Definition & Overview of Phishing
Social engineering is an attempt to trick someone into revealing sensitive information (e.g. a password) or into taking an action that can lead to the compromise of systems or networks. Phishing, a specific type of social engineering, uses deceptive messages sent by malicious actors over a variety of communication channels (email, text messages, chat platforms, telephone calls, and more) to lure victims into visiting malicious websites or into providing sensitive information such as login credentials.
There are many phishing techniques, including spearphishing, vishing, pharming, evil twin attacks, website spoofing, and more. They are commonly used either to lure victims into giving up sensitive information (such as login credentials, customer information, or business IP) or to trick them into clicking a link or opening an attachment that executes malware and compromises the host system.
Example Techniques of Phishing Attacks
Phishing to Obtain Login Credentials
In phishing attacks used to obtain login credentials, malicious actors pose as trustworthy sources, such as work colleagues, acquaintances, or organisations, to lure victims into providing their login credentials. Malicious actors can use the compromised credentials (e.g. usernames and passwords) to gain access to enterprise networks (the hardware and software infrastructure that connects a company’s computers, servers, and other devices) or protected resources, such as email accounts.
How can you identify a phishing scam to obtain login credentials?
Techniques malicious actors commonly use to obtain login credentials include:
- Send targeted emails while posing as managers, trusted colleagues, or IT personnel to trick employees into disclosing their login credentials.
- Use smartphones or tablets and the Short Message Service (SMS), or messaging platforms such as Slack, Teams, Signal, WhatsApp, iMessage or Facebook Messenger, to send messages that lure users into divulging their login credentials.
- Tip: Organisations operating in hybrid work environments have fewer face-to-face interactions and frequent virtual exchanges; thus, users in these environments are more likely to be deceived by social engineering techniques tailored towards platforms they frequently use.
- Use voice over internet protocol (VoIP) services, which make it easy to spoof caller identification (ID), taking advantage of public trust in the security of phone services, especially landline phones.
Malware-based Phishing
In malware-based phishing attacks, malicious actors pose as trustworthy sources (e.g. colleagues, acquaintances, or organisations) to trick a victim into interacting with a malicious hyperlink or opening an email attachment to execute malware on host systems.
How can you identify malware-based phishing?
Techniques malicious actors commonly use to execute malware on host systems include:
- Send malicious links or attachments that cause a user to download malware, which gives the attacker initial access, gathers data through info-stealers, damages or disrupts systems or services, and/or escalates account privileges.
- Malicious actors may use free, publicly available tools (such as GoPhish or Zphisher) to facilitate spearphishing campaigns where individual users are targeted with specific and convincing lures.
- Malicious actors may send malicious attachments with macro scripts or messages with obfuscated or seemingly benign links that download malicious executables.
- Use smartphone or tablet apps, along with SMS, to send text messages or chats in collaboration platforms (e.g. Slack, Teams, Signal, WhatsApp, iMessage, and Facebook Messenger) that lure users into interacting with a malicious link or attachment that executes malware.
How Can Small and Medium Sized Businesses Protect Against Phishing Attacks?
Small and medium sized businesses should implement the following to reduce the likelihood of successful credential-phishing and malware-based phishing attacks:
Implement user training on social engineering and phishing attacks
Conduct training sessions that improve users' ability to recognise social engineering and phishing. Training should teach users how to spot suspicious emails and links, to avoid interacting with them, and why it matters to report any instance of opening a suspicious email, link or attachment, even after the fact, so that the organisation can respond before the attacker goes further.
Enable DMARC for received emails
Domain-based Message Authentication, Reporting, and Conformance (DMARC) builds on Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). SPF lets a domain owner publish in DNS which servers may send mail for the domain; DKIM lets the sending server sign each message with a key whose public half is published in DNS; DMARC then checks that a passing SPF or DKIM result is aligned with the domain shown in the message's From: header, and tells the receiver what to do when neither check passes. Ask your email provider to enforce DMARC on received mail. When the sender's domain publishes a policy of reject, mail that fails the checks is refused by the receiving mail server before delivery; with a policy of quarantine it is delivered to a spam or quarantine folder; with a policy of none it is delivered but reported to the domain owner.
Tip: Also publish DMARC records for your own domain(s), and move them to a policy of reject once SPF and DKIM are in place for every legitimate sender. This stops attackers sending mail that claims to come from your exact domain, because receivers that enforce DMARC reject the spoofed message before delivery. DMARC does not cover lookalike domains (for example a registered domain that differs from yours by one character), so user training and URL filtering are still needed for those.
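The following is an added example, not part of the original guidance, showing how a receiving mail server turns SPF and DKIM results into a DMARC verdict and a disposition. The DMARC records, domains and authentication results are constructed for the example; the organisational-domain logic is simplified to the last two labels rather than the Public Suffix List that real receivers use.

```python
from dataclasses import dataclass

# Constructed DMARC TXT records for hypothetical domains. The names here are
# assumptions for the example, not anyone's real published policy.
DMARC_RECORDS = {
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=s; aspf=r; "
                          "rua=mailto:dmarc-reports@example.com",
    "_dmarc.example.org": "v=DMARC1; p=none; rua=mailto:dmarc@example.org",
}


def parse_dmarc(record):
    """Split a DMARC TXT record into tag=value pairs and apply the defaults."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record")
    tags.setdefault("adkim", "r")  # DKIM alignment is relaxed unless the record says strict
    tags.setdefault("aspf", "r")   # same for SPF alignment
    return tags


def org_domain(domain):
    """Organisational domain, simplified to the last two labels. Real receivers
    use the Public Suffix List so that names like example.co.uk are handled."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict alignment needs an exact match; relaxed accepts the same organisational domain."""
    if mode == "s":
        return from_domain.lower().rstrip(".") == auth_domain.lower().rstrip(".")
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResults:
    from_domain: str  # domain in the From: header, which is what the reader sees
    spf_result: str   # "pass"/"fail"/... from checking the envelope sender's server
    spf_domain: str   # envelope sender (MAIL FROM) domain that SPF was checked against
    dkim_result: str  # "pass"/"fail"/... from verifying the DKIM signature
    dkim_domain: str  # d= tag of the DKIM signature


def lookup_policy(from_domain, records):
    """A receiver looks up _dmarc.<from domain>, then _dmarc.<organisational domain>."""
    rec = records.get("_dmarc." + from_domain.lower().rstrip("."))
    if rec is None:
        rec = records.get("_dmarc." + org_domain(from_domain))
    return rec


def dmarc_evaluate(auth, records=DMARC_RECORDS):
    """Return (dmarc_result, disposition) the way a receiving mail server decides it."""
    rec = lookup_policy(auth.from_domain, records)
    if rec is None:
        return "none", "deliver"  # no policy published, so DMARC cannot protect this domain
    tags = parse_dmarc(rec)
    spf_ok = auth.spf_result == "pass" and aligned(auth.from_domain, auth.spf_domain, tags["aspf"])
    dkim_ok = auth.dkim_result == "pass" and aligned(auth.from_domain, auth.dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    disposition = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}
    return "fail", disposition[tags["p"]]
```

Note the last case a practitioner should try: a lookalike domain with no DMARC record of its own gets a result of "none", which is why DMARC on your domain does not stop mail from a domain that merely resembles it.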
Implement strong password policies
A password policy is a set of rules that help protect data by requiring users to create strong passwords and then store and use them securely. These passwords must comply with a password strength policy that mandates a minimum length, the inclusion of numbers, special characters, and a mix of upper- and lower-case letters, and prohibits the reuse of previously used passwords.
Tip: Previous guidance often suggested organisations require password changes every 60, 90 or 120 days. However, users who have to change their password regularly tend to choose more memorable phrases or new passwords that are only minor variations of the old one, which are easier for attackers to crack. Instead, only change a user's password if there is evidence of compromise. A password management solution can alert you to compromise by scanning the dark web for credentials linked to your domain, and you can also search for compromised credentials through tools like "Have I Been Pwned?". You can further mitigate the risk of compromised accounts by using multi-factor authentication (MFA), which makes a compromised password far less useful to an attacker.
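As an added example (not part of the original guidance), the block below screens a candidate password against breach data using the Pwned Passwords range API published by "Have I Been Pwned?". Only the first five hexadecimal characters of the password's SHA-1 hash are sent; the full hash and the password itself stay on the machine. The API response used here is constructed so the example runs offline; the live fetch function is included for real use. The minimum length of 12 is an assumption for the example.

```python
import hashlib
import urllib.request

RANGE_API = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password):
    """k-anonymity split: the 5-character prefix is the only thing sent over the network."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def count_in_range_response(suffix, response_text):
    """Parse 'SUFFIX:COUNT' lines and return the count for our suffix, 0 if absent."""
    for line in response_text.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix.upper():
            return int(count)
    return 0


def pwned_count(password, fetch_range):
    prefix, suffix = split_for_range_query(password)
    return count_in_range_response(suffix, fetch_range(prefix))


def live_fetch_range(prefix):
    """Query the real API for one prefix; needs network access."""
    req = urllib.request.Request(RANGE_API + prefix,
                                 headers={"User-Agent": "password-screen-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed offline stand-in for the API. It contains the real suffix of the
# password "password" with a made-up count, plus filler lines in the API's format.
_WEAK_PREFIX, _WEAK_SUFFIX = split_for_range_query("password")
CONSTRUCTED_RESPONSES = {
    _WEAK_PREFIX: "\n".join([
        "0018A45C4D1DEF81644B54AB7F969B88D65:3",
        f"{_WEAK_SUFFIX}:9545824",
        "01E2AAA439E74B52B1D2D1A4A1B2C3D4E5F:1",
    ]),
}


def constructed_fetch_range(prefix):
    return CONSTRUCTED_RESPONSES.get(prefix, "")


def password_acceptable(password, fetch_range=constructed_fetch_range, min_length=12):
    """Length minimum plus a breach-list screen; returns (accepted, reason)."""
    if len(password) < min_length:
        return False, "shorter than the minimum length"
    seen = pwned_count(password, fetch_range)
    if seen:
        return False, f"appears {seen} times in breach data"
    return True, "ok"
```

To run this against the live service, pass `live_fetch_range` as `fetch_range`; the screening is most useful at password set and reset time, when the user can be asked to pick something else.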
Enable Strong forms of Multi-factor authentication (MFA)
Enabling strong multi-factor authentication (MFA) is the best way for small businesses to protect their internet-facing business accounts from phishing-related threats. MFA is a layered approach to safeguarding your online accounts and the sensitive information they hold. Once MFA is enabled for an online service (such as email), you must present two or more authenticators to prove your identity before the service grants access. MFA protects accounts far better than a username and password alone.
MFA reduces a malicious actor's ability to use compromised credentials for initial access. However, not all MFA is equal: there are strong forms and weak forms. These include:
Strong forms of MFA
Time-based One-time Password (TOTP): When you set up TOTP, you establish a "shared secret" with the service you intend to use. The shared secret is stored inside the authenticator app's data, sometimes protected by a password. A time-limited code is then derived from the shared secret and the current time. As each code is only valid for a short time, a malicious actor without access to the shared secret cannot generate new codes.
Tip: If you have a hardware security key with TOTP support (such as a YubiKey with Yubico Authenticator), store your "shared secrets" on the hardware. Hardware such as the YubiKey was designed to make the "shared secret" difficult to extract and copy. Unlike a phone with a TOTP app, a YubiKey is not connected to the Internet.
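The following is an added example, not code from the original guidance, showing what "derived from the shared secret and the current time" means in practice: the RFC 4226/6238 code generation, the enrolment URI an authenticator app scans, and the server-side check. The verifier shows two details the paragraph only implies: it tolerates one step of clock drift, and it refuses to accept a code from a time step that has already been used, so a code captured and replayed a few seconds later is rejected. The secret and account names are assumptions for the example.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote


def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the 8-byte counter, dynamic truncation, then mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP where the counter is the number of 30-second steps since the epoch."""
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(secret, int(unix_time) // step, digits)


def provisioning_uri(secret, account, issuer):
    """otpauth:// URI that authenticator apps read from the enrolment QR code. The
    shared secret is in it (base32), so the QR code must be treated as a secret too."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")


class TotpVerifier:
    """Server side: accept one adjacent time step of clock drift, but never accept a
    code for a time step at or before the last one already used (blocks replay)."""

    def __init__(self, secret, step=30, digits=6, window=1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_counter = -1

    def verify(self, code, unix_time):
        counter = int(unix_time) // self.step
        for candidate in range(counter - self.window, counter + self.window + 1):
            if candidate <= self.last_counter:
                continue  # already consumed: a replayed code fails here
            if hmac.compare_digest(hotp(self.secret, candidate, self.digits), code):
                self.last_counter = candidate
                return True
        return False
```

The test values below are the SHA-1 vectors from RFC 6238 Appendix B (secret "12345678901234567890"), so you can check the generator against the standard before trusting it with real enrolments.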
FIDO2 and WebAuthn: FIDO2 (Fast IDentity Online) with WebAuthn is the most secure form of MFA. The key does not generate a one-time password that is checked against a third-party server. Instead, it uses public key cryptography: the service sends a challenge and the key "signs" it with a private key that never leaves the key. The service stores only the matching public key, which is of no use to an adversary who steals it. Each credential is bound to the website (the relying party) it was registered for, so the browser will not produce a signature for a lookalike domain, and credentials cannot be correlated across different websites. The authentication exchange happens between the key and the website you are logging into, without any third-party cloud server being involved.
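As an added example (not part of the original guidance), the block below shows the checks a website performs on a WebAuthn assertion before verifying the signature, and why a relayed assertion from a lookalike site fails them. The browser records the page's origin inside the signed client data and the authenticator binds the credential to the relying-party ID, so both the origin check and the rpIdHash check fail if the exchange went through a phishing page. The browser and authenticator refuse such requests before any of this runs; these server-side checks are the second line of defence. The signature check itself over the returned bytes (ECDSA against the public key stored at registration) needs a cryptography library and is not shown. The challenge, origin and relying-party ID are assumptions, and the helpers that build client data and authenticator data are constructed stand-ins for what a browser and key produce.

```python
import base64
import hashlib
import hmac
import json
import struct


class WebAuthnError(Exception):
    pass


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def verify_assertion_structure(client_data_json, auth_data, expected_challenge,
                               expected_origin, rp_id, last_sign_count, require_uv=False):
    """Relying-party checks on an assertion. Returns (bytes_that_were_signed, new_sign_count);
    the caller then verifies the authenticator's signature over those bytes."""
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        raise WebAuthnError("wrong ceremony type")
    if not hmac.compare_digest(b64url_decode(client.get("challenge", "")), expected_challenge):
        raise WebAuthnError("challenge mismatch: replayed or unsolicited assertion")
    # Origin binding: the browser, not the page script, wrote this origin.
    if client.get("origin") != expected_origin:
        raise WebAuthnError(f"origin {client.get('origin')!r} is not {expected_origin!r}")
    if len(auth_data) < 37:
        raise WebAuthnError("authenticator data too short")
    # rpIdHash: the authenticator scoped this credential to one relying-party ID.
    if not hmac.compare_digest(auth_data[:32], hashlib.sha256(rp_id.encode()).digest()):
        raise WebAuthnError("rpIdHash mismatch: credential belongs to a different site")
    flags = auth_data[32]
    if not flags & 0x01:
        raise WebAuthnError("user presence not asserted")
    if require_uv and not flags & 0x04:
        raise WebAuthnError("user verification required but not performed")
    sign_count = struct.unpack(">I", auth_data[33:37])[0]
    if sign_count != 0 and sign_count <= last_sign_count:
        raise WebAuthnError("signature counter did not increase: possible cloned authenticator")
    signed = auth_data + hashlib.sha256(client_data_json).digest()
    return signed, sign_count


def assertion_verdict(*args, **kwargs):
    """Convenience wrapper returning (accepted, detail) instead of raising."""
    try:
        signed, count = verify_assertion_structure(*args, **kwargs)
        return True, f"ok: {len(signed)} bytes to signature-check, counter {count}"
    except WebAuthnError as err:
        return False, str(err)


# Constructed stand-ins for what the browser (client data) and the security key
# (authenticator data) produce; real values come from navigator.credentials.get().
def make_client_data(challenge, origin):
    return json.dumps({"type": "webauthn.get", "challenge": b64url_encode(challenge),
                       "origin": origin}).encode()


def make_auth_data(rp_id, flags=0x01, sign_count=1):
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)
```

The challenge must be fresh per login attempt and remembered server-side; the counter check is a bonus that catches a cloned key rather than a phishing defence.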
Tip: Backup! You should always have backups for your MFA method. Hardware security keys can get lost, stolen or simply stop working over time. It is recommended that you have a pair of hardware security keys registered with the same access to your accounts, rather than relying on just one. When using TOTP with an authenticator app, be sure to back up your recovery codes, the app itself, or copy the "shared secrets" to an alternate instance of the app on a separate device or into an encrypted container.
Tip: Prioritise phishing-resistant MFA like FIDO and WebAuthn for administrator and privileged user accounts, such as those with access to e-discovery tools or broad access to customer or financial data.
Weak forms of MFA
Push-notification MFA without number matching: Malicious actors who already hold a user's password can send numerous "push requests" for approval until the user accepts one, often by accident or in frustration (sometimes called push bombing or MFA fatigue). If number matching is not enabled, that approval lets the malicious actor authenticate with the compromised credentials. Number matching requires the user to type the number shown on the login screen into the app, so a push generated by the attacker's login attempt cannot be approved with a single tap.
SMS or voice MFA: Malicious actors can convince cellular carrier representatives to transfer control of a user's phone number to them, so that they receive any SMS or call-based MFA codes; this is often referred to as a SIM swapping attack. Users can also be tricked by emails with links to fake websites that imitate a company's genuine login portal. The user unknowingly enters their username, password, and 6-digit MFA code, which the malicious actors relay to the legitimate login portal to sign in as the user.
But any MFA is better than no MFA. If you can't currently implement phishing-resistant MFA such as FIDO2 and WebAuthn, consider Time-based One-time Password (TOTP) MFA, which is immune to push bombardment and SIM swapping. Be aware that a TOTP code can still be captured by the fake-login-portal attack described above if the attacker relays it to the real site within the code's validity window, so TOTP is not phishing-resistant.
Implement protective DNS resolvers
To prevent cyber threat actors from redirecting users to malicious websites to steal their credentials, implement a protective DNS resolver. Every time a user enters a web address into a browser, the computer uses the Domain Name System (DNS) to translate the site's domain name into an IP address, and a DNS resolver is the service that answers those requests. A protective DNS resolver refuses to resolve, or redirects, domains known to be malicious, so devices within your network cannot reach them. Protective resolvers with stronger security features, such as Quad9, use threat intelligence to give a real-time view of which websites are safe and which are known to host malware or other threats. Note that a browser or device configured to use its own DNS-over-HTTPS resolver bypasses the network's resolver, so point browsers and endpoints at the protective resolver as well.
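As an added example, not part of the original guidance, the block below shows the policy step a protective resolver applies to each query: normalise the name, check an exact entry, then walk up the parent domains so a wildcard entry covers every name beneath it, with an allowlist for operator exceptions. Blocked names either get a name-not-found answer or are sent to a sinkhole address, and each decision is logged, which is what lets you spot a user who clicked a lure even though the connection was stopped. The blocklist, allowlist and upstream answers are constructed; the .example domains and 192.0.2.0/24 addresses are reserved for documentation.

```python
# Constructed policy in the spirit of a response policy zone: exact names map to an
# action, and "*."-prefixed entries cover every name under that domain (the apex
# needs its own entry, as it does in a real zone).
BLOCKLIST = {
    "secure-login-portal.example": "nxdomain",        # credential-harvesting page
    "malware-cdn.example": "sinkhole",                # domain that hosts droppers
    "*.malware-cdn.example": "sinkhole",              # and everything beneath it
    "*.bad-subdomain.good-site.example": "nxdomain",  # one subtree of an otherwise fine domain
}
ALLOWLIST = {"status.malware-cdn.example"}            # operator exception, wins over wildcards
SINKHOLE_ADDRESS = "0.0.0.0"

# Constructed upstream answers so the example runs offline.
UPSTREAM_TABLE = {
    "www.good-site.example": "192.0.2.10",
    "status.malware-cdn.example": "192.0.2.20",
}


def normalise(qname):
    """DNS names are case-insensitive and may arrive with a trailing dot."""
    return qname.strip().lower().rstrip(".")


def policy_action(qname, blocklist=BLOCKLIST, allowlist=ALLOWLIST):
    """Return the configured action for a name, or None if no policy applies."""
    name = normalise(qname)
    if name in allowlist:
        return None
    if name in blocklist:
        return blocklist[name]
    labels = name.split(".")
    # Walk up the parents: a.b.malware-cdn.example matches "*.malware-cdn.example".
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in blocklist:
            return blocklist[wildcard]
    return None


def resolve(qname, upstream, log):
    """Return (rcode, address) as the client would see it, recording blocks in log."""
    name = normalise(qname)
    action = policy_action(name)
    if action == "nxdomain":
        log.append(f"BLOCK nxdomain {name}")
        return "NXDOMAIN", None
    if action == "sinkhole":
        log.append(f"BLOCK sinkhole {name}")
        return "NOERROR", SINKHOLE_ADDRESS
    return "NOERROR", upstream(name)


def constructed_upstream(qname):
    return UPSTREAM_TABLE.get(normalise(qname), "192.0.2.1")
```

When choosing a commercial or public protective resolver, the equivalent of this log (which queries were blocked, from which device) is the feature to ask about, since it turns a blocked click into an incident you can follow up.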
Incorporate denylists at the email gateway and enable firewall rules
Use denylists to block access to known malicious domains, URLs, and IP addresses, and to block attachments with file extensions such as .scr, .exe, .pif, and .cpl, as well as files whose contents do not match their extension (e.g. an .exe file that has been renamed to .doc). Most business email providers allow you to set up denylists and enable firewall rules.
Implement file restriction policies
Implement file restriction policies on operating systems and web browsers that prevent high-risk file types (e.g. .exe or .scr) from being downloaded and executed. These types of files are unnecessary for daily operations and should be heavily restricted on standard business accounts.
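The following is an added example, not code from the original guidance, covering the attachment side of the two preceding controls: it blocks the high-risk extensions named above, catches an executable that has been renamed (e.g. .exe labelled as .doc) by reading the file's leading bytes rather than trusting its name, blocks double extensions and the right-to-left override trick that makes a name display with a different extension, and holds macro-capable Office documents for review. The extension sets and magic-byte table are assumptions kept deliberately short; a production gateway would use a full file-type library and would also open archives.

```python
import posixpath

# Extensions the guidance lists, plus other types that execute when opened.
# Assumption: the business has no legitimate need to receive these by email.
HIGH_RISK_EXTENSIONS = {"exe", "scr", "pif", "cpl", "com", "bat", "cmd", "js", "jse",
                        "vbs", "vbe", "wsf", "hta", "msi", "ps1", "lnk", "iso"}
# Office formats that can carry VBA macros (the macro lure mentioned in the text).
MACRO_CAPABLE = {"doc", "dot", "xls", "xlt", "ppt", "docm", "dotm", "xlsm", "xlam", "pptm"}
RTLO = "\u202e"  # right-to-left override: "invoice\u202efdp.exe" displays as "invoiceexe.pdf"

# Leading bytes of a few container formats; a constructed, deliberately short table.
MAGIC = [
    (b"MZ", "pe"),                                 # Windows executable (.exe/.scr/.pif/.cpl/.dll)
    (b"\x7fELF", "elf"),                           # Linux executable
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),                        # also OOXML Office files and .jar
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),  # legacy binary Office files
]
# Declared extensions that are consistent with each detected container.
CONSISTENT = {
    "pe": set(), "elf": set(),  # executables are blocked whatever they are called
    "pdf": {"pdf"},
    "zip": {"zip", "docx", "dotx", "docm", "xlsx", "xlsm", "pptx", "pptm", "jar"},
    "ole": {"doc", "dot", "xls", "xlt", "ppt", "msg"},
}


def extensions_of(filename):
    """All extensions of the base name, lower-cased: 'Invoice.PDF.scr' -> ['pdf', 'scr']."""
    base = posixpath.basename(filename.replace("\\", "/")).strip().lower()
    return base.split(".")[1:]


def detect_container(data):
    """Identify the container from its leading bytes, or None if unrecognised."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return None


def screen_attachment(filename, data):
    """Return (verdict, reason); verdict is 'allow', 'quarantine' or 'block'."""
    if RTLO in filename:
        return "block", "right-to-left override character in filename"
    exts = extensions_of(filename)
    declared = exts[-1] if exts else ""
    if declared in HIGH_RISK_EXTENSIONS:
        return "block", f"high-risk extension .{declared}"
    if any(ext in HIGH_RISK_EXTENSIONS for ext in exts[:-1]):
        return "block", "high-risk extension hidden in a double extension"
    kind = detect_container(data)
    if kind in ("pe", "elf"):
        return "block", f"executable content labelled .{declared or '(none)'}"
    if kind and declared not in CONSISTENT[kind]:
        return "block", f"{kind} content does not match extension .{declared or '(none)'}"
    if declared in MACRO_CAPABLE:
        return "quarantine", "macro-capable Office document, hold for review"
    return "allow", "no rule matched"
```

A .zip that passes here can still contain an executable, which is why gateways recurse into archives and why the endpoint policy from the previous paragraph is needed as well as the gateway rule.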
Restrict users from having administrative rights
Users with administrative rights for operating systems and software applications can make significant changes to their configuration and operation, bypass critical security settings, and access sensitive data. Removing administrative rights from users who do not need them, or need them only occasionally, makes it harder for malicious actors to reach administrator or privileged access should those user accounts be compromised. User privileges should be re-evaluated on a recurring basis to validate the continued need for their given set of permissions. If you currently grant admin privileges to all or some users within your organisation, review those rights as soon as possible.
Ensure that software applications are set to automatically update
Configure software applications to update automatically, so that software across the network is always on the most recent version. This is a crucial measure for protecting an organisation's software from exploitation by malicious actors, because it closes known vulnerabilities as soon as the vendor releases a fix.