Phishing Mechanics

Phishing remains one of the most common methods cybercriminals use to compromise individuals and organizations to steal money or deliver malware because put simply, it's effective. According to Proofpoint's 2022 State of the Phish Report, 83% of the organizations surveyed experienced a successful email-based phishing attack in 2021. When considering the risk of a phishing attack against yourself or your organization, its likelihood must be almost certain.

This blog post will describe what phishing is, how a constellation of issues comes together to make it one of the most resilient threats organizations face, and some proactive mitigation strategies to minimize the impact of phishing campaigns.

Due to the prevalence of phishing being delivered via email (Verizon's Data Breach Investigation Report identified that 96% of phishing attacks arrive via email), we will predominantly discuss email-based phishing attacks.

What is Phishing?

Phishing is a type of social engineering attack that involves an attacker sending a message to their intended victims in an attempt to trick them into performing an action that may result in the compromise of sensitive information. These messages are sent via various communications channels, including email, SMS, voice call, and social media platforms.

The term "phishing" is believed to have been coined in the mid-90s by hackers who stole AOL users' passwords by masquerading as AOL administrators by using spoofed screen names when chatting with their intended victims. Essentially "fishing" for victims in the sea of users. As the internet grew, cyber-criminals adopted these techniques to elicit sensitive information and money from unsuspecting victims.

Through a well-crafted phishing email, an attacker may attempt to deceive their victims into clicking on a hyperlink or downloading an attachment that the victim believes is legitimate and non-malicious. If the attacker is successful, the victim will be taken to a malicious website, or malware may have been deployed on their workstation.

Continuing with the angling theme, a phishing attack can be summarized into the following stages:

• Lure:
• The method used to attract the victim towards the hook.
• The lure needs to be convincing. Through social engineering techniques, it needs to convince the victim to perform the action wanted by the attacker, aka "go for the hook".
• Hook:
• The action the attacker needs the victim to perform for the attack to succeed,
• The hook is usually a hyperlink to a malicious website or a malicious attachment to the email.
• Catch:
• The exploitation of the victim to gain access to sensitive information or to compromise a system.

How are phishing attacks still getting through

Suppose you are a business executive or manager. In that case, you may be asking yourself, "we spend all this money on firewalls, email gateways, and end-point protection. Why are we still being impacted by phishing?" good question.

Technical controls for blocking phishing attacks, like the ones mentioned above, are reactive controls and, unfortunately, result in a game of cat and mouse (sorry for the mixed metaphors). Attackers may use a phishing technique until the defenders have found an effective way to identify and block it. The attackers will then pivot to a new and undetected delivery technique, users continue receiving phishing emails, and the game goes on and on.

Currently, using legitimate cloud services and SaaS providers is a popular approach for delivering phishing emails that are difficult for technical security controls to identify and block.

Cloud infrastructure can be deployed (with new public IPs) and subsequently destroyed in a matter of minutes, making the traditional approach of deny-listing IP addresses known to be used for sending phishing emails now ineffective.

Purchasing domain names to "typosquat" (choosing a name that looks very similar to a legitimate name) has become cheaper and more accessible with the wide variety of Top Level Domains (TLDs) now available and the entire UTF-8 character space usable. Historically, organizations tried registering as many typosquatting domain names as possible (e.g., google.net, google.co, gooogle.com) to stop attackers from purchasing them and using them for malicious purposes. Nowadays, there are just too many options for this to be a legitimate approach to stop attackers masquerading as your organization through phishing emails.

URL shortening services have become popular legitimate web services in recent years. URL shorteners (such as bitly.com) allow users of the shortening service to provide more user-friendly URL that redirects to long, complex URLs. Attackers can hide their malicious websites behind URL shortening services, making it difficult for firewalls and email gateways to detect malicious content.

Various cloud service providers also allow users to create websites and services under a subdomain owned by the service provider (for example, Azure users can create domains within the *.onmicrosoft.com subdomain). Websites and services under these subdomains, while they may appear to be operated by the domain owner, are actually controlled by users and can be used by attackers within phishing attacks.

