Order Out of Chaos: Tackling Phishing Attacks

Sometimes the old ways are the most effective. While black hat artificial intelligence and 5G threats grab the headlines, phishing remains the top challenge for global organizations. Like all good cybersecurity, there’s an art to responding effectively. And in this case, it requires a combination of commodity tools, cutting-edge machine learning techniques and human-powered defense. That’s how to create order out of chaos and beat the phishers at their own game.

The Biggest Threat

Of the 52.3 billion unique threats that we blocked in 2019, 48 billion (91%) came via email. You can bet that the majority of these were phishing attacks. In fact, according to the Cyber Risk Index report released earlier this year, it’s the No. 1 threat facing organizations today.

We know that, at its most basic form, phishing is a confidence trick. Attackers use social engineering techniques to trick the recipient into doing their bidding. Usually, they manage this by creating a sense of urgency and spoofing the email so that it appears as if sent by a legitimate entity, such as a bank, a supplier or a fellow employee. Ultimately, the phishing attack is just the first stage. The bad guys want one of two things: either employee logins with which to launch follow-on attacks or for recipients to unwittingly initiate a malware download.

The malicious payload itself could be anything from a banking trojan to an information-stealer or even ransomware. Phishing has become a top vector for the latter over recent months, enabling cybercriminals to cause chaos across the globe. We detected more than 61 million ransomware components last year, up more than 10% on 2018.

Phishing isn’t just an email-based threat, of course. In recent years, cybercriminals have expanded their repertoire to include phone-based scams (vishing) and SMS attacks (smishing). According to the FBI, these cumulatively accounted for more reported cyberattacks than any other in 2019, at 114,702 — costing victims nearly $58 million.

Scammers Are Pros

Phishing attacks have proven so popular over the years because they ultimately rely on exploiting an organization’s weakest link: its users. But that doesn’t mean the cybercriminals have been standing still. Today’s scam emails are a world away from the error-laden missives of years gone by. They’re more likely to be grammatically accurate, written in a convincing style and containing all the logos and corporate footers you’d expect from a legitimate email.

To add legitimacy, they may appear to come from a trusted colleague’s account. This is what has made Office 365 such an attractive target for hackers. As traffic is whitelisted by most filters, it offers a ready-made threat vector right into the heart of an organization, if cybercriminals can breach enough accounts. This may explain why we’ve seen the number of blocked phishing URLs that spoof the Microsoft cloud platform soar by more than 100% in the past year. Sometimes hackers hijack the legitimate accounts to revive old email conversation threads, adding in their own malicious links.

This is just the tip of the iceberg. We’re seeing new phishing techniques all the time designed to circumvent traditional security filters. One is a new attack designed to bypass two-factor authentication by using real-time man-in-the-middle style techniques. Another uses poisoned Google search results to direct unwitting users to a malicious web page controlled by the attacker. A third uses custom “404 Not Found” pages to pose as a login form to potential victims, allowing attackers to pair their domain with an infinite number of phishing landing pages.

Phishers and Fakers

We’ve also begun to see phishing stretch its legs beyond the realms of stealing corporate logins and triggering malware downloads. One development is the business email compromise (BEC) scam, which also uses social engineering but contains no malware. In this instance, the goal is to impersonate a CEO or senior exec in an email sent to a member of the finance team, requesting a large wire transfer of corporate funds. BEC was responsible for nearly $1.8 billion in losses in 2019, more than any other type of cybercrime and around half of the total reported to the FBI.

A further development is the use of AI-powered deepfake audio clips to trick employees. Already one company has lost $243,000 through such a scam. There are concerns that fake videos could be the next trick up the scammers’ sleeve.

Time to Fight Back Against Phishing

So where do we go from here? As phishing attempts are first and foremost attacks on employees, this is where mitigation efforts should begin. This means building a considered staff awareness and training program, using realistic simulation exercises that can be customized according to emerging phishing trends. It’s really important not to overload employees, so keep lessons down to 15-minute bursts, develop a solid cadence and host them often, and make sure that all staff from the boardroom down to temps and contractors are included.

You should also make sure you have the tools and processes in place to fight back against phishing. This could include making it easier for users to report phishing attempts they find. Also, implement a defense-in-depth technology approach that includes regular software patching to reduce the attack surface and anti-phishing email security. Look out for modern AI-powered techniques that can analyze the sender’s writing style to spot sophisticated attempts that don’t match legitimate emails. This can work well alongside more traditional filters that detect suspicious IP addresses and sender domains.
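As an added illustration of the sender-domain and spoofing checks described above (this is example code, not from the article or from Trend Micro), the routine below parses a message's headers and flags the BEC-style red flags the article mentions: an executive's display name on an external address, a look-alike of the company domain, and Reply-To or Return-Path pointing elsewhere. The organisation domain, executive list and sample messages are assumptions constructed for the example.

```python
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "example.com"  # assumption: the defended organisation's domain
EXEC_NAMES = {"jane doe"}   # assumption: execs commonly impersonated in BEC mail

def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def _edit_distance(a, b):  # Levenshtein distance, for look-alike domain spotting
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_findings(raw):
    """Return sender-header red flags found in a raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(addr)
    findings = []
    # Display name of a known exec but an address outside our domain (BEC pattern).
    if name.strip().lower() in EXEC_NAMES and from_dom != OUR_DOMAIN:
        findings.append("exec-name-external-sender")
    # Sender domain within two edits of ours, e.g. a digit swapped for a letter.
    if from_dom != OUR_DOMAIN and 0 < _edit_distance(from_dom, OUR_DOMAIN) <= 2:
        findings.append("lookalike-domain")
    # Replies or bounces routed to a domain other than the visible sender's.
    reply_dom = _domain(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_dom and reply_dom != from_dom:
        findings.append("reply-to-mismatch")
    bounce_dom = _domain(parseaddr(msg.get("Return-Path", ""))[1])
    if bounce_dom and bounce_dom != from_dom:
        findings.append("return-path-mismatch")
    return findings

# Constructed sample messages (not real traffic).
SAMPLE_BEC = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe@mail-example.net
Return-Path: <bounce@mail-example.net>
Subject: Urgent wire transfer

Need this processed before close of business.
"""
SAMPLE_LEGIT = "From: Jane Doe <jane.doe@example.com>\nSubject: Board deck\n\nSlides attached.\n"
```

In a real gateway these findings would feed a score alongside IP reputation and SPF/DKIM/DMARC results rather than block on their own, since legitimate bulk-mail relays also produce Return-Path mismatches.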

Phishing arguably represents the biggest challenge facing IT security teams today. But finding an elegant solution to the chaos of inbound email-borne threats is well within the grasp of the modern CISO.


Greg Young

Greg Young is vice president of cybersecurity for Trend Micro and focuses on enterprise security, especially for networks, clouds & virtualization, IoT/operational technology (OT/SCADA), and micro-segmentation. With 30 years of IT and cybersecurity experience, Young has been a trusted adviser to thousands of companies around the world. Prior to Trend Micro, Young served as research vice president at Gartner, where he spent 13 years covering security for networks and clouds. Young has received several honors for his work, including the Confederation Medal from the Governor General of Canada and a mention in Network World's "12 Most Powerful Security Companies," and has been named one of Sys-Con's "100 Most Powerful Voices in Security."
