According to Phishing.org, the practice of phishing started around 1995. Nearly 25 years later, phishing is still used by attackers of all levels of sophistication. The 2018 Verizon Data Breach Investigations Report (VDBIR) ranks it as the third most common technique used in incidents and confirmed breaches and finds that 70 percent of breaches associated with nation-state or state-affiliated actors involved phishing. However, even low-level hackers are using phishing with success thanks to a rich ecosystem of threat actors on cybercriminal forums and messaging applications sharing tips and tools.
Here are just a few examples of the techniques this wide swath of actors can choose from when executing their phishing campaigns.
Social media: The Sony Pictures Entertainment attack, the Bangladesh bank heist and the WannaCry outbreak all involved highly proficient, state-backed attackers using a variety of pretexts to convince targets to click on the link in their phishing emails. Pretexting involves masquerading as another entity to obtain the information desired from the target. In these campaigns, the phishing emails appeared to be official notification emails from Facebook or Google and the attackers also sent messages directly through social media sites like LinkedIn.
Expert assistance: Less sophisticated threat actors have access to a wide variety of forums and groups where they can learn the latest phishing techniques, as well as purchase step-by-step tutorials and phishing templates to conduct their own campaigns. Novices don’t even have to venture into the dark web to get access to these illicit tools – they are readily available on the surface web on well-known sites.
Spoofing: Individuals are more likely to open an email when they believe it is from a legitimate sender, so attackers often choose to spoof or forge the email header in their messages to increase their chances of success. Spoofing is often used in Business Email Compromise (BEC) and can be quite convincing, as evidence by the fact that BEC and Email Account Compromise have cost organizations billions of dollars in losses over the last five years. Tutorials on spoofing techniques include everything from how to create, compromise or find a Simple Mail Transfer Protocol (SMTP) server from which to send the spoofed emails, to how to prevent emails from ending up in spam folders or the hosting IP from ending up on blacklists.
Cloning websites: More sophisticated actors tend to use platforms such as Metasploit or Social Engineering Toolkit (SET) to create a clone of a legitimate website and an impersonating URL. For aspiring phishers, a website cloning or mirroring service known as XDAN CopySite makes it easy. All they need to do is enter the domain of the website they want to clone, and within seconds they have a static version of the site – enough to be convincing at first glance. Phishers will then host the html file, or series of files, on a website using an acquired domain. Sophisticated actors also have a few shortcuts available. For example, Metasploit includes a credential harvesting script and will even host the web server for the attacker.
While barriers to entry continue to fall and techniques become more advanced, individuals are not taking the bait as frequently. The 2018 VDBIR says on average only four percent of people in any given phishing campaign will click. Still, attackers need only one person to click to accomplish their mission.
So, what can organizations do to further mitigate their digital risk from phishing attacks? These five steps can help:
1. Limit what information your organization and its employees share online, including on social media sites such as Facebook and LinkedIn. The most successful phishers will perform detailed reconnaissance on targets, so they can craft the most effective emails and social engineering lures.
2. Monitor for registrations of typo- or domain-squats that can be used by attackers to impersonate your brand, send spoof emails and host phishing pages.
3. Implement additional security measures such as Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC) and DomainKeys Identified Mail (DKIM). These can make the spoofing of your domain more difficult.
4. Protect your accounts in case phishers do manage to steal user credentials. Two-factor authentication measures should be mandated across the organization and implemented wherever possible.
5. Train your employees how to spot phishing emails and alert security teams to suspected phishing attempts. Eventually, a phishing email will fall through the net. Employees need to know how to report these quickly without fear of repercussions of being the victim of a social engineering attack.
Although phishing is now in its third decade, organizations must remain vigilant. Threat actors rely on tried and trusted methods; as long as there is even a four percent chance that phishing techniques will be successful, they will continue to use them. Furthermore, with little to no learning curve, we can expect more threat actors will jump on board. Fortunately, by continuing to prioritize the right controls and training policies, organizations can reduce their chances of being reeled in.