Under the Radar – Phishing Using QR Codes to Evade URL Analysis

Phishing attacks evolve over time, and attacker frustration with technical controls is a key driver in the evolution of phishing tactics.

In today’s modern enterprise, it’s not uncommon for our emails to run the gauntlet of security products that wrap or scan embedded URLs with the hope of finding that malicious link. Products like Proofpoint URL Defense, Microsoft Safe Links, and Mimecast URL Protect hope to prevent phishing attacks by wrapping or analyzing URLs.  These technologies can only be effective IF they can find the URLs in the first place.

Fast forward to this week where our Phishing Defense Center™ stopped a phishing campaign aimed at customers in Finance. The analysis below outlines the attacker’s use of a URL encoded in a QR code to evade the above-named technologies.  While you’ve probably seen QR codes in your everyday life, this might be the first time you are seeing QR codes used as a phishing tactic.

The Phish:

The email itself is relatively simple. It poses as a pseudo SharePoint email with the subject line: “Review Important Document”. The message body invites the victim to: “Scan Bar Code To View Document”. The only other visible content is a tantalizing QR code that a curious user may be tempted to scan.

Figure 1, Email Body

The message body in plain text consists of several basic HTML elements for styling and an embedded .gif image file of the QR code. Very basic, but very effective.

When the QR code is decoded we can see that that it contains a phishing URL: hxxps://digitizeyourart.whitmers[.]com/wp-content/plugins/wp-college/Sharepoint/sharepoint/index.php

Most smartphone QR code scanner apps will instantly redirect the user to the malicious website via the phone’s native browser. In this case the victim would be redirected to a SharePoint branded phishing site. The victim is then confronted with options to sign in with AOL, Microsoft, or “Other” account services. While this sounds like a simple phish, there is a more nefarious tactic in play: removing the user from the security of a corporate business network.

Figure 2, Phishing site

Standard Security Controls Circumvented:

By enticing the victim to pull out their smartphone and scan the QR code the attacker manages to evade standard corporate security controls. Secure email gateways, link protection services, sandboxes, and web content filters no longer matter because the user is now interacting with the phishing site in their own security space: their mobile phone. And yes, the phishing site is optimized for mobile viewing. Here’s a glance at what the site looks like on a smartphone:

Figure 3, Phishing page viewed on phone

Though the user may now be using their personal device to access the phish, they are still in the “corporate” mindset as the original email was received at their business email address. Therefore, it is highly likely that the victim would input their corporate account credentials to attempt to access this “document”. 

Gateway Evasion:

This attack was observed passing through an environment utilizing Symantec Messaging Gateway. When scanned, the message was deemed “Not spam” by the system as seen in Fig 4 below.

Figure 4, Email Header Snippet

Conclusion:

In the past QR codes were reserved for geeks on the bleeding edge of technology. Today we interact with QR codes more and more as we cut the cord on cable, setup home internet devices, transact crypto currencies, etc…  Will QR codes be a common phishing tactic of the future? Time will tell.  But THIS phishing attack that snuck past best in class phishing technologies was only stopped by an informed, in tune human, who reported it with Cofense Reporter ™ , so that their security teams could stop it.

Today over 90% of phishing threats observed by the Cofense Phishing Defense Center ™ bypassed secure email gateways. Condition users to be resilient to evolving phishing attacks with Cofense PhishMe ™ and remove the blind spot with Cofense Reporter.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

Phishing Attacks on High Street Target Major Retailer

By Jake Longden

The Cofense Phishing Defense Center™ has observed a phishing campaign that purports to be from Argos, a major retailer in the UK and British High Street. During 2018, Argos was the subject of a large number of widely reported phishing scamsi; this threat specifically targets Argos customers for their personal information and looks like a continuation of what was seen last year.

With the goal of stealing your store credit card and login information, here’s how it works:

All third-party trademarks referenced by Cofense™ whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

Fig 1. Email Body

Email Body:

The message itself follows a standard phishing template to inform the user that their account has been restricted and that user sign in is required for verification. The use of bad grammar and typos are a dead giveaway that this email communication is not genuine.