For these reasons and many others, we can see that just relying on reactive technical security controls is an uphill battle. The internet is just too vast, with too many vectors for attackers to use to perform a phishing attack.

We will go into some other more effective defensive strategies soon.

Exploitation

The "catch" phase. Exploitation can be achieved through a variety of attack techniques. These techniques can be broadly categorized into two categories, payload-less and payload based.

Payload-less Exploitation

As the name suggests, a payload-less phishing attack contains no malware for the victim to download or a compromised website for them to navigate. Instead, the phishing email uses social engineering to achieve the attacker's objective.

The most notable form of payload-less exploitation via a phishing attack is what is known as "business email compromise" (BEC). BEC is the targeting of an organization via phishing emails to try and scam them out of money or goods. From 2016 to 2019, over 160,000 incidents of BEC were reported to the FBI, with a combined loss of over $26 billion.

Payload-less phishing exploitation is commonly sent to business staff with some authority over information and money. Common scams include:

• Invoice fraud:
• Cybercriminals will send fraudulent invoices to an organization in the hope that they will pay the sum to the attacker's account without checking the validity of the invoice.
• More sophisticated cybercriminals will infiltrate the systems of a business's supplier and change the banking details on legitimate invoices to redirect funds to attacker controlled accounts.
• employee impersonation:
• Suppose an attacker can gain access to a legitimate email account within an organization. In that case, they may send fraudulent emails to other staff requesting changes to financial records such as bank accounts or invoices. Other employees may not suspect these internal emails as fraudulent and action the attacker's request without validating the request first.
• Attackers may also impersonate the personal email addresses of executive staff and request high-priority changes by authorized employees. For example, raising fraudulent invoices or requesting confidential information.
• Extortion:
• An attacker within a phishing email may include a threat that they have compromising information about an individual or organization. These threats are usually unfounded but include enough information about the victim to make it feel legitimate, such as a password found in a password dump that the victim has once used.
• The attacker will attempt to extort money or information from their victims. Attackers frequently demand payment in cryptocurrency or gift cards, which are difficult to trace.

Malicious Payloads

Malicious payload exploitation involves the victim being tricked into installing a malware payload onto their computer. The malware may perform various actions, including keylogging, screen capture, device access, or network access.

Scammers use several techniques to trick their victims into installing their malware. Two of the most common techniques are:

• Malicious attachments or downloads
• Infected PDF files, ZIP files, and Microsoft Office documents attached (or linked) to phishing emails are still the most prolific attack vectors used by cybercriminals to deliver malware to their victims.
• When a victim downloads and opens the infected file, their computer may become infected with the attacker's malware.
• Luckily, antivirus and secure email gateways successfully block most malicious files. However, the attackers constantly adapt and find new ways to circumvent these controls.
• Rogue software or Fake Virus Alerts
• Through a well-crafted phishing email, an attacker can convince their victim to install rogue software that may appear to perform a legitimate function but also includes malware.
• Phishing emails containing fake virus alerts are a common social engineering technique used by attackers to trick their victims into installing rogue antivirus software that ironically infects them with the attacker's malware rather than healing their computer.

The most prolific type of malware being delivered by phishing attacks is ransomware. Ransomware is designed to encrypt all the files on the infected device. Attackers will demand a ransom be paid in exchange for the decryption key.

Impact of Phishing attacks

Phishing is categorized as an "Initial Access" technique within the MITRE ATT&CK framework. Therefore, when considering the impact of a phishing attack, we are really considering what "Execution" or "Collection" techniques can be chained with a phishing attack to impact the individual or organization.

