Spear phishing attacks continue to plague businesses of all sizes, across all sectors, and detection of these messages remains an impossible feat. Their intent ranges from delivering malware or ransomware to stealing passwords and personal information such as bank account details. All of these have high value in the online criminal world, which is why spear phishing is the most popular tool in the cyber attack arsenal today.
Webroot recently published a report highlighting the sheer volume of phishing sites that need to be detected every month to protect their customers. Webroot detected 2.3 million phishing sites in May 2017.
Previously, hackers typically created one new domain to use for an entire campaign, which made it feasible to block that domain simply by adding its name to a block list. Today, it’s clear that putting together a list of bad URLs and blocking them will no longer work: no list, even if updated hourly, can hope to keep up with this volume of new phishing websites, and detection and reporting of phishing sites takes time.
To make this problem even harder, we also observe hackers hosting phishing campaigns on insecure third-party websites. These websites are typically already categorised, that is, almost always permitted for user access and considered safe or trusted. This makes the phishing campaign even harder to block, and employees continue to click on links or open attachments.
Shutting the barn door?
Employers and vendors have been trying to stop this attack vector, but this is not a simple problem to stop. Throughout my career I have witnessed the advances in detection and evasion on a monthly basis. I have observed the use of RBLs such as SpamCop and Spamhaus, anti-virus engines, reputation engines, and anti-spam engines that even looked at the dots in images when we had an exciting time in 2007 with image spam. Sandboxes have been added to the stack of things to scan with since 2010; this made a difference to some attackers' campaigns and forced them to further evolve. Senders of email are now encouraged to use SPF, DKIM and DMARC to authenticate and trust good emails, which we see in use by most large senders of email today; however, it’s still not enough to thwart attackers.
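To make the SPF/DKIM/DMARC point concrete, the following added example (not code from the original article) reads the Authentication-Results header a receiving mail server stamps on a message, checks SPF and DKIM results for DMARC-style alignment with the From: domain, and then shows why a clean "pass" says nothing about intent. The three messages, the receiving host `mx.example.net`, the trusted domain set and the simplified organisational-domain rule are all constructed assumptions for the example.

```python
"""Added example (not from the original article): evaluate the SPF/DKIM/DMARC
signals recorded in the Authentication-Results header and show why a "pass"
result alone does not identify spear phishing. All headers are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a legitimate message from the organisation's own domain.
ALIGNED_MSG = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=payroll.example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: Payroll <payroll@example.com>
Subject: Your payslip
"""

# Constructed sample: a look-alike domain that has published its own SPF and
# DKIM records. Every check passes, because the checks only prove the mail
# really came from "examp1e-payroll.com", not that it is safe to act on.
LOOKALIKE_MSG = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=examp1e-payroll.com; dkim=pass header.d=examp1e-payroll.com; dmarc=pass header.from=examp1e-payroll.com
From: Payroll <payroll@examp1e-payroll.com>
Subject: Your payslip
"""

# Constructed sample: a direct spoof of the real domain, which DMARC does catch.
SPOOF_MSG = """\
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=example.com; dkim=none; dmarc=fail header.from=example.com
From: Payroll <payroll@example.com>
Subject: Your payslip
"""

TRUSTED_DOMAINS = {"example.com"}  # assumed: the organisation's own sending domains


def parse_auth_results(header: str) -> dict:
    """Map each method (spf, dkim, dmarc) to (result, domain-it-applies-to)."""
    results = {}
    for clause in header.split(";")[1:]:  # clause 0 is the authserv-id
        clause = clause.strip()
        m = re.match(r"(spf|dkim|dmarc)=(\w+)", clause)
        if not m:
            continue
        method, result = m.groups()
        dom = re.search(r"(?:smtp\.mailfrom|header\.d|header\.from)=(?:.*@)?([\w.-]+)", clause)
        results[method] = (result, dom.group(1).lower() if dom else None)
    return results


def organizational_domain(domain: str) -> str:
    # Simplification: treat the last two labels as the organisational domain.
    # Real DMARC consults the Public Suffix List; assumed adequate here.
    return ".".join(domain.split(".")[-2:])


def assess(raw_message: str) -> dict:
    """Return the authentication outcome plus whether the sender is a known domain."""
    msg = message_from_string(raw_message)
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    from_domain = parseaddr(msg.get("From", ""))[1].split("@")[-1].lower()
    org = organizational_domain(from_domain)

    spf_result, spf_dom = auth.get("spf", ("none", None))
    dkim_result, dkim_dom = auth.get("dkim", ("none", None))
    spf_aligned = spf_result == "pass" and spf_dom is not None and organizational_domain(spf_dom) == org
    dkim_aligned = dkim_result == "pass" and dkim_dom is not None and organizational_domain(dkim_dom) == org
    authenticated = spf_aligned or dkim_aligned  # relaxed alignment, as DMARC defines it

    return {
        "from_domain": from_domain,
        "authenticated": authenticated,
        "known_sender": org in TRUSTED_DOMAINS,
        # Authentication answers "did this domain send it?", never "is it safe?":
        # an unknown but fully authenticated sender still needs a human or an
        # isolation layer between the click and the payload.
        "needs_human_or_isolation": not (authenticated and org in TRUSTED_DOMAINS),
    }


if __name__ == "__main__":
    for name, sample in [("aligned", ALIGNED_MSG), ("lookalike", LOOKALIKE_MSG), ("spoof", SPOOF_MSG)]:
        print(name, assess(sample))
```

The spoofed message is the only one of the three that authentication rejects; the look-alike message is indistinguishable from the legitimate one on SPF, DKIM and DMARC alone, which is exactly the gap the paragraph above describes.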
Employers have added cyber training to the list of things employees need to do, designed to remind employees not to click on emails and links from people they don’t know and not to give out their passwords via their browser or over the phone. Education is important; however, we observe that a well-researched, socially engineered email to a targeted individual will bypass all detection layers and fool the recipient into clicking on the link or opening the attachment. There are numerous examples, from the fake AP tweet about a White House explosion that took $90bn off the US stock market, and the PageFair hack in 2015, through to the suspected Russian interference in the 2016 U.S. Presidential election, which highlight some of the impact that can be delivered via well-written spear phishing campaigns.
There are some universally accepted cyber rules employers should be considering. Attackers will keep sending emails to targets as long as they continue to get through. Technology will not stop them all. Humans will click on links that are compelling to them (a child at school, a bank issue, an iPhone backup issue, etc.), which ensures a high probability of their clicking on or opening a malicious email. Detection technologies will not stop all of these, and neither will training be remembered all of the time. Employees still need to do their jobs whilst walking on the cyber eggshells under their feet every day.
Clearly, the spear phishing issue isn’t being addressed fully by the infosec industry as a whole.
Isolation gives organisations the opportunity to link real-time awareness and training with the real-time clicking of links and attachments, whilst protecting employees and businesses. Every customer wants to stop their employees from handing over their credentials or opening a ransomware-laden document, in a manner that does not further complicate or hinder employee productivity at their workplace.