Message body in plain text:

In reviewing the body of the email, we see the hyperlink for “Sign into your account” which directs the potential victim to: hxxps://www[.]argos[.]co[.]uk[.]theninja[.]gknu[.]com/www[.]argos[.]co[.]uk/account-login/

The attacker repeatedly used the string of the legitimate Argos site in the URL, both as part of the subdomains, and as a subdirectory. This was an attempt to mask the true source, and to lure the victim into trusting the legitimacy of the website.

Upon examination, we see that the link is wrapped by a URL filtering service.

href="hxxps://clicktime[.]symantec[.]com/3AuyExDNpRSjkQbgT2gXygH6H2?u=hxxps://www[.]argos[.]co[.]uk[.]theninja[.]gknu[.]com/www[.]argos[.]co[.]uk/account-login/" target="_blank" rel="noopener"><span class="ox-dad7652f0e-m_609589041267919212link-blue ox-dad7652f0e-m_609589041267919212MsoHyperlink ox-dad7652f0e-m_609589041267919212MsoHyperlinkFollowed">SIGN
INTO YOUR ACCOUNT

Fig 2. Email Body in Plain Text

 

Email Headers:

Analysis of the headers indicates that the “from” address is spoofed; the “reply to” field contains the address ‘no-reply[@]creativenepal[.]org’, which does not match ‘no-replays[@]multitravel.wisata-islam[.]com’.

Research on the ‘multitravel.wisata-islam’ domain failed to produce relevant data and reinforces the suspicion that the address is spoofed. At the time of analysis, we were unable to resolve an IP address, or load the domain.

From: <no-replays[@]multitravel[.]wisata-islam[.]com>
To: <xxxx.xxxxxx@xxxxxx.com>
Subject: [WARNING SUSPECTED SPAM]  [WARNING SUSPECTED SPAM]  Please make sure
 you complete the form correctly.
Thread-Topic: [WARNING SUSPECTED SPAM]  [WARNING SUSPECTED SPAM]  Please make
 sure you complete the form correctly.
Thread-Index: AQHVIXUk7CjiCOKjHEyntcvh4etMFg==
Date: Wed, 12 Jun 2019 23:18:17 +0000
Message-ID: <7d885f411da93272271ec8ad32e5064b@localhost.localdomain>
Reply-To: <“:no-reply”[@]creativenepal[.]org>

Fig 3. Email Headers

Phishing Page:

Once the user clicks on the “Sign into your account” hyperlink, they are redirected to a convincing imitation of the true Argos login page requesting the victims’ Username and Password.

This then leads the user to a second page, where the user is requested to supply details for their Argos store credit card account. This page follows the standard format for regular credit/debit cards with one key difference: the additional request for a ‘Card Amount’. This request is specific to the Argos Card as referenced in the copy: “The Argos Card lets you shop at Argos, with flexible payment plans that give you longer to pay” (see: https://www.argos.co.uk/help/argos-card/apply). This deviates from standard forms by asking the user for their credit limit.

 

 

Fig 4. Phishing Page

Gateway Evasion:

This campaign has been observed to pass through the ‘Symantec Messaging Gateway’.

We can see the influence of the Email gateway which injected ‘Warning Suspected Spam’ headers to the Subject Line and incorrectly presented this phish as a benign marketing email, and not a phishing attempt.

Conclusion:

To help protect against this type of credential phish, Cofense PhishMe™ offers a template called “Account Limitation.”

This credential phish eluded gateways and was actually mis-identified as harmless marketing spam. In fact 75% of threats reported to the Cofense Phishing Defense Center are Credential Phish. Protect the keys to your kingdom – condition end users to be resilient to Credential Harvesting attacks with Cofense PhishMe.

