Fighting Phishing: Look Beyond Employee Education

Phishing remains one of the oldest but most effective and persistent threats to enterprises of all sizes. Year after year, attackers keep returning to it to bypass security protections, penetrate corporate networks, spread malware and steal data.

Report after report shows that the problem is getting worse, not better, despite the best efforts of IT and security teams to educate employees to be vigilant about these emails and the spoofed websites that come with them.

Verizon’s 2019 Data Breach Investigations Report, for example, stated that nearly a third of all breaches in 2018 involved a phishing email attack. That’s a lot of employees clicking a suspicious link from someone they don’t know.

Beyond data breaches, the Verizon report also showed that 78 percent of all cyber-espionage incidents involved phishing emails, along with the installation of backdoors within networks to allow attackers to maintain persistence within the corporate infrastructure.

Beyond Data Theft 

An example of these types of nation-state sponsored espionage campaigns using phishing emails and spoofed websites is an Iranian-backed hacking group variously referred to as “TA407,” “Silent Librarian,” or “Cobalt Dickens,” depending on which security research report you’re reading. Over the years, this particular group has targeted some 140 organizations in the United States, and another 170 schools and universities in 21 other countries, according to security firm Proofpoint.

The U.S. Justice Department has also indicted several of its members on computer crime charges.

The end goal appears to be the theft of intellectual property from schools, research organizations and private businesses. During a recent wave of attacks, Secureworks researchers found the group registering new domains to create spoofed web pages, complete with SSL certificates to add an extra layer of apparent authenticity. The researchers also detected the hackers using free tools from GitHub and other code repositories to build phony landing pages that appeared to belong to the library system of a school or university.

What the activities of this group and others show is that phishing is not only effective, but it’s getting more sophisticated, with similar techniques targeting employees’ inboxes, smartphones and even voicemails, said Alex Guirakhoo, a strategy and research analyst at Digital Shadows, a security firm based in San Francisco.

“Common techniques include tricking individuals into enabling macros, opening an attachment, or clicking on a hyperlink, which triggers the infection process (if malware is involved),” Guirakhoo told Dice. “One of the most popular phishing vectors is via email. Still, the same tactics used in an email phishing campaign can also be applied to online messaging platforms, SMS messages, or video and phone calls.”

Over the last year, Guirakhoo says the most successful phishing campaigns have shared some common techniques that IT and security teams need to watch:

Link Manipulation

An email may include links that resemble (spoof) legitimate URLs or manipulated links that feature misspellings or use of a subdomain.

Website Forgery

JavaScript commands may be used to make a website URL look legitimate.

Covert Redirection

Recipients are directed to legitimate websites that are already compromised and display malicious pop-up dialogue boxes that, in turn, redirect users to a phishing website.

Infected Attachments

Executable (.exe) files, Microsoft Office files, and PDF documents (for example) host malicious components.
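As an added illustration of the link-manipulation patterns in the list above (not code from the article or from Digital Shadows), the script below scans the anchors in an HTML email body and flags three of them: visible text that shows a domain different from the link target, a trusted name buried as a subdomain of another domain, and a near-miss spelling of a trusted domain. The `TRUSTED` allowlist, the `SAMPLE_EMAIL` body and the `.test` hostnames are constructed for the demo, and `registrable()` uses a two-label simplification instead of the Public Suffix List.

```python
import difflib
import re
from urllib.parse import urlparse

# Domains this organisation legitimately links to (constructed allowlist for the demo).
TRUSTED = {"example.com"}

# Constructed HTML body: one legitimate link followed by three manipulated ones.
SAMPLE_EMAIL = (
    '<a href="https://example.com/">Home</a> '
    '<a href="https://login.attacker.test/">https://example.com/login</a> '
    '<a href="https://example.com.attacker.test/x">Sign in</a> '
    '<a href="https://exarnple.com/">exarnple.com</a>'
)

# Anchors are pulled out with a regex for brevity; a mail gateway should use a real HTML parser.
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_IN_TEXT = re.compile(r"[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}")

def registrable(host: str) -> str:
    """Last two labels of a hostname. Simplification (assumption): production code
    should use the Public Suffix List, e.g. tldextract, so co.uk-style suffixes work."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def looks_like(dom: str, trusted: str) -> bool:
    """True when dom is a near-miss spelling of trusted (e.g. 'rn' in place of 'm')."""
    return dom != trusted and difflib.SequenceMatcher(None, dom, trusted).ratio() >= 0.85

def check_links(html: str) -> list:
    """Return (href, reason) for each link matching one of the manipulation patterns."""
    findings = []
    for href, text in ANCHOR.findall(html):
        host = urlparse(href).hostname or ""
        dom = registrable(host)
        if dom in TRUSTED:
            continue
        shown = DOMAIN_IN_TEXT.search(re.sub(r"<[^>]+>", "", text).lower())
        if shown and registrable(shown.group()) != dom:
            findings.append((href, "visible text shows a different domain than the link target"))
        elif any(t.split(".")[0] in host.lower().split(".")[:-2] for t in TRUSTED):
            findings.append((href, "trusted name used as a subdomain of another domain"))
        elif any(looks_like(dom, t) for t in TRUSTED):
            findings.append((href, "lookalike spelling of a trusted domain"))
    return findings

if __name__ == "__main__":
    for href, reason in check_links(SAMPLE_EMAIL):
        print(f"{reason}: {href}")
```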

Beyond Employee Education

Over the years, IT and security organizations have developed numerous education programs to alert employees about phishing emails and spoofed websites… but people keep clicking on suspicious links.

In 2020, it’s time to look beyond these education programs and explore more technical solutions that can stop phishing before it reaches employees. “Employee education is a critical step in preventing successful phishing attacks. In addition to this, organizations can also adopt more technical safeguards, using a multi-layered approach with both technological and people-based strategies,” Guirakhoo said.

Try Anti-Spoofing Controls

Domain-based Message Authentication, Reporting & Conformance (DMARC), Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) methods can be used to make it harder for threat actors to reach employees; suppliers should be encouraged to adopt the same measures to mitigate supply chain attacks.
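To show what “adopting” these controls means in practice, here is an added example (not from the article or from Digital Shadows) that evaluates SPF and DMARC TXT records for the settings that leave a domain spoofable: a permissive or missing `all` mechanism, more than 10 DNS lookups, a monitoring-only `p=none` policy, partial `pct` rollout and no `rua` reporting address. The `RECORDS` dictionary holds constructed records for two hypothetical domains in place of a live DNS query; DKIM is not covered because its check requires verifying a signature on a real message.

```python
# Constructed TXT records for two hypothetical domains, standing in for a DNS lookup.
RECORDS = {
    "weak.example": {
        "spf": "v=spf1 include:_spf.mailer.example a mx +all",
        "dmarc": "v=DMARC1; p=none; pct=50",
    },
    "hardened.example": {
        "spf": "v=spf1 include:_spf.mailer.example -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@hardened.example; adkim=s; aspf=s",
    },
}
# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def assess_spf(record: str) -> list:
    """Findings for one SPF record: permissive 'all' mechanism or too many lookups."""
    if not record.startswith("v=spf1"):
        return ["no SPF record: receivers cannot tell which hosts may send for this domain"]
    terms = record.split()[1:]
    findings = []
    # The 'all' mechanism decides the fate of senders that matched nothing before it.
    all_term = next((t for t in terms if t.lstrip("+-~?") == "all"), None)
    if all_term in (None, "all", "+all", "?all"):
        findings.append(f"all mechanism is {all_term or 'absent'}: unauthorised senders are not rejected")
    elif all_term == "~all":
        findings.append("'~all' softfail: spoofed mail is marked but usually still delivered")
    lookups = sum(1 for t in terms if t.lstrip("+-~?").split(":")[0].split("=")[0] in LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceed the limit of 10: receivers return permerror")
    return findings

def assess_dmarc(record: str) -> list:
    """Findings for one DMARC record: monitoring-only policy, partial rollout, no reporting."""
    if not record.startswith("v=DMARC1"):
        return ["no DMARC record: SPF/DKIM failures are never enforced by receivers"]
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    findings = []
    if tags.get("p", "none") == "none":
        findings.append("p=none: failures are at most reported, never quarantined or rejected")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"pct={tags['pct']}: policy applies to only part of the failing mail")
    if "rua" not in tags:
        findings.append("no rua tag: no aggregate reports, so spoofing of the domain goes unseen")
    return findings

def assess_domain(domain: str) -> list:
    """All findings for a domain in RECORDS; an empty list means the records are strict."""
    recs = RECORDS.get(domain, {})
    return assess_spf(recs.get("spf", "")) + assess_dmarc(recs.get("dmarc", ""))
```

Running `assess_domain("weak.example")` returns four findings, while the hardened domain returns none; the same functions can be pointed at records fetched from DNS for a supplier’s domain when asking them to adopt the same measures.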

Network-Level Security

Malicious emails can also be filtered or blocked at the server level, with these filters and tools activated as the default for all users. The rules determining the blocking or filtering process should be adapted to the needs of the organization and may need revising on a scheduled basis.

Monitoring

Establish a security monitoring process, including the monitoring of system and network logs to identify suspicious activity—such as unusual connections to unknown IP addresses. Ensure the monitoring capability is kept up-to-date to remain effective.

Incident Response

Create an incident response plan for various scenarios, such as bulk customer password resets or the removal of malware from a company network.

Don’t Forget Mobile

Any discussion of phishing in 2020 is not complete without better protection around smartphones and other mobile devices, as attackers have adjusted their methods.

Mobile device users are at higher risk of phishing, and are often not protected by enterprise network defenses. Thanks to hardware resource constraints, smartphones also lack the breadth of safe browsing protections available in standard desktop browsers, said Atif Mushtaq, CEO and founder of SlashNext, a security firm.

“Further complicating matters is the fact that even cyber-savvy users can struggle to identify phishing attacks on mobile, as smaller screen layouts hide important clues such as full URLs, senders’ details, and more,” Mushtaq tells Dice. “Phishing attacks are growing rapidly on SMS (SMiShing), social media, messaging apps, targeted ads, pop-ups and more. Email security systems don’t protect users in these other attack vectors.”