Don’t Get Hooked by Phishing.

Pandemic hasn’t only brought the disease with itself but has also brought security risks for all the organizations. Because of COVID-19, companies are working from home, and attackers are enjoying the benefits.

According to Symantec, there was an increase in phishing attacks in 2020, of which one part of 4200 e-mails belongs to phishing e-mails. At the beginning of the phishing attack, 65% of attackers use spear-phishing to spread the malicious links.

According to CSO Online, 94% of malicious links are delivered via e-mails as well as this attack costs $17,700 every minute.

Throughout this post, we will discuss phishing attacks’ essential attributes and include some efficient ways to defend and mitigate organizations’ potential threats.

Phishing Attack

“Phishing attacks have the ability to skirt technology and target human emotion, making it imperative that organizations empower their employees to be part of the solution.”

-Aaron Higbee.

Phishing is the same as fishing. Imagine throwing fodder in water to catch the fish, in the same manner, hackers throw fodder in the big ocean of the internet in the form of URLs, messages, or e-mails to catch (attack) the user’s sensitive data such as Gmail password, Facebook Id and password or bank credentials, etc.

Phishing will continue to grow as new technologies evolve, and users are partly responsible for maintaining their information confidentiality. Several corporates are also seeking to mitigate phishing attacks, including Facebook, Gmail, Norton, and IBM, etc.

Source: Cloudflare.com

Types of the Phishing attack

There are several ways a phishing attack can occur, including,

• Clone phishing
• Whaling
• SMS phishing
• Spear phishing

Despite having multiple ways, few specific types that is use within organizations are,

Spear Phishing

“I can go into LinkedIn and search for network engineers and come up with a list of great spear-phishing targets because they usually have administrator rights over the network. Then I go onto Twitter or Facebook and trick them into doing something, and I have privileged access. “

—  Kevin Mitnick

In spear-phishing, attackers particularly target specific corporations or users. In comparison to mass phishing, spear-phishing attackers collect data about a user or organization and use that information about their victims to maximize their likelihood of attack effectiveness.

Whaling is a part of spear-phishing where the targets are specifically senior management or executives of the organization. E-mails containing product information or financial reports processed with executives may be a spoof.

Clone Phishing targets are mostly auditing firms. The attacker uses previously genuinely delivered e-mails to clone and resend them by stating it’s an updated version of the original mail.

What approaches can use to attack the organizations?

• Some methods of phishing use a manipulated links that seem to relate to the spoofed corporations. Such as fake subdomain URLs or misspelled links.

• Filter evasion is carried out using images or files instead of links in spoofed e-mails, making the attack more secure and harder to detect. In the given example, the sender is asking to download the malicious file to continue the services.

• The JavaScript commands use to alter the URL address of the website where the victim is redirected.
• Redirecting the victim to the legitimate website (which is already hack) and stealing the personal credentials is covert redirection. In the image, the view invoice button is redirecting towards the malicious link.

• Tab nabbing is also an approach where attackers take benefit of several open tabs. When a user has multiple tabs open and clicks on a malicious link, this will open the spoofed tab in the browser without the victim’s knowledge.

• Social engineering is one of the most common approaches to attacking. The attacker plays with the victim’s mind and makes them click on links, resulting in hacking.

Mitigation techniques

Low-level mitigation techniques

“Companies spend millions of dollars on firewalls, encryption, and secure access devices, and it’s money wasted; none of these measures address the weakest link in the security chain.”

– Kevin Mitnick.

Weak links in the organization?

“Your employees remain your organization’s weakest security link.”

-Dashlane

Training

• Employees should receive monthly training in safeguarding organizational assets.
• Employees and senior managers or executives should be involved in training as they also play an essential role in piracy.

Verify Links

• The URLs must be verified before clicking. Like Virus Total, many websites are available for such tasks to paste and ensure the link is safe enough to click.
• Misspelled links or unsolicited attachments must revise as companies never request sensitive information on e-mail.
• Domains or senders must verify whether the e-mail originates from a legitimate organization or not. Such as, example.youtobe.com has a fake domain name.

High-level mitigation techniques

• Trusted antivirus software like Avira, Bitdefender, or Avast must be implemented on the systems and updated weekly.
• A centralized mail system must be deployed for additional protection, such as Microsoft Defender for office 365. The defender verifies the link before redirecting the user to the given URL. If the link is malicious then, it blocks access to that website.

• Organizations should use two-factor authentication (2FA) or multi-factor authentication (MFA) to mitigate the risk at some point. A phishing attack can let hackers collect personal credentials but won’t allow them to hack fingerprints or security question’s answers. Multi-factor Authentication (MFA) is essential and might be the most potent solution for phishing e-mail threats.

• Safe browsing services must be implemented within the organization’s computer system. Safe Browsing is a Google feature that enables user apps to search URLs across Google’s frequently monitored list of risky web services. It notifies users before they click on links within the site that can lead to malicious pages.

• IT department should deploy concise and clear policy systems such as Identity and Access Management (IAM) across the organizational systems. IAM system works on four A’s.
  • Audit
  • Authorization
  • Authentication
  • Assessment

IAM provides access on a need-to-know basis. It shall authorize and approve by the IT department.

The organizations can keep their internal system and employees safe from phishing attacks by strictly implementing the security policies and using all the techniques mentioned above.

At the end of the day, the goals are simple: safety and security.

-Jodi Rell.