Getting Ahead of Phishing
Phishing attacks continue to be one of the most popular methods of illegitimately obtaining funds, identities, and credentials. Social engineering, at its best, can entice users to pay over large sums of money, and provide access to private and confidential data that is normally locked down. The activity has evolved significantly over the years, and today, complex and targeted phishing attacks can be difficult to detect by even the savviest IT professionals. Phishing is not just attractive for financially motivated cybercriminals, but also for state-sponsored threat actors. The Callisto Group, uncovered by F-Secure, is particularly adept at setting up sophisticated phishing infrastructure for cyber espionage purposes targeting high-profile groups, including military personnel, government officials, think tanks, and journalists.
Ordinary cybercriminals are employing similar techniques. In March 2016, a Lithuanian phisher was arrested after several months of investigation for having successfully tricked two US companies into sending him over $100 million. Using phishing techniques, the attacker had been impersonating a Chinese OEM the firms usually dealt with, requesting payments over the course of two years. The attacker had targeted the companies specifically, crafting an elaborate phishing campaign involving forged invoices and letters, corporate stamps and contracts, and a fake board of directors.
Business-targeted spear phishing campaigns have proven relatively successful, with a 45% success rate, as opposed to bulk phishing (5%-14% success rate). Phishers target employees in accounting, and impersonate executives demanding payments to specific accounts. Known as CEO fraud, or whaling, these types of scams surfaced in 2015, and have had devastating effects on companies. They target executives with authorization to make larger payments on behalf of the company. Often, the attackers spend time and resources to ensure they can impersonate the CEOs as accurately as possible. In a first phase, the executive is targeted with a spear phishing campaign, to steal credentials and other information that an attacker can use to build a profile. The second phase consists of duping other employees into executing on behalf of the scammer.
Such attacks unfortunately co-exist with thousands of other basic, badly written and seemingly obvious phishing attempts taking place every day. The popularization of phishing among the criminal underclass has driven evolution, leveraging machine learning and automation for analyzing data records to identify targets, drafting emails, recording click through rates, etc. The continued success propels their usage across many sectors, from consumers to business. Complex techniques are becoming more accessible to amateur phishers as well. The use of homograph attacks (successful in both Chrome and Firefox) coupled with the free obtention of SSL certificates through certification authorities like Let’s Encrypt (which has done away with pre-issuance checks), phishing websites can look convincingly legitimate.
At Black Hat USA 2016, two security researchers, John Seymour and Philip Tully presented on "Weaponizing data science for social engineering: Automated E2E spear phishing on Twitter". Using a recurrent neural network, the model learned to tweet phishing posts targeting specific users and had a success rate of 30%-60%.
Social engineering targets the human element and so anti-phishing solutions are primarily focused on educating this element, raising awareness about the threat, and training it to recognize and respond appropriately. However, with the increased sophistication of phishing techniques, anti-phishing solutions are increasingly making use of a combination of technology and education to minimize the risk, including machine learning and automation. A few firms are offering innovative ways to mitigate the risks associated with phishing attacks.
ReSec Technologies and Votiro for example use Content Disarm and Reconstruction technology to strip files of code that is not approved within a system’s security policies, creating a duplicate that the user can then open.
PhishMe provides a phishing-specific incident response platform that automates the prioritization, analysis and response to phishing threats.
IBM Trusteer automates the classification of phishing sites in a much shorter amount of time using machine learning and data analytics.
Ironscales on the other hand combines machine learning with human intelligence, providing both technology and the human element.
Phishing is not likely to subside anytime soon because the human element can be easily undermined with the right type of social engineering. The increasing amount of personal information available online and being stolen on a regular basis from large organizations provides ample fodder for spear phishers. Leveraging the latest technology tools, even bulk phishers can easily refine their techniques. However, these same tools can be used to combat phishing attempts. Most importantly, technology needs to complement human training and intelligence gathering to provide an effective counter.