These impacts can include:

• Credential theft
• Installation of ransomware
• Theft of money through social engineering
• Exfiltration of intellectual property
• Business email compromise

Defending against Phishing Attacks

No silver bullet, magic pill, or network device can mitigate all phishing attacks. As with many security risks, the best defense is a layer of controls that implement reactive defenses, proactive defenses, technical controls, procedural controls, and user awareness. Through layered controls, organizations can reduce the likelihood of a phishing attack being successfully executed within their organization and reduce the impact of compromises through effective incident response.

Reactive Defenses

Reactive security controls to defend against phishing attacks include:

• secure email gateways
• Secure email gateways inspect all email traffic entering and leaving an organization of unwanted, fraudulent, or malicious content.
• These systems rely heavily on rulesets created by a vendor to identify suspect emails. Unfortunately, cybercriminals are constantly testing their attacks against these services to identify malicious content that will not cause an alert.
• antivirus software
• Antivirus software identifies malicious applications and files on a user's device and blocks their execution.
• Antivirus also heavily relies upon rulesets to identify malicious files. Like secure email gateways, attackers constantly test and identify ways to evade antivirus software.
• Additionally, antivirus software will generally not identify phishing emails that use payload-less exploitation as these attacks do not rely on malicious files.
• legal requests and takedowns
• Phishing attacks (both payload and payload-less) rely heavily on cloud service providers to host their malicious files or typosquatting domains. Once these assets have been identified, legal requests can be made to the cloud service providers to take down the malicious content.
• Most large cloud service providers have reasonably efficient processes to perform these takedowns once the requests have been validated. Unfortunately, attackers can quickly pivot their infrastructure to new accounts and/or services when these takedowns occur.

As previously discussed, phishing is a game of cat and mouse, and reactive controls, while effective, need to be constantly updated to remain effective.

The primary benefits of these reactive defenses are they can be automated and are generally invisible to the end users. According to Valimail over 3.4 billion fake emails are sent daily. Without these high bandwidth, automated and unnoticeable controls, the volume of phishing emails arriving in a user's mailbox would be unmanageable.

Get Proactive

We need to also implement proactive controls to protect users against the phishing emails that make it through the reactive controls. While the above reactive controls are predominantly technology based, proactive controls are primarily based on human factors for identifying phishing attacks. These include:

• User awareness training
• User awareness training provides individuals with the skill to identify and respond to suspected phishing attacks.
• Users are trained to identify phishing emails through various factors, including:
• The email's domain
• Content spelling and grammar
• suspicious links
• creation of a sense of urgency
• By reviewing these factors, users can learn to identify suspected phishing emails and report them to the required authority.
• Simulated phishing campaigns
• Simulated phishing campaigns exercise the skills learned during user awareness training by randomly sending users simulated phishing emails for them to identify and report.
• Simulated phishing exercises are effective as they regularly reinforce the training outcomes while also providing the organization with information on their employees' abilities in identifying and reporting phishing attacks.
• Secure business practices
• To limit the impact of a successful payload-less phishing attack, businesses can implement secure practices requiring additional validation on sensitive actions.
• Employees should be empowered through secure business practices to deny and escalate any requests they suspect are fraudulent.

Conclusion

Phishing attacks are prolific, and the ease at which an attack can perform a phishing campaign has only increased in recent years. On top of this, phishing attacks are highly effective as they focus on the weaknesses in human psychology rather than complex technical system vulnerabilities.  

As security professionals and business leaders, it is our responsibility to ensure that we are protecting our staff from phishing attacks through multiple reactive and proactive layers of security controls. By doing this, we can reduce the risk of compromise to our organization from phishing attacks to an acceptable level.

Brief

• How Phishing Emails Get Through (Using Legitimate Services 1 2 3/ Allow-listed Vendor Domain/Internal Domain User Compromised)
• Payloads and how they work (Droppers, LOLBINS/GTFOBINS/etc, Beacons)
• Explain how this constellation of issues come together to make one of the most resilient threats organizations face. Organizations should recognize that some % of phishing campaign e-mails will make it to a user that clicks on the link or file. From there, the attack surface becomes huge.
• Explain this to business readers.