This is an excerpt of a post originally written and posted by SlashNext on July 19, 2019.
The evolution of phishing attacks over the past couple of years has shown a growth in sophistication that is rendering traditional cybersecurity protocols insufficient. While traditional virus protection software still plays a role, it’s important to think holistically to defend against today’s threat actors. The Ponemon Institute shared research that showed 77 percent of phishing attacks are launched via file-less techniques that go undetected by standard endpoint security solutions. In other words, today’s phishing threat actors no longer solely rely on a simple email attachment to ensnare their victims.
Malicious browser extensions. Browser extensions by design have full access to most of the browser’s resources and information being entered and rendered within the browser. It was just a matter of time before cybercriminals realized that injecting malicious code inside browsers disguised as benign looking browser extensions would give them unlimited access to much of the data passing through the browser. To add further complications, these plugins run inside browser memory, so SSL encryption is not a problem for them. And in order to bypass Two Factor Authentication (2FA), these plugins usually wait for the authentication phase to be completed before snooping on the authenticated session and stealing data to mount further attacks.
Credential stealing. Perhaps the oldest form of phishing, credential stealing is designed to trick the user into giving up their login credentials via a spoof website or popup. The problem today is that many of these fake sites mirror legitimate trusted brands, tricking even the savviest professionals into falling victim.
Technical support scams and scareware. Typically, scareware starts with a pop-up that displays a “scary” message prompting user action that will ultimately infect their device. The threat of a computer virus prompts users to click links which will download malware and infect a user’s device. At this point, it’s possible that credit card data can be captured, credentials stolen, or a device or computer compromised. In some instances, clicking the link to fix a fake virus may uninstall legitimate antivirus software, leaving a computer, mobile device, or network vulnerable to attack.
Phishing callbacks, command-and-control (C2) attacks. They usually begin with a phishing attack that installs malicious code onto an unsuspecting employee’s device through a browser extension, weaponized document or rogue software. The attacks are often extremely targeted toward employees that control organizational personally identifiable information (PII) or financial data – typically in human resources or accounts payable departments. Once a machine is compromised, the hacker will ping the infected device for a callback to test the new connection and determine if the transmission will go undetected by the organization’s security. We often see these callback attempts in the form of zero-byte FTP file transfers or IRC communications. The majority of the time these test transmissions go undetected.
Weaponized documents. These are an example of attacks that can come from a web download, a shared drive or a file attached to a legitimate looking email. PDFs, Excel, Word or other Microsoft Office documents can all be compromised to contain code, links, or even videos that covertly release malware, trojans, ransomware or even remote access software onto a system or network. Even though weaponized documents start with an email, most traditional anti-phishing email products won’t identify the malicious phishing attack when its downloaded through all the other vectors (shared drives, PDFs, Excel, Word or other Microsoft Office documents).
Multi-stage phishing attacks. It starts with a link sent in email that is not malicious but leads to what appears to be a benign site. Once that website is opened, the user performs a task and a local HTML file is downloaded to their computer. When the user clicks on that file from their desktop, a local HTML page is launched with a link to continue which sends them to the final domain where the phishing content is delivered. The bad guys are forcing a rational human through multiple steps that security equipment would normally have trouble detecting. They don’t allow a phishing site to appear unless they can confirm that a human is interacting with the site. This means that even if the final phishing domain is on a blacklist, traditional anti-phishing security cannot protect users from it until someone or some technology follows the entire user process and reaches a point where the phishing site is baited.
These are just some of the many phishing attacks that do not rely on traditional email as the sole attack vector. When you factor in the speed and volume in which these phishing attacks unfold – tens of thousands of new phishing sites going live each day, most disappearing in 4 to 8 hours – and you can see the problem that organizations face in preventing these attacks.
Here at Bedrock, we approach these threats with a multi-pronged approach: educating our clients, customized firewalls, endpoint protection, and regularly scheduled maintenance updates.