Why You’re Still Getting Phished and What You Can Do About It
Increases in the rate and sophistication of phishing are among the many challenges that the pandemic has given rise to. It’s no surprise, really. An expanded work-from-home contingent that is getting used to a new normal has been a target ripe for the picking.
At its core, phishing is all about tricking users into clicking on something they shouldn’t, with the lure of something that on the surface might appear to look authentic. With the stress, anxiety and continued challenges of the work-at-home environment, we see phishing increasingly taking advantage of people as they navigate the change.
Phishing isn’t a new problem, and it certainly didn’t start in the pandemic. It’s a challenge that IT has been working to address for years. Yet, organizations of all sizes are still getting phished for various reasons. But it doesn’t have to be that way. There are proactive processes, controls and technology that can all help to reduce the risk.
Why Traditional Web Security Isn’t Effective Against Modern Phishing
We’ve seen phishing continuing to evolve in recent years. Enterprise security controls that used to be somewhat effective against phishing are no longer working well from an email security or web security standpoint.
In fact, our research has shown us that up to 90% of phishing kits now include built-in evasion techniques that render traditional web security ineffective. Phishing kits effectively provide phishing as a service for attackers, with an off-the-shelf capability to evade detection.
Traditional web security has long relied on URL databases to identify and block access to malicious websites, including phishing sites. These databases are built by vendors sending web crawlers to scan sites and then adding any phishing sites found to the database. Phishing kit operators know this, and they know how to evade the crawler, so their malicious addresses never show up in the database.
Modern phishing attacks often don’t involve malware either, which would otherwise trigger commonly deployed detection technologies. Today’s phishing is stealthy and employs many different obfuscation techniques to elude traditional web security scanning.
Why It’s Hard to Catch Phish: The Many Forms of Phishing Attacks
Exactly how are phishing attacks able to avoid the security checks of traditional web-filtering databases? Here are a few examples:
Hiding Malicious Content Through Cloaking
Security web crawlers do not analyze live web traffic. Instead, they are sent to analyze a webpage from IP spaces known to be used by security vendors. Since adversaries know this, phishing kits are designed to cloak their malicious intent by sending benign content or a blank page in response to security vendor scanning. This tricks the URL database into classifying the phishing page as benign and allowing it through security checks. When the target accesses the phishing page, its true content is revealed, and it can then claim victims.
Multistep Attacks and CAPTCHA Challenges
Phishing attacks increasingly hide behind benign steps so that an initial security scan of the URL allows them through. For example, a phishing page can be placed behind a CAPTCHA challenge. This is particularly sneaky, as CAPTCHA challenges are specifically designed to keep automated bots (which includes web crawlers) from accessing the content behind them. When a web crawler scans the page, it only sees the CAPTCHA challenge, which in itself is harmless, and categorizes the phishing page behind it as benign.
Short-Lived and Single-Use Links
Adversaries are spinning up brand new, never-before-seen phishing URLs at volume because doing so now is cheaper and easier than ever before. A single phishing page may be used for just hours or even minutes and then burned and switched to a new URL so that security databases cannot track them quickly enough to block them. Single-use links are also commonly used for targeted attacks—used to accomplish a singular mission and never again.
Attacks Within Compromised Websites
Attackers know that legitimate websites are classified as benign within URL databases and allowed through without necessarily being rechecked. If an adversary is able to compromise a legitimate website, they can establish a phishing page within it, simply strolling through web security under disguise. These types of phishing pages are particularly successful as they also more easily fool end users who believe they are interacting with a known website.
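The cloaking and CAPTCHA-gating evasions described above can be checked from the defender's side by comparing what a known scanner vantage point received with what a user-like vantage point received, and by refusing to call a challenge-only page "benign". The Python example below is added here and is not code from the original post; it works on constructed sample responses, and the two vantage-point fetches are assumed to happen elsewhere (the function only compares their HTML).

```python
import difflib
import re
from html.parser import HTMLParser

class _TextExtractor(HTMLParser):
    """Collect the text a user would actually see, skipping script/style."""
    def __init__(self):
        super().__init__()
        self.parts, self._skip = [], False
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip = True
    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip = False
    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)

def visible_text(html):
    p = _TextExtractor()
    p.feed(html)
    return re.sub(r"\s+", " ", " ".join(p.parts)).strip().lower()

# Markers of a bot gate; a page that is only a challenge is unverified, not benign.
CAPTCHA_MARKERS = ("g-recaptcha", "h-captcha", "cf-turnstile", "verify you are human")

def has_credential_form(html):  # a password field means the page can harvest credentials
    return re.search(r"<input[^>]*type=['\"]?password", html, re.I) is not None

def classify(scanner_html, user_html, min_similarity=0.6):
    """Compare the response a scanner vantage point got with the response a
    user-like vantage point got. Returns 'gated', 'cloaked' or 'consistent'."""
    if any(m in scanner_html.lower() for m in CAPTCHA_MARKERS):
        return "gated"      # crawler never saw what is behind the challenge
    s_text, u_text = visible_text(scanner_html), visible_text(user_html)
    if not s_text and u_text:
        return "cloaked"    # blank page for the scanner, real page for the user
    ratio = difflib.SequenceMatcher(None, s_text, u_text).ratio()
    return "cloaked" if ratio < min_similarity else "consistent"

# Constructed sample responses for offline demonstration (not captured from any real site).
SCANNER_BLANK = "<html><body></body></html>"
SCANNER_CAPTCHA = "<html><body><div class='g-recaptcha'></div><p>Verify you are human</p></body></html>"
USER_LOGIN = ("<html><body><form action='/login'><input name='u'>"
              "<input name='p' type='password'><button>Sign in</button></form></body></html>")
REPORT = "<html><head><style>p{}</style></head><body><h1>Quarterly report</h1><p>Revenue grew.</p></body></html>"

if __name__ == "__main__":
    for name, s, u in (("blank", SCANNER_BLANK, USER_LOGIN), ("captcha", SCANNER_CAPTCHA, USER_LOGIN),
                       ("report", REPORT, REPORT)):
        print(name, classify(s, u), "credential form:", has_credential_form(u))
```

A "gated" or "cloaked" verdict should route the URL to inline content analysis rather than into the database as benign; a cloaked page that also has a credential form is the case the text calls out.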
Traditional Web Filtering, Email and Multi-Factor Authentication Alone Aren’t Enough
In the race to help protect against phishing attacks, some organizations have deployed email authentication and multi-factor authentication technologies.
The problem is that not all phishing comes via email. A phishing attack delivered by a malicious site that the user visits is not stopped by the organization’s email authentication system. Phishing links are also commonly placed in documents hosted in SaaS collaboration suites, in advertisements on web pages and, increasingly, in SMS, completely circumventing any email-based controls.
How to Reduce the Risk of Phishing
So what can you do to reduce the risk of phishing in your organization? There are a few things that lower phishing risks:
A Phishing Security Stack That Goes Beyond Email
Recognizing that phishing isn’t just an email problem is key. It’s important to have a security stack that can address advanced and evasive phishing attacks. Using a system based on URL databases and web crawlers isn’t going to work. What is needed are technologies like inline machine learning that actually analyze the page content as it’s delivered to the end user to ensure that there’s no phishing risk and patient zero is prevented.
Technology is important, but it shouldn’t be controversial at this point to have some kind of employee training program to learn about phishing risks. Social engineering-type phishing attacks are not about exploiting technology; they are about exploiting humans. Training can help increase security awareness and have employees be part of the solution to the problem.
A Full Security Lifecycle Approach
Reducing the risk of phishing isn’t just about deploying any one technology; it’s about having a full lifecycle approach. That means the organization needs to have both proactive capabilities and reactive capabilities. The reality is, no matter how much you deploy or how much you invest in security, you also have to plan for something getting through. What happens if an employee is phished and a credential is stolen? Does the organization have the ability to detect malicious access and then respond to it?
Executive management needs to be working with the organization’s teams to ensure that the technology, people and processes are in place to help prevent as many inbound phishing attacks as possible. Phishing is a multifaceted threat, and it requires a comprehensive strategy to defeat. Ultimately, overcoming the challenge of phishing involves having an integrated end-to-end process, ranging from the proactive to the reactive, because if you have one and not the other, then you’re not actually prepared to deal with the threat.