Phishing has been a top cyber threat for decades. Relying as it does on duping employees into clicking links, opening attachments and/or sharing important information, it remains an evergreen tactic for threat actors.
One report from January 2024 found that 94% of cyber decision-makers had to deal with a phishing attack in 2023. In order to circumvent phishing filters and trick more savvy users, malicious actors are designing new sophisticated campaigns.
Phishing is a prime example of the arms race between defenders and attackers that characterizes the threat landscape. One side innovates and the other responds in kind.
The good news is that there are ways to mitigate the threat, if organizations focus on the basics of people, process and technology.
How Phishing Is Evolving
At its heart, phishing is a con trick. Attackers use classic social engineering tactics – such as impersonating trusted entities and brands coupled with creating a sense of urgency – to persuade the victim into doing their bidding.
The end goal is usually to install malware via a malicious link or attachment, or to trick the victim into entering personal/financial information or logins.
As such, phishing is a common method of initial compromise. Research has revealed it is the second-most popular ransomware attack vector after remote access compromise.
Tried-and-tested phishing tactics include hijacking sender email/social media accounts, spoofing sender domains or phone numbers, using official logos and lookalike websites, and conducting reconnaissance for highly targeted spear-phishing attempts.
Threat actors are innovating, according to Sophos X-Ops principal researcher Andrew Brandt.
“The latest campaigns we’ve seen incorporate the design and styling of email from legitimate companies like Adobe or DocuSign – not just logos, but whole stylesheets mimicked. The phishing pages themselves are also increasingly difficult to identify as phishing sites,” he tells Infosecurity.
“For instance, the Tycoon Phishing-as-a-service (PhaaS) framework puts a real login dialog box inside of an iframe on a page the phisher controls. The dialog box looks identical to a Microsoft365 login screen because it is – but due to the way the phishing kit frames the dialog box, the attacker is able to immediately extract whatever text you enter into the login dialog box.”
Stay Ahead of Phishing Threats: Three Novel Campaigns
Blended vishing and phishing
An employee of a Swiss organization was called out of the blue by a threat actor posing as a delivery driver with an ‘urgent’ package.
Claiming no one was there to receive his delivery, he said the employee would have to read aloud a code the ‘shipping company’ would email.
A phishing email duly arrived while the employee was still on the phone, with the code apparently located in a PDF attachment.
There was no attachment at all: the “PDF” was a hyperlinked graphic embedded in the message body, designed to look like an Outlook message with a file attached.
Clicking the image sent the user, via Outlook, to a benign website hosting a webpage redirection script.
This in turn took the user to a site hosting malware which installed on their machine and allowed for remote control.
The web redirects and the absence of a malicious attachment helped to bypass phishing filters, while the phone call added legitimacy to the phishing backstory.
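One way to catch the “picture of an attachment” trick described above is to look for HTML messages that carry no real attachment but contain a hyperlinked image whose alt text names a document and whose link leaves the sender’s domain. The check below is an added example, not code from the article or from any mail-security vendor; the message it parses is constructed, and the sender and link domains are made up.

```python
"""Flag HTML emails whose only "attachment" is a hyperlinked image.

Added example (not from the article). Assumes the message is available as
an RFC 822 string and that a document-looking image linking off the sender's
domain, in a message with no real attachment, is suspicious. The sample
messages below are constructed.
"""
import email
import email.utils
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed lure: text/html body, no MIME attachment, an <a><img></a> that
# imitates an attached PDF and links to an off-domain redirector.
SAMPLE_EML = """From: dispatch@shipping-example.test
To: staff@victim.example
Subject: Delivery code for your package
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your delivery code is in the attached document.</p>
<a href="https://benign-redirector.example/go?id=123">
  <img src="cid:attachment.png" alt="Delivery_Code.pdf"></a>
</body></html>
"""

# Constructed benign message: linked banner image that stays on the sender's domain.
SAMPLE_CLEAN_EML = """From: news@shipping-example.test
To: staff@victim.example
Subject: Newsletter
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><body><a href="https://www.shipping-example.test/news"><img src="cid:banner" alt="banner"></a></body></html>
"""

DOC_SUFFIXES = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".zip")


class LinkedImageFinder(HTMLParser):
    """Collect every <img> nested inside an <a href=...> as (href, alt)."""

    def __init__(self):
        super().__init__()
        self._current_href = None
        self.linked_images = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self._current_href = attrs["href"]
        elif tag == "img" and self._current_href:
            self.linked_images.append((self._current_href, attrs.get("alt") or ""))

    def handle_endtag(self, tag):
        if tag == "a":
            self._current_href = None


def real_attachments(msg):
    """MIME parts the sender actually attached (Content-Disposition: attachment)."""
    return [p for p in msg.walk() if p.get_content_disposition() == "attachment"]


def find_fake_attachment_lures(raw_eml):
    """Return link targets of document-looking linked images in a message with no attachment."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    if real_attachments(msg):
        return []  # a genuine attachment is a different, well-handled case
    sender_domain = email.utils.parseaddr(str(msg["From"]))[1].rsplit("@", 1)[-1].lower()
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    finder = LinkedImageFinder()
    finder.feed(body.get_content())
    suspicious = []
    for href, alt in finder.linked_images:
        host = (urlparse(href).hostname or "").lower()
        off_domain = host and host != sender_domain and not host.endswith("." + sender_domain)
        if off_domain and alt.lower().endswith(DOC_SUFFIXES):
            suspicious.append(href)
    return suspicious
```

The check deliberately fires on the combination (no real attachment, image posing as a document, link leaving the sender’s domain) rather than on any one signal; a follow-up stage would fetch the link target in a sandbox to walk the redirect chain, which this offline example does not do.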
MFA Bypass
Phishing kits offer threat actors a simple way to launch large-scale, sophisticated attacks, capable of circumventing multifactor authentication (MFA) with so-called adversary-in-the-middle (AiTM) techniques, in which the phishing site sits as a proxy between the victim and the real login service.
The new Tycoon 2FA service has been behind multiple campaigns since December 2023. It works as follows:
- Victim clicks on malicious link in an email body/attachment. Often the email spoofs a tech company/service like Adobe or DocuSign
- Victim is redirected to a Cloudflare Turnstile challenge designed to filter out bot traffic
- In the background, JavaScript code extracts victim’s email to help customize the attack
- Victim is redirected to another web page on the same phishing domain
- They are presented with a fake Microsoft login page designed to steal credentials
- The victim is then presented with a fake MFA challenge. The kit relays the credentials and MFA response to the real service in real time, captures the resulting session cookie, and lets the threat actors “replay” that authenticated session, bypassing MFA
- The victim is redirected to a legitimate-looking page intended to assuage any fears they have been phished
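Because the AiTM kit relays the genuine login and keeps the session cookie, the signal defenders have is that a session issued after an MFA sign-in is later presented from a different client context. The script below, an added example that is not from the article or from any vendor product, runs that check over constructed sign-in telemetry; the field names (`sid`, `ip`, `ua`, `mfa`) and the IP addresses are assumptions, not a real log format.

```python
"""Spot an AiTM-style session-cookie replay in sign-in telemetry.

Added example (not from the article). Assumes telemetry in which each
MFA-completed sign-in and each later request carry a session identifier,
source IP and user agent. The events below are constructed, not real data.
"""
from datetime import datetime, timedelta

# Constructed events, oldest first.
# sess-a: the victim completes MFA through the phishing proxy; minutes later the
#         captured cookie is used from attacker infrastructure with another browser.
# sess-b: an ordinary user whose client context never changes.
EVENTS = [
    {"t": "2024-03-05T09:00:00", "type": "signin", "user": "alice", "sid": "sess-a",
     "mfa": True, "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0) Edge/122"},
    {"t": "2024-03-05T09:06:00", "type": "request", "user": "alice", "sid": "sess-a",
     "ip": "198.51.100.77", "ua": "Mozilla/5.0 (X11; Linux x86_64) Chrome/121",
     "path": "/mail/rules"},
    {"t": "2024-03-05T09:10:00", "type": "signin", "user": "bob", "sid": "sess-b",
     "mfa": True, "ip": "192.0.2.20", "ua": "Mozilla/5.0 (Macintosh) Safari/17"},
    {"t": "2024-03-05T09:12:00", "type": "request", "user": "bob", "sid": "sess-b",
     "ip": "192.0.2.20", "ua": "Mozilla/5.0 (Macintosh) Safari/17", "path": "/files"},
]


def find_session_replays(events, window=timedelta(hours=24)):
    """Return one finding per request whose source IP differs from the IP that
    completed the MFA sign-in for the same session within `window`."""
    issued = {}  # sid -> (sign-in time, ip, user agent, user)
    findings = []
    for e in sorted(events, key=lambda ev: ev["t"]):
        when = datetime.fromisoformat(e["t"])
        if e["type"] == "signin" and e.get("mfa"):
            issued[e["sid"]] = (when, e["ip"], e["ua"], e["user"])
            continue
        if e["type"] != "request" or e["sid"] not in issued:
            continue
        t0, ip0, ua0, user = issued[e["sid"]]
        if e["ip"] != ip0 and when - t0 <= window:
            findings.append({
                "user": user,
                "sid": e["sid"],
                "signin_ip": ip0,
                "replay_ip": e["ip"],
                "ua_changed": e["ua"] != ua0,   # a second browser raises confidence
                "seconds_after_mfa": int((when - t0).total_seconds()),
                "path": e["path"],
            })
    return findings


if __name__ == "__main__":
    for f in find_session_replays(EVENTS):
        print(f)
```

Two caveats for production use. First, an IP change alone is noisy (mobile users roam), so the user-agent change and the sensitivity of the path (mailbox rules, MFA settings) should drive severity. Second, in an AiTM sign-in the “sign-in IP” is the proxy’s, not the victim’s, so the earlier signal is an MFA-completed sign-in from infrastructure the user has never used; a conditional-access policy that binds tokens to managed devices removes the replay possibility rather than merely detecting it.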
QR phishing (quishing)
QR codes are increasingly used to disguise malicious links, win the confidence of users and nudge them into using personal devices (to scan the code) that are less well secured than PCs.
Malicious QR codes are normally directly embedded in emails. But one recent campaign hid it in a PDF attachment. It worked like this:
- Victim receives email designed with a “tax season” theme, creating urgency to open the PDF
- They scan the malicious QR code embedded in the attachment, typically with a personal mobile device
- Victim is presented with a Cloudflare CAPTCHA landing page to bypass detection tools and add legitimacy
- User solves CAPTCHA challenge and is directed to phishing page designed to harvest credentials
How to Stay Safe from Phishing Attacks
Despite the growing complexity and sophistication of attacks, there is a way for CISOs to respond effectively, by blending advanced tools with improvements to their security awareness training.
Layered Security
“On the technology front, a layered security approach is key. Endpoint detection and response (EDR) solutions, behavioral analytics and machine learning can identify and block anomalous activities. Regular vulnerability scans, prompt patching, and reliable backup and recovery solutions are also essential components of a strong defence,” KnowBe4 lead security awareness advocate, Javvad Malik, tells Infosecurity.
“Robust incident response processes are equally important. Procedures for reporting, investigating, and mitigating unusual or zero-day threats should be established and regularly reviewed to keep pace with the changing threats,” he added.
Be Alert to MFA Bypass
Sophos X-Ops’ Brandt added that organizations must also be alert to MFA bypass and interception.
“For your most sensitive accounts, a time-based one-time password (TOTP) MFA like an authenticator app is far safer than using your mobile phone number to get an SMS text message,” he told Infosecurity. “However, the safest form of MFA is known as a FIDO2 key, a small USB device that stores the sensitive cryptographic keys inside of itself, in a way that can’t be leaked unless the physical FIDO2 device is stolen.”
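The practical difference between the two factors Brandt compares is that a TOTP code is just a number the victim can be talked into typing on the wrong site, while a FIDO2/WebAuthn assertion is signed over the origin the browser is actually on and over the relying party ID, so a proxy cannot forward it. The simulation below is an added example, not code from the article, Sophos or any vendor. The TOTP half follows RFC 6238 with the standard library; the WebAuthn half is a simplification in which the authenticator’s signature is modelled with an HMAC keyed by a per-credential secret the relying party also holds (a real authenticator signs with an asymmetric key), which is enough to show the origin and RP-ID checks. The domains, secrets and challenge are constructed.

```python
"""Why a relayed TOTP code passes through an AiTM proxy but a FIDO2/WebAuthn
assertion does not.

Added example (not from the article or any vendor). TOTP is RFC 6238 with
HMAC-SHA1. The WebAuthn assertion is simplified: an HMAC keyed by a
per-credential secret stands in for the authenticator's asymmetric signature.
RP_ID, PHISH_ORIGIN and all secrets are constructed.
"""
import base64
import hashlib
import hmac
import json
import struct

RP_ID = "login.example"                      # the real service (assumed)
PHISH_ORIGIN = "https://login-example.test"  # the attacker's proxy (assumed)


def _b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


# ---- TOTP (RFC 6238: 30 s step, 6 digits, HMAC-SHA1) ----
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp_server_accepts(secret: bytes, code: str, unix_time: int) -> bool:
    # The server has no way to know where the user typed the code.
    return hmac.compare_digest(totp(secret, unix_time), code)


# ---- WebAuthn-style assertion (simplified) ----
def authenticator_sign(cred_secret: bytes, origin_seen_by_browser: str, challenge: bytes) -> dict:
    """The browser writes the origin it is really on into clientDataJSON; the
    authenticator then signs authenticatorData || SHA256(clientDataJSON)."""
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": _b64url(challenge),
        "origin": origin_seen_by_browser,
    }, sort_keys=True).encode()
    # rpIdHash(32) || flags(1) || signCount(4); rpIdHash fixed to RP_ID for simplicity
    auth_data = hashlib.sha256(RP_ID.encode()).digest() + b"\x05" + b"\x00\x00\x00\x01"
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(cred_secret, signed, hashlib.sha256).digest()  # stands in for ECDSA
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}


def rp_verify(cred_secret: bytes, assertion: dict, expected_challenge: bytes):
    """Relying-party checks in the order the WebAuthn spec lists them (abridged)."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != _b64url(expected_challenge):
        return False, "challenge mismatch"
    if cd.get("origin") != "https://" + RP_ID:
        return False, "origin mismatch: " + str(cd.get("origin"))
    if assertion["authenticatorData"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    signed = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(cred_secret, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def aitm_relay(totp_secret: bytes, cred_secret: bytes, now: int) -> dict:
    """Simulate the proxy forwarding each factor to the real service."""
    # Factor 1: victim types the TOTP code into the phishing page; proxy forwards it.
    code_typed_by_victim = totp(totp_secret, now)
    totp_ok = totp_server_accepts(totp_secret, code_typed_by_victim, now)
    # Factor 2: real service issues a challenge; proxy forwards it; the victim's
    # browser signs it on the phishing origin; proxy forwards the assertion back.
    challenge = hashlib.sha256(b"constructed-challenge").digest()
    assertion = authenticator_sign(cred_secret, PHISH_ORIGIN, challenge)
    ok, why = rp_verify(cred_secret, assertion, challenge)
    return {"totp_relayed": totp_ok, "webauthn_relayed": ok, "webauthn_reason": why}
```

In a real browser the failure happens even earlier: the phishing page cannot ask for a credential scoped to `login.example` at all, because the browser only allows an RP ID that is a registrable suffix of the page’s own origin, so the authenticator never finds a matching key. The origin check shown here is the relying party’s backstop for the same property.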
Training and Simulation
When it comes to training, simulated exercises that are regularly updated are vital to get staff familiar with the ever-changing nature of phishing scams, he adds. However, such programs are not a silver bullet, added Proofpoint EMEA cybersecurity strategist, Matt Cooke.
“Our data reveals that 96% of individuals knowingly engage in risky behavior, indicating a gap between knowledge and action. The real challenge lies in how we can effect behavioral change. It's not about making security easier, but about instilling the importance of choosing security over convenience,” he told Infosecurity.
“Reducing security friction is crucial to this. Overly complex or lengthy processes will cause user frustration and resistance, which isn’t going to benefit an organization’s security culture. It's important to identify where security controls create bottlenecks and work to alleviate them.”
Encouraging positive reinforcement for those who avoid risky actions and report suspicious emails can help to create the right culture, Cooke added.
“Going one step further and utilizing advocates or champions in promoting best practices and providing peer support shouldn’t be overlooked,” he said. “While this may sound like a basic step, designated advocates can foster trust, increase engagement, and contribute to a positive and collaborative security culture.”
Conclusion
Threat actors are nothing if not adaptable. As one avenue closes, they will work tirelessly to find new ways to achieve their goals.
When it comes to phishing, this might involve blending phone (vishing) with traditional email-based forms of social engineering. Or using QR codes to bypass traditional filters. Or new tools to circumvent MFA.
Although they have the element of surprise, and access to ready-made phishing kits to launch advanced campaigns, there is hope. By building an effective security program and culture around people, process and technology, CISOs can stop scammers in their tracks, and empower employees to be a formidable last line of defense.