Phishing is on the Rise: What CISOs Should Know

This blog was originally published by CXO REvolutionaries here.

Written by Heng Mok, CISO APJ, Zscaler.

The weakest link in a security architecture is often the people it protects. Although cloud-driven attacks like ransomware-as-a-service (RaaS) dominate headlines, social engineering remains a proven and effective way to gain a foothold on a network.

New research from ThreatLabZ, Zscaler’s embedded threat research team, drives home the importance of defending against phishing attacks as one of the cybercriminals’ preferred channels for gaining initial access into an organization. Using data from over 200 billion daily transactions and 150 million daily blocked attacks, ThreatLabZ helps identify threat trends.

They’ve seen phishing scale up in the past year – way up. ThreatLabZ estimates phishing increased a startling 29% from 2020 to 2021. The FBI’s Internet Crime Complaint Center suggests that more than a third of all data breaches in the US are derived from compromised credentials.

Consider the implications of these findings:

• Attackers often target popular companies and services because they are familiar enough to gain trust automatically. Top examples include Microsoft, Telegram, Amazon, OneDrive, and Paypal. Microsoft was the most imitated brand of the year, accounting for over 31% of attacks.
• Among the most frequently impersonated brands are productivity tools, illegal streaming sites, shopping sites, social media, finance, and logistical services.
• Among targeted countries, the leading victims are the United States, Singapore, Germany, Netherlands, and the United Kingdom. The Netherlands actually saw a decline of 38% in phishing attacks in 2021, potentially due to legislation passed in 2020 increasing penalties for online fraud.
• Retail and wholesale saw a 436% leap in phishing attacks in 2021, rising from the fifth-most phished industry to the first, ahead of 2020’s most phished industry, manufacturing. Healthcare dropped by 59%.
• Phishing is platform agnostic and present in email, SMS, and voicemail. This is largely because users are becoming wary of clicking links in email, but more accustomed to viewing SMS as a legitimate marketing platform. As trust shifts from email to texting, “smishing” has even been used to compromise the two-factor authentication process, as seen in a campaign against Indian banks. This has led to upstream telco providers in certain countries, like Australia, to block these attacks to protect consumers.
• Phishing is also increasingly themed to capture user interest and drive engagement. In 2021, the most popular themes include COVID-19 and cryptocurrency investment. It would not be surprising to find charitable outreach to Ukraine on the list next year.

The phishing threat continues to evolve

Phishing is the classic social engineering attack. By duping users into entering their credentials into decoy sites, embedding tracking pixels, or clicking on malicious links, attackers gain the entry point needed to begin reconnaissance, perform discovery, and determine their next steps.

As organizations continue to harden defenses against malware, social engineering remains a favored method of compromise. Cybercriminals also now seeking to compromise organizations along the software supply chain in order to maximize their efforts against potential targets.

Adversaries are also looking for optimal ROI, and have now employed as-a-service models and automation techniques to streamline operations. Whereas in the past phishing required some degree of technical skill to create and deploy realistic mirrors of legitimate sites, the process has been simplified and automated.

Using kits purchased online – along with freely available email and identity databases from past data breaches – almost any criminal with internet access can plan and execute a phishing attack. In addition to lowering the technical bar, these kits allow sophisticated cybercriminals to scale their efforts.

Phishing kits contain all components needed to wage the attack, including sample files for generating a phishing page, enabling attacker access, evading detection, exfiltrating data, and fingerprinting users. Free and open source phishing frameworks are also widely available online. Combined, these resources have substantially contributed to the rise in phishing.

To solve the problem, we must understand it

Given the daunting threat phishing poses, how can organizations best respond? There’s certainly no perfect defense, but it’s possible to mitigate both the risks of a breach and the consequences should one occur.

We recommend a strategy based on understanding the threat, offering user training, and deploying security solutions in accordance with best practices.

Security leaders can enhance their training and build a security culture with tactics like gamification, competitions, and business unit-specific training. This, combined with topical themes and targeted for simulation emails, goes a long way toward building awareness.

Phishing simulations should be combined with metrics to continually identify and evaluate users who may need additional tailored training. To be effective, the difficulty of these simulations should be dialed up or down in accordance with a target’s level of cyber-savvy, but also organizational context.

Added to training, multi-factor authentication (MFA) remains critical to defending against compromised credentials obtained via phishing. With MFA deployed, a password alone is not enough to access an account. Apps like Okta Verify or Google Authenticator are particularly effective at defending against man-in-the-middle tactics or phone porting that intercept SMS verification codes.

Unfortunately, some percentage of users will likely continue to click on phishing links. That’s why we recommend security teams apply people, process, and technology solutions to minimize both the odds and the consequences of successful attacks.

On the technical side, the controls and capabilities that you should consider include:

• Email scanning that recognizes and blocks phishing emails upon delivery
• Reporting mechanisms by which users can notify security teams of suspected phishing attempts
• Inspection of encrypted traffic for phishing content
• URL filtering to block access to risky sites, like those on newly registered domains
• Caution pages to warn of questionable web pages
• Playbooks and automation to detect and respond to compromised identity and credentials, measuring the mean time to respond
• Updated threat profiles outlining the tactics and procedures used by adversaries
• Continuous monitoring for brand abuse that can take down phishing sites quickly when they are impersonating your trusted brand
• Security patch application that’s comprehensive and timely for protecting apps and operating systems
• Zero trust architecture (ZTA) – using the principles of granular segmentation, least-privileged access, and continuously monitored traffic – to limit the scope of breach and minimize exposed resources and infrastructure

Read 2022 Zscaler ThreatLabz - State of Phishing Report 2022 for more details, data, code block examples, and information regarding trends organizations need to thwart the growing number of phishing attacks.