 

All third-party trademarks referenced by Cofense™ whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

i Google Search “Argos Data Breach 2018”

John Podesta’s Phish Foreshadows Doom for 2020

If you haven’t read the Mueller Report, spoiler alert: the phish that netted the Clinton campaign was not sophisticated. As you may know, neither was the campaign’s phishing defense (understatement). All of which spells probable doom for the 2020 presidential candidates, despite the news that campaigns have looked at offers, some free, from cyber-security firms.

SMBs: 5 Ways to Avoid Becoming a Small Phish in a Big Pond

In the fall of 2016, I watched a good friend get her business ready for opening in her first retail space. She had previously run everything from her home and now she was entering a whole new phase. I observed her interactions during a few visits and she knew when I gave her that “look,” there was something that needed improving.

“What Wi-Fi network do you have your register assigned to in the shared retail space? You should put a password on that register device you’re using, so when you’re across the store someone can’t open your register.”

The best part of helping her set that device password was watching her millennial daughters return to the store and try to guess the password – listening to their theories on creation was most amusing.

Following are 5 ways you can protect YOUR small business from phishing and other cyber threats.

  1. Train Your Employees!

A majority of small businesses have fewer than 50 employees. Ensure your staff are trained on the basics of cybersecurity for their roles. There are a number of free (YES really free!) resources available online to provide the basics: phishing, passwords, internet browsing and data protection.

The number one threat that will impact your business is phishing. Start with the simple actions. Teach employees to diligently check links – hover to see the real destination. If they did click on that link, do they have someone to tell? What if it took them to a website asking for their username and password?  If there’s an attachment, did it come from a trusted sender – if so, were they expecting to receive that invoice or resume file?

In June this year, the FBI issued a warning about the dramatic increase in business email compromise (BEC), which results in financial loss for the business targeted. The BEC scam is a simple email from a fraudster masquerading as a legitimate business executive asking for funds to be wired. These messages are typically targeted to individuals in the organization that process invoices or payments.

With a small staff, it’s not always easy to build your processes to include segregation of duties. But having controls in place related to handing out funds will not only save you on insider theft, it will also reduce the potential wire fraud from a random email spoofing your email address to your finance team. If your business does become a victim, the FBI encourages you to report the incident.

Remember the Target breach? The malicious actors started with sending a phishing email to the HVAC maintenance technician – a small business.

  1. Get Cyber Insurance.

You have an insurance policy on your car to protect you if you’re in an accident. You purchase liability insurance to cover your risk, should you encounter an unforeseen disruption in your business. In order to protect your business from a security incident that could result in a data breach or business disruption, you should invest in a cybersecurity insurance policy.

  1. Invest in IT/Cybersecurity Services

Enlisting the help of your teenage nephew is great for setting up your new phone or laptop, but that’s not the best solution to support your growing business. There are plenty of managed service providers to contract support for your technology and cybersecurity needs. Tap into your local small business networks or professional sharing networks for recommendations.

  1. Protect your Online Business Accounts

I put it in the cloud! The cloud service offerings today are far more readily available and robust than even five years ago. Entering your credit card info to purchase a piece of the cloud is easy, but make sure you know what you’re putting where. Keeping an inventory of these services, along with the type of data your storing, is important if the service experiences a breach or an outage.

While it might be easy to use that same username and password across all your accounts, it only takes one data breach to put all these services at risk. Get a password vault to manage these accounts.

  1. Protect your Social Media Accounts

As a small business owner, your number one “go to” place for your marketing campaign is social media. Managing these accounts is critical to protecting your online identity. Who has access to post on your behalf? Limit who has access to the account. Review your profile settings to ensure you have the highest level of security enabled. If the provider allows you to enable two-factor authentication – ENABLE IT!

Learn what two-factor authentication is and how to enable it at https://www.lockdownyourlogin.org/

YOU can do this – small steps can make a BIG difference!

Whether your family business was handed down to you through generations, or you’re a new start up, or  a nonprofit, small city, county, or community organization – you have intellectual property or personal data that you need to protect. And you have employees that need to take actions to support your business.

