[BreachExchange] Why a Phishing Attack Is Still Profitable — And How To Stop One

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Thu Jun 17 12:04:06 EDT 2021


https://securityintelligence.com/articles/phishing-attack-profitable-stop/

As the business world continues to grapple with an expanding definition of
new normal, the phishing attack remains a common tactic for attackers. Why
are phishing attacks still happening? How can we prevent them? We spoke to
a threat analyst who has the answers.

In May 2020, X-Force research uncovered a precision-targeting (or spear
phishing) attack on a German multinational corporation connected with a
German government-private sector task force in the race to procure personal
protective equipment (PPE).

Those threat actors targeted more than one hundred high-ranking executives
in management and procurement roles. They reached out within their target
group as well as to its third-party partners. Overall, X-Force observed
about 40 targets. It’s likely that other members of the task force could be
targets of interest in this malicious campaign as well. This shows why we
need to be more vigilant about the angles attackers could use.

Phishing: Still Common After All These Years

The sophistication required for the PPE attack is certainly notable.
However, most spear phishing attacks can be carried out with only a few
clicks. For cyber criminals, launching a phishing attack is easier than
ever, so it is critical for the enterprise to gain the awareness needed to
avoid becoming a target.

Prefabricated phishing kits on the dark web streamline the workflow for
threat actors. For example, look at the recently discovered package called
LogoKit. It automatically pulls the victim company’s logo from Google’s
photo search to display on the fake phishing login page.

“Unfortunately, the entry barriers are lower than ever with easy-to-use
kits being sold on cybercrime forums for as little as a couple of hundred
bucks,” says Brett Callow, threat analyst for Emsisoft. “These kits, which
are basically web-based apps, enable even low-level scammers to conduct
effective template-based phishing campaigns.”

According to Callow, the phishing sites are automatically created and
closely resemble the site they’ve been designed to mimic. Once they collect
the victim’s credentials, the phony site will sometimes redirect them to
the real site. The more real-looking the login page, the higher the chance
of tricking the victim.

Yes, sometimes it is that easy for cyber criminals. Even as we publish this
in mid-2021, large companies are still falling for phishing attacks. Is it
possible to turn the tide?

The Uphill Phishing Attack Battle Only Gets Steeper

First, the bad news. Many bad actors running phishing scams are not of the
cliché lone-attacker-in-the-basement type. Cyber criminals might be
nation-state actors or part of gangs. In many cases, they are well
organized and operate like a real company.

One example is Cosmic Lynx, a Russian group that behaves more brazenly than
most attacking groups. This new gang appears to be undeterred by the threat
of prosecution in western countries. In addition, it often works with
larger dollar amounts. The average sum most attackers will steal from a
target company is about $80,000 USD, but for Cosmic Lynx, it’s well above
that figure — a whopping $1.27 million.

The most common form of targeted phishing that groups like Cosmic Lynx use
is Business Email Compromise (BEC). In this attack, the sender poses as a
C-suite executive’s email account: the attacker tweaks the account name and
address to look similar enough to fool users. Most targeted phishing scams
begin with a request for a finance employee to direct a seemingly normal
payment straight into the attacking group’s bank account.

Some attackers took advantage of the pandemic to fuel BEC scams in 2020.
One attacker group sent a financial institution an email request for a $1
million transfer to address COVID-19 precautions. Fraudsters changed only
one letter of the company CEO’s email address in an attempt to fool the
victim.

What Helps Protect From Spear Phishing?

As cybersecurity people, it feels like we’re repeating ourselves far too
often about the importance of education, culture and awareness. With every
passing year, more companies are falling for these same scams.

“Phishing has been around for years, and one of the reasons for that
longevity is simply that it works,” Callow says. “The other reason is that
phishing is profitable, and underpins much of the cyber criminal economy
with stolen information being used for everything from BEC scams to
ransomware attacks.”

To best defend against these attacks, the winning strategy combines tech,
awareness and vigilance.

“Defending against phishing attacks is not easy, but by adhering to best
practices organizations can significantly limit the chance of becoming a
victim,” he says.

Spear Phishing Prevention

All employees — even more so those in the C-suite — must always default to
‘skeptical’ when on the receiving end of a request for sensitive data or a
financial transfer. No matter how genuine the email may appear, always
follow up with a phone call or, better yet, an in-person meeting to
confirm. Defaulting to trust is only human nature, but it is critical to
question everything about such emails. Skepticism should be seen as a
positive employee trait and, more importantly, a mark of fiscal
responsibility.

Remember, a simple email asking for confirmation is not going to cut it. If
you simply reply to the message and it is a scam, the cyber criminal will
obviously confirm that all systems are go.

Vigilance is key here. If you receive a link to a website and aren’t sure
about it, do not click it directly. Type the address in by hand so you can
be sure you aren’t being scammed.

Staying Aware

“Awareness training is critical,” says Callow. “It’s also extremely
important to create a better-safe-than-sorry culture in which your team
feel completely comfortable reporting suspicious or confirmed spear
phishing emails. If they don’t have that level of comfort, they’re more
likely to make the decision themselves. Additionally, senior management
should attend awareness training sessions. While executives are sometimes
inclined to opt-out, the reality is that they’re the most likely targets
for personalized and hard-to-spot spear phishing campaigns.”

Alongside awareness, technical controls are equally crucial. Callow
advises businesses to implement spam controls, URL blocking and two-factor
or multifactor authentication, and to add voice checks into their
processes.

In the end, it still boils down to promoting a security-minded culture,
which takes time, and more importantly, practice.