate folder, allowing senders to dictate policies about handling failed messages.
“If you have your authorization acts together and you can be highly confident about rejecting what is false,” he says, which means that questionable mail simply won’t get to the inbox.
Ultimately, shoring up every line of defense against phishers is a must. Just like fishing, the trick for phishers is getting “fish” to take the bait, being in the right place at the right time, and knowing what bait to use, says Schulz.
Even for savvy technology users, a mere moment of inattention can have severe consequences. If IT infrastructure prevents employees from receiving the bait in the first place, no one can bite. Some phishing messages will get through, but ongoing user education ensures that even the people least comfortable with computers understand how to identify, report, and avoid the threat.
And that has got to be a good thing.