2018 was the year of the phish, and phishing attacks are only growing more sophisticated
Despite the bitter temperatures that January brings, fishing enthusiasts will brave the cold and traverse the ice with saws and augers to drop a line or a spear in hopes of catching something. As it is on Lake Erie, so it is in the digital world. Freezing or not, on ice or online, “a phisher’s gonna phish.”
Just as the techniques of ice fishing have evolved over the past decades, so, too, have online phishing attacks grown more sophisticated. If 2017 was the year of ransomware, 2018 was the year of the phish, according to Proofpoint’s “State of the Phish 2019.”
It’s true that email has long been the attack vector of choice for many hackers, but “social engineering techniques are also used outside of email to gather data and infiltrate your organization. Cybercriminals regularly use pretexting, vishing, and smishing attacks to try to penetrate your defenses,” according to the report.
Many organizations have started incorporating simulated attacks into their security awareness training, which has pushed attackers to become more creative. The “2019 State of Malware Report” recently published by Malwarebytes found that Emotet and TrickBot were effectively used in attacks that included “distribution via malspam disguised as legitimate email—your classic phishing/spear phishing campaign.”
Understanding New Phishing Trends
With the explosion of Office 365, attacks have evolved into more coordinated, multi-phased events.
“Phishing used to be much more isolated: hackers would send a PayPal phishing email to harvest credentials and immediately extract the funds associated with those accounts,” said Adrien Gendre, Vade Secure chief solutions architect. “Hackers first send phishing emails to harvest Office 365 credentials. Then, they use those compromised accounts to conduct targeted attacks laterally within the organization.”
In fact, Carbon Black reported in its recently published “2019 Global Threat Report” that nearly 60 percent of attacks today involve lateral movement. In other words, attackers penetrate the network and lurk inside it, identifying additional targets as they move through the different stages of an attack.
“It’s actually easier and more effective to take this phased approach because the spear phishing emails come from legitimate accounts inside your company—making the attacks virtually impossible to detect,” Gendre said.
Malicious actors also exploited zero-days in browsers and plugins which, according to Malwarebytes, were combined with spear phishing or social engineering attacks embedded within Office files.
Non-malware and fileless attacks also floated to the top as one of last year’s most popular attack methods. According to Carbon Black, “These types of attacks often originated from phishing campaigns that are leveraging Microsoft Office Word documents with obfuscated VBScripts. … This represented an evolution of current macro attack techniques, where these types of cmdlets are not typically associated with phishing campaigns.”
Attackers are also marrying two techniques into a single attack, as was reported by MalwareHunterTeam. In a recently discovered ransomware attack, researchers found that victims trying to pay the ransom were directed to a PayPal landing page that was actually a link to a phishing page, where their login credentials were stolen.
How to Get Ahead of a Big Phish
With the Proofpoint report finding that 83 percent of security professionals saw a higher rate of all types of phishing attacks in 2018, educating employees has never been more essential. In fact, nearly 60 percent of organizations that included such training in their cybersecurity awareness programs reported a marked increase in their employees’ ability to detect suspicious emails.
Though many employees were able to correctly define phishing, only 23 percent correctly identified smishing (SMS phishing) and as few as 18 percent knew what vishing (voice phishing) is. Part of the problem is that the tides continue to change, resulting in a constant ebb and flow of what employees need to know.
Education has to evolve at pace with the threats. It is not a one-shot, annual box-ticking exercise. In a press release, Joe Ferrara, general manager of security awareness training for Proofpoint, noted: “As these threats grow in scope and sophistication, it is critical that organizations prioritize security awareness training to educate employees about cybersecurity best practices and establish a people-centric strategy to defend against threat actors’ unwavering focus on compromising end users.”