You built your business to live your dream; don’t let a malicious actor take that away from you! As you grow your business, make sure you grow your cybersecurity capabilities right along with it.

Hey! I know I’ve never talked to you before – but can you send some money – QUICK!

Business Email Compromise (BEC), also known as CEO Fraud, is a type of phishing email designed to impersonate an executive. In a BEC campaign, the “executive” urgently instructs an employee to wire money, sometimes lots of money, to a bank account. The FBI reports that BEC scams hit businesses to the tune of $12.5 billion annually.

What makes BEC campaigns different?

In a BEC attack, the weapon of choice is simple words. Instead of tricking people into clicking a malicious link or attachment, a BEC attack tries to lure recipients into taking action. The threat actor will spend time researching the organization, identifying execs whose high-priority messages would make employees respond ASAP.

Though this type of threat is fairly new in the phishing landscape, it is very successful. Actors have been able to make off with millions of dollars, using networks of mules to move the money back to the mothership.

In recent months, there has been a shift in the type of currency requested—gift cards. They’re easy to obtain and, if requested in smaller amounts, can go unnoticed but still add up. Researchers have also been doing their work, hunting these criminal groups with much success. Last summer the FBI announced the arrest of 74 fraudsters, all related to BEC. When an organization realizes it’s been hit with a BEC attack, it can reach out to the FBI, which will work with financial institutions to block the transfer of funds.

What can you do? A few tips.

I remember a few years back when this threat started to surface. I couldn’t help but think back to my days in finance and IT compliance, with a focus on Sarbanes-Oxley, and think about the controls breakdown BEC triggers. Here are some ways to KEEP control.

First and foremost, train your employees to be on the lookout for these types of messages. Secondly, implement controls within your payment process to require a secondary signature for release of funds. When I worked in the treasury department for a retail chain, there were many days I would have to walk to the Controller’s or CFO’s office to get a REAL signature on a check greater than $50,000 or a request for a direct wire. Also, look to the gateway controls and implement DMARC /DKIM as discussed in our previous blog post.

There is another control that is starting to become a best practice—tagging external messages in the subject line or message body and letting your employees know the message originated outside the organization. This tag is helpful in spotting BEC messages. Many times, executives or high value targets are reading their messages on mobile devices. The mail client on these devices doesn’t display the fully qualified email address, making it difficult to assess the validity of the message sender.

A BEC sample:

The importance of tagging for viewing on a mobile device – mail client vs mobile:

If your organization becomes the victim of a BEC scam, report it quickly to help the authorities stop the funds from going through. Reporting also provides law enforcement with more information about the threat actor, which further helps to fight these crimes.

Learn more about phishing threats and protection in the Cofense State of Phishing Defense report.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

When You Unsubscribe to these Emails, You ‘Subscribe’ to the Loda RAT

CISO Summary

It’s critical that anti-phishing programs reflect the latest threats. Cofense IntelligenceTM has recently observed a phishing campaign that illustrates why. It entices users to download a malicious document from a seemingly legitimate source, an insurance company whose roots go back to 1896. Through a complex chain of abuse, including the exploitation of a legit subdomain hosted by Microsoft, this threat is capable of tricking users unfamiliar with wrinkles like multiple links to the same source and malicious “unsubscribe” links. If successful, the attack activates the Loda Remote Access Trojan, underscoring the importance of educating users to stop phishing emails.

Full Details

Cofense Intelligence recently observed a campaign that used convincing emails to entice recipients into downloading a malicious document from a seemingly legitimate source. These attention-grabbing emails contained multiple links to the same source, which was hosted on a subdomain of the legitimate Microsoft-owned domain azurewebsites[.]net. This source URL downloaded a Microsoft Word document that abused an object relationship to then download and open an RTF document. The RTF document abused CVE-2017-11882 to download the multi-functional Loda Remote Access Trojan. By taking advantage of users’ assumption that unsubscribe links are legitimate, along with their trust in verification, threat actors were able to craft a campaign capable of fooling even users with basic security awareness training.

