Hackers are “deep sea fishing”, how should we respond?

Hackers are using a method I call “deep sea phishing” to improve their attack level, which is a combination of some of the techniques I will mention below to make themselves more aggressive. In order to keep pace, cyber security innovators have been working hard to develop tools, technologies, and resources to improve defense capabilities. But how can organizations respond to evolving threats that have not yet been initiated or even conceived?

For example, in February of this year, 10,000 Microsoft users became the target of a phishing campaign that sent emails purporting to be from FedEx, DHL Express, and other courier companies, which contained links to phishing pages hosted on legitimate domains, with the purpose Is to obtain the recipient’s work email credentials. The use of legal domain names can make e-mails evade security filtering, and people’s dependence on courier services and related information due to the epidemic has increased the success rate of phishing activities.

In May of this year, the attackers launched a large-scale and complex payment-themed phishing campaign. The phishing email urges users to open the attached “payment suggestion”-in fact, this is not an attachment at all, but an image containing a link to a malicious domain. After opening, the Java-based STRRAT malware is downloaded to the endpoint and connected to the command and control (C2) server to run backdoor functions, such as collecting passwords from the browser, running remote commands and PowerShell, and recording keystrokes and other criminal activities.

Phishing is no longer a small-scale online harassment that has been brewing underground. Today, nearly 70% of cyber attacks (as described above) are orchestrated by organized crime or actors associated with nation-states. With many recovery tabs reaching millions, organizations need a solution to protect them from attacks that have not yet been designed, the 0-day attacks that can cause the most damage.

But before we solve the defense problem, let’s first look at the objects we want to defend. The types of phishing strategies mentioned below are listed in ascending order of complexity.

Types of phishing

Not all phishing attacks cause the same damage, but all phishing attacks are designed to cause damage to the organization and may involve huge financial expenditures, remediation costs, loss of revenue, and reputational damage. Attacks range from typical phishing emails to sophisticated spear phishing schemes and “whaling.”

?Phishing emails

In a normal phishing campaign, phishers send emails to a large group of recipients, and they have good reasons to expect a small percentage of the recipients to click. Phishing emails are usually designed to look like official messages from a trusted company. However, when the recipient clicks on the seemingly harmless link embedded in the email, the malware may be downloaded directly to their device, or open a malicious webpage, download the malware, or ask for credentials, account number, or other valuable Data and other personal information.

? Spear phishing emails

Unlike widespread phishing, spear phishing emails are highly targeted and target specific individuals or organizations. Cybercriminals use social media and other public information to create personalized emails for specific individuals and pretend to be trusted senders.

For example, in April, the personal information of 500 million LinkedIn accounts was captured and leaked from social media platforms and sold as bait for spear phishing attacks. Because spear-phishing emails are personalized, recipients are more likely to click on malicious links or even enter credentials on the login page.

?whaling

Whaling is a form of spear phishing that targets prominent personalities such as CEOs and CFOs to obtain highly sensitive personal or business data. The “sender” may pretend to be a business partner, a customer, or someone who has a critical business problem that needs to be solved by the target individual. The main goal of whaling emails is to steal sensitive business information.

Spear phishing and whaling are different from general phishing attacks in that they use personal and professional data to establish higher legitimacy in the eyes of the recipient. They are a highly successful form of phishing that everyone needs to guard against.

The success of cybercriminals is mainly due to individuals

More sophisticated phishing attacks require more development time and effort, and the investment will pay off with greater expectations, especially when malware is layered. These methods are still effective for criminals: in fact, according to a global MSP survey, 67% of respondents said that phishing emails are the most common delivery channel for ransomware attacks.

Many companies require employees to receive regular anti-phishing training, but employee training is not enough to protect the organization, because people are the weakest link in the network security chain. Humans are easily deceived and habit-driven creatures. We can easily click on links that endanger the entire network of the organization.

Verizon’s 2021 Data Breach Investigation Report (DBIR)’s top findings point out that 85% of leaks involve human factors, 36% involve phishing (an increase of 11% from the previous year), and 10% involve ransomware – the previous one. Twice the year.

Ransomware-Phishing Link

Organizations of all sizes should consider how ransomware attacks (often beginning with phishing) will affect their performance, financial stability, and future. More importantly, they should evaluate their network security strategy and security architecture.

According to SonicWall, ransomware attacks have increased by 62% since 2019.

This impact includes small businesses. It is estimated that half of the cyber attacks are directed at this group, and they may not have the same phishing awareness training as large organizations. The resulting loss of revenue and remediation costs, downtime, reputation damage, and legal fees are a huge blow to small businesses.

Ransomware is constantly evolving…

New developments make ransomware more threatening. According to the FBI, Ryuk is currently the most ransomware software. Now, it also adds a worm-like function, which makes it no longer rely on human clicks to spread. This is a major worrying situation.

Think about it: the initial infection only occurs within a few seconds. Ransomware launched when a user clicks on a link in a phishing email will quickly begin to spread laterally across the network, encrypting PCs and servers to maximize damage-and bring cybercriminals targeted at your organization To maximize profit.

The ransomware then reads the infected file and searches for user credentials so that it can spread more quickly through remote desktop connections between network computers or mapped drives. Although backing up data on the cloud is a good practice, it may not be sufficient.

Sophisticated ransomware can target files on shared network drives and cloud backup services, thereby paralyzing your entire organization and leaving you at the mercy of cybercriminals.

The impact of ransomware may also extend far beyond the business itself. For example, the May ransomware attack on Colonial Pipeline, a company with 900 employees, resulted in the closure of 5,500 miles of pipelines that carry 45% of the fuel supply on the East Coast of the United States. Under pressure to restore services (including medical services, law enforcement agencies, fire departments, airports, and the general public) to tens of millions of people who rely on pipelines for fuel and organizations to restore services, the company had to pay a ransom of US$4.4 million.

Human behavior is hard to change

An email only needs to be hit at a vulnerable moment, and its decoy will lure the employee who receives it to download the infected file by clicking on the seemingly legitimate link in the phishing email. In the face of today’s 0day threats and advanced malware, a stronger defense is required than signature-based scanning technology and finding known malicious domains.

Organizations cannot rely on their users as the last line of defense against phishing. After all, user vulnerabilities are the reason phishing is so effective and widely used. Don’t blame your employees: cybercriminals are the most sophisticated experts in the research and exploitation of human behavior.

Defense option: remote browser isolation

For various reasons, a very different approach must be considered, which is to prevent exposure to malware and ransomware when the vulnerability exists. As phishing attacks become more and more multi-layered and multi-faceted, it is difficult to say what the next new method of cybercrime will be, so future-oriented concepts become important.

Remote Browser Isolation (RBI) provides organizations with defenses, even the most complex web-based attacks. When a user clicks a link in an email or opens a new browser tab, RBI executes the web content in a virtual browser located in a remote isolation container in the cloud. Only safe rendering data will be sent to the user’s regular endpoint browser, thereby providing a fully interactive regular browsing experience. No web content reaches the user’s device, and potentially risky sites can be opened in read-only mode to prevent the theft of credentials, so users can be 100% protected from malicious websites and malicious software attacks in URLs in phishing emails.

Phishing not only exists, it is becoming more advanced and dangerous every day. It is important to accept that humans are easy to make mistakes and easy to be manipulated. Therefore, organizations should not focus on training, but choose solutions that effectively protect the organization from cybercriminals. Using RBI to isolate users and “isolate” them from the dangers of malicious e-mail links and phishing sites is a good way for organizations to use this method to keep themselves away from phishing.