🎣 Spear Phishing, Can you spot the Phish? 🐟
As it exists today, every cyber security tool is only as strong as the most recent attack tactic. Flagging external emails, blocking spoofed domains, bolting on retrofit email monitoring tools, and sending reminder emails telling staff not to open or download malicious attachments are all failing. Miserably.
Social engineering cyber attacks come in many forms and can be performed anywhere where human interaction is involved. What makes social engineering especially dangerous is that it relies on human error, THE INSIDER THREAT, rather than vulnerabilities in software and operating systems. Traditional Cyber Security measures have always been deployed to protect these technology environments, however now, 98% of all cyber attacks rely on social engineering! (purplesec)
PREVENTION IS THE NEW DETECTION
"You can't do a job without using the right tools, but if your only tool is a hammer, every problem looks like a nail"
Phishing, Spear Phishing & Social Engineering attacks really can be stopped by using the right tools
Hackers seeking to use social engineering will often try to find something in common with their victim in order to make them feel comfortable enough to share information, click a link, or even download a malware file. Say a school affiliation. Or a country club. These are the exact connections you would trust. It would even be borderline rude not to accept, right?
Picture this - a long lost family member from 23andMe or Ancestry.com reaches out. You are curious, yes? Speaking of which, people who take these genetic tests, please - we implore you - don't share the results on social media, and don't let your spouse share them either. We know it seems like fun! Figure out what your true identity is. Of course everyone will want to know you're not the nationality you initially thought you were. It's cool technology, right? Share it for the world to see. Well, guess what - so do cyber stalkers. They think it's super interesting too, and they are waiting for the perfect entrance as a long lost relative of yours... through you, right into your organization's secure data....
Let's back up - how does this work exactly? Believe it or not, in very few steps.
This infographic perfectly illustrates the cyclical way these cyber espionage plans are laid.
How can entities large and small protect themselves, especially in COVID remote work environments with mixed devices and home networks?
A few folks still feel secure with two factor authentication. However, it's fairly easy these days to get software that sidesteps this security token. To overcome 2FA, attackers need to have their phishing websites function as proxies, forwarding requests on victims' behalf to the legitimate websites and delivering back responses in real time. The final goal is not only to obtain usernames and passwords, but active session tokens, known as session cookies, that the real websites associate with logged-in accounts. These session cookies can be placed inside a browser to access the accounts they're associated with directly, without the need to authenticate. Such a toolkit was presented at the 2019 Hack in the Box conference in Amsterdam and was released on GitHub a few days later. It has two components: a transparent reverse-proxy called Muraena and a Docker container for automating headless Chromium instances called NecroBrowser.
Proxy based phishing can't defeat some 2FA implementations, however: those that use USB hardware tokens with support for the Universal 2nd Factor (U2F) standard. That's because those USB tokens establish a cryptographically verified connection to the legitimate website through the browser, which does not go through the attacker's reverse-proxy. (CSOonline)
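To make the U2F/WebAuthn point concrete, here is an added illustration (not code from the article or from either tool it mentions) of why a relaying proxy cannot produce a valid assertion: the browser, not the page, writes the real origin into the signed client data and refuses to use a relying-party id that does not match the page's host, and the legitimate site checks both. The relying-party id, origins, challenge and key are constructed values, and an HMAC stands in for the token's per-credential private key so the model runs offline.

```python
import hashlib
import hmac
import json

RP_ID = "login.example.com"                         # assumed relying-party id
EXPECTED_ORIGIN = "https://login.example.com"       # assumed legitimate origin
CREDENTIAL_KEY = b"constructed-per-credential-key"  # constructed token secret

def browser_get_assertion(page_origin, requested_rp_id, challenge, key=CREDENTIAL_KEY):
    """Model of browser + token. The browser records the origin it is really on
    and refuses an rpId that is not the page's host or a parent of it, so a
    proxy on another domain cannot borrow the real site's rpId."""
    host = page_origin.split("://", 1)[1]
    if not (host == requested_rp_id or host.endswith("." + requested_rp_id)):
        raise ValueError("rpId %r not allowed for origin %r" % (requested_rp_id, page_origin))
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    auth_data = hashlib.sha256(requested_rp_id.encode()).digest()   # rpIdHash
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(key, signed, hashlib.sha256).digest()            # token signature
    return {"authenticatorData": auth_data, "clientDataJSON": client_data, "signature": sig}

def verify_assertion(assertion, challenge, key=CREDENTIAL_KEY):
    """Relying-party side: challenge, origin, rpIdHash, then the signature."""
    client = json.loads(assertion["clientDataJSON"])
    if client.get("challenge") != challenge:
        return False, "challenge mismatch"
    if client.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch: " + str(client.get("origin"))
    if assertion["authenticatorData"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    signed = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"

def demo():
    """A direct login verifies; a login relayed through a proxy domain cannot."""
    challenge = "constructed-challenge-123"
    direct = verify_assertion(browser_get_assertion(EXPECTED_ORIGIN, RP_ID, challenge), challenge)
    proxy_origin = "https://login.example-proxy.test"   # constructed proxy domain
    try:   # the proxy page cannot ask the browser to use the real site's rpId
        browser_get_assertion(proxy_origin, RP_ID, challenge)
        borrowed = "allowed"
    except ValueError:
        borrowed = "refused by browser"
    # with its own rpId the token does sign, but origin and rpIdHash then fail server-side
    relayed = verify_assertion(browser_get_assertion(proxy_origin, proxy_origin[8:], challenge), challenge)
    return direct, borrowed, relayed

if __name__ == "__main__":
    print(demo())
```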
Another technical solution can be a browser extension that checks if the user is inputting their credentials on the correct website. Google developed such an extension for Chrome called Password Alert that warns users if they attempt to enter their Google credentials on any website that does not belong to Google.
Training users to be vigilant and to make sure they are authenticating on the correct website with the correct domain name remains very important. The presence of a TLS/SSL indicator and a valid certificate is not enough to consider a website legitimate, because certificates can now be easily obtained for free, so most phishing sites will be HTTPS-enabled. (CISO Mag)
If you can't detect them, educate and train your workforce communities to prevent them!
Top Types of Attacks
Want to know your C-suite's annualized income? Perhaps access sensitive data about stock intelligence? Who doesn't? This tactic takes the most human traits - greed or jealousy - and leverages them with a dangled carrot for the little informed snuggle bunny to take a chomp.
The most recognizable form of baiting uses physical media to disperse malware at a targeted organization. For example, attackers leave bait - typically malware-infected flash drives - in conspicuous areas where potential lookie-loos are certain to see them (e.g., bathrooms, elevators, the parking lot of a targeted company). The bait has an authentic look to it, such as a label presenting it as the company's payroll list. Attackers will not stop at flash drives though, so beware! If it seems too good to be true... well, it likely is. (wiki)
Ahem, pop up banners or spam emails much? Scareware involves victims being peppered with false alerts and fictitious threats. Users are deceived into thinking their system is infected with malware, prompting them to install software that is, in fact, just malware itself. Scareware is also referred to as deception software, rogue scanner software and fraudware.
The scam is often initiated by a perpetrator pretending to need sensitive information from a victim in order to perform a critical task. As with vishing (phishing via voice calls), the targeted PII includes social security numbers, personal addresses and phone numbers, phone records, mother's maiden name, staff vacation dates, bank records and even security information related to a physical enterprise location or production facility.
As one of the most popular social engineering attack types, phishing scams are email and text message campaigns aimed at creating a sense of urgency, curiosity or fear in victims. Great examples to test your knowledge and expertise on phishing tactics are here - PLAY SPOT THE PHISH
This is a more targeted version of the phishing scam, whereby an attacker chooses specific individuals or enterprises and uses publicly available PII to gain access to key people within an organization. There are no tools out there currently that resolve this problem automatically, since shoring it up requires change management of the end user and their extended networks.
OUR TOOL, HOWEVER, AUTOMATES RISK SCORING, PROVIDES REMEDIATION MEASURES WITH HYPERLINKS THAT IT SYNDICATES AND SENDS FOR TEAM IMPLEMENTATION, AND MONITORS IT - ALMOST COMPLETELY AUTOMATICALLY!
HAVE OTHER WAYS TO MONITOR AND KEEP WORKFORCES SAFE FROM BEING TARGETS OF CYBER ATTACKS?
WE'D LOVE TO HEAR FROM OUR FELLOW SOC, CISO, CTO, SECURITY RED TEAMS, BLUE TEAMS, AND PURPLE TEAMS!