What a Deal…

The emails used in this campaign have several attributes that give the appearance of legitimacy. The first email, the top of which is shown in Figure 1, impersonates Fidelity Life and claims to offer a good deal on life insurance.

 Figure 1: Body of the email spoofing Fidelity

In this email, the only actual text present is the unsubscribe information at the bottom of the email shown in Figure 2.

Figure 2: Unsubscribe section of the email spoofing Fidelity

The top three paragraphs in Figure 2 are in fact an image, while the bottom paragraph (with a pointer hovering over it) is searchable text that appears to have been added by the threat actor. All of the image shown in Figure 1 is a clickable link leading to the same URL as the unsubscribe link, hxxps://onlinefinances[.]azurewebsites[.]net/mowgli/fidelity_insurance[.]docx.

Verification Passed

If users who have been trained to be suspicious of links were to first visit the website by typing the URL into an internet browser and looking at the webpage information, they would see the information shown in Figure 3.

If users are particularly security conscious, they might even look up the domain on a website with tools that check for legitimacy. However, this would likely give them the same information as what is shown in Figure 3, because most tools will check the root domain, in this case azurewebsites[.]net, which is a completely legitimate domain owned by Microsoft. The only easily recognized indicator of malicious content is the prompt when a file is downloaded from an unsubscribe link.

Double Interest

The second email, shown in Figure 4, pretends to be a relatively benign “news” email from the company Livenlonpro about a new Amazon policy.

Figure 4: Body of the email spoofing Livenlonpro

In this case all links and images download a file from hxxps://onlinefinances[.]azurewebsites[.]net/mowgli/Amazon_Cancelled_order[.]docx. With this approach, any user that attempts to unsubscribe from what appears to be a spam email will instead download malware. Although differently named, the downloaded file is the same for both emails.

Actual Goal

Once the file is downloaded and opened, it attempts to use an object relationship to download a document with CVE-2017-11882 which, in turn, downloads the multi-functional Loda malware. Loda is capable of acting stealthily to download additional malware or provide the threat actor with full remote access to the victim’s computer.

Direct Importance

Attacks such as this demonstrate threat actors ability to adapt to changing circumstances and training methods. Organizations often focus employee training on the philosophy “don’t click suspicious links or open attachments.” While usually effective, this method can fall prey to creative threat actors. Using a training method that encourages employees to think critically can help protect organizations by avoiding situations where employees make assumptions about the nature of a link and act accordingly.

To stay ahead of emerging phishing and malware trends, sign up for free Cofense™ Threat Alerts.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

DMARC Is NOT a Fail-Safe Defense against Phishing Attacks

DMARC, or Domain-based Authentication Reporting & Conformance, is an email authentication, policy and reporting protocol. It was conceived to prevent impersonation-based phishing attacks, but it doesn’t protect you 100%. Let’s examine why.

What DMARC Can Do

DMARC builds on the existing and widely deployed SPF and DKIM protocols. All mechanisms to protect the email infrastructure we so heavily rely upon should be gratefully received, but as with everything the benefits and limitations should be fully understood. It is this understanding that allows us to optimize our defenses against the perpetual menace of phishing attacks.

DMARC has most promise to help organisations defend against Business Email Compromise (BEC) type attacks, as successful impersonation can be an imperative for success. As a result, DMARC should be evaluated as a mitigating control for these types of attacks, protecting both outbound as well as inbound email.

DMARC aims to get email senders and receivers working together in a standardized, coordinated way to determine whether a given email is legitimately from the sender—and the actions to be taken if it isn’t.

Therefore, if alice@sender.com sends an email to bob@receiver.com, appropriate DMARC policies can help remove the guesswork and answer the question “Has this email really been sent by alice@sender.com?”. By protecting their messages with SPF and DKIM, and using DMARC, sender.com can tell receiver.com what to do if these authentication methods fail, for example, reject the message.

