This article originally appeared in CPO Magazine on March 19, 2019.
As custodians of the world’s most commonly used computer operating systems and cloud-based office tools, Microsoft’s security team is uniquely positioned to analyze trends in cyber security threats. The company’s regular Security Intelligence Reports, published at least annually since 2006, serve as an excellent indicator of these trends. The most recent report indicates that phishing attacks are now by far the most frequent threat to the cyber landscape, increasing a massive 250% since the publication of the previous report.
Microsoft’s numbers are based on an internal scan of Office 365 email addresses, with over 470 billion messages analyzed. The company reports that not only are phishing attacks much more frequent, but they have also significantly increased in sophistication in a short amount of time.
The rise of the phisher kings
Until now, malware has typically been seen as the leading threat from cyber criminals looking for confidential information – particularly “zero-day” exploits that go active immediately after being discovered.
Phishing attacks have been trending upward for some time, but Microsoft’s data indicates that they are now becoming the preferred practice of criminals. The techniques employed are also quite diverse. Attackers are often able to convincingly impersonate users and domains, bait victims with fake cloud storage links, engage in social engineering and craft attachments that look similar to ones commonly used in the organization, among other attack types.
Attacks have also increased in sophistication by employing more complex phishing site infrastructures that can be made to look more legitimate to the target. This includes the use of well-known cloud hosting and document sharing services, which phishing targets often erroneously believe are secure simply due to name recognition.
Though phishing scams are more sophisticated, they are also more accessible to unsophisticated operators. Phishing kits, which clone popular websites and operate from temporary servers, can be purchased from underground dealers for relatively small prices by any aspiring cyber criminal with the cash. These “out of the box” solutions simply require attackers to forward a prefab email with malicious links already embedded to their desired targets.
Beyond phishing attacks
None of this is to suggest that malware is no longer a major threat. In fact, phishing attacks often serve to direct the target to a malware installation. Phishing is particularly appealing to attackers because of the human element, however: malware and countermeasures are constantly developing in an arms race of sorts, but human vulnerabilities remain fairly consistent.
Machine learning improvements have done much to help automatically block phishing emails, but these can only go so far. When phishing is the primary means of cyber attack, it’s ultimately down to each specific individual with login credentials to make the right decisions when they receive an email.
Usman Rahim, Digital Threat Analyst at The Media Trust, provided the following comments on threat innovation and how organizations can keep pace with it:
“Malicious actors are always on the lookout for new ways to hack devices and machines. Phishing, whether through email, social media, malvertising, or any other channel, takes advantage of the fact that most consumers pay little attention to details and are likely to click on an email link, an ad, and enter sensitive information when prompted.
“What’s worrisome is that as threat actors innovate, they are finding new ways to escape detection by checking for known anti-malware solutions, to persist despite a browser reboot, to steal device information like IPs, and to switch infection tactics when they’ve been discovered. The cat and mouse game between security providers and threat actors continues unabated.
“The best defense for organizations is to take a layered approach to security that involves employee training and collaboration with digital supply chain partners. The former addresses internal threats; the latter will address the risks that reside within the supply chain, most of which fall under the radar of most organizations.”
Supply chain attacks and phishing
Microsoft makes particular note of supply chain attacks as another new area of focus for cyber criminals. These attacks tend to be focused on malware delivery, particularly, as of late, malware that installs cryptocurrency coin miners. This new focus means that any outside vendor with access to an organization’s systems is a potential point of compromise, and should ideally be evaluated for its ability to prevent phishing attacks.
Some of the biggest high-profile data breaches follow the pattern of email phishing attacks on a vendor leading to malware compromise of the targeted organization. This isn’t a new pattern, either. For example, the 2013 “whaling attack” on retail giant Target that exposed 70 million customer records began with the successful email phishing of an HVAC vendor. A late 2018 survey by the Ponemon Institute found that a little over half of the organizations surveyed experienced a data breach that originated with a vendor. Worryingly, only 35% of those companies maintained a full and current list of all the third parties they were sharing access to sensitive data with, and only 18% knew if their vendors were sharing account information with outside parties.
How do organizations manage the risks posed by third-party vendors over whom they may have little to no influence? The first step is in carefully reviewing each vendor’s security policies for adequacy. Language specifying security standards has begun appearing in vendor agreements and is likely to become quite common in the future. Organizations may opt to conduct their own audits on vendors, or to work only with vendors who undergo reputable third-party auditing at regular intervals. In-house, organizations can also review their access policies for vendors and ensure that these points of interface are secured properly and that a breach response plan encompassing them is in place.
Most attackers entering through the supply chain are headed straight for an organization’s point of sale (POS) system or their invoicing system looking for financial gain. Ideally, access to POS and invoicing systems should be limited strictly to relevant transactions. Regular reviews of invoices for irregularities can also provide an early indication of a successful phishing attempt.
Staying off the hook
When you look over the full list of phishing attacks in the Security Intelligence Report, it’s striking how simple diligence can defeat just about all of them.
For example, methods such as domain spoofing and impersonation can quickly be spotted by independently visiting the legitimate website in question rather than clicking through the contents of the email. Likewise, credential phishing is circumvented by never using login pages or entering form information directly through an email account. User impersonation ruses can also be detected by simply contacting the original source to verify.
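As an added illustration of the domain spoofing and impersonation checks described above (this is not code from the original article or from Microsoft's report), the following Python script flags lookalike sender domains and display-name impersonation in an email From: header; the trusted-domain allowlist and the sample headers are constructed for the example.

```python
import re
from email.utils import parseaddr

# Constructed allowlist: the domains this organization and its vendors legitimately send from.
TRUSTED_DOMAINS = {"example.com", "vendor-hvac.example"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch near-miss (typo-squat) lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_sender(from_header: str, trusted=TRUSTED_DOMAINS) -> list:
    """Return a list of findings for a From: header; an empty list means nothing suspicious."""
    display_name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain in trusted:
        return []
    findings = []
    for t in trusted:
        # Typo-squat / homoglyph lookalike: one or two characters away from a trusted domain
        if 0 < edit_distance(domain, t) <= 2:
            findings.append(f"lookalike domain {domain!r} resembles trusted {t!r}")
        # Trusted domain reused as a subdomain of an unrelated domain (example.com.evil.test)
        if domain.startswith(t + "."):
            findings.append(f"trusted domain {t!r} appears as subdomain of {domain!r}")
        # Display name drops a trusted brand while the real address lives elsewhere
        brand = t.split(".")[0]
        if brand in display_name.lower():
            findings.append(f"display name mentions {brand!r} but address domain is {domain!r}")
    # Display name embeds an email address whose domain differs from the actual sending domain
    m = re.search(r"@([A-Za-z0-9.-]+)", display_name)
    if m and m.group(1).lower() != domain:
        findings.append(f"display name embeds address at {m.group(1).lower()!r}, not {domain!r}")
    return findings


if __name__ == "__main__":
    # Constructed sample headers, one per impersonation technique the article names
    for header in ('Example Payroll <payroll@example.com>',
                   'IT Support <helpdesk@examp1e.com>',
                   'Billing <invoices@example.com.evil.test>',
                   '"ceo@example.com" <random123@free-mail.test>'):
        print(header, "->", assess_sender(header) or "ok")
```

In a mail pipeline the same checks would run over the From: and Reply-To: headers before a message reaches the user, rather than relying on the recipient to notice the mismatch.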
Indeed, most of these phishing messages succeed simply through blind trust, impulsiveness and a lack of awareness of how common phishing is. Proper organization-wide training in recognizing common phishing approaches, together with clear policies on how to respond to requests, can do wonders to counter this. Of course, organizations must be just as diligent about verifying that their vendors are doing the same.