
Google's recent anti-phishing battle is far from winning the war 

Nov 23, 2016 11:00 AM

While hackers are constantly exploiting new vulnerabilities in their victims’ network defense system, there is an “old favorite” in the data breach playbook that was first identified way back in 1987, and continues to be used today with a very effective degree of success: phishing.

What is Phishing?

Essentially, phishing is an attempt to obtain private or other sensitive data – e.g. login credentials, payment card information, etc. – from an unsuspecting victim. There are mass phishing attacks, in which hackers send out massive volumes of emails hoping that they’ll get some clicks. And then there are spear-phishing attacks, in which hackers target a specific organization and/or its employees. For example, the phony email contains familiar information, such as a name, job title or other recognizable content. Sometimes, spear phishing attacks can be augmented by voice (a.k.a. “phone phishing”). A campaign in 2013 involved hackers calling employees ahead of time, and telling them to process an invoice that they would soon receive in email. 

Most Hacking Attempts Start with Phishing

After more than 30 years of phishing, people outside of the cyber security industry might reasonably expect that the lake has been completely phished-out. However, this is not the case. According to the Verizon Data Breach Investigations Report, up to 80 percent of all hacking attacks derive from phishing attempts. Research by WIRED says the risk is even greater, and pegs the number at 91 percent. Clearly, no matter how often hackers return to the lake with their phishing pole, they do not have to wait long to start filling their net -- i.e. their databases and ultimately, their bank accounts.

Why Phishing Won’t Go Away

The biggest reason that phishing will not go away is because it works! And if hackers have exhibited a singular, unwavering trait over the decades, it is that they will continue doing the same thing over, and over, and over again until it stops working.

However, the underlying reason that phishing works is rather troubling: end users repeatedly demonstrate that they are the weakest link in the network defense system. Regardless of how much training they receive on safe electronic communication policies, invariably one (though usually more than one) end user will click a link, download an attachment, or fill out a form -- and basically raise the castle gates for the attacking horde to come in and start pillaging. Vanderbilt University’s Eric Johnson sheds some light on why training, while smart in theory, remains ineffective in practice:

It seems like in groups of people, particularly inside a corporate firewall, who just click on everything, training doesn't seem to slow them down one iota. We certainly saw that in the research. We called them the "Clickers" and it didn't matter how much training you did, these people just kept clicking. There were other folks who were naturally, or maybe through their own learning, much more cautious and they weren't clicking. That group really doesn't benefit so much from the training because they are already not clicking. It's hard to really understand why; I think it is just human curiosity at play. It's very hard to get folks, particularly when the deception is pretty good, to really step back for thirty seconds and look at it and say, "Is this something I should be clicking on?"

Phishing Sites Avoid SSL

Whether delivered via email or text, many phishing attacks link to sites that ask victims to fill in sensitive information (e.g. passwords, SSN, credit card numbers). These sites look very authentic, and most users do not even bother to check if the sites are using an SSL certificate. Many of them do not even know what SSL is!

With this in mind, most hackers avoid SSL sites in the first place, because the process of getting a certificate involves verifying the applicant’s identity. Occasionally, hackers will find unscrupulous issuers beyond their borders, or they will create fraudulent papers. But this is typically the MO for a highly targeted spear phishing attack. Most phishing attacks do not live for more than 24 hours, and as such hackers do not think it is worth it. They can get more than enough victims without having to bother with the extra work and investment.

Google Chrome Declares War on Phishing

As noted by TechCrunch.com, Google is waging war on phishing by forcing websites to serve content over secure HTTPS connections. Websites that do not comply are getting wiped off the face of the search engine ranking landscape. Furthermore, when Chrome 56 launches in January 2017, all websites still using HTTP will be tagged as “Not Secure” in a window next to the address bar. And in the coming years, all HTTP pages that are not secure will be stamped with Chrome’s red triangle warning symbol, which it currently uses for irregularities in HTTPS.

Google’s move is a step in the right direction, and should help prevent some reckless “Clickers” from falling victim to phishing attacks. However, this is not a full-blown solution. Researchers at Carnegie Mellon University found that 20 percent of end users ignore browser warnings -- and that number is probably much higher among the “Clickers” group mentioned in the research above. That is more than enough to keep hackers interested in phishing, and unfortunately, unsuspecting victims taking the bait.

Google’s move to help put the brakes on phishing is a step in the right direction, but there are 4 key drawbacks that enterprises need to be aware of: 

  1. Google does not enforce controls and block users from submitting information to phishing sites. Instead, it attempts to warn users that the site they are visiting is insecure.
  2. The focus is on passwords only. This is unrealistic, since hackers are interested in other kinds of confidential information, such as SSNs and payment card data, etc.
  3. Obviously, this anti-phishing mechanism only applies to Chrome, which may not be the dominant browser in the environment.
  4. Last but not least, Chrome’s expected update does not protect against phishing attacks leveraging browser vulnerabilities and zero-day exploits. 

Preventing Phishing through Web Isolation 

An effective way for organizations to stay out of the net -- and avoid a costly and embarrassing infection -- is through web isolation, which executes all content in a secure remote environment and eliminates web-based malware. In addition, web isolation blocks users from submitting corporate passwords to non-corporate websites, and prevents users from typing credentials and sharing sensitive information (e.g. credit card numbers, SSNs) in phishing websites, or websites that are not white-listed.
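As an added illustration of the submission-blocking control described above (example code written for this page, not Symantec's implementation), the Python policy check below decides which form fields an isolation layer would block: passwords going to any host outside a corporate allow-list, and payment card numbers (Luhn-checked) or SSNs going to non-whitelisted sites. The allow-list domains, the field format and the sample submissions are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed allow-list of corporate hosts (hypothetical, not from the page).
CORPORATE_DOMAINS = {"example-corp.com"}

def is_corporate_host(url):
    """True only for an allow-listed domain or one of its subdomains."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    # Exact match or dotted-subdomain match; a bare endswith("example-corp.com")
    # would wrongly accept look-alikes such as "notexample-corp.com".
    return any(host == d or host.endswith("." + d) for d in CORPORATE_DOMAINS)

def luhn_valid(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            n = n * 2 - 9 if n * 2 > 9 else n * 2
        total += n
    return total % 10 == 0

def looks_like_card_number(value):
    digits = re.sub(r"[ -]", "", value)   # tolerate "4111 1111 ..." spacing
    return digits.isdigit() and 13 <= len(digits) <= 19 and luhn_valid(digits)

# SSN shape with the invalid area (000, 666, 9xx), group (00) and serial (0000) excluded.
SSN_RE = re.compile(r"^(?!000|666|9\d\d)\d{3}-?(?!00)\d{2}-?(?!0000)\d{4}$")

def looks_like_ssn(value):
    return bool(SSN_RE.match(value.strip()))

def evaluate_submission(url, fields):
    """Return (field_name, reason) pairs the isolation layer should block.
    fields maps a field name to {"type": "password" | "text", "value": str}."""
    blocked = []
    if is_corporate_host(url):
        return blocked                     # allow-listed destination: nothing to block
    for name, field in fields.items():
        value = field.get("value", "")
        if field.get("type") == "password":
            blocked.append((name, "password submitted to non-corporate site"))
        elif looks_like_card_number(value):
            blocked.append((name, "payment card number sent to non-whitelisted site"))
        elif looks_like_ssn(value):
            blocked.append((name, "SSN sent to non-whitelisted site"))
    return blocked
```

In practice the check runs inside the isolation proxy on the outbound form post, so the decision is enforced before the data leaves the remote environment rather than merely surfaced as a browser warning.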

For information on Symantec Web Isolation, we invite you to download our data sheet.