What DMARC CAN’T Do

It all sounds good, but what if the email comes from alice@sendr.com, or alice@sencler.com—does DMARC help then? Unfortunately, not. What about if the message is sent by alice@sendr.com, but the From: field has been modified to look like it comes from alice@sender.com—does DMARC keep Bob safe? No again.

While display-name abuse and adjacent-domain abuse are well recognized, there’s another growing phishing tactic that neutralizes DMARC completely. DMARC has capabilities to validate the sender’s authenticity, but it has no capability to validate the authenticity, of the email content.

Recently, the Cofense™ Phishing Defense Center has seen a significant rise in Man-in-the-Inbox style attacks. These attacks typically occur when user credentials have been compromised and are used to gain access to the compromised user’s mailbox and send malicious emails. These emails might be sent internally (no DMARC there…) or to a trusted third-party (DMARC might be configured, but as the message is coming from a legitimate user, SPF and DKIM check out, and the message is delivered…). The recent PDC zombie phish blog post discusses one style of Man-In-The-Inbox attack in more detail.

Given this, it’s important that emails teams don’t expect more from DMARC. It’s equally important that security teams ensure that end users are empowered to be “human sensors,” to identify and report emails that look suspicious. Users need to be alert to visual clues, such as adjacent sender domains, peculiar content, or unusual or unexpected emails, even if the emails come from internal senders or trusted third-parties.

We all need to remember that real phish are the real problem. This means knowing what real phish look like as they evolve day to day—and not expecting DMARC to do more than it really can.

Want to learn more about the DMARC protocol? Take a look at https://dmarc.org for the juicy details.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

Uncomfortable Truth #5 about Phishing Defense

Last in a 5-part series. 

In this blog series we’ve explored the Uncomfortable Truths about phishing defense that relate to the problem of over-relying on technology to keep us safe. We’ve also seen how empowered users can give Security Operations teams desperately needed visibility into phishing threats. This leads us to our fifth and final Uncomfortable Truth:  

Most organizations are unable to effectively respond to phishing attacks.  

Before you get offended and say “Hey, that doesn’t apply to me, our SOC is awesome,” stick with me on this. The reasons for ineffective phishing incident response are many and varied, but in my experience, tend to fall into one of two buckets: 

  1. Not enough time 
  2. Not enough experience/understanding

Not enough time  

This is already well understood. SOC teams are perpetually spinning multiple plates, trying to make sense of the stream of data they are presented with from an abundance of tools. This problem can be compounded when users are empowered and enabled to report suspicious emails. The CofenseTM Phishing Defense Center (PDC) sees differing reporting volumes across the customers who use us for phishing email analysis. While reported mail volumes differ, they tend to fall within common low and high watermarks – equivalent to around 10% and 35% of users reporting at least one email per month.  

For every 1,000 users, that’s the SOC having to consume and analyze between 100 and 350 reported emails per month. The PDC also observes that 1 in 7 of the emails reported to us contain malicious content. Therefore, 6 out of 7 are false positives, or noise. The largely unstructured nature of these reported emails and the sheer volume of noise can make analysis a thankless task that gets de-focused in favour of other more immediate priorities.  

Not enough experience/understanding 

Effective phishing email analysis is much harder than many people imagine. One of the biggest issues that organizations face is the risk of false-negative results, post-analysis. These false negatives occur when a reported phishing email is considered to be benign, and is returned to the reporting user with a message that says, “Thanks for reporting, this email was found to be safe.” The subsequent click delivers a missed payload and compromise occurs.  

To remain razor sharp in your analysis skills, you have to maintain an understanding of the constantly evolving threat landscape and threat actor TTPs. All too often, I see organizations relying on an already overburdened service desk to perform initial, or complete, analysis of reported phishing emails. Without adequate skills, they rely on tools such as VirusTotal to tell them whether something is bad or not. However, as useful as these tools are for information and context, they should never be considered a source of absolute truth.   

Effective phishing analysis and response 

Simply sending a file or URL to a sandbox or checking online threat analysis tools and databases is not good enough. SOC teams and threat analysts must be able to consume reports of suspicious emails from users and turn them into actionable intelligence quickly.  

