Phishing: A Global Pandemic

Introduction

The global pandemic has generated several changes at all levels of society. Rights as fundamental and as deeply rooted in contemporary advanced societies as freedom of movement have been diminished or, in some cases, eliminated to prioritize an even more fundamental right: the right to life. This new paradigm has brought substantial changes in the way we communicate with each other, fostering (even more) the use of email.

According to the report by The Radicati Group[1], “the total number of business and consumer emails sent and received per day will exceed 306 billion in 2020 and is forecast to grow to over 361 billion by year-end 2024.” Hence, it is not surprising that cybercriminals see endless opportunities to carry out fraudulent actions, with phishing being the most dangerous attack vector used by malicious social engineers[2].

A phishing attack is a type of crime that employs social engineering techniques: the victim receives a malicious email that pretends to come from a reputable source and lures the victim into providing sensitive information. Phishing has been used to steal millions of dollars from countless individuals, governments, corporations, banks, and even critical infrastructures. It aims to access the victim’s computer, gather credentials, or steal information for further attacks.

To help security experts educate employees and protect both them and the corporation’s digital assets, it is important to delve into and understand the attacker’s perspective when this attack vector is used.

The attacker’s perspective

It would be wrong to picture the attacker as a nerd wearing a skull shirt, locked in a room for weeks while working on a malicious act. This image has been shown in movies and books for a decade, but nothing could be further from the truth.

Attackers may have different profiles: corporations aiming to breach security boundaries and perform malicious acts to gain a competitive advantage; nation states targeting other governments or private entities; hacktivists who are politically motivated and target specific individuals or organizations to achieve various ideological ends; and cyberterrorists, characterised by the use of violence and frequently targeting critical infrastructures and government groups.

Certainly, there are other different profiles, but the idea behind this list is to convey that attackers may have many resources, high-level sophistication, and very different goals. Although the perpetration of a phishing attack through social engineering techniques may not be especially expensive, the technology behind the malicious payload may be highly sophisticated.

The strategy pursued by attackers may differ depending on the objective and the victim’s characteristics. However, by digging into each attack it is possible to perceive some common patterns[3].

The first step (and usually the one that takes the most time) is gathering information about the victim through OSINT (Open Source Intelligence) techniques, which are based on collecting information from public Internet sources[4] such as social networks[5], search engines and lookup tools (for example Webmii, Whois, FOCA or Maltego, among others), or Google’s advanced search operators[6].

Based on the findings from the previous step, the attacker creates the scenario (the pretext), impersonating a reputable source to build credibility, and launches the attack in the form of an email. Its success (partially) depends on how credible the pretext is to the victim.

A well-known trick in the attacker’s toolkit is the use of email templates, usually impersonating law enforcement agencies or banks, with the aim of tricking the victim into believing that the email comes from a reputable (and authoritative) source.

Even with the advances in anti-phishing filters that implement OCR (Optical Character Recognition) or IWR (Intelligent Word Recognition) techniques, hiding text inside images is still common in phishing attempts. However, as these filters, together with endpoint detection techniques, can identify malicious attached payloads, replacing embedded files with embedded URLs that fake a reputable source is nowadays increasingly common.
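As an added example (not code from the original article), a small defender-side check in Python for the two tactics just described: a body whose wording is carried by an image rather than by text, and a link whose visible text names a different host than the one its href actually points to. The sample message, hostnames and the 40-character threshold are constructed for illustration.

```python
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real phishing email): an image-only body whose
# single link shows one host as visible text but points at another.
SAMPLE_RAW = (
    "Subject: Action required\n"
    "Content-Type: text/html; charset=utf-8\n\n"
    '<html><body><img src="cid:notice.png">'
    '<a href="https://login.bank-example.test/verify">'
    "https://bank.example/verify</a></body></html>\n"
)

class _BodyStats(HTMLParser):
    # Collects visible text, image count and (href, anchor text) pairs.
    def __init__(self):
        super().__init__()
        self.text, self.images, self.links, self._href, self._anchor = [], 0, [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images += 1
        elif tag == "a":
            self._href, self._anchor = dict(attrs).get("href"), []
    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None

def analyze(raw):
    # Returns the heuristic flags raised for one raw RFC 5322 message.
    part = message_from_string(raw, policy=policy.default).get_body(("html",))
    stats = _BodyStats()
    stats.feed(part.get_content() if part is not None else "")
    flags = []
    # Little visible text but at least one image: the wording lives in the picture.
    if stats.images and len("".join(stats.text).strip()) < 40:
        flags.append("image_only_body")
    # Link text that looks like a URL but names a host other than the href's host.
    for href, shown in stats.links:
        if " " in shown or "." not in shown:
            continue
        shown_host = urlparse(shown if "://" in shown else "//" + shown).hostname
        if shown_host and (urlparse(href).hostname or "") != shown_host:
            flags.append("link_text_host_mismatch")
    return flags
```

Both flags are heuristics meant to route a message to closer inspection, not to block it on their own.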

The defence’s perspective

Organizations’ cybersecurity maturity has been consolidating over recent years, handling and protecting information assets behind complex architectures and layers of network devices. Policy frameworks such as the NIST Cybersecurity Framework or the ISO 27000 standard series are being widely implemented, and are perceived not only as an adequate way to protect the organization’s information systems, but also as a way to convey trust and foster a high level of reputation among customers. However, attackers have adapted their game as well, seeing humans as the weakest link for their intrusion, with phishing being the most common attack vector to gain access to the organization’s premises.

Corporations should incorporate the lessons learned over the last decade and work on developing realistic policies focused on improving their employees’ understanding of current threats. Implementing training and education programs across all levels, starting with the board of directors, which is a common target of spear-phishing[7] campaigns, is also considered a key step in hardening their defences.

Conclusion

Cybersecurity has been evolving over the last decade. Network architectures and devices aimed at ensuring the defence of digital assets have been improving and are becoming more robust and effective. In consequence, attackers who previously spent time and resources looking for configuration flaws have found in humans a more effective way to penetrate digital systems. They take advantage of our emotions, our circumstances, our needs, and our weaknesses to break the security chain.

Studies such as “The biology of trust: Integrating evidence from genetics, endocrinology, and functional brain imaging” describe how a neurotransmitter called dopamine and a hormone called oxytocin (released during moments of pleasure and happiness) contribute to the process that builds trust. I recommend you take a look at the episode “Ep. 044 – Do You Trust Me?”, where Dr. Paul Zak talks in detail about these processes.

Building trust is the main goal of all social engineering techniques, and our brain rewards us when this process takes place. Therefore, it would be daring for me to think that I will never be the victim of a phishing attack. I would rather say that, for the time being, I have never seen a pretext that my brain has not been able to filter.

But pretexts … they are (almost) infinite.

The author, Pablo López-Aguilar Beltrán is the Head of IT & Cybersecurity at APWG.eu. You can follow him on Twitter or connect with him on LinkedIn.

If you are interested in going deeper into the vast topic of phishing, remember to sign up for Pablo’s webinar on September 1st: https://register.gotowebinar.com/register/813188212862680587


Editor’s Note: The views expressed by the author are not necessarily those of the Global Cyber Alliance.


[1] https://www.radicati.com/wp/wp-content/uploads/2019/12/Email-Statistics-Report-2020-2024-Executive-Summary.pdf

[2] SMiShing, Vishing, Phishing and Impersonation are the most common attack vectors using Social Engineering techniques.

[3] These common patterns are very well explained by Christopher Hadnagy in his book “Social Engineering: The Science of Human Hacking” [p. 11].

[4] The volume of information available on the Internet (Indexed Web) in August 2020 is at least 6.3 billion pages. Source: https://www.worldwidewebsize.com/

[5] Social media user numbers have registered solid growth, increasing by more than 200 million since this time last year to reach almost 3.5 billion by the time of publication. Source: https://wearesocial.com/blog/2019/04/the-state-of-digital-in-april-2019-all-the-numbers-you-need-to-know

[6] All information concerning Google search operators is available at the following link: http://www.googleguide.com/advanced_operators_reference.html

[7] Spear-phishing is a phishing technique focused on a specific target.