Avanan has caught a tremendous number of previously-unseen attacks this year, and as a result we have identified some distinct trends that give insight into what we can expect in 2018.
We are hosting a more comprehensive webinar to discuss cloud security in 2018, but in this blog, we'll focus specifically on phishing. These are the the five phishing methodologies that not only demonstrate a level of sophistication and professionalism that will be devastating to the unprepared, but also are rising in popularity amongst hackers heading into the new year.
1. The new innovations are in evasion.
Phishing attacks are no longer just about fooling the user. For that, the tricks are getting better and more realistic: fake login forms, malicious files, and personalized messages. But from a user’s point of view, the attacks from this year might not seem that much different.
Under the hood, however, 2017 brought a number of very sophisticated techniques that were specifically designed to evade the tools that email providers use to protect users. Attackers identify the email provider and deploy their attacks to target specific filter weaknesses.
For example, we saw a rise in attacks that targeted unique Office 365 email handling behaviors. We discussed a few of these in previous blogs:
- The Punycode and Unicode Attacks on Office 365 used character encoding to insert non-ASCII (special) characters into URLs. This made them indecipherable to Office 365’s email filters so they were perceived as legitimate links to safe websites.
- The Hexadecimal Escape Characters Attack inserted a javascript snippet into the email so that rather than linking to a forged login page and risking the link getting blocked or removed, the phishing page was rendered right within the user's own browser. Since no links were found on the page, Microsoft did not deem the emails suspicious.
While both of these attacks were easily identified by all the major security vendors, they were extremely effective in fooling Office 365 filters. In fact, we only saw them on our customers that were using Office 365. In short, the attackers:
- identified a unique vulnerability in Office 365’s email filters,
- rewrote their phishing attacks specifically to evade the filters, and
- only sent this type of attack to users of Office 365 email.
2. The new target is cloud providers' trust in their own applications.
In Office 365 and G Suite, email is delivered as just one part of an integrated group of applications. In previous articles, we’ve shown how a user’s trust in Microsoft's Safe Links can actually fool the user into opening malicious URLs. Unfortunately, sometimes the cloud application's trust in its own services can be a weakness as well.
A phishing attack in August hid malware behind a SharePoint link, which is automatically considered trustworthy by Microsoft as it is one of its native applications. The URL was never checked and the malware was more likely to be downloaded by the user. This was very similar to an earlier attack in which hackers took advantage of the preferential treatment Gmail’s email security gives to Google Drive links. The attack contained a Google Drive URL that bypassed Gmail's filters but triggered a malware download when clicked.
Another attack from September used Google redirects to send unsuspecting recipients to a phishing page. Ironically, this attack abused Google’s trust in its own services to hide an attack that was ultimately targeting Office 365 users. It phished Google’s security in order to phish Microsoft users.
3. The revolution in Business Email Compromise is data-driven automation.
Business Email Compromise (BEC) attacks are not new, but the level of sophistication and granularity used to conduct the attacks has reached unprecedented levels. Previously, attackers would utilize publicly available information from sites like LinkedIn and Facebook to gather the business and personal details of their targets. In 2017, however, the combination of large-scale data breaches, more intelligent database tools, and automated conversation tools have made it possible to design more authentic and believable phishing emails.
First, the recent database breaches reduces the amount of information the attackers need in order to compromise a company. If they already have 4 pieces of crucial information, they may only need one more to complete the security puzzle.
Second, by combining the multiple pieces of information from various sources, they have an incredible amount of detail from which to craft a message. Users are more likely to trust someone who seems to have insider information.
Third, automated 'chat' make it possible to carry on validation conversations until the victim is firmly on the hook. Some attacks have started with the simplest of messages:
5:07 PM PST: Hey Chris! Are you still in the office?
5:12 PM PST: Yeah.
5:14 PM PST: I would normally ask David this, but the NY office has already gone home. Do you have a second?
5:14 PM PST: No problem, what do you need?
