Ten years is an eternity when it comes to technology. Back in 2008, the Motorola Razor was the most popular cellphone on the market and Blu-Ray was set to be the future of home entertainment. The dark side of technology is no different. Although phishing attacks have always been a threat, they have evolved at a much faster rate than most of the technologies designed to combat them. The managed gateways and other security measures designed to protect email were what worked for emails 10 years ago, but the rate at which phishing emails evade these tools makes it clear they are not designed for the phishing emails of today.
1. Large nets have been replaced with accurate spears
Then: Ten years ago hackers were much more likely to implement a spray and pray method when sending out phishing emails. This involved sending a generic email asking for credentials (passwords, credit card numbers, etc.) and sending it to as many people as possible. The idea was, that even if 99.995% of recipients were savvy enough to recognize the email as a spoof, the 0.005% that fell for the attack would make the effort worthwhile for the hacker.
Now: The default email security from Gmail and O365 is already blocking the most blatant phishing sprays, so the hackers had to change their behavior. Instead, hackers use much more targeted phishing emails that are personalized specifically to their intended recipient. Less phishing emails, but with higher success rates. Hackers trial and error until they learn how to stay under the radar of the default security, so the old method is now much less likely to catch them. Since they are targeting far less people, hackers work even harder to ensure success for the small number of recipients whom they are targeting. Social engineering strategies such as researching their coworkers and interests in order to craft the perfect email are relatively recent developments in their prevalence within phishing attacks.
How has security technology kept up?: The old method of mass phishing emails was hardly differentiated from spam emails and security tools treated them the same. However, the targeted phishing emails of today have little in common with the spammy email pushing off-brand pharmaceuticals and eager singles in your area, yet default security tools like Microsoft still group them together. In fact, Microsoft's anti-phishing filter is contained within its spam filter and if a hacker can design an email that does not register as spam (which isn't very difficult) it will make it pass this filter into the recipient's inbox.
Legacy email security vendors also appear to fall behind as apparently they still heavily rely on mass sending and SPF checks to flag-out phishing attacks. Newer methods that involve machine learning and natural language analysis, trained specifically to detect impersonation attempts (of brands or people), as well as URL analysis, have started to take front stage as the leading solutions for sophisticated phishing attempts.
2. They are indistinguishable from legitimate emails
Then: Email receivers were less trained and less suspicious of the emails they received. As a result, the hackers spent less time and effort to disguise their identity and a savvy recipient used to be able to differentiate a phishing email from a legitimate email. Even non-savvy users could see the signs with proper employee training. Things like typos, blurry logos, and poor formatting were dead giveaways. Even if they had done a decent job with the email body, the sender's email address itself would usually reveal whether an email was legitimate or not.
Now: Without digging into the email headers and HTML code, the modern phishing email can be indistinguishable from the legitimate email it is spoofing. Even the sender-field of the email can be spoofed so it looks like exactly like the legitimate sender, as happened in the recent Mailsploit Phishing Attacks.
Would you be able to tell this email is spoofed?
How has security technology kept up?: As we will discuss further in #3, it has been a cat and mouse game with security tools and advanced email spoofing tactics. Each time hackers come out with a method to bypass Microsoft or Gmail security scans, the email providers will apply a fix. An example would be the BaseStriker attacks, which bypassed Microsoft security at first but once revealed, Microsoft released a fix for the vulnerability. This obviously is not adequate since the hackers will always be one step ahead of reactionary security technology and it will be up to the end user to decipher which emails are legitimate and which are phishing (a nearly impossible task for a human).
But more dynamic scanning technologies such as Avanan's anti-phishing solution, sit behind default security scans and look for the suspicious signs they miss. These email technologies self-adjust by leveraging machine learning algorithms so they can catch attacks before Microsoft releases a patch. In some cases, the attacker's method is used as an indicator of a suspicious email, essentially training the algorithm to learn specifically the things Office 365 will let through.
3. Fooling security is as important as fooling the recipient
Then: The goal of a phishing email was to fool the recipient - get you to click the malicious link or provide the confidential information. Whether they were posing as a Nigerian Prince who needed a bank routing number to which to send his money or if it was a free giveaway and you needed to click a link to claim your prize. As long as the email was intriguing enough to get what the sender was after it was a success.
Now: With default security built into the email service, hackers need to test that their email will get to its target recipient. This has lead to the rapid development of strategies to bypass email security filters. Hackers now test their emails are bypassing Office 365 and Gmail before sending them and are using trial-and-error until they find the crack. In case they are targeting a specific organization, they will check if the customer is using an MTA from one of the legacy security providers, provision their own cloud version, and then perform a test in their own environment.
Below are some examples of phishing attacks Avanan caught that were designed to bypass Microsoft security:
- Punycode Phishing Attack
- Zerofont Phishing Attack
- Hexadecimal Phishing Attack
- Unicode Phishing Attack
How has security technology kept up?: API based security solutions such as Avanan can not be uncovered by checking MX records since they do not effect them. These tools are hidden from the attackers - they just don't know what you use, so reverse engineering their scanning method in order to bypass them is much harder. Bespoke multi-layered security solutions are proving to be the future of combatting advanced phishing attacks since they are not only impossible to reverse engineer but also do not rely on a single security scan. If a phishing email is designed to bypass a certain scanning method one of the other layers will catch it since there is no way for a hacker to know how many and which specific layers are in place.
4. They are after your SaaS credentials
Then: The goals of phishing attacks are constantly evolving as they search for monitization or other benefits. While at one point they were used a vessels for viruses that would download onto your computer, later the trend turned to macros, and then to gain banking information. Even more recently ransomware was all the trend, a combination of hardware and network virus. The issue is that these are, for the most part, detectable attachments to the email itself (with the exception of phishing emails asking for banking information).
Now: SaaS applications provide much deeper access into your organization than was ever possible before. As a result, SaaS credentials have become the holy grail for hackers looking to get as much out of a phishing attack as possible. Each SaaS application is so interconnected to every facet of your organization that just having access to one of them can provide a large bounty for a malicious actor. For example, Avanan discovered a recent trend of hackers attempting to gain access to HR applications in order to reroute salaries to their own bank account (See: Phishing Your HR Platform). Once they are in your SaaS applications the damage they can inflict is immeasurable. This development has marked a clear transition from email security only needing to secure your email to the need for a universal security tool.
How has security technology kept up?: For the most part, email security tools are just concerned with email security. Blocking malicious emails from coming in has always been their modus operandi.
Newer technologies rely on API and are able to go beyond just email and analyze suspicious activities in the account to flag out compromised accounts. For example, a login from an unfamiliar location, a configuration change in a user account like email forwarding, etc. This birds-eye view, while necessary to combat SaaS phishing is not yet widely adopted by security vendors as application security and email security are still considered separate disciplines. The separation of these types of security leaves major information gaps that make it easy for threats to go undetected since the onus is on the user to connect the dots.
Hackers, like all predators, adapt to their prey's defenses. In this analogy the prey is your inbox and your email provider is your defense. However, hackers now have the time and funding to adapt faster. Luckily, this is changing. With machine learning based methodologies, security solutions can automatically learn the patterns of your organization, and advanced security solutions can block attack strategies as they are created rather than years after they have become popular.