Phishing is an email-based attack in which a malicious actor impersonates a sender the recipient already trusts (a colleague, a vendor, a bank) in order to get the recipient to act on the attacker's behalf. When the lure is tailored to specific personnel it is called spear phishing. Attackers accomplish the impersonation by spoofing the sending address so that the message appears to come from a trusted source.
Low-effort methods accomplish this simply by registering a domain that looks similar at a glance. For example, @risk3sixty.com can be portrayed as @rlsk3sixty.com, with a lower-case L standing in for the i. Alternatively, because SMTP does not verify the From header on its own, an attacker can put any name and domain they wish in it and relay the message through any of the freely available online SMTP services.
The Goal of Phishing Attacks
1) Download and installation of Malware
This can take the form of a malicious payload embedded in an email attachment (often an HTML attachment). An example would be an email sent from a forged address with a zipped attachment carrying the payload. Zipped attachments are often used to get past antivirus engines that cannot unpack and inspect compressed files. Attachments may also be Microsoft Word .doc files containing malicious links and instructions.
Office Macros and Document-Based Executables
Macros with malicious payloads embedded in Microsoft Word documents can be sent to users, generally under the pretense that time-sensitive material or organizational financial data is enclosed. When opened, the document instructs the user to click "Enable Editing" (which leaves Protected View) and then "Enable Content" (which allows the macro to run); the macro then installs the malicious software.
Malicious actors can also send plain URLs inside hyperlinks that redirect users to websites which attempt to download and install malicious files onto the user's machine. These lures tend to entice users with the promise of financial gain or access to sensitive data.
2) Provide malicious actors with sensitive information
More advanced attacks clone entire websites and send emails that mimic the format, look, and feel of the associated site. These emails may take the form of requests from social media, banking, or internal company sites and present a login screen to capture the user's username and password, a password that is generally reused across many sites and applications.
Emails can also be sent with only the display name of the sender altered to impersonate a person of authority within the target organization, requesting that information be sent directly to them. The information requested could be PII (payroll stubs, company rosters, financial data), direct money transfers from the organization's account into false "vendor" accounts, or, an emerging trend, gift cards whose card numbers are to be sent back to the requester. An example of such an email is shown below: the display name reads Bill Gates although the associated email address is obviously false.
There are multiple actions your organization can take to reduce the risk that phishing attacks targeted at your personnel succeed. By layering these efforts the organization applies a defense-in-depth model, creating multiple hurdles an attacker must clear. Here are a few steps that dramatically improve anti-phishing protection:
1) Utilize a Properly Configured SPF Record
An SPF (Sender Policy Framework) record lets receiving mail servers verify that a message claiming to come from your domain was sent by a host you have authorized. SPF records are published by the owner of the domain as a TXT entry in the organization's DNS and list the IP addresses (and, via include: mechanisms, the third-party sending services) that are authorized to send mail for that domain, ending with a policy for everyone else (-all to fail, ~all to soft-fail). Two caveats apply. SPF is evaluated against the envelope sender (Return-Path), not the From header the user sees, so on its own it does not stop display-name spoofing or look-alike domains; pair it with DKIM and a DMARC policy for that. And it only helps receivers that actually check it, so your own gateway must be configured to enforce SPF on inbound mail.
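To make the evaluation concrete, here is a small SPF checker written for this article (it is not the article's own code and not any library's implementation). It supports the ip4, ip6, include and all terms and the 10-lookup limit; the DNS records, domains and IP addresses in it are constructed for illustration, and a real checker would resolve the TXT records over DNS and also handle the a, mx, exists and redirect= terms.

```python
"""Minimal SPF evaluator (RFC 7208 subset) against an in-memory DNS table.

Added example for this article, not the article's own code. The domains,
TXT records and IP addresses are constructed for illustration; a real
checker resolves the records over DNS (pyspf or dnspython do this) and
also handles the a, mx, exists and redirect= terms omitted here.
"""
import ipaddress

# Constructed TXT records keyed by domain (assumption: none of these are real).
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "weak.example": "v=spf1 +all",   # the misconfiguration to avoid: everyone passes
}

MAX_LOOKUPS = 10  # RFC 7208 s4.6.4: more than 10 DNS-querying terms is a permerror
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the SPF TXT record for a domain, or None if it has none."""
    record = DNS_TXT.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return None
    return record


def check_spf(client_ip, domain, _lookups=None):
    """Evaluate the SPF policy of `domain` for a connecting `client_ip`.

    `domain` is the domain of the envelope MAIL FROM (Return-Path), which is
    what SPF is defined over; the visible From: header is not consulted.
    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    counter = _lookups if _lookups is not None else [0]
    record = lookup_spf(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(client_ip)

    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qualifier, mechanism = "+", term
        if term[0] in QUALIFIERS:
            qualifier, mechanism = term[0], term[1:]
        name, _, argument = mechanism.partition(":")
        name = name.lower()

        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                # an IPv4 address is never inside an IPv6 network and vice versa
                matched = addr in ipaddress.ip_network(argument, strict=False)
            except ValueError:
                return "permerror"
        elif name == "include":
            counter[0] += 1
            if counter[0] > MAX_LOOKUPS:
                return "permerror"
            # include: matches only if the referenced policy returns pass;
            # a referenced domain with no record is a permanent error
            sub = check_spf(client_ip, argument, counter)
            if sub in ("permerror", "none"):
                return "permerror"
            matched = sub == "pass"
        else:
            # a, mx, ptr, exists and the redirect=/exp= modifiers are not
            # implemented in this toy; treat them as a permanent error
            return "permerror"

        if matched:
            return QUALIFIERS[qualifier]

    return "neutral"  # record exhausted without an "all" term


if __name__ == "__main__":
    for ip, dom in [("203.0.113.5", "example.com"), ("198.51.100.10", "example.com"),
                    ("192.0.2.1", "example.com"), ("192.0.2.1", "weak.example")]:
        print(f"{ip:>15} as {dom:<14} -> {check_spf(ip, dom)}")
```

Note that the domain passed in is the Return-Path domain: a message whose Return-Path is a domain the attacker controls (with a valid SPF record of its own) will pass this check even though its From header shows your executive's name, which is the gap DMARC alignment closes.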
2) Utilize Strong Spam Filters
Spam filters serve as the first line of defense for email destined for the organization. Gateway filters inspect all mail entering the organization and sort or flag it based on predetermined rule sets configured by administrators. These gateways can be hosted by third parties or managed by internal members of the organization. Filters can use multiple signals to judge the validity of inbound email, such as the source, the reputation of the sender, and the content of the message body. More capable filters also scan or detonate file attachments to look for malicious payloads.
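The following is an added example, written for this article rather than taken from it or from any vendor's product, of the kind of header and attachment rules a gateway filter can apply. It ties together the look-alike domain trick (@rlsk3sixty.com for @risk3sixty.com) and the display-name impersonation described earlier: it compares the sender domain to the internal domain after collapsing confusable characters, checks whether an executive's name appears on an address that is not theirs, notes Return-Path/From mismatches, and flags risky attachment types. The internal domain is the one from the article's example; the executive directory, confusable table and sample messages are constructed.

```python
"""Header and attachment heuristics of the kind a gateway filter applies.

Added example for this article, not the article's code or any vendor's rule
set. The internal domain is the one used in the article's look-alike
example; the executive directory, confusable table and sample messages are
constructed for illustration.
"""
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

INTERNAL_DOMAIN = "risk3sixty.com"
EXECUTIVES = {"bill gates": "bgates@risk3sixty.com"}       # constructed directory
RISKY_EXTENSIONS = (".zip", ".iso", ".js", ".hta", ".html", ".htm", ".docm", ".xlsm")
# Characters that are easily mistaken for one another in common fonts
# (constructed shortlist; real filters use Unicode confusable tables).
SINGLE_CONFUSABLES = str.maketrans("1|!i05", "llllos")
PAIR_CONFUSABLES = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def skeleton(domain):
    """Collapse confusable characters so look-alike domains compare equal."""
    d = domain.lower()
    for pair, replacement in PAIR_CONFUSABLES:
        d = d.replace(pair, replacement)
    return d.translate(SINGLE_CONFUSABLES)


def edit_distance(a, b):
    """Levenshtein distance; catches typo-squats such as a dropped letter."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1, current[j - 1] + 1,
                               previous[j - 1] + (ca != cb)))
        previous = current
    return previous[-1]


def is_lookalike(domain, target=INTERNAL_DOMAIN):
    """True when `domain` is not `target` but would be mistaken for it."""
    domain = domain.lower()
    if domain == target:
        return False
    return skeleton(domain) == skeleton(target) or edit_distance(domain, target) <= 1


def analyze(raw_message):
    """Return the list of phishing indicators found in one RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    display, address = parseaddr(str(msg.get("From", "")))
    sender_domain = address.rpartition("@")[2].lower()

    # 1. Executive's name in the display name but the address is not theirs.
    expected = EXECUTIVES.get(display.strip().lower())
    if expected and address.lower() != expected:
        findings.append("display-name impersonation")

    # 2. Sender domain visually resembles our own domain.
    if sender_domain and is_lookalike(sender_domain):
        findings.append("look-alike sender domain")

    # 3. Envelope sender differs from header From (weak signal: legitimate
    #    bulk senders do this too, so weight it rather than block on it).
    _, return_path = parseaddr(str(msg.get("Return-Path", "")))
    if return_path and return_path.rpartition("@")[2].lower() != sender_domain:
        findings.append("From/Return-Path domain mismatch")

    # 4. Attachment types commonly used to carry droppers or macros.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment: {name}")
    return findings


def build_sample(from_header, return_path=None, attachment=None):
    """Construct a sample message (constructed data, not captured mail)."""
    m = EmailMessage()
    m["From"] = from_header
    m["To"] = f"payroll@{INTERNAL_DOMAIN}"
    m["Subject"] = "Urgent: need the payroll roster today"
    if return_path:
        m["Return-Path"] = return_path
    m.set_content("Please send the payroll roster directly to me.")
    if attachment:
        m.add_attachment(b"PK\x03\x04", maintype="application",
                         subtype="zip", filename=attachment)
    return m.as_string()


SAMPLES = {
    "exec_impersonation": build_sample("Bill Gates <ceo.office.mail@webmail.example>"),
    "lookalike_domain": build_sample("IT Support <helpdesk@rlsk3sixty.com>"),
    "zipped_dropper": build_sample("Accounts <ap@vendor.example>",
                                   return_path="<bounce@bulk-sender.example>",
                                   attachment="invoice_0423.zip"),
    "legitimate": build_sample(f"Bill Gates <bgates@{INTERNAL_DOMAIN}>"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:<20} {analyze(raw)}")
```

Each finding is a signal to score, not a verdict: the Return-Path mismatch in particular is common for legitimate mailing-list and marketing traffic, so a gateway would combine these indicators with sender reputation and SPF/DKIM/DMARC results before quarantining.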
3) Utilize DLP Methods
DLP (Data Loss Prevention) should be used within the organization for a variety of reasons, as it helps mitigate the unauthorized release of sensitive data such as PII, intellectual property, and other confidential information. DLP works by scanning outbound traffic at various points in the infrastructure, such as the network perimeter, data storage locations, and user endpoints. DLP solutions usually ship with preset filters for data covered by regulations such as HIPAA, PCI DSS, and GDPR (for example PHI or payment card numbers), and these can be customized to meet organization-specific requirements. This helps prevent users who have fallen for a phishing email from replying with the confidential data the sender requested.
As anyone working in or paying attention to cyber security knows, malicious actors and those tasked with stopping them are in a constant arms race. While new technical and administrative controls are constantly developed and deployed, attackers are constantly adjusting and developing new methods and exploits. That is why user training is the last, and arguably the most crucial, line of defense against a successful phishing attack on the organization.
Phishing awareness training should be part of the annual requirements for organizations of all sizes and can take many forms. Larger organizations may find that building an internal solution works best; however, there are many third-party hosted solutions such as KnowBe4, PhishingBox, SANS and others, available at various price points and feature levels. These hosted solutions allow management to launch controlled phishing campaigns against selected users, report on their actions, and tailor training regimens to the organization's measured susceptibility.
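As an added illustration of what an outbound DLP content rule does (this is example code written for this article, not the article's own and not any DLP product's rule set), the block below scans a reply for Social Security numbers and payment card numbers, uses the Luhn check digit to discard numeric strings that merely look like card numbers, and decides whether the message may leave the organization. The sample reply is constructed; the card number is a widely used test number rather than a real account, and the SSN is made up.

```python
"""Outbound content inspection rules of the kind a DLP policy applies.

Added example for this article, not the article's code or any DLP product's
rule set. The sample reply is constructed; the card number is a widely used
test number, not a real account, and the SSN is a made-up value.
"""
import re

# SSN: area 000, 666 and 900-999 are never issued; group 00 and serial 0000 are invalid.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate payment card numbers: 13 to 19 digits with optional space/dash separators.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits):
    """Luhn check digit validation; filters most numeric false positives."""
    total = 0
    for position, char in enumerate(reversed(digits)):
        d = int(char)
        if position % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return regex hits that also pass Luhn (a real product slides a window
    over longer digit runs; this example only tests each whole match)."""
    hits = []
    for match in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(match.group())
    return hits


def classify(text):
    """Map identifier class -> list of matches found in outbound content."""
    findings = {}
    ssns = SSN_RE.findall(text)
    if ssns:
        findings["ssn"] = ssns
    pans = find_pans(text)
    if pans:
        findings["pan"] = pans
    return findings


def policy_decision(findings, recipient_domain, internal_domain="risk3sixty.com"):
    """Block regulated identifiers leaving the organization; allow internally.
    A production policy would also weigh labels, volume and the user's role."""
    if recipient_domain.lower() == internal_domain:
        return "allow"
    return "block" if findings else "allow"


def redact(text):
    """Mask matches so a quarantined copy can be reviewed without exposure."""
    out = SSN_RE.sub("***-**-****", text)
    for pan in find_pans(out):
        out = out.replace(pan, "**** **** **** " + re.sub(r"[ -]", "", pan)[-4:])
    return out


# Constructed reply a victim might send to the spoofed "Bill Gates" request.
SAMPLE_REPLY = (
    "Hi Bill, roster attached as requested. Jane Doe, SSN 123-45-6789. "
    "Corporate card for the gift cards: 4111 1111 1111 1111 exp 12/29. "
    "PO reference 1234567890123456."
)

if __name__ == "__main__":
    found = classify(SAMPLE_REPLY)
    print(found, policy_decision(found, "webmail.example"))
    print(redact(SAMPLE_REPLY))
```

The 16-digit purchase-order reference is matched by the regular expression but rejected by the Luhn check, which is why a pattern-only rule generates the false positives that make users disable DLP; the test card number and the SSN are caught and the reply to an external recipient is blocked.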