Background

Even today, in the wonderful world of 2022, phishing is still dominating the security landscape.
This is not a surprise to anyone working in InfoSec or IT. In fact, most people know what phishing is whether they work within an enterprise or not. I think everyone I have talked to has seen and/or clicked on a phishing email. For the sake of clarity, here is my personal definition of phishing and how I will refer to it throughout this post.
“Phishing is sending a message to someone with an embedded link, attachment or request for more information/access to a victim.”
Methods
In most enterprise situations we tend to think of phishing as being solely focused on email. However, phishing can come in many ways: instant messages, social media posts, SMS, phone calls, etc. I know there’s a million words to describe the different methods, such as “vishing” or “smsishing”. Personally, I think that is too confusing; they are all attempting the same thing, just using different methods. So, phishing is phishing.
Below I’ve added a nice list of all methods for those of you that hate blocks of text like I do:
Phishing Methods without the weird specific words
- Phone call
- SMS
- Instant Message/DM
- Social media posts
- Forum posts
- Document sharing invitations (Ex: Google Docs invitations)
- Calendar invitations
- Website listed on physical media (ex: website written on paper)
- QR Codes
This is probably not a full list, and new methods will appear as time goes on.
What do they want from me?
Good question, me. The answer is as annoying as a wire transfer request from a “foreign prince”: it depends.
Most often, these messages are sent en masse, something like hundreds of thousands of messages at once. For those types of phishing campaigns, the goal may be to just get whoever they can. If you send 100,000 messages and only 1% click, that’s still 1000 people you are getting information from.
More targeted phishing campaigns may be directed at a specific organization or even select individuals. These are typically better crafted and tougher to decipher. For these, you may have heard the term spear-phishing. Either way, the goals are not always the same, but there are a few common traits. Below are some of the common goals I have observed with the various phishing messages I’ve come across.
Phishing goals
- Gain access to the target’s computer
- Deliver malware
- Steal username(s) and password(s)
- Obtain information about the victim
- Obtain information about another potential victim
- Obtain information about the victim’s equipment
- Extortion (Ex: Asking for money or service via some type of threat)
- Denial of Service (DOS)
- Attempt to have the victim spread the message further
- Impersonating a multifactor authentication request
- Impersonating a legitimate request (Ex: Pretending to be tech support)
Again, this will change over time, but should give you an idea of why you would be targeted.
Protect yourself
For this section I’m going to break this up into two different categories, personal and enterprise. I think it’s obvious that I can’t exactly influence everything tied to my personal life the same way I can if I work as a cybersecurity professional for an organization. The personal protections would apply to yourself and even the folks you are trying to protect. I’ll try to be as realistic as I can, but some things require a cost, although I try my best to suggest things that aren’t paid solutions.
Personal protections against phishing
- Probably best to use more popular email services.
  - I am not exactly pro any organization, but Gmail is going to have better built-in protections than FreeEmail[.]com
  - When choosing, consider the privacy side of the house as well; there will always be a trade-off of free features vs privacy concerns.
- Use multiple emails
  - Have separate emails for different purposes (Ex: work, personal shopping, bills)
- Expand the FROM field to show the actual email address.
  - Usually you can click on the From field or select the icon next to the display name to see the actual email address
  - Look for unusual spelling (@oni[.]com vs @0ni[.]com)
- Be aware of where you are putting out your email (Ex: LinkedIn, Twitter, Website profiles)
  - Ask yourself why you need to provide an email and if providing it is worth potentially more phishing emails
- For links, sometimes you can hover or long-press to see and/or copy the actual web address
  - Be extra careful not to actually click; if you are not sure, just don’t even interact with it
  - Just because you see linkedin.com, it does not mean that is where the link is going.
- Ask the sender what it is, if you know them!
  - Especially if the link is too difficult to read
  - It may be awkward, but they are the ones who sent it
- If you do not know the sender, ignore it
  - This can be tough for work, but the same idea can be applied to which domain they are sending from (Ex: @oni[.]com vs @wejksldfas[.]com)
- Confirm the message is legit by contacting the sender via another method
  - If they sent a weird Twitter DM, try calling them to confirm... or just text, nobody likes cold calls
- If you think it is odd, report it
  - There are people who can look at it with extreme detail to get that answer, but they won’t know unless it’s reported
  - The more you report, the more protections can be made to stop these types of things from reaching you in the first place
- Do not blindly forward messages
  - No, you are not going to be attacked by a wendigo if you don’t forward the message to at least 3 people
- There are website scanning tools and email protection apps, but generally I would not recommend them unless your place of work is providing them.
  - The cost and maintenance are just not worth the actual security you get for your personal accounts
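Two of the manual checks in the list above, a sender domain that is one character off and link text that names a different site than the link really goes to, can also be written as code. This is an added example, not part of the original post; `TRUSTED`, the function names and the `.example` host are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = {"oni.com", "linkedin.com"}  # assumption: domains you expect, from the post's examples
CONFUSABLE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})  # common digit-for-letter swaps

def lookalike_of(domain):
    """Return the trusted domain that `domain` imitates (0ni.com -> oni.com), else None."""
    folded = domain.lower().translate(CONFUSABLE)
    if domain.lower() in TRUSTED:
        return None
    return next((good for good in sorted(TRUSTED) if good.translate(CONFUSABLE) == folded), None)

class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def mismatched_links(html):
    """Return (visible text, real host) for links whose text names a different site."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        host = (urlsplit(href).hostname or "").lower()
        shown = re.search(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", text.lower())
        if shown:
            site = re.sub(r"^www\.", "", shown.group(0))
            if host != site and not host.endswith("." + site):
                findings.append((text, host))
    return findings

# Constructed sample body: the first link shows linkedin.com but goes somewhere else.
SAMPLE_HTML = (
    '<a href="https://linkedin.com.account-verify.example/login">www.linkedin.com/invite</a> '
    '<a href="https://www.linkedin.com/feed">linkedin.com</a>'
)
```
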
Enterprise Protections
I am not going to list out actual products and vendors, just the features and types of products I feel are beneficial. Keep in mind, some if not several of these require some kind of cost. I will also try to explain some details in the bullets so you know what I am referring to; I know there are a lot of buzzwords out there.
Enterprise Protections against phishing
- Email Security Appliance
  - This system will look at all emails to determine if there is anything within them that would indicate they are suspicious or malicious
  - Some may be an add-on to your email system, while others can be an entirely separate product
  - This can be a cloud-based appliance or a physical/virtualized appliance within the environment
  - Different appliances have different levels of inspection. Some may look simply at the body and text, while others may look at the actual headers and extract metadata
  - Make sure you are inspecting all three levels of email
    - External to internal
    - Internal to external
    - Internal to internal
- Phishing Exercises
  - I am always careful to recommend this to organizations. Lately it seems this has become more of a checkbox than an actual attempt to educate
  - Being too harsh on users that may click can just make them upset. Remember, they are human beings just trying to do their job
  - Be realistic about the phishing campaigns; the goal is not to fool them
  - Even if they do click, the organization should still take steps to protect themselves and the user
- Turn on the ability to hover over a link and see the domain and any other details
  - Typically, this can be enabled for most email systems, but may be at the application level of something like Outlook or Chrome
- Turn on banners to indicate an email is external
- Turn off execution of attachments upon opening messages
  - This is more commonly not allowed, but worth a check
- Include an easy way to report phishing emails
  - This needs to be EASY, like a button in the client or the ability to right click and report
  - If a user cannot easily report it in a click or two, then they probably will not
- Update your firewall rules to block unusual traffic
  - Folks will click links; you cannot solely rely on them not to do so
- Utilize DNS security to protect users if they do click
  - This also helps with investigations, since you can track which users attempted specific domains in case phishing attempts were not reported
- Automate blocking known malicious sites with threat intelligence
  - This can often be built into firewalls, DNS and even email security appliances automatically
- Block uncommon attachments
  - Get an understanding of what is typically sent via email and block everything else
  - There’s typically no reason someone should be able to send a .exe via email
- Ensure your analysts have an EASY way to review suspect emails
  - Provide guidelines and escalations so someone does not just let something through
  - Understand how much you are asking them to review
  - Find ways to automate the simple checks, such as grouping similar messages
- Ensure your analysts can perform basic email header analysis
  - Most of the procedures carry over to any other message analysis
  - Fantastic video by 13Cubed
- Forward email-related logs to a SIEM to identify trends and identify sources more easily.
  - Email Security Appliance logs
  - Email System (Exchange) event logs
  - DNS Logs
  - Firewall Logs
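The simple checks an analyst repeats on every reported email (sender headers that disagree, failed authentication results, an attachment type nobody should be mailing) can be automated along these lines. This is an added example, not from the original post or any product; the allowlist, the function names and the sample message are assumptions.

```python
import os
import re
from email.message import EmailMessage
from email.utils import parseaddr

ALLOWED_EXT = {".pdf", ".docx", ".xlsx", ".png", ".jpg"}  # assumption: what your org normally mails

def addr_domain(value):
    """Domain part of an address header, or '' when the header is absent."""
    return parseaddr(str(value or ""))[1].rpartition("@")[2].lower()

def triage(msg):
    """Return a list of findings for one parsed message."""
    findings = []
    sender = addr_domain(msg["From"])
    for name in ("Return-Path", "Reply-To"):
        other = addr_domain(msg[name])
        if other and other != sender:
            findings.append(f"{name} domain {other} != From domain {sender}")
    # Only trust the Authentication-Results header stamped by your own mail gateway.
    auth = str(msg.get("Authentication-Results", "")).lower()
    for check, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth):
        if result != "pass":
            findings.append(f"{check}={result}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()  # last extension wins: invoice.pdf.exe -> .exe
        if ext not in ALLOWED_EXT:
            findings.append(f"attachment {name} not on allowlist")
    return findings

def sample_message():
    """Constructed message; every name, address and domain is a placeholder."""
    msg = EmailMessage()
    msg["From"] = "IT Help Desk <helpdesk@0ni.example>"
    msg["Reply-To"] = "helpdesk@freemail.example"
    msg["Return-Path"] = "<bounce@mailer.example>"
    msg["Authentication-Results"] = (
        "mx.oni.example; spf=fail smtp.mailfrom=mailer.example; dkim=none; dmarc=fail"
    )
    msg["Subject"] = "Password expires today"
    msg.set_content("Open the attached form to keep your account.")
    msg.add_attachment(b"MZ", maintype="application", subtype="octet-stream",
                       filename="invoice.pdf.exe")
    return msg
```

For a reported .eml file, parse it with `email.message_from_bytes(raw, policy=email.policy.default)` and pass the result to `triage`.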
Conclusion
Phishing is lame. By lame, I mean it’s not a super technical technique and it’s not a super technical investigation. It is, however, incredibly important and something you will always see. If you were compromised, you can usually count on phishing being involved at some point. So, if you need somewhere to start improving your security posture, start with dealing with phishing. You and everyone you work with should see some meaningful results right away.
As far as our personal stuff goes, be cautious; you are only going to see more phishing take place as time moves forward. There are things you can do to help combat it, but it is just going to keep coming, so try your best. If you need help, ask for help, whether it’s the tech person you know, someone within your workplace or that Twitter fellow that writes blogs about random topics.
At the end of the day phishing sucks, it’s annoying, and it’s not even that impressive (talking to you adversaries out there). Hope this helps, any questions please reach out.
ChocolateCoat