5:15 PM PST: Are you at your computer?
5:16 PM PST: Just a second....
Users, especially those that have high levels of access, must be adept at identifying suspicious emails, but as attacks become more sophisticated, only advanced AI/machine learning tools can effectively identify these new threats. Indicators such as impersonation detection, ransomware, and natural language processing are often missed by default security, but can be crucial in catching a well-crafted and targeted phishing email.
4. The new attacks are slow and patient.
With all the news about ransomware and other high-profile, headline-grabbing attacks, the greater threats came in the form of the patient hacker. These are attacks that may last months or years and never be discovered. In fact, the business-disruptive, large scale attack was often a coverup for the real infiltration.
The patient hacker gets access to your account through something innocuous—maybe a forged email asking you to reset your password. From there, they wait. Sometimes for months. They study your inbox from the inside and learn about your colleagues and their relationships within the organization. They know who reports to whom, which people are working on projects together, and which employee is the lead on that project.
As we describe in our blog post on one such attack, The Long-Term Phish, once the hacker intimately understands the ins and outs of your organization, they spread internally. A nearly undetectable phishing email from a compromised employee to another making a seemingly reasonable request can be a guise to get sensitive info or spread malware.
While it may seem impossible to protect against a compromised account long after the original breach, there are a number of recognizable methods that hackers use to spread their access throughout the organization. We describe one such tactic in a recent blog post on the Alternative Inbox Method. This is a strategy in which the hacker uses the trash folder or some other rarely checked corner of the compromised inbox as their own personal inbox to send and receive emails within the organization without the account’s rightful owner ever noticing a thing.
As users become more security savvy and get better at recognizing “smash and grab” phishing attacks, these long-term, more sophisticated attacks will become more common. Protecting yourself after an account is compromised is difficult, but not impossible. Behavior anomaly detection is vital, and it is important to monitor both outgoing and internal messages in order to identify the insider threat.
5. They are targeting all your SaaS.
The proliferation of cloud applications has resulted in a dispersion of sensitive data within organizations. Your banking info may be in your payroll application, your credit card info may be in your expense reporting application, and your social security number stored in your HR application. This has led to a new trend of hackers attacking these “periphery” applications to gain access to sensitive information.
For example, a recent attack targeted a SaaS-based HR application in order to redirect employee payroll checks into the attacker’s account. This had the potential to be financially profitible while requiring little sensitive information.
These attacks on SaaS-based business tools include the communication alternatives to email like Slack, Skype, and Teams. Users tend to rely on these tools for day-to-day internal communication and trust them with the most vital of confidential information. Over the last year, we have noticed that the first target after an internal breach is often access to a Slack account.
Traditional email security can act as a first line of defense for these types of attacks (as it often requires an initial phishing email), but it is not enough. Effective security needs to connect to your all of your cloud applications so it can block malicious behavior no matter where in your ecosystem it occurs. As more phishing attacks move past email, this omniscient style of cloud security will be essential for true defense-in-depth.
Conclusions
While these examples are not exhaustive, they are representative of the trends we are seeing as we enter the new year. We know that as security improves, attacks will increase in sophistication, but it is possible to get ahead of the curve.
Three lessons from these attacks predict next year's priorities:
- The first line of defense includes monitoring incoming, outgoing and internal messages. And remember that email is not your only messaging app.
- You may never see original breach. Multi-layer, defense-in-depth security is vital.
- You should be prepared for the worst. What to do after the breach.
We have built Avanan with these priorities. We gather the most comprehensive realtime and historical information about every message, file, and user event. We have partnered with the industry’s most advanced security companies to create the most complete defense-in-depth, multi-layer solution. We provide the single pane of glass within which to correlate policy and automatically respond to events.
No single security tool alone is the best at everything. Only the Avanan platform brings together the full resources of the security industry to address today’s threats. Only the Avanan platform is flexible enough to adapt to tomorrow’s attacks.