This means they must be able to prioritize what is being reported to cut through the noise of false-positives, such as legitimate marketing or internal emails, and automatically be able to understand risk based on: the attributes of the email content and any attachments; the status of the user reporting the email (are they high-risk employees with access to sensitive information or processes); the reputation of the user (have they demonstrated an ability to identify and report suspicious emails in the past – essential to help prioritize zero-day threats); and use information from third-party threat analysis tools to help build a fuller picture  

Once a threat is analyzed and understood, SOC teams need to be able to quickly hunt for the threat within all user mailboxes and quarantine it when found. In addition, they must be able to communicate IOCs to other teams, such as those responsible for proxies, mail gateways, and endpoint security tools, to take further defensive or mitigating actions. Finally, they must close the loop by providing timely feedback to users to encourage further reporting behavior, thus supporting awareness activities. 

The Cofense Phishing Defense Center can help.  

For organizations who still struggle to devote the time to phishing email analysis, but who recognize the need to regain visibility of threats that bypass perimeter controls, the Cofense Phishing Defense Center can help. Operating 24×7, the PDC is staffed by experienced phishing threat analysts to handle all elements of analysis of reported emails.   

Supported by Cofense Research and Intelligence teams, the PDC is able to utilize as needed an array of proprietary, open source, and commercial threat analysis tools. Benefitting from a global perspective of threats across all PDC customers, our analysts are able to maintain the most up to date understanding of evolving phishing threat actor tactics, along with techniques for capturing all IOCs, even when automated approaches fail.  

Once threats have been identified, actionable intelligence is passed to customer teams. By utilizing the PDC, organizations can focus their resource-constrained SOC teams on mitigation and proactive protection, versus phishing email analysis. Learn more about the Cofense Phishing Defense Center here. 

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.  

Uncomfortable Truth #4 about Phishing Defense

Part 4 of a 5-part series.  

I’m not going to beat around the bush here. Uncomfortable Truth #4 is quite simple: 

Users are NOT the problem. 

There. I said it. If this statement seems at odds with your current thinking, don’t close this browser window just yet. Stick with me, and the effectiveness of your phishing defense programs could be changed for the better. 

Let’s illustrate with a story from Malcolm Gladwell.  

In his book ‘Blink’, Malcolm Gladwell tells of the Getty Museum in New York buying an ancient Greek Kouros statue—a tale of man triumphing over machine, as it turned out 

To cut a long story short, the museum was offered what they considered to be one of the finest examples of a Greek Kouros statue the world had seen. They were understandably excited, but cautious – the asking price was $10m – a lot of money now, but a more considerable amount in 1982.   

The statue was borrowed, and tests were organised to verify authenticity. The stone was analysed, providing its age and an assertion to where it came from. Scientists confirmed that the calcification on the stone was merely the result of being in the ground for hundreds of years. The accompanying paperwork checked out, and the museum agreed to the purchase.  

But despite the museum’s checks, upon viewing the statue, many art historians and specialists had the same reaction. An ‘intuitive repulsion’ in the first few seconds of seeing it that led them to react –  “it’s a fake. None of the doubters could quite put their finger on what specifically it was about the statue that made them react so quickly the way they did, other than it just didn’t look right.  

What does a story about a Greek statue have to do with phishing defense?  

The museum relied on technology and science to confirm authenticity. However, subsequent analysis based on human intuition found that (1) the calcification of the stone could be replicated with potato mould, and (2) addresses on the supplied paperwork just didn’t exist when the documents were claimed to have been created. Despite all the available technology and science, gut reaction yielded a better conclusion 

Harnessing this intuition can be transformational to phishing defense. Rather than try to cut our users out of the loop and rely upon technology to keep us safe from phishing threats, we must exploit this natural intuition or gut feel. We have to recruit our users into a network of human sensors to provide visibility to phishing attacks that have made it to the inbox. Afterall, if the user doesn’t tell us, nothing will.  

