The Relentless Growth of Phishing Attacks

Phishing attacks are the oldest and most effective online threats. Cybercriminals use phishing to obtain sensitive information such as usernames, passwords, and financial details from unsuspecting individuals.

As phishing attacks become more sophisticated, organizations around the world are facing the heat. It takes just one employee to fall for the bait and that’s enough for attackers to steal intellectual property, login credentials, bank account information, and more.

Data published by Symantec shows a 49% growth of phishing attacks from January 2017 through May 2018.

According to Andrew Conway, General Manager for Microsoft 365 Security, about 80 to 90 percent of the data breaches that his team saw were attributed to phishing. While Microsoft and others are taking steps to detect these attacks before they ever hit a user’s inbox, algorithms can’t catch all of them — and then it’s up to the user to know what to do!

Here is a first-hand account from an IT administrator who bore the brunt of a phishing attack.

In addition to financial loss and potential loss of reputation for the targeted company, phishing attacks can dramatically increase workloads for IT administrators.

So, what exactly is Phishing?

When a criminal sends an email pretending to be someone he is not (for example, the CEO of an organization) or something he does not represent (such as a brand), in order to extract sensitive information from the target, it’s called a phishing attack or a phishing scam.

What are the different types of Phishing Attacks?

A phishing attack can come in different forms. We picked out 7 different types of phishing scams that account for most of these attacks. Here is a brief overview of each.

1. Business Domain Impersonation

Business Domain Impersonation happens when an impostor creates a fake brand/company website to conduct activities that can harm the target brand and its customers.

Here is an example of how an employee of Disney fell prey to a phishing scam and sent over $700,000 to someone she believed to be a Disney vendor.

2. Brand Impersonation

Brand Impersonation refers to a phishing scam where the attacker sends an email that appears to be from a trusted brand or directs a potential victim to a website that resembles a popular brand to gain access to confidential data. These emails or websites could resemble a well-known bank, credit card company, e-commerce portal, or even a government agency.

Here is an example: a lot of unsuspecting individuals received the Netflix Account Disable notification email. Upon clicking a button in the email, they were prompted to enter their credit card details. Of course, the email was a scam, and if a victim entered the credit card information, the attacker had instant access to it.

3. Suspicious Link

Scammers sometimes hide the URL that’s embedded in their message: the URL visible to the victim appears to point to a known domain, such as a Google document, while the actual URL points to a malicious domain.

The 2017 Anti-Phishing Working Group report says that people are often fooled by URL shorteners that hide the destination domain, or by brand names inserted in the URL.

Here is an example of a suspicious link:

The display link seems to point to a Google Docs file, but the actual destination is a blacklisted page.

4. Name Impersonation

Name Impersonation is a type of phishing attack where a cybercriminal claims to be a known individual and gathers sensitive information from a targeted victim, for instance by imitating a C-suite employee (CFO or CEO) and attempting to steal employee or supplier information.

John Kahlbetzer, the founding member of a well-known Australian company, lost $1 million to a name impersonation phishing attack.

5. Content-Injection

Content-Injection is a type of phishing attack where the attackers use macro code to create an infected email attachment or a piece of visual content. Clicking on this attachment leads the victim to a phishing page or results in the download of malware from a remote server.

6. Man-in-the-Middle Attack

Man-in-the-middle is a form of phishing attack where communication between two users is monitored and modified by an unauthorized party.

Here is an example of a phishing attack that came to light in Europe. The attackers used sophisticated techniques to intercept corporate email communications and made payment requests.

7. Search Engine Attack

Hackers publish malicious pages and rank them on search engines or run paid ads to attract victims to their sites. Clicking on these search results or ads will take the user to a phishing page.

In the screenshot below, you will see how one attacker managed to place a seemingly legitimate ad on Google.

As you can see from these examples, a phishing attack can strike your organization in many shapes and forms.

We have put together 15 actionable steps that you can roll out immediately to dramatically improve the chances of shielding your company from phishing scams.

15 Easy Hacks to Prevent a Phishing Attack

1. Use the spam filter in Gmail and Office 365/Outlook

Spam filters flag email that fails sender validation protocols such as Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). The results of these checks indicate whether the sending domain and IP address are authorized to send mail for the domain named in the message.

All email applications provide IT administrators the option to configure spam filters; however, there is a fine line between stopping malicious emails or spam and blocking legitimate emails that could impact your organization’s business!
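A receiving mail server records the outcome of its SPF, DKIM and DMARC checks in an Authentication-Results header, and that header is what a filtering rule acts on. The following is an added example (not code from the original post) that parses that header from a raw message and returns a filter decision; the sample messages are constructed, and the quarantine/tag thresholds are this example's own assumptions about where the "fine line" should sit.

```python
import email
from email import policy

# Results treated as a hard failure of a check (assumption for this example).
HARD_FAIL = {"fail", "permerror"}


def parse_auth_results(value):
    """Parse an Authentication-Results value such as
    'mx.example.com; spf=pass smtp.mailfrom=a.com; dkim=fail header.d=a.com'
    into {'spf': 'pass', 'dkim': 'fail'}. The authserv-id and the property
    fields after each result token are dropped."""
    results = {}
    for part in value.split(";")[1:]:           # [0] is the authserv-id
        token = part.strip().split(" ", 1)[0]   # e.g. 'spf=pass'
        if "=" in token:
            method, result = token.split("=", 1)
            results[method.lower()] = result.lower()
    return results


def auth_results_of(raw_message):
    """Merge every Authentication-Results header of a raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    merged = {}
    for header in msg.get_all("Authentication-Results", []):
        merged.update(parse_auth_results(str(header)))
    return merged


def classify(raw_message):
    """Filter decision: 'quarantine', 'tag' (deliver with a warning) or 'deliver'."""
    r = auth_results_of(raw_message)
    spf, dkim, dmarc = r.get("spf", "none"), r.get("dkim", "none"), r.get("dmarc", "none")
    if dmarc == "fail" or (spf in HARD_FAIL and dkim in HARD_FAIL):
        return "quarantine"
    if spf == "pass" and dkim == "pass":
        return "deliver"
    return "tag"   # one check failed or is missing: deliver, but warn the user


# Constructed sample messages (headers folded the way a real server writes them).
PASSING = """From: payroll@example.com
To: staff@example.com
Subject: Invoice
Authentication-Results: mx.example.com;
 spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=example.com;
 dkim=pass header.d=example.com;
 dmarc=pass header.from=example.com

Please find the invoice attached.
"""

SPOOFED = """From: ceo@example.com
To: staff@example.com
Subject: Urgent wire transfer
Authentication-Results: mx.example.com;
 spf=fail (sender IP is 198.51.100.7) smtp.mailfrom=example.com;
 dkim=none;
 dmarc=fail header.from=example.com

Process this payment today.
"""

PARTIAL = """From: newsletter@example.com
To: staff@example.com
Subject: Monthly update
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=example.com;
 dkim=fail header.d=example.com

Body
"""

if __name__ == "__main__":
    for name, raw in (("PASSING", PASSING), ("SPOOFED", SPOOFED), ("PARTIAL", PARTIAL)):
        print(name, auth_results_of(raw), "->", classify(raw))
```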

Here is how you can configure the spam filter settings for Gmail:

  • Go to the Gmail Admin Console
  • Choose G Suite from the Apps tab
  • Select Settings for Gmail>Advanced settings>Spam settings

Gmail also provides users the option to report spam as well as phishing emails. The only catch is that as an IT administrator, your role goes beyond managing spam settings. You may also have to educate the employees in your network to report suspicious emails.

G Suite administrators can also access a report on spam detected in their network. By analyzing the spam report, an administrator can gain useful insights such as:

  • Unsafe browsing behavior: Any unusual spike in the spam graph can be a result of users visiting unauthorized websites.
  • Irrelevant subscriptions: Personal subscriptions using a business email address can trigger a jump in spam.
  • Pretexting attacks: A sudden growth in spam could indicate the possibility of attackers attempting to gather personal details of employees before launching a phishing attack.

Spam filtering in Office 365

Office 365 also has a comprehensive set of features to control spam. This feature is available for all subscription levels.

Go to Admin>Security and Compliance>Home>Mail filtering>Anti-spam settings

The admin can choose the standard settings or customize them.

2. Use multi-factor authentication

When attackers manage to get an employee in your network to click on a malicious link sent via a phishing email, you can still save the day for your organization if you have implemented a multi-factor authentication system.

We recommend having at least two-factor authentication in place; however, for sensitive applications in your network, adding more levels of authentication is advisable.

Here is how you can piece together a multi-factor authentication system for your organization.

  • Password
    Make sure you have implemented a mandatory password policy. You can refer to this TechNet article in case you don’t have a password policy yet.
  • Google Authenticator
    Integrate Google Authenticator with your applications. It is an app that generates 2-Step Verification codes on your mobile device. In addition to your password, you’ll also need a code generated by the Google Authenticator app on your phone to sign in to an account. Refer to this Asaf article to enable Google Authenticator for your applications.

    A popular alternative to Google Authenticator is Duo Security.

  • Security Code
    Another way to prevent unauthorized access is by enabling the security code settings in your email account. All subscription plans of G Suite and Office 365 (except trial versions) let users receive a security code on their mobile device to verify their identity. The administrator can also set the mode of communication for receiving the security code – as a text message or a call.
  • USB device as authenticator/signature device
    Critical applications or sensitive data stored in your network can be protected with the help of a USB security key. USB authentication requires the employee to insert the USB device that holds the signing credential and enter a security code to access the application. Yubico’s YubiKey is one such authentication device.

3. Configure email for secure data flow

DomainKeys is an email authentication mechanism that verifies the authenticity of emails sent from a domain. Emails that pass DomainKeys authentication are termed DomainKeys Identified Mail (DKIM)-passed. Using the DKIM protocol, the administrator can whitelist the various business domains and so prevent phishing attacks from external domains.

Below is an image of the Google Admin console interface that allows the administrator to add DKIM for email authentication.

Email service providers give a preview of the data sharing activities happening from your domain to an external domain.

In the above images, you can notice an unusual sharing activity on 14th May 2018. Such unusual data transfer needs to be identified and questioned, as any confidential data shared with an external domain can put your organization at risk.

How to enable/disable email authentication and file sharing settings for Gmail:

For enabling email authentication:

  • Go to Admin console>Apps>G Suite>Gmail>Settings for Gmail>Authenticate Email
  • Customize the outgoing email settings with DKIM authentication

For enabling secure sharing settings:

  • Go to Admin console>Apps>G Suite>Settings for Drive and Docs
  • Select the suitable option and apply for your domain

How to enable/disable sharing settings for Office 365:

In Office 365, email authentication is an inbuilt feature.

  • Go to Admin>Service Settings>Sites and Documents Sharing
  • Do one of the following:
    1. Turn on External Sharing
    2. Turn off External Sharing

4. Monitor suspicious external sites

Fake external websites and links are easy baits for unwitting users. Hackers create fake websites that resemble some popular and credible sites. Even if the web page looks legitimate, you will notice that the URL of the page will be different from the original site.

For example, if you happen to enter your credentials in this fake Amazon sign-in page, the attacker will have access to your Amazon account.

How do you determine if an external site is genuine or fake?

The following factors should be assessed before classifying a website as safe/unsafe:

  • Search traffic
  • Engagement
  • Popularity
  • Unique visitors

The Alexa rank for a website can provide a pointer to the credibility of the website.

For example, the following image shows the Alexa rank for www.google.com.

If you were looking at a duplicate version of the Google website, the Alexa stats would be different.

It is recommended to use a third party tool like Syscloud Phishing Security to automate the flagging of suspicious websites that users in your network might have visited.

5. Perform real-time scan

IT administrators can use third-party tools to perform a real-time scan on the data stored within their organization.

SysCloud Phishing Security is one such real-time scanning application. This application allows the administrator to detect and remove threats from a domain. It covers G Suite as well as Office 365 applications.

To perform a real-time scan with SysCloud Phishing Security application:

Go to G Suite Marketplace and search for SysCloud Security and Backup. Install and launch the app.

Go to Admin console>Data Loss Prevention>Sharing Insights

Select the domain from the domain drop-down option and click on SCAN NOW to see the results.

Real-time scan enables you to:

  • Look into the collaborators of a particular document
  • Detect data leaks
  • Receive details about the threats from scan results

Analyzing these reports at regular intervals will allow you to detect possible phishing attacks.

6. User and Entity Behavior Analytics

User and Entity Behavior Analytics (UEBA) refers to the tracking of user data and activities to detect anomalies. UEBA software can analyze domain data logs to identify the patterns of traffic generated by employees/users, both normal and malicious. This helps IT administrators monitor employee activities and prevent them from accessing unauthorized data.

For example, if you are using Office 365 with the enterprise E5 subscription plan, there is an option called Audit log, where the administrator can define suspicious activities for their domain.

The below image shows the Security & Compliance page of Office 365, where the administrator can search for suspicious activities.

You can create a new alert policy by clicking on the +New alert policy option. Enter the details on the next page and click Save.

If you are not using Office 365, you can also choose from third-party UEBA tools. Here is a list of UEBA vendors published by Gartner.

7. Implement solutions for malware and spyware

Malware and spyware come in different shapes and forms, such as Trojans, worms, viruses, ransomware, and spyware, to name a few. Every piece of malware is unique and created with a specific objective.

Some of these objectives are to:

  • Steal confidential data
  • Use the victim’s IT Infrastructure as a host for a mass phishing attack
  • Demand a ransom by encrypting the files

In 2017, WannaCry ransomware made big headlines as it caused significant financial loss amounting to billions of dollars across hundreds of countries.

IT administrators should consider implementing endpoint security solutions that can detect and block malware attacks originating from both compromised and external domains. Endpoint solutions also provide IT administrators with the ability to rapidly respond to new threats and to properly investigate and clean up the network after an attack.

Here is the 2017 Gartner Peer Insights report on the best endpoint solutions chosen by customers.

For a direct comparison of anti-malware security solutions refer to the comparison table from the PC Magazine.

8. Implement secure document sharing

IT administrators should implement processes to govern document-sharing within and outside the domain.

Internal to the domain:
For G Suite, enabling the Authorised Email gateways – SMTP option whitelists all the channels (like gappssmtp) used for internal communication.

To enable this option, go to Admin Account > Apps > G Suite > Settings for Gmail.

This prevents emails sent through unauthorized SMTP gateways from reaching employees.

For example, in the image below, syscloud.com is spoofed through the smtpservice.net portal and a phishing link is sent to the employees. Administrators can prevent this from happening by whitelisting all the channels for internal communication.

External to the domain:
Communication with an unauthorized external domain may put your organizational data at risk. Often cyber attackers use spoofing to steal sensitive data. For example, abc@businessdomain.com and abc@businessdomain.co look similar but are two different domains.

A general best practice is to always whitelist alias domains and encourage users to report suspicious emails from external domains as spam/phishing.
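Lookalike sender domains such as the businessdomain.com / businessdomain.co pair above can be caught by comparing each sender domain against the whitelist rather than eyeballing it. The following is an added example (not code from the original post) that classifies a sender address as trusted, a known alias, a lookalike (TLD swap, confusable characters, or a one-or-two-character typo) or plain external; the trusted domains, aliases and confusable map are constructed assumptions for this example.

```python
# Constructed assumptions: the organization's own domains and legitimate aliases.
TRUSTED = {"businessdomain.com", "syscloud.com"}
ALIASES = {"businessdomain.co.uk"}
# Characters that read alike in most fonts (small illustrative map).
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w"}
MAX_TYPO_DISTANCE = 2   # tune down for short trusted domains to avoid false positives


def edit_distance(a, b):
    """Levenshtein distance, plain dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(domain):
    """Fold confusable characters so visually identical strings compare equal."""
    d = domain.lower().strip(".")
    for bad, good in CONFUSABLES.items():
        d = d.replace(bad, good)
    return d


def classify_sender(address):
    """Return 'trusted', 'alias', 'lookalike:<kind>' or 'external'."""
    domain = address.rsplit("@", 1)[-1].lower().strip(".")
    if any(domain == t or domain.endswith("." + t) for t in TRUSTED):
        return "trusted"
    if domain in ALIASES:
        return "alias"
    name, _, tld = domain.rpartition(".")
    for t in TRUSTED:
        t_name, _, t_tld = t.rpartition(".")
        if name == t_name and tld != t_tld:
            return "lookalike:tld-swap"        # businessdomain.co vs businessdomain.com
        if normalize(domain) == normalize(t):
            return "lookalike:confusable"      # businessd0main.com
        if edit_distance(domain, t) <= MAX_TYPO_DISTANCE:
            return "lookalike:typo"            # busineszdomain.com
    return "external"


if __name__ == "__main__":
    # Constructed sample senders.
    for addr in ("abc@businessdomain.com", "abc@businessdomain.co",
                 "abc@businessd0main.com", "abc@partner.example"):
        print(addr, "->", classify_sender(addr))
```

A lookalike verdict is a signal to quarantine or banner the message, not proof of fraud; the page's advice to whitelist real alias domains is what keeps the alias branch from firing false alarms.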

Private among few users of the same domain:
IT administrators can create multiple internal groups within their domain. This makes communication among a group easier; however, groups can also make it easy for attackers to carry out name impersonation phishing attacks. A single email can reach a number of potential victims in your organization. For example, management@acme.com can give the attacker the opportunity to target all key members of the group using a single email.

Administrators should always consider disabling group email addresses for all external communications. It’s also not advisable to add local administrators to manage email groups.

9. Prevent phishing on your G Suite domain

G Suite provides different options to prevent phishing attacks in your business domain. To enable these options, follow the steps below:

  • Go to Admin Account > Apps > G Suite > Security.

  • 2-step verification: Multi-factor authentication needs to be enabled throughout the domain.

  • Access permission for only trusted apps: Enabling this option will prevent suspicious apps from accessing your data.

To enable the following options, go to Admin Account > Apps > G Suite > Settings for Gmail.

  • Avoid unsafe attachments: Enabling this option prevents the user from receiving attachments from suspicious emails.

  • Links and external links: Enabling this option lets the admin block unsafe links and images, which then remain inaccessible to the user.

  • Spoofing and authentication: Enabling this option will stop name impersonation/spear phishing attacks.

10. Enable Office 365 phishing protection

ATP anti-phishing protection, part of Office 365 Advanced Threat Protection, is available with the Office 365 Enterprise E5 subscription plan.

To protect your organization from phishing attacks, you can set up an ATP anti-phishing policy:

  • Go to https://protection.office.com and sign in with your work or school account
  • Choose Office 365 Security & Compliance Center
  • In the left navigation pane, choose Threat management>Policy>ATP anti-phishing.

  • To add a new policy, click on the Create option.
  • To edit an existing policy, click on the specific policy name and choose Edit policy.

  • Specify the name, description, and settings for your policy.
  • Click on Create this policy or Save as appropriate.

11. Enable Secure Browsing with Virtual Desktop Infrastructure

Deploying a virtual desktop infrastructure (VDI) could give IT administrators better control over potential threats such as a phishing attack.

How does VDI prevent phishing?

Using VDI, the administrator has greater control and visibility over what the users are doing. For example, you can view a log of all the websites and links visited by all the users in the network. Administrators get instant access to a detailed activity report, with the location, IP address, and user details, to identify data leaks and potential threats to the server data.

Because the data does not reside on the user’s computers or mobile devices, there is added security against hackers who might have launched a phishing attack to access data stored in the victim’s computing device.

VDI has now evolved into Desktop as a Service (DaaS) and provides out-of-the-box security features like firewall, antivirus and malware protection and pre-built security policy templates to name a few. Citrix, Amazon, Microsoft, and VMware are the major DaaS vendors in the market.

12. Deploy password alert extension for G Suite

Password Alert is a Chrome extension that gives additional login protection for G Suite users. This extension scans each website visited by the user for page impersonation.

The Password Alert extension notifies the administrator if a user enters their G Suite credentials anywhere other than the Google sign-in page. It also gives the administrator the option to enforce deployment of the Password Alert Chrome extension on users’ laptops and mobile devices.

To access this option, go to Device management > App Management > Password Alert.
Select Force installation under User Settings and Public session settings.

13. Communicate latest attacks

In spite of the security measures taken by IT administrators, some malicious emails may still find their way to inboxes undetected.

To prevent such events, it is necessary to create awareness among the employees about the latest threats and how new techniques are being used for phishing.

Here are some of the successful scams that target employees:

  • Dropbox Scam – An email that’s designed to look like a Dropbox notification can easily infect the network with malware.

  • DHL parcel scam – Here, users are asked to verify their personal details for parcel delivery.

  • FedEx Scam – This is a package delivery scam. In the image below, clicking on the “here” link will download malware onto the system.

How can Administrators stay informed about the latest phishing threats?

Administrators can use Google Alerts to stay updated about the latest phishing attacks.

Here is an example of an automated update from Google Alerts.

Here is how you can set up Google alerts:

The administrator can forward these emails to the employees by adding a filter.

To add a filter,

  • Go to the Google Alert email in your inbox.
  • Click on More>Filter messages like these>Don’t include chats>Continue.
  • From the What happens when the message arrives option, choose Forward to: and add the relevant group of people.
  • Click on Create filter.

14. Use third-party tools

SaaS providers like SysCloud help users spot suspicious emails and provide IT administrators with real-time data to take proactive action and implement policies. While vendors like SysCloud provide coverage for cloud applications like G Suite and Office 365, other vendors may provide wider coverage.

Here is how third-party tools like SysCloud help in protecting your network from a phishing attack.

Create a phishing policy:

  • Create an account with SysCloud
  • Go to Compliance tab >Policies

  • Click on Create new policy.

  • A new policy will be created with the standard name Phishing policy_MM/DD/YYYY HH:MM:SS. Enable policy for the entire domain or individuals or business units accordingly.

  • Define the cloud applications that will be covered by the phishing policy. The administrator can select G Suite, Office 365, or both.

  • Set the protection level accordingly.

  • The administrator can define real-time actions against phishing attacks:
    a. Audit only – this will still keep the infected email in the inbox but report it in the admin console
    b. Add banners and labels to email – this will add caution banners and quarantine labels to the flagged email
    c. Move to trash – this will move the email to the spam folder

  • Exception management is an add-on feature for users. Here users can raise an exception query if they feel that the email received is safe.

  • Click the Finish & Active button to enforce the policy.

15. Use a phishing simulator

Phishing simulators can be used to check the state of awareness among employees about suspicious emails. Specifically, simulators are meant to help employees understand key aspects of a phishing attack. This includes:

      • What is phishing?
      • What does it look like?
      • The dangers of opening emails with enticing subjects
      • Perils of emails prompting you to take action immediately
      • Brand impersonation and domain impersonation

Anti-phishing vendors offer phishing simulators either as a free tool or as a part of their service offering. Here are some of the options IT administrators can evaluate:

      • SecurityIQ PhishSim
      • Gophish
      • LUCY
      • Simple Phishing Toolkit (sptoolkit)
      • Phishing Frenzy
      • King Phisher
      • SpeedPhish Framework (SPF)
      • SpearPhisher BETA

If you have implemented Office 365 with the Enterprise E5 subscription plan (which is the highest subscription level), you can simulate phishing attacks.

An Office 365 administrator has three attack options to choose from for a selected set of employees. The three phishing attack options available include:

  1. Spear Phishing Attack
  2. Brute-force Password Attack
  3. Password-spray Attack

For configuring a spear phishing attack, the administrator can configure the email by editing the HTML code to make it more believable. For password-spray attacks and brute-force attacks, the simulator provides an option for the IT administrator to choose the password to be used on a group of employees or a targeted individual respectively.

After the simulation is completed, administrators can access data on how successful the attacks were. Remedial actions such as training sessions, multi-factor authentication solutions or any other recommended approach can be implemented based on the results of the simulation.

If you have follow-up questions or want to learn more about SysCloud, please contact us.