Spear Phishing, Can You Spot the Phish?

 


As it exists today, all cyber security tools are only as strong as the most recent attack tactic. Flagging external emails, blocking spoofed domains, using retrofitted email tools to monitor, and sending emails telling staff not to open or download malicious attachments are just failing. Miserably.

Social engineering cyber attacks come in many forms and can be performed anywhere human interaction is involved. What makes social engineering especially dangerous is that it relies on human error, THE INSIDER THREAT, rather than on vulnerabilities in software and operating systems. Traditional cyber security measures have always been deployed to protect these technology environments; however, 98% of all cyber attacks now rely on social engineering! (purplesec)

PREVENTION IS THE NEW DETECTION

"You can't do a job without using the right tools, but if your only tool is a hammer, every problem looks like a nail"

Phishing, spear phishing & social engineering attacks really can be stopped by using the right tools.


Hackers seeking to use social engineering will often try to find something in common with their victim in order to make them feel comfortable enough to share information, click a link, or even download a malware file. Say a school affiliation. Or a country club. These are exactly the connections you would trust. It would even be borderline rude not to accept, right?

Picture this: even a long-lost family member from 23andMe or Ancestry.com reaches out. You are curious, yes? Speaking of which, people who do these genetic tests, please, we implore you, don't share the results on social, and don't let your spouse share them either. We know it seems so fun, right!? Figure out what your true identity is. Of course everyone will want to know you're not the nationality you initially thought you were. It's cool technology, right? Share it for the world to see. Well, guess what: so do cyber stalkers. They think it's super interesting, and they are waiting for the perfect entrance as a long-lost relative of yours... through you, right into your organization's secure data....

Let's back up: how does this work exactly? Believe it or not, in very few steps.

  1. Attacker targets an enterprise, influencer, or organization.
  2. Attacker scrapes open source data (LinkedIn, CrunchBase, etc.) for workers with target titles they know have access to the specific systems or information they want to infiltrate. ie. 400 TWITTER EMPLOYEES W/ ACCOUNT MANAGER IN TITLE
  3. Attacker takes those uncovered public profiles and builds a unique open source profile for each end recipient. This is simply what you or your family / friends share on social or LinkedIn about YOU, THE EMPLOYEE AT THE TARGETED ORGANIZATION. ie. OUT OF 400 ATTEMPTS AT TWITTER, ATTACKERS GAINED ACCESS TO A BIG ENOUGH SAMPLE, SHARPENING THEIR SPEAR WITH JUST THE RIGHT MOST RECENT, RELEVANT INFORMATION.
  4. Attacker uses this shared information to seem familiar to you, whether a restaurant you dined at, a school you attended, a school your kids attend, a non-profit you donate time to, or even a specific purchase you made that they can pinpoint. ie. THINK OF ALL THE JUICY INFO YOUNGER GEN Z - GEN X SHARES ACROSS SOCIAL AND USER GENERATED CONTENT SITES!
  5. Attacker spoofs a profile or domain matching the juicy PII that was shared (country club, retail purchase, restaurant, daycare, waterpark your family visited, etc.) to be relatable and appear "real." GEE, LOOK, SIXFLAGSRESORTS.COM IS EMAILING ME (btw currently on sale from GoDaddy for $1 a month; hackers can stock up cheaply)
  6. Attacker sends an enticing email or social request with a link to click or a file to download. ie. ATTACKERS DEPLOY THESE EMAIL OR MESSENGER / DM TACTICS TO GET EMPLOYEES TO OPEN THEM
  7. BOOM, they have entrance to your machine(s), and through those machines or phones to your work, even when you use a VPN or other traditional security measures for work-related email. You have compromised the security of the work device through your own personal use of social and/or email, app downloads, etc. THIS IS HOW THE HACKERS OVERTOOK THE TWITTER CONTROLS TO HIJACK THE PROFILES OF THE AUTHENTICATED (VERIFIED) TWITTER ACCOUNTS! LUCKY FOR TWITTER AND THESE HIGH PROFILE PERSONAL BRANDS, SO FAR (THAT WE KNOW OF) NO MALICIOUS VIRUS ETC. WAS DEPLOYED THROUGH THEIR HUNDREDS OF MILLIONS OF COMBINED FOLLOWERS!

This infographic perfectly illustrates the cyclical way these cyber espionage plans are laid.

Social engineering infographic (terrific infographic from Imperva).

How can entities large and small protect themselves, especially in COVID remote work environments with mixed devices and home networks?

A couple of folks still feel secure with two-factor authentication. However, it's fairly easy these days to get software that actually sidesteps this security token. To overcome 2FA, attackers need their phishing websites to function as proxies, forwarding requests on victims' behalf to the legitimate websites and delivering back the responses in real time. The final goal is not only to obtain usernames and passwords, but the active session tokens, known as session cookies, that the real websites associate with logged-in accounts. These session cookies can be placed inside a browser to access the accounts they're associated with directly, without the need to authenticate. One such toolkit was presented at the 2019 Hack in the Box conference in Amsterdam and was released on GitHub a few days later. It has two components: a transparent reverse proxy called Muraena and a Docker container for automating headless Chromium instances called NecroBrowser.

Proxy-based phishing can't defeat some 2FA implementations, however: those that use USB hardware tokens with support for the Universal 2nd Factor (U2F) standard. That's because those USB tokens establish a cryptographically verified connection to the legitimate website through the browser, which does not go through the attacker's reverse proxy. (CSOonline)
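To make the U2F point concrete, here is an added example (not code from this post, nor from Muraena, NecroBrowser or any U2F product) of what a relying party checks when it verifies a hardware-token assertion. The site names, key and client-data layout are constructed, and an HMAC stands in for the token's ECDSA signature so the script runs on the Python standard library alone; the origin and challenge checks are the ones that make a response relayed through a reverse proxy fail.

```python
"""Origin binding in U2F/WebAuthn, seen from the relying party (RP) side.

Constructed example: the browser, not the web page, writes the origin it is
actually connected to into the client data record, and the token's signature
covers a hash of that record. An RP that checks the origin therefore rejects
an assertion produced while the user sat on a reverse-proxy phishing site,
even though the proxy relayed the RP's challenge unchanged.

The ECDSA signature a real token produces is replaced by an HMAC over the
same message so the file runs with the standard library only; the
origin/challenge checks are the same ones the WebAuthn spec requires.
"""
import hashlib
import hmac
import json
import secrets

RP_ORIGIN = "https://bank.example"           # the legitimate site (constructed)
PHISH_ORIGIN = "https://bank-login.example"  # the phisher's reverse proxy (constructed)

# Stand-in for the token's private key / the public key the RP stored at registration.
TOKEN_KEY = b"stand-in-for-the-token-private-key"


def browser_build_client_data(challenge: bytes, origin: str) -> bytes:
    """clientDataJSON: the browser fills in 'origin' from the page it is on."""
    record = {"type": "webauthn.get", "challenge": challenge.hex(), "origin": origin}
    return json.dumps(record, sort_keys=True).encode()


def token_sign(client_data: bytes, authenticator_data: bytes) -> bytes:
    """The token signs authenticatorData || SHA-256(clientDataJSON)."""
    message = authenticator_data + hashlib.sha256(client_data).digest()
    return hmac.new(TOKEN_KEY, message, hashlib.sha256).digest()  # stand-in for ECDSA


def rp_verify(expected_challenge: bytes, client_data: bytes,
              authenticator_data: bytes, signature: bytes) -> tuple[bool, str]:
    """Relying-party checks on an assertion, in the order the spec lists them."""
    data = json.loads(client_data)
    if data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if data.get("challenge") != expected_challenge.hex():
        return False, "challenge mismatch"
    if data.get("origin") != RP_ORIGIN:
        # A relayed response carries the proxy's origin here, so it stops at this line.
        return False, f"origin mismatch: {data.get('origin')!r}"
    expected = token_sign(client_data, authenticator_data)
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    return True, "ok"


def login_attempt(origin_seen_by_browser: str) -> tuple[bool, str]:
    """One full challenge/response. A proxy relays the RP's challenge unchanged,
    so the only thing that differs between the two cases is the origin."""
    challenge = secrets.token_bytes(32)  # issued by the RP for this login
    # rpIdHash || flags (user present) || 4-byte signature counter
    authenticator_data = (hashlib.sha256(b"bank.example").digest()
                          + b"\x01" + (1).to_bytes(4, "big"))
    client_data = browser_build_client_data(challenge, origin_seen_by_browser)
    signature = token_sign(client_data, authenticator_data)
    return rp_verify(challenge, client_data, authenticator_data, signature)


if __name__ == "__main__":
    print("direct login:  ", login_attempt(RP_ORIGIN))
    print("via proxy site:", login_attempt(PHISH_ORIGIN))
```

In a real browser the attempt fails even earlier: the browser refuses to use a credential whose RP ID does not match the page's origin, so the token never signs for the proxy site. The server-side origin check shown here is the backstop that also catches a tampered or non-standard client.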

Another technical solution is a browser extension that checks whether the user is entering their credentials on the correct website. Google developed such an extension for Chrome, called Password Alert, that warns users if they attempt to enter their Google credentials on any website that does not belong to Google.

Training users to be vigilant and to make sure they are authenticating on the correct website with the correct domain name remains very important. The presence of a TLS/SSL indicator and a valid certificate is not enough to consider a website legitimate, because certificates can now be easily obtained for free, so most phishing sites will be HTTPS-enabled. (CISO Mag)
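The same "is this really our domain?" question comes up twice in this post: in step 5 of the attack chain, where sixflagsresorts.com poses as Six Flags, and in the Password Alert idea of checking the site before a password is typed. Here is an added example (written for this page; not code from Password Alert or any other product mentioned) that answers it for both email sender domains and login URLs. The allowlist, the confusable map, the sample From: headers and the URLs are all constructed for illustration.

```python
"""Is this domain one we actually trust, or a lookalike?

Constructed example serving two points in the post: the spoofed lookalike
domain in step 5 of the attack chain (sixflagsresorts.com posing as Six Flags)
and the "are you really on the right site" check a Password-Alert-style
extension performs before credentials go in. The allowlist, confusable map,
sample headers and URLs are all made up for illustration; none of this is
code from Password Alert or any other product named in the post.
"""
from email.utils import parseaddr
from urllib.parse import urlsplit

# Registrable domains the organisation actually uses (constructed allowlist).
TRUSTED_DOMAINS = sorted({"sixflags.com", "example-bank.com", "google.com"})

# Digit-for-letter swaps phishers use in lookalikes (small, constructed map).
CONFUSABLES = str.maketrans("01357", "olest")


def registrable(host: str) -> str:
    """Last two labels. Good enough for the .com brands above; a real deployment
    would use the public suffix list so that e.g. 'bbc.co.uk' is handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalize(label: str) -> str:
    """Fold common confusables so g00gle, rnicrosoft and vvindows compare as intended."""
    return label.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch near-miss spellings such as 'goggle'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host: str) -> tuple[str, str]:
    """Return (verdict, brand): 'trusted', 'lookalike' (with the brand imitated), or 'unknown'."""
    reg = registrable(host)
    if reg in TRUSTED_DOMAINS:
        return "trusted", reg
    # Not ours: does any label of the host imitate one of our brand names?
    for label in host.lower().split("."):
        if len(label) < 4:          # skip TLDs and other short labels
            continue
        name = normalize(label)
        for brand in TRUSTED_DOMAINS:
            brand_name = brand.split(".")[0]
            if brand_name in name or levenshtein(name, brand_name) <= 2:
                return "lookalike", brand
    return "unknown", ""


def check_sender(from_header: str) -> tuple[str, str, str]:
    """Classify the domain behind a From: header; returns (address, verdict, brand)."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return addr, "unknown", ""
    verdict, brand = classify(addr.rpartition("@")[2])
    return addr, verdict, brand


def check_login_url(url: str) -> tuple[str, str]:
    """What a Password-Alert-style check would ask before a password is typed."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return "insecure", ""
    return classify(parts.hostname)


# Constructed sample inputs.
SAMPLE_FROM_HEADERS = [
    "Six Flags Guest Services <deals@sixflags.com>",
    "Six Flags Resorts <offers@sixflagsresorts.com>",
    "Google Accounts <no-reply@accounts.google.com>",
    "Google Security <alert@g00gle-verify.net>",
    "Parent Portal <admin@littleoaks-daycare.example>",
]
SAMPLE_LOGIN_URLS = [
    "https://accounts.google.com/signin",
    "https://accounts.google.com.session-check.example/signin",
    "http://example-bank.com/login",
]


def scan_headers(headers):
    """Classify a batch of From: headers, e.g. from a mail-gateway log."""
    return [check_sender(h) for h in headers]


if __name__ == "__main__":
    for addr, verdict, brand in scan_headers(SAMPLE_FROM_HEADERS):
        print(f"{verdict:9} {addr:40} {brand}")
    for url in SAMPLE_LOGIN_URLS:
        print(check_login_url(url), url)
```

Note that a valid certificate plays no part in the verdict, which is the point made above: the lookalike hosts here would pass an HTTPS check just as well as the real ones. Treat a "lookalike" verdict as a reason to block or warn, and an "unknown" one as a reason to look closer, not as proof either way.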

If you can't detect them, Educate & Train your Workforce Communities to Prevent them!

Top Types of Attacks

Baiting

Want to know your C-suite's annualized income? Perhaps access sensitive data about stock intelligence? Who doesn't? This tactic takes the most human traits, greed and jealousy, and leverages them with a dangled carrot for the little-informed snuggle bunny to take a chomp.

The most recognizable form of baiting uses physical media to disperse malware at a targeted organization. For example, attackers leave bait, typically malware-infected flash drives, in conspicuous areas where potential victims are certain to see them (e.g., bathrooms, elevators, the parking lot of a targeted company). The bait has an authentic look to it, such as a label presenting it as the company's payroll list. Attackers will not stop at flash drives though, so beware! If it seems too good to be true... well, it likely is. (Wikipedia)

Scareware

Ahem, pop-up banners or spam emails much? Scareware involves victims being peppered with false alerts and fictitious threats. Users are deceived into thinking their system is infected with malware, prompting them to install software that is, in fact, just malware itself. Scareware is also referred to as deception software, rogue scanner software and fraudware.

Pretexting

The scam is often initiated by a perpetrator pretending to need sensitive information from a victim in order to perform a critical task. Similar to vishing (phishing via voice calls), the pretext is used to extract PII such as social security numbers, personal addresses and phone numbers, phone records, mother's maiden name, staff vacation dates, bank records, and even security information related to a physical enterprise location or production facility.

Phishing

As one of the most popular social engineering attack types, phishing scams are email and text message campaigns aimed at creating a sense of urgency, curiosity or fear in victims. Great examples to test your knowledge & expertise in phishing tactics are here: PLAY SPOT THE PHISH

Spear phishing

This is a more targeted version of the phishing scam, whereby an attacker chooses specific individuals or enterprises and uses that publicly available PII to reach key people within an organization. There are no tools out there currently that resolve this problem automatically, since it requires change management of the end user and their extended networks to shore this up.

OUR TOOL, HOWEVER, AUTOMATES RISK SCORING, PROVIDES REMEDIATION MEASURES WITH HYPERLINKS THAT IT SYNDICATES AND SENDS FOR TEAM IMPLEMENTATION, & MONITORS IT, ALMOST COMPLETELY AUTOMATICALLY!

HAVE OTHER WAYS TO MONITOR AND KEEP WORKFORCES SAFE FROM BEING TARGETS OF CYBER ATTACKS?

COMMENT BELOW! 

WE LOVE TO HEAR FROM OUR FELLOW SOC, CISO, CTO, SECURITY RED TEAMS, BLUE TEAMS, & PURPLE TEAMS!