What will phishers do once push-based MFA becomes widely used?
As phishing continues to be the number one method for initiating a breach, investing in anti-phishing technologies or training – preferably both – should be a no-brainer for most companies.
As Aaron Higbee, co-founder and CTO of Cofense noted, there is no silver bullet, next-gen anti-phishing technology that will stop all attacks. So, when technology fails, human knowledge and intuition is all companies have left.
“CISOs need to consider what percentage of their spend should be devoted to technologies and processes to harness human intuition,” he told Help Net Security. “They must also decide how to invest in fast recovery from the phishing emails that make it past their defenses.”
Latest phishing tricks
Phishers are continually coming up with new tricks to get users to click on malicious links and share sensitive login information.
Enterprise phishing attacks predominantly take the form of simple credential phishing emails, i.e., attempts to trick an employee into entering a username/password on an attacker-controlled website.
Office 365 users are preferred targets. Successful attackers are using Microsoft’s hosted Office 365 infrastructure to pull off every phase of the attack. They send the phishing email from an Office 365 account and point the victims to a phishing page that is hosted on OneDrive or SharePoint.
“This makes it near-impossible for traditional anti-phishing technology to block the attack,” Higbee pointed out. It also makes it more likely that the user will trust the phishing page and enter their login credentials.
BEC scammers are another group that successfully leverage phishing. They manage to steal millions from all types of organizations and private individuals, usually by compromising legitimate email accounts.
Among their latest tactics, Higbee shared, are payroll diversion (they impersonate employees to trick payroll administrators into updating employees’ bank account information, to deliver salaries to a bank account they control) and impersonating CEOs to trick employees into sending iTunes gift cards.
No industry vertical can afford to be complacent about the threat of phishing, and especially not those industries that rely heavily on email for business to business communications.
One example of the latter is the legal services industry, which uses email all day to send documents and links to external entities. Companies in that vertical should, in theory, be more vulnerable to phishing, but according to Cofense’s data, legal services is one of their most resilient verticals.
The future of phishing
60% of real phishing attacks that enterprises face are simple credential phishing, and these attacks will continue to succeed until organizations can get near-total coverage on push-based multi-factor authentication, Higbee opined.
“Besides solving many email-borne phishing attacks, this same recommendation covers the overhyped ‘smishing’ claims (which aren’t the enterprise threat some vendors want you to believe).”
He predicts that once push-based MFA frustrates attackers, they will move to tricking employees into granting permissions to API-based SaaS applications (e.g., Slack, Github, Office365, Dropbox, etc.).
“IT administrators should carefully track and catalog their cloud-enabled services. If they are looking for a good place to start, they should carefully examine Slack authorizations their technology teams have enabled,” he advised.
In the meantime, though, successful cyber leaders are harnessing the power of a resilient workforce by using phishing simulations to ultimately minimize the threat. “They are conditioning their workforce to recognize and report phishing emails and have operationalized those reports into a real-time work flow to stop real attacks,” he concluded.