Email has been the favorite tool of threat actors since the dawn of cybercrime. Cheap, accessible, and easy to use, email provides instant access to the inbox of millions of potential victims. The latest IC3 report from the FBI found phishing, along with variants like smishing and vishing, to be easily the most common type of cyber attack in 2020. More sophisticated, targeted Business Email Compromise (BEC) attacks were found to be the costliest, with reported incidents costing $1,866,642,107 globally over the last year.
Most phishing attacks use the same set of simple tricks that have been successfully deceiving consumers and workers for years, such as spoofing techniques that mask the sender address to appear as a trusted contact, and phishing sites disguised as genuine login portals. However, fraudsters have been able to increase both the volume and sophistication of their attacks in recent years thanks to the same cloud-based digital tools that have been supporting legitimate business.
Parasites on the digital boom
Even before the events of 2020 made a web presence mandatory for staying operational, digitalization has been increasingly essential for staying relevant and competitive. Advancing technology means that even the smallest firms can create functional and attractive websites with services like Wix and Weebly. Registering and designing a site can be achieved in a matter of hours.
Unfortunately, the same goes for cyber criminals. Website builders have proven to be ideal for crafting fake versions of real, trusted websites, which can then be linked from phishing emails to harvest credentials. Because domains like wix.com are widely recognized and carry a high level of legitimate traffic and engagement, most email security solutions are unlikely to flag links to pages hosted there as threats.
How legitimate web services are exploited
In one example we came across, the criminal used Wix to create a fake Microsoft Outlook login page, and then sent out phishing emails warning the targets that they needed to authenticate their account to access emails that were waiting for them. The aim is that busy workers won’t stop to scrutinize the message’s inconsistencies and will quickly click the link and enter their details – neatly handing them over to the attacker.
Other common approaches include using the website builder to simulate file sharing services like SharePoint and Google Docs, again with an urgent message about a waiting file to bait the target into clicking.
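The Outlook lure above and the SharePoint/Google Docs variants share one detectable trait: a link whose host is a site-builder domain while the surrounding email dresses it up as a well-known brand's login or file page. The following detection heuristic is an added example, not code from the original article; the site-builder domain list, the brand keyword list and the two sample emails are constructed for illustration and would be maintained by the operator in practice.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Assumed list of site-builder domains whose subdomains host user-created pages
# (the article names Wix and Weebly); an operator would maintain the real list.
SITE_BUILDER_DOMAINS = {"wix.com", "wixsite.com", "weebly.com"}
# Brands the article says are imitated on such pages (Outlook, SharePoint, Google Docs).
IMPERSONATED_BRANDS = ("outlook", "microsoft", "sharepoint", "google docs", "onedrive")

# Simplified anchor extraction; a production filter would use a real HTML parser.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def find_builder_hosted_brand_lures(raw_email):
    """Flag links that resolve to a site-builder domain while the email presents
    them as a well-known brand's login or file page (subject, body or link text)."""
    msg = message_from_string(raw_email)
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    context = (msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", body)).lower()
    findings = []
    for href, link_text in ANCHOR_RE.findall(body):
        host = (urlparse(href).hostname or "").lower()
        registrable = ".".join(host.split(".")[-2:])  # naive eTLD+1; fine for these domains
        if registrable not in SITE_BUILDER_DOMAINS:
            continue  # not builder-hosted, outside this heuristic's scope
        brands = [b for b in IMPERSONATED_BRANDS if b in context or b in link_text.lower()]
        if brands:  # builder-hosted page dressed up as a brand login: report it
            findings.append({"url": href, "host": host, "brands": brands})
    return findings


# Constructed sample modelled on the Outlook lure described in the article.
LURE_EMAIL = """\
Subject: 3 messages are waiting - authenticate your account
Content-Type: text/html; charset=utf-8

<html><body><p>Messages are being held until you verify your mailbox.</p>
<p><a href="https://example-user.wixsite.com/mail-login">Sign in to Outlook</a></p>
</body></html>
"""

# Constructed benign builder-hosted link with no brand impersonation.
BENIGN_EMAIL = """\
Subject: Our new bakery menu is online
Content-Type: text/html; charset=utf-8

<html><body><p><a href="https://example-bakery.wixsite.com/menu">See the menu</a></p></body></html>
"""
```

Flagged messages are candidates for the security team's review rather than automatic blocks, since legitimate builder-hosted pages are common; the benign sample shows the rule stays quiet when no brand is invoked.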
Criminals may also exploit vulnerabilities to hijack existing sites. WordPress, for example, recently suffered from an issue in the third-party ProfilePress plugin which allowed threat actors to escalate their privileges and achieve administrator access. With that level of access, an attacker could carry out any number of malicious activities, such as redirecting visitors to a duplicate phishing site or triggering malware downloads. Compromised sites are very effective when used in conjunction with email attacks, as the link will appear legitimate to both automated defenses and human users.
Can raising user awareness combat the threat?
Criminals are adept at combining legitimate web services with subtle social engineering techniques that are more likely to slip by email defenses. This means businesses need to be prepared for the fact that malicious emails will certainly be reaching the inbox of their workforce. As such, it is important to prepare employees for these threats. One of the most common approaches is to use Security Awareness Training (SAT), which focuses on improving user knowledge. The aim is to educate staff about common attack tactics such as sender name changes, and the social engineering tricks used in dangerous BEC attacks. These sessions are commonly combined with phishing tests that send simulated malicious emails to staff to test awareness and response levels.
However, while increased user awareness is a good thing, SAT is not a solution by itself. Training is often delivered infrequently and ad hoc, which makes it unlikely the knowledge will sink in and influence daily habits. Similarly, phishing tests tend to provide only a point-in-time check that contributes little to improving ongoing defenses. There is also a tendency for SAT to be implemented in a way that frames the workforce as the problem rather than the victims. Unless employees are properly engaged, they will be bored at best and insulted at worst.
So how can organizations get their workforces onboard for the fight against phishing?
Engaging personnel with crowdsourcing
With the right tools, workers can become an active and effective part of the company’s defenses against email threats. This means ensuring that all individuals have the capability to scan their own inboxes for threats whenever they need to. Rather than wasting time squinting at a potentially suspicious message while thinking back on some half-remembered training, they can quickly verify their concerns with the click of a button. Emails that contain traits consistent with a malicious message can be immediately forwarded to the IT security team for full investigation.
The workforce is thus transformed from being a potential weak point blamed for email breaches, to an effective resource for threat data. This crowdsourcing approach makes employees feel like a part of the solution, not the problem. Reported emails can also be used to identify other attacks targeting the company, and the data helps to train machine learning tools to better spot the latest tactics and tools being used by attackers.
As web tools become even more accessible and easy to use, cyber criminals will continue to exploit them for deceptive email attacks. Making employees a part of a crowdsourced approach to email threat detection and analysis will establish a new line of defense that can help to keep pace with these rapidly evolving attacks.