Phast and Phurious: Phishing Exploits in 2016

We live in a world of constant cyber attacks. Every day I talk to IT security teams, CISOs, CIOs, analysts, reporters and more about the nuances of how to protect against attack and how to try to stay ahead of cyber criminals.

These discussions often focus on some pretty advanced attacks, which often have equally advanced solutions to fight them. We spend a lot of time at whiteboards drawing networks and highlighting vulnerabilities, and we draw an inordinate number of proxies, next-gen firewalls and plain ol’ (last gen?) firewalls. Companies spend a lot of money continuing to bolster the network perimeter against attack.

But many of the folks I talk to are starting to see the new trend in cyberthreats. Attackers know that we are spending more than ever on perimeter defenses. They know that trying to break through all those defenses is tough, and takes a lot of planning, a ton of skill and a fair bit of luck. It’s like a caper movie – criminals have to plan how to tunnel under the bank vault, cut through the steel, truck out the money and avoid the security cameras – all in the tiny window of time when the security guard stops watching the monitors to enjoy a French dip. It ain’t easy.

All that planning, all that drama – it makes a good movie. But it’s a lot of work.

It’s the same thing in cyber attacks. We like to think of the hoodie-wearing, basement black hat, with a bunch of monitors and cascading Tor connections, slicing his way through networks in real time, competing against some unseen IT force in a battle of skill and will…

But nope. It’s way less sexy.

Attackers these days know it’s hard to break through perimeter defenses – so they don’t. They walk right through the front door – they steal usernames and passwords, and just log right in. As if, in Ocean’s 11, Frank Sinatra and Dean Martin could just magically look, act and talk just like security guards – and walk right into the vault.

See – not a very exciting movie. But it sure is easy.

What’s this all got to do with phishing? Well, that’s the start of tons of recent successful cyberattacks. Attackers know tricking a human into giving away their password is way easier than breaking through a network. So they are pouring effort into better and better phishing scams.

I was just targeted with an email that looked like an automated Office 365 message. It looked awfully legit – because it was! It contained exactly the right text, images and layout, but didn’t come from Microsoft at all. Even the email address was spoofed pretty well. Apparently I was supposed to check on the status of a recovery job in webmail… but I had never scheduled such a job. And when I moused over the link (lucky I was looking at it on my laptop and not mobile) I could see the link was phishy – headed to a close-but-not-quite domain.

I wasn’t fooled. And I’m glad. But this was an easy one. Other attacks – so-called spear-phishing – are WAY harder to spot.
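The hover check described above can be automated for the easy case. The sketch below is an added example, not part of the original post: it pulls the links out of an HTML mail body and flags hosts that are close to, but not the same as, a trusted domain. The trusted list, the sample message and every domain in it are constructed placeholders under reserved TLDs.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: placeholder allow-list standing in for the domains your mail
# provider's notifications really link to.
TRUSTED = {"contoso.example", "contoso-mail.example"}

class _Links(HTMLParser):
    """Collect the href of every <a> tag (the target a mouse-over would show)."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registered_domain(host):
    # Simplification: last two labels. Production code needs the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def classify(url, trusted=TRUSTED, max_dist=2):
    host = urlsplit(url).hostname or ""
    dom = registered_domain(host)
    if dom in trusted:
        return "trusted"
    if any(label.startswith("xn--") for label in host.split(".")):
        return "lookalike"   # punycode label: possible homoglyph spelling
    if any(edit_distance(dom, t) <= max_dist for t in trusted):
        return "lookalike"   # a character or two away from a trusted name
    if any(t in host for t in trusted):
        return "lookalike"   # trusted name used as a prefix of another domain
    return "unknown"

def suspicious_links(html):
    parser = _Links()
    parser.feed(html)
    return [u for u in parser.hrefs if classify(u) == "lookalike"]

# Constructed sample body: one genuine link, two lookalikes, one unrelated link.
SAMPLE = """<p>Your recovery job has finished.</p>
<a href="https://portal.contoso-mail.example/recovery/status">View status</a>
<a href="https://portal.contoso-rnail.example/recovery/status">View status</a>
<a href="https://contoso-mail.example.login-check.test/status">Sign in</a>
<a href="https://newsletter.invalid/unsubscribe">Unsubscribe</a>"""
```

A check like this only catches the close-but-not-quite domain; a spear-phishing link on an unrelated or compromised legitimate domain comes back as "unknown", not "lookalike".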

In this era of social networking in business, it’s pretty easy to find out a lot about a prospective target. I could, if I were some kind of ne’er-do-well, craft an email to an executive that would be pretty compelling…

LinkedIn is a good place to start. Who are the execs at a juicy target? Then a quick Google search of that company, and the industry trade shows they might participate in, will often net a couple of speaking engagements or even sponsorships for events.

Just using this info, I now know real names, real events and most importantly – real “initiatives” within that target company. I can email someone, pretend I am part of the show staff, and include an attachment that purports to detail a billing change, or a speaking session timing change, or a show floor map change… and that attachment will VERY likely get clicked.

If I have a rootkit in that attachment that preys on out-of-date browser plugins… I can compromise a computer. Then I can install software to take packet captures of network traffic, and look for cleartext passwords. Or much, much worse…

And with those passwords, I am in. I now live in the corporate network, lying in the grass, collecting more and more passwords, to get more and more access to more and more machines and databases, and customer records. It’s real. It’s happening every day. Heck, it’s easy.

But we in the security space are spending our dollars on more firewalls…

It’s time to rethink our spend, and our attack surface. It’s time to just agree that the attackers are IN our networks now. It’s time to bolster our defenses where it matters and stop simple passwords from being all that’s between attackers and our sensitive data.

Let’s bring back the old days – when cybercriminals had to be smart. Let’s raise the bar by implementing MFA everywhere, and thwarting password-based attacks. Let’s limit privilege, and eliminate passwords with SAML and OAuth. When the attacks have to turn back into capers, the attackers have to get a lot more sophisticated. And that means fewer of them. And that should mean they are easier to spot, easier to stop and easier to catch.

The attackers are hell-bent on stealing our passwords, and we’ll never be able to stop them from tricking every employee. So let’s instead focus on making sure that stolen passwords don’t allow access to our systems – let’s also implement MFA.
