Data breaches caused by orchestrated phishing attacks have historically been a persistent problem for banking, high tech and e-commerce companies. But any company that does business through a website requiring a login could be at risk. Think about higher education websites where students pay for tuition, or healthcare centers with web portals where patients can see medical records or pay bills.
That’s why businesses must create a proactive, multipronged strategy to help protect customers’ data from inevitable attempts at stealing it. A robust, modern phishing detection and mitigation strategy should consider all facets of today’s sophisticated phishing schemes, with response tactics for each one.
Understanding how phishing attacks work is the first step to creating a detection and mitigation plan. Let’s review the stages of a typical phishing attack:
1. A spoof site is built. The hacker uses real code and images from a website to construct fraudulent domains. Spoofing doesn’t require a great deal of technical knowledge on the part of the hacker; in fact, there are software tools available that do the work within minutes. Cybercriminals deliberately build phony URLs that resemble known and trusted domains. They register lookalike domains with one small difference, such as the letter “m” replaced by the letters “r” and “n”, which read as “m” at a glance. These spoof sites can fool even trained security professionals.
2. The email bait is sent. The hacker sends out malicious emails, attempting to target employees or customers. Often, the hacker is guessing at email addresses based on conventional naming schemes, such as email@example.com. The emails use images that have been stolen from real websites and include a link to the spoof site, urging the email recipient to update their credentials.
3. The search is narrowed. If the emails are unsuccessful, the hacker keeps trying to find the right email addresses. In the case of the 2016 Democratic National Convention phishing attack, for example, Russian GRU hackers sent 29 emails to intended targets over two days before they got a bite.
4. The bait hooks a victim. Sooner or later, if a hacker is persistent and has created a convincing enough spoof site and email, the trap will ensnare an unsuspecting victim. If an attack goes on long enough without being detected, it can yield hundreds or thousands of victims who have given up their credentials to a cybercriminal.
5. Data is collected and used for nefarious purposes. Hackers can have many different motivations. Sometimes identity thieves are looking to steal financial assets, such as credit cards, bank accounts or even a tax return filed with the IRS. Others may want to gather as many credentials as possible to sell on the dark web to turn a hefty profit. Some adversaries wish to expose or humiliate by revealing confidential information to the public.
These are the basic steps that hackers employ to steal user credentials, but there are others. Sophisticated attacks can bypass a website’s multifactor authentication mechanisms, which was the case in the recent YouTube phishing scam that affected 23 million users of the site.
Measure For Countermeasure
A phishing detection and mitigation strategy should provide countermeasures for each step of an attack. However, most antiphishing strategies only address step two: the phishing email. They block or filter out malicious emails that hackers send to company employees. There are also security firms that train employees to spot the signs of a phishing email. Both of these strategies are a good start. But what happens when a blocking or filtering mechanism fails or if a phishing email is highly convincing?
An email-focused strategy fails to extend protection to an organization’s customers. All one needs to do is look at phishing attacks against British Airways or American Express to see that consumers are an extremely vulnerable group. An email-centric strategy can’t protect customers because they’re all using different email providers that a company cannot monitor, much less control. It’s also not possible for a large enterprise to train every one of its customers to recognize a phishing attack.
A more holistic antiphishing strategy includes countermeasures that better address step one: the spoof website. After all, the spoof URL is where everything begins. Improving the speed with which organizations detect and take down spoof sites is a crucial part of that strategy. That way, even if a phishing email does slip past a security filter, the link in the body of that email will no longer lead to trouble. By the time a customer clicks on it, the company has already been alerted to the spoof site, and the web hosting company or ISP has taken it down.
To prevent step one from succeeding, improving the detection of a spoof URL is crucial. But most domain monitoring tools take days or even weeks to detect them. One way to improve detection is to embed snippets of tracking code into your company’s real website. When a hacker copies that site, they replicate that code along with the site’s images and text. It’s invisible to the hacker but not to your security team.
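The tracking-code approach above, together with the lookalike-domain trick from step one (the “rn” for “m” swap), as an added example that is not part of the article: the client-side logic of a canary snippet a site owner embeds in the genuine site, which reports itself when served from an unexpected host. The allowed hosts, the report URL and the sample hostnames are assumptions.

```javascript
// Added example, not the article's own code: the logic of a canary snippet that a site
// owner embeds in its genuine pages. A cloned copy that still carries the snippet reports
// itself when served from an unexpected host. All hostnames and URLs here are constructed.

// Hosts the genuine site is legitimately served from (constructed example values).
const ALLOWED_HOSTS = ["example.com", "www.example.com"];

// ASCII substitutions seen in lookalike domains; "rn" for "m" is the one the article
// describes. Folding both sides lets the report name the brand being imitated.
// (Homoglyphs from other scripts and punycode are not handled here.)
const CONFUSABLES = [["rn", "m"], ["vv", "w"], ["0", "o"], ["1", "l"], ["cl", "d"]];

function foldConfusables(host) {
  let folded = host.toLowerCase();
  for (const [lookalike, real] of CONFUSABLES) folded = folded.split(lookalike).join(real);
  return folded;
}

// Returns null when the page is served from a genuine host; otherwise a report object
// that says whether the host is a lookalike of an allowed host or an unrelated clone.
function classifyHost(hostname, allowed = ALLOWED_HOSTS) {
  const host = String(hostname).toLowerCase().replace(/\.$/, "");
  if (allowed.includes(host)) return null;
  const folded = foldConfusables(host);
  const imitates = allowed.find((a) => foldConfusables(a) === folded) || null;
  return { kind: imitates ? "lookalike" : "clone", host, imitates, ts: new Date().toISOString() };
}

// Browser entry point. Reports via sendBeacon so delivery survives navigation away from
// the page. A careful attacker can strip the snippet, so this is a tripwire, not a
// guarantee, and the collection endpoint must treat every report as untrusted input.
function runCanary(reportUrl = "https://example.com/canary-report") {
  if (typeof window === "undefined" || typeof document === "undefined") return null;
  const report = classifyHost(window.location.hostname);
  if (report === null) return null;
  report.path = window.location.pathname;
  report.referrer = document.referrer || "";
  if (typeof navigator !== "undefined" && typeof navigator.sendBeacon === "function") {
    navigator.sendBeacon(reportUrl, JSON.stringify(report));
  }
  return report;
}

runCanary();
```

The report endpoint should rate-limit and validate what it receives, since anyone who finds it can send fabricated reports; a lookalike report is still a useful early signal for a takedown request.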
Once a business is aware that a spoof site has launched, the next step is to alert customers to ensure they don’t visit the fake website and enter credentials. But organizations still need to provide a countermeasure in case customers aren’t notified in time. As deception technology matures, defenders have new ways to foil phishing, even if hackers have managed to gather victim credentials. One approach involves injecting the spoof site with decoy credentials. Decoys are highly convincing fake credentials that lessen the value of stolen credentials to the point where the attacker is unsure if they’ve taken anything they can use.
Having an intelligent strategy to protect customers from phishing attacks must be a top priority. With the right responses, once an attack has been launched, you can ensure that customers’ trust in your brand will not be violated.