By Salvatore Stolfo on Oct 17, 2019, 2:19:55 PM
The continued attempts to hack the computers used by staff of political parties and citizen groups at the core of our deliberative political system are increasingly disturbing. Phishing, traditionally associated with the banking and financial industry, was at the very center of the attack on the 2016 U.S. election, and that episode showed how quickly phishing spreads to any company whose website requires customers to log in and share personally identifiable information.
Phishing is one of the most popular attack vectors for stealing user credentials, giving cybercriminals access to a user's accounts and systems and, from there, to sensitive data. The 2019 Verizon Data Breach Investigations Report shows that phishing remains the leading action in confirmed data breaches. It has been around for decades because it is one of the most reliable ways to take over a target's accounts.
A post-mortem of the phishing campaign that compromised email at the Democratic National Committee (DNC) revealed that Russian GRU hackers sent almost 30 phishing emails to various targets at the DNC before they succeeded. That is the attacker's advantage: they only have to succeed once, while a defender has to succeed every time.
And yet, even with the benefit of hindsight and post-mortem forensics, the U.S. just experienced a case of déjà vu when reports broke that nation-state hackers had targeted staffers for the Trump re-election campaign. Microsoft disclosed that between August and September, Iranian hackers made more than 2,700 attempts to identify specific target email accounts, including those belonging to a U.S. presidential campaign, current and former U.S. government officials, journalists, and Iranians living outside Iran. They went on to attack 241 of those accounts and compromised four, none of which belonged to the presidential campaign or to government officials. The same group is also reported to be targeting cybersecurity researchers with the same tactics.
Such successful attacks haven't gone unnoticed, and in recent years businesses and security vendors have focused on detecting phishing emails and training employees to spot them. Blocking suspicious email and building employee awareness are a good start, but neither reaches the most vulnerable target: a company's customers. Customers use a wide variety of email systems outside the company's control, and they rarely receive any formal security training, which makes them soft targets.
Worse yet, these attacks are relatively easy to execute. The first step is typically to copy the website containing the login page that target customers use, then alter the copy so that submitted credentials are captured by the attacker. Free, easy-to-use site-copying tools make this a snap. The attacker then hosts the copy on a server, usually under a domain that looks authentic but is subtly wrong (such as "bankofcmerica.com"), sends phishing emails with links to the spoof site, and harvests the credentials of deceived customers.
Pitfalls of Legacy Phishing Detection Tools
To detect these attacks, most organizations try to find the spoof sites by searching the web for brand images and content copied from the original site. Domain registration monitoring (for example, watching for newly registered domains that are slight misspellings of the brand's) can help as well. But these approaches have substantial limitations:
- Incomplete detection. A spoof site can be hosted anywhere, under an obscure URL, and periodic searches may never find a well-hidden one.
- Slow detection. Even when periodic searches for spoof domains work, they typically find the site hours or days after it launched. IBM research indicates that 70% of credentials are stolen within the first hour of an attack.
- No visibility into attack scope. Most anti-phishing solutions give no indication of whether any customers fell victim, let alone how many.
- The attacker remains at large. Most phishing prevention solutions offer little or no intelligence about the attackers. Your detection tooling may have stopped this campaign, but the adversary is free to strike again, and with the search-and-hope approach the organization has no way to deter the next attempt: the attacker is long gone with the stolen credentials.
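As an added illustration of the domain-monitoring approach described above (example code written for this post, not Allure's product code), the script below screens a constructed feed of newly observed domains against a brand domain using homoglyph folding and edit distance. The brand domain bankofamerica.com is assumed from the post's "bankofcmerica.com" example; the feed entries and the distance threshold are constructed for the example.

```javascript
// Lookalike-domain screen for a newly-registered-domain or CT-log feed.
// Added example for this post, not Allure's product code. The brand domain
// and the feed entries are constructed for illustration; the post's own
// "bankofcmerica.com" is included as one entry.

const BRAND = "bankofamerica.com"; // assumed legitimate domain behind the post's example
const MAX_DISTANCE = 2;            // edit distance at which a label counts as a typosquat

// Constructed feed entries, the kind of thing domain-registration monitoring yields.
const OBSERVED = [
  "bankofcmerica.com",       // single-character substitution (the post's example)
  "bankofarnerica.com",      // "rn" rendered to look like "m"
  "bank0famerica.com",       // digit zero for the letter o
  "bankofamerica-login.net", // brand string embedded in another name
  "bankofamerica.com",       // the genuine domain
  "example.org",             // unrelated
];

// Common visual substitutions; multi-character keys must be folded first.
const HOMOGLYPHS = [["rn", "m"], ["vv", "w"], ["0", "o"], ["1", "l"], ["3", "e"], ["5", "s"]];

function foldHomoglyphs(label) {
  let out = label;
  for (const [from, to] of HOMOGLYPHS) out = out.split(from).join(to);
  return out;
}

// Second-level label. A real deployment should consult the public suffix
// list so that "brand.co.uk" does not yield "co"; omitted here for brevity.
function secondLevelLabel(host) {
  const parts = host.split(".");
  return parts.length >= 2 ? parts[parts.length - 2] : parts[0];
}

// Plain Levenshtein edit distance (single-row dynamic programming).
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + cost);
      diag = above;
    }
  }
  return row[b.length];
}

// Classify one observed domain relative to the brand.
function classify(domain, brand = BRAND) {
  const host = domain.toLowerCase().replace(/\.$/, "");
  if (host === brand || host.endsWith("." + brand)) {
    return { domain, verdict: "legitimate", distance: 0 };
  }
  const brandLabel = foldHomoglyphs(secondLevelLabel(brand));
  const label = foldHomoglyphs(secondLevelLabel(host));
  const distance = levenshtein(label, brandLabel);
  if (distance <= MAX_DISTANCE) return { domain, verdict: "lookalike", distance };
  if (label.includes(brandLabel)) return { domain, verdict: "brand-embedded", distance };
  return { domain, verdict: "unrelated", distance };
}

// Everything worth a closer look, nearest matches first.
function scanFeed(domains, brand = BRAND) {
  return domains
    .map((d) => classify(d, brand))
    .filter((r) => r.verdict === "lookalike" || r.verdict === "brand-embedded")
    .sort((x, y) => x.distance - y.distance);
}

for (const hit of scanFeed(OBSERVED)) {
  console.log(`${hit.verdict.padEnd(14)} distance=${hit.distance}  ${hit.domain}`);
}
```

Run it with node. The output lists the post's bankofcmerica.com at distance 1 and the two homoglyph variants at distance 0. The screen catches exactly what registration monitoring can catch and no more: a clone hosted under an unrelated name, or as a path on a compromised site, scores as unrelated, which is the incomplete-detection limitation listed above.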
A more sensible approach focuses on early detection and a smarter mitigation strategy, one that is painful for the attacker and provides actionable data for the targeted organization. Using patented beacon technology, Allure detects a spoof website as soon as its first visitor views it during a phishing attack. Security teams can initiate the takedown process immediately while collecting information about the victims and striking back at the attacker. The Allure SaaS solution goes beyond current approaches to phishing detection and helps organizations in the following ways:
- Knowing how many customers have been impacted, and who they are.
- Collecting valuable intelligence on the attacker: when and from where they launched the attack.
- Gathering information useful to initiate the takedown.
- Responding quickly by injecting decoy credentials into the spoof site, thus poisoning the collection of stolen credentials while the takedown is underway.
Modern Phishing Attacks Require a Modern Approach
It’s time to get proactive about a pervasive security problem that is only increasing as more transactions between businesses and customers move online. To find out more about how the Allure SaaS solution can significantly improve your business’s response time to potential phishing attacks, protect customer data and preserve brand reputation, contact us today.