[BreachExchange] Deception will be the security watchword of 2018

Audrey McNeil audrey at riskbasedsecurity.com
Mon Jan 8 20:22:20 EST 2018


It’s easy to assume that the future of cyber security will be set by the
ability to discover and defend against advanced new malware. After all, one
of the defining features of 2017’s cyber landscape were the huge WannaCry
and NotPetya attacks, which racked up billions in costs after grinding
organisations around the world to a halt. The attacks both used the
EternalBlue SMB exploit from a stolen NSA cache of vulnerabilities, leading
to fears that we can expect an increase in attacks using advanced,
previously unknown exploits.

More important than any individual exploit discovery or malware development
however will be the increasing ability of attackers to deceive their
victims. Advanced social engineering techniques that were previously
limited to more sophisticated attackers are becoming more common, and
businesses will have to adapt to deal with several new deceptive tactics in
the next few years.

Using existing data for smarter targeted attacks

We have seen so many large-scale data breaches in recent years that the
chances are most people have had at least some of their data stolen. The
Equifax breach alone involved the theft of records for more than 145
million people, while the more recently reported breach of analytics firm
Alteryx saw data from 123 million households stolen.

With such a vast amounts of data now available to criminals, we will
inevitably see criminals begin to consolidate information from different
breaches to create even more powerful targeted attacks, and on a larger

For example, consider a breach where names and social security numbers were
compromised, and then a separate breach in which names, email addresses and
passwords were stolen. By combining these two data sources, the criminal
would be able to find some set of users for whom they would now know all
this information. By automatically searching for emails from banks in an
intended victim’s email box, the criminal would be able to identify and
contact the victim’s bank and, posing as the victim using name and social
security number, gain direct access to the bank account. The criminal can
then add himself as a co-signer and obtain an ATM card, then deposit one or
more forged checks and withdraw the corresponding amounts before the checks
eventually bounce. This would be the liability of the account owner, unless
picked up by the financial institution.

Deploying multifactor social engineering

Alongside using data to craft more believable targeted email attacks, I
also anticipate criminals improving their social engineering attacks by
taking advantage of multi-factor systems that are ironically intended to
provide more security. For example, attackers can exploit the traditional
password feature used by most services by sending a reset code to an
intended victim, then immediately following up with a deceptive email
request for that code. This approach enables criminals to harvest reset
codes on a significantly larger scale, granting direct access to user
accounts without setting off alarm bells.

Another approach could see phishers taking advantage of the standard email
spam folder. They could send a message warning that their spam filter needs
retraining, and that important warning emails have been placed in the spam
folder by mistake. The victim will then naturally check their spam folder
and move the apparent emails back into their main inbox -- and of course,
reading them, potentially falling for the deceptive attack.

We believe a growing number of criminals will start to integrate techniques
such as this into their strategies in an effort to sidestep improved
security measured and increase their success rates.

The end of “less-secure 2FA?”

Other multifactor security measures are also ripe for misuse by criminals,
particularly the SMS-based two-factor authentication (2FA) currently used
by many organisations. SMS has long been a favourite verification method
for many services, but new social engineering attacks, technical weaknesses
and the rarely discussed problem of friendly fraud have resulted in the
process being much less secure than most organisations will realise.

If an attacker gets hold of the “secret code” sent by a service provider,
he has full access to the associated account. In fact, traditional security
methods used to detect intrusions are notably absent when the account is
accessed using 2FA. There are currently few reliable fall-back plans for
security verification if 2FA-based access is compromised.

As a result, I believe we will see SMS-based 2FA starting to be abandoned
over the next year in favour of more secure measures. 2FA applications
which require some form of authentication to open the app, e.g., biometric
user authentication will take the place of SMS and become more prominent.
If a user needs to put her finger on the phone’s fingerprint reader to get
the unlock code, it will be far more difficult for criminals to exploit the
system and gain access.

Unmasking the deception

While there are many different deceptive techniques deployed by criminals
to reach their targets, they are all united by the use of what appears like
trusted identities and authorities. Phishing and business email compromise
(BEC) attacks impersonate a known identity – whether it’s a friend,
colleague, boss, consumer brand or governmental body – to trick their
victims into action. Likewise, more recent attacks taking advantage of
multifactor verification play on the user obeying messages that appear to
come from their email system itself. Once that trust has been gained, the
victim will lower her guard and is more likely to comply with the message,
even though requests like entering personal details or arranging payments
should be suspicious.

Relying on users to spot these attacks themselves has always been a risky
proposition, but will become even less tenable as attackers use contextual
data to craft more convincing social engineering attacks and take advantage
of trusted verification systems. To catch everything, a worker would need
to spend all her time scrutinising each and every email for tell-tale signs
– not the most productive use of her time. Many of these attacks are also
coupled with strategies designed to fool traditional email security
measures by avoiding malicious attachments and keywords.

To counter these threats, organisations will need to equip themselves with
the ability to identify fraudulent messages through other means, such as by
detecting mismatched display names and email addresses. By spotting these
signs, organisations can identify and stop even the most well-crafted
deceptive email before it ever reaches its intended target.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180108/ddf8c68f/attachment.html>

More information about the BreachExchange mailing list