It’s only May, and is it just me, or has this already been the longest decade ever?
Cyber-threat actors are as sneaky as ever, and they have been evolving and adapting their methods to cash in on your organization's dime. Email phishing continues to be one of the most popular, if not the most popular, attack vectors that adversaries use to gain initial access to systems, eventually compromising your data, your infrastructure, and your reputation. According to the FBI's 2019 Internet Crime Complaint Center (IC3) report, the bureau received over 110,000 complaints of phishing alone.
Based on data from 2019 and what we’ve observed in 2020, Digital Shadows (now ReliaQuest) has gathered three phishing trends that cybercriminals and advanced persistent threat (APT) groups are using to target your business:
Throughout the years, internet users and security researchers have been heavily involved in the frustrating cat-and-mouse game of phishing: Attackers have tested what works while we make an effort to foil their attempts. To increase the likelihood of a successful phishing campaign, criminals have turned to more “legitimate” solutions such as adding security certificates, embedding redirects inside of recognized links, and creating lookalike domain names that are near-indistinguishable to most users.
While many of these strategies are not new, they have become much more prevalent; attackers have improved their craft by (almost seamlessly) blending into our legitimate messages, making their thoughtfully designed techniques more difficult to detect.
Spoof domains have proven to be a significant obstacle when it comes to organizations’ security posture. As we have adopted various strategies to identify potential phishing sites, I’m sure many of us have had similar exchanges with a colleague or friend:
Bob: