Speaking at Black Hat USA in a session titled 'Deconstructing the Phishing Campaigns that Target Gmail Users,' Elie Bursztein, security and anti-abuse research lead at Google, and Daniela Oliveira, associate professor at the University of Florida, said that “phishing is 45 times more dangerous than having your data exposed.”
Bursztein said that phishing is an ever-evolving target: every day Gmail blocks over 100 million phishing emails, which it categorizes into three levels of sophistication. At the top is spear phishing, described as an “extreme case of sophistication and highly targeted.” In the middle is boutique phishing: crafted campaigns aimed at specific individuals within organizations. At the bottom is bulk phishing, typically mass campaigns spread through botnets.
“Phishing is adversarial, the attacker is shifting and messages keep being changed,” Bursztein added, highlighting a series of phishing messages from the last decade which were all different and have refined colour, shape and appearance to better avoid detection.
“Of the 100 million phishing emails we blocked, 68% had never been seen before,” he said. “It doesn’t mean that they are radically different, it just means that the adversaries have tweaked them in a way so they are not exactly the same.”
He said that every day, the system has to account for two-thirds of data that it has never seen before “and this is the difficulty with phishing, where the attacker keeps changing the content.”
The research also showed that a boutique email has a lifespan of around seven minutes from when it is first seen, while a bulk campaign’s life is 13 hours.
“A phishing campaign today is very different from what we will see tomorrow, so we have to take this context and keep investing in better detection techniques,” he said.
Bursztein also pointed out that phishing is targeted, and said that people with a business email address are 4.8 times more likely to receive a phishing email. “Why? Because phishers are selective,” he said. “Remember, they are financially motivated, so for the highest target, business email compromise is the main problem.”
He added that, to better educate users, Gmail shows a yellow banner as a “soft warning” on messages it cannot confirm are phishing, so that the user makes the final decision.
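The two points above (most blocked messages are tweaked variants of earlier ones, and uncertain cases get a soft warning rather than a hard block) can be illustrated with a small tiered disposition policy. The code below is an added example written for this article; it is not Gmail's classifier and makes no claim about how Google scores messages. It normalizes away the surface features an attacker changes between sends (case, URLs, numbers, punctuation), scores a message by word-trigram Jaccard similarity against known phishing templates, and maps that score to block, soft-warn (banner, user decides) or deliver. The thresholds, the template and the sample messages are all constructed for the example.

```python
"""Tiered phishing disposition: exact-match lists miss tweaked variants,
so score each message by similarity to known phishing templates and map
the score to block / soft-warn / deliver.

Added illustration for the article above; not Gmail's classifier.
Thresholds, template and sample messages are constructed."""
import re
from typing import Iterable

URL_RE = re.compile(r"https?://\S+")
NUM_RE = re.compile(r"\d+")
PUNCT_RE = re.compile(r"[^\w\s<>]")  # keep the <url>/<num> placeholders intact


def normalize(text: str) -> str:
    """Collapse the surface features attackers tweak between sends:
    case, URLs, numbers (deadlines, amounts), punctuation, whitespace."""
    t = text.lower()
    t = URL_RE.sub("<url>", t)   # before punctuation stripping, so URLs stay one token
    t = NUM_RE.sub("<num>", t)
    t = PUNCT_RE.sub("", t)
    return " ".join(t.split())


def shingles(text: str, k: int = 3) -> set:
    """Word k-grams of the normalized text; similarity on these survives
    small edits such as an inserted greeting or a changed deadline."""
    words = normalize(text).split()
    if len(words) < k:
        return {tuple(words)} if words else set()
    return {tuple(words[i:i + k]) for i in range(len(words) - k + 1)}


def jaccard(a: set, b: set) -> float:
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def phish_score(message: str, templates: Iterable[str]) -> float:
    """Highest similarity to any known phishing template, in [0.0, 1.0]."""
    s = shingles(message)
    return max((jaccard(s, shingles(t)) for t in templates), default=0.0)


BLOCK_AT = 0.8      # constructed threshold: confident phishing, do not deliver
SOFT_WARN_AT = 0.2  # constructed threshold: uncertain, deliver with a warning banner


def disposition(message: str, templates: Iterable[str]) -> str:
    """Return 'block', 'soft-warn' or 'deliver' for one message."""
    score = phish_score(message, templates)
    if score >= BLOCK_AT:
        return "block"
    if score >= SOFT_WARN_AT:
        return "soft-warn"
    return "deliver"


# Constructed known-phishing template (not a real campaign sample).
KNOWN_TEMPLATES = [
    "Your account has been locked due to unusual activity. "
    "Verify your identity within 24 hours at http://example.invalid/verify "
    "or your account will be closed.",
]

# Constructed messages: a tweaked variant of the template (added greeting,
# different deadline and URL), a message sharing only the opening phrase,
# and a benign message.
SAMPLES = {
    "variant": "Dear customer, YOUR ACCOUNT has been locked due to unusual activity! "
               "Verify your identity within 48 hours at http://example.invalid/x9 "
               "or your account will be closed.",
    "partial": "Your account has been locked due to unusual activity. "
               "Please contact our support team to restore access.",
    "benign": "Hi team, the meeting moved to 3pm tomorrow. Agenda attached.",
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name}: score={phish_score(msg, KNOWN_TEMPLATES):.2f} "
              f"-> {disposition(msg, KNOWN_TEMPLATES)}")
```

The middle band is the interesting one: a message that only partly resembles a known campaign is neither silently delivered nor blocked, but delivered with a banner so the recipient is told why to be careful. In a real system the score would come from a trained classifier and the thresholds would be tuned against measured false-positive and false-negative rates, but the three-way outcome is the same.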
Oliveira said that we are “all susceptible to phishing,” because phishing exploits the way the brain makes decisions, particularly how people handle deception and whether they detect it.
She argued that user awareness is critical to making the right decision, and Bursztein concluded by saying that “there is no silver bullet when it comes to defending against phishing.” He recommended two-factor authentication and user education to help protect users, and highlighted “an ever pressing need to work on improving detections and on classifiers to deal with the onslaught of attacks.”