Your users can and should help detect real attacks. 

Phishing simulation is an essential element of an overall phishing defense strategy, but it should never be used to ‘test’ our users – phish testing is the antithesis of phishing defense. Phishing simulation must be used to keep the threat of phishing front and center in users’ minds and keep them conditioned to constantly evolving threat actor tactics and techniques – particularly those specific tactics and techniques that we see being used against our organisations.  

The primary outcome of phishing simulation should be ensuring that users understand the role they play in protecting the organisation by providing visibility of phishing attacks. Like most users, I occasionally receive emails that don’t look right. I could just delete them. However, that action protects me as an individual, but it doesn’t protect the organisation as a whole. To do this, I must sound the alarm, and help our security teams get visibility of an attack, so they can take the actions to disrupt it.  

I can do this because I’ve been enabled to recognize something as suspicious, and it’s been made easy for me to report it. A single click of a button within the email client ensures that there is no process to forget, and if I really do catch one, I get timely feedback thanking me. I pat myself on the back, and am motivated and more inclined to report in the future as I know I’m making a difference. 

Next and last in this series, we’ll look at Uncomfortable Truth #5 – Most organizations are unable to effectively respond to phishing attacks. Until then, learn more about anti-phishing trends in our State of Phishing Defense 2019 report.  

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

Uncomfortable Truth #3 about Phishing Defense

Part 3 of a 5-part series.

In part 1 and part 2, we discussed the Uncomfortable Truths that no matter how good your perimeter controls, malicious emails still reach the inbox, and that security teams cannot defend against attacks they cannot see. While some still hold next-gen technologies in almost exalted status, many organizations are beginning to accept that phishing threats still reach user inboxes and that these users will be tempted to click.

To address this risk, significant investments are made in awareness activities, including phishing simulation. Commonly, the primary goal or success metric of these activities is a reduction in susceptibility, or click rate. However, before we commit to a low click-rate as an indicator of improved security posture, and thus an ability to better defend against phishing threats, let’s consider…

Uncomfortable Truth #3 – The best security awareness program in the world will NEVER deliver a zero click rate.

As the pioneers of phishing simulation used to educate employees, we at Cofense™ know quite a bit about it. Effective phishing simulation (i.e. a phishing simulation program that actually conditions the desired behavior in a REAL attack situation) is more than just sending a few spoofed emails to users to see who clicks and who doesn’t.

While lower overall susceptibility, or click rate, is a desirable benefit, it should not be the primary objective. When reviewing data based on >2000 enterprise customers using the Cofense PhishMeTM phishing simulation platform over the last few years, we’ve seen average susceptibility flatten at about 11.5%. Here’s how the math works out:

Imagine a phishing attack that targets 1000 employees in the same organization (attacks like this are common). With an average susceptibility rate of 11.5%, this attack could easily net the threat actor 115 sets of credentials, or 115 endpoints compromised with malware. Even an industry-leading susceptibility rate of 3% in simulations results in a compromise of 30 individuals – more than enough to cause significant disruption and damage, such as Man in The Inbox attacks directed at business partners and customers. And if security teams are not aware of the attack, how can they stop it?

When investing time, effort and resources in phishing simulation activities, it’s critical to remember that REAL phish are the REAL problem. While the CISO, security awareness, and security operations stakeholders might have differing day to day responsibilities, they all have the overarching responsibility to improve organizational security posture. By breaking down silos and working more closely together, they can challenge current thinking and ask, “How can we ensure our phishing simulation activities are truly representative of the actual threats we receive?”

When you approach your program this way, you can encourage the right user behavior. Click rate alone becomes less important, and you begin to wrestle back an element of control in how users respond to real attacks.

In part 4, we’ll take a look at perhaps the most contentious uncomfortable truth of all: Users are NOT the Problem. We will attempt to bust the myth that the problem exists between the keyboard and chair.

Until then, learn more about anti-phishing trends in our State of Phishing Defense 2018 report.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.