BEC, Credential Harvesting, Ransomware and More: Phishing is Alive, Well, and Malicious

Jane Wasson
The Azimuth

--

By: Jane Wasson | @Area1Security | Area 1 Security

As the Bard himself said, “What’s in a name? A rose by any other name would smell as sweet.” In much the same way, a phish by any other name is still a phish — and just as dangerous.

The industry has moved towards a veritable word soup to describe all the various ways a breach happens. What’s lost is that the overwhelming majority of these are just forms of a phishing attack, whether referred to as BEC, ransomware, whaling, credential harvesting or others.

Today’s phishing attacks are weaponized fraud on a scale never before envisioned, thanks to social engineering and the cloud. Not only are the rates of attacks rising, the attacks themselves are growing in creativity and diversity. Cybercriminals are evolving their campaigns as ingeniously as honest companies develop their own new technologies.

Cybercriminals increasingly have deep insights into how organizations communicate; they’re skilled at mimicking the tone and language that an employee would expect to see on a document or web page. They learn and use familiar nicknames for people and processes to build credibility.

Our comfort with the Internet means that our guards are often down. People have a false sense of security, believing that their employers and cybersecurity defenses can guarantee their safety. To protect from cyber attacks, security teams need to understand the diversity of phishing campaign types hackers use and what’s required to defend against these attacks.

Phishing Attack Types

Notorious cyber attacks such as Business Email Compromise (BEC), spear phishing, credential harvesting, and watering holes use unique tactics to accomplish their malicious objectives — but all are forms of phishing. They attempt to lure users into opening emails, clicking on links, downloading files, transferring money or data, or entering information such as account IDs and passwords into websites.

And despite significant investment in cybersecurity tools, most organizations still experience phishing emails that evade defenses and land in employee inboxes, causing data breach, financial loss and brand damage. So what types of phishing campaigns are commonly used by threat actors? And what’s needed to defend you from this diversity of attacks?

Spear Phishing — Sharpened by Social Engineering

Spear phishing attacks use social engineering to aim at specific victims and establish trust. Not surprisingly, they have a high success rate in compromising systems and causing data and financial breaches. Because these attacks are targeted, are low in volume and don’t fit the conventional spam profile, they are often invisible to traditional security technologies, such as spam filters, which rely on threat intelligence derived from active, high-volume campaigns.

Effective spear phishing defense depends on early insight into phishing campaign infrastructure before an attack is launched, goes active, and does its damage. Setting up a phishing campaign infrastructure may take hackers months, although they then often launch the attack and take down the site within hours. Thus, a technology that proactively hunts for phishing campaigns and infrastructure while under construction has that critical early insight to detect an attack and prevent a spear phishing email from landing in user inboxes.

Business Email Compromise (BEC) or CEO Fraud

BEC attacks are targeted phishing campaigns that rely on impersonation to trick victims into providing confidential information or transferring funds. A simple fraudulent email purporting to originate from a CEO has the potential to damage a company more severely than a complex, sophisticated technological attack.

Targeting individuals in BEC attacks has been successful because fraudsters first do the research to gain deep knowledge and familiarity with the company, making their communications credible. Potentially lucrative results justify the extra effort.

With BEC, cybercriminals use spoofing techniques to make an email appear to have come from a trusted organization, executive or supplier. Because these threats are file-less, linkless and often sent by imposters from valid email accounts that pass email authentication checks, traditional defenses frequently miss the malicious nature of these emails.

Protecting against these attacks requires advanced email analysis techniques that can compare email display names with known executive names for similarity. Using sophisticated matching models, they can check that messages appearing to be from an executive actually originate from known sending domains and thus prevent delivery of imposter email to inboxes.
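The display-name check described above can be sketched as follows. This is an added example, not Area 1 Security's code: the executive directory, the 0.85 threshold and the sample messages are constructed assumptions, and difflib stands in for the "sophisticated matching models" the article mentions.

```python
import unicodedata
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Hypothetical directory: executive name -> domains they legitimately send from.
EXECUTIVES = {
    "Dana Whitfield": {"example.com"},
    "Luis Ortega": {"example.com", "corp.example.com"},
}
SIMILARITY_THRESHOLD = 0.85  # assumed cut-off; tune against your own mail flow

# Constructed sample messages (not real mail).
SAMPLES = {
    "legit": "From: Dana Whitfield <dana.whitfield@example.com>\nSubject: Q3\n\nhi",
    "reordered": 'From: "Whitfield, Dana" <dw.ceo@mail.example.net>\nSubject: Wire\n\nhi',
    "typo": "From: Dana Whitfeld <dana@example.org>\nSubject: Invoice\n\nhi",
    "unrelated": "From: Sam Patel <sam@example.com>\nSubject: Lunch\n\nhi",
}


def normalize(name):
    """Case-fold, drop accents and punctuation, sort tokens so 'Last, First' == 'First Last'."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(c for c in text if not unicodedata.combining(c))
    tokens = "".join(c if c.isalnum() else " " for c in text.casefold()).split()
    return " ".join(sorted(tokens))


def check_sender(raw_message):
    """Classify the From header of a raw message; returns (verdict, matched executive)."""
    display, addr = parseaddr(message_from_string(raw_message).get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    candidate = normalize(display)
    best_name, best_score = None, 0.0
    for name in EXECUTIVES:
        score = SequenceMatcher(None, candidate, normalize(name)).ratio()
        if score > best_score:
            best_name, best_score = name, score
    if best_score < SIMILARITY_THRESHOLD:
        return ("no_executive_match", None)
    if domain in EXECUTIVES[best_name]:
        return ("known_sender", best_name)
    # Display name looks like an executive but the domain is not one of theirs.
    return ("impersonation_suspect", best_name)


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, check_sender(raw))
```

The check does not depend on SPF, DKIM or DMARC results, so it still applies to imposter mail sent from valid accounts that pass authentication. A message sent from a compromised account on a listed domain would be classified as a known sender, so this is one signal among several.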

Credential Harvesting and Website Cloning

Credential-harvesting attacks steal legitimate user IDs and passwords. They often start with targeted phishing emails that ask the victim to click on a link and log into their own account to change password or payment information. The link then directs the user to a spoofed site, allowing the hacker to harvest the valid credentials entered by the victim, and then use those to log into the victim’s actual account.

As noted earlier, cybercriminals often launch phishing sites for a limited time only, taking them down quickly before threat researchers can amass the volume of threat activity data necessary to recognize the malicious nature of the site. Thus, newly launched credential-harvesting sites go undetected by traditional security technologies.

An effective defense requires proactive web crawling, combined with innovative data analysis that can identify suspicious, branded web pages. The same analysis can then check the associated infrastructure to detect imposter pages before credential-harvesting attacks launch. With early insight into malicious pages, emails containing links to credential-harvesting sites can be detected and blocked before reaching employee inboxes.

Malware-Infected Linked Documents and Email Attachments

Malware is malicious code that, when downloaded, compromises systems to achieve an attacker’s goal. This goal may be to collect data for criminal purposes, or to corrupt or encrypt a system for ransom, causing downtime and data and financial loss. The malware might also send confidential information back to the attacker’s infrastructure, or give the attacker entry to other systems and data on the network.

Threat actors use many techniques to slip malware-infected files past cyber defenses. They lure victims to click on a URL in an email or social post that downloads a malware-infected document. They also use URL shorteners and redirects to hide their malicious links and evade cyber defenses — or they might embed links to malware-infected documents in benign email file attachments. They can attach password-protected or archived malicious files to emails, hiding their activities with techniques that evade signature- and sandbox-based malware-detection technologies.

Defense against these attacks requires extraction of remote linked files and email attached files, along with the use of sophisticated machine learning (ML) algorithms that can quickly scan files and identify hidden malicious code. Advanced defenses can also open password-protected files, decompress archived files, and then analyze the contents to detect hidden malware.

Watering Hole, Malvertising and Scripting Attacks

Watering hole, malvertising and scripting attacks lure end users to visit phishing websites that surreptitiously download malware to compromise the victim’s system.

While traditional cybersecurity technologies can detect and protect from known phishing sites and downloads, they lack critical early awareness of newly established or previously unknown malicious sites and payloads.

Protecting you from modern phishing sites requires aggressive detection techniques, including proactive and real-time web crawling, to discover malicious locations. These strategies, used in combination with sophisticated ML models, can quickly detect malicious links.

Proactive web crawling uncovers phishing sites with active content, capable of downloading malware and making undetected changes to client systems. Early discovery of these sites and associated threat data is critical to power email analysis and ML models. These can detect newly established or previously unknown malicious sites missed by traditional reputation and signature-based security.

Gartner Recommends Technology to Battle Phishing Attacks

In a recent paper, How to Build an Effective Email Security Architecture, Gartner describes email as the main battlefield and critical channel for cybercrime, and as the main target and entry point for hackers. Gartner emphasizes that establishing phishing technology controls should be a priority for reducing cyber risk. The paper notes Verizon’s statistic that phishing and pretexting encompass 98 percent of social incidents and 93 percent of breaches. The report recommends designing an email security architecture that addresses the severity of modern email threats such as malware, malicious URLs, credential phishing and BEC.

To learn how Area 1 Security stops the phishing threats that traditional defenses miss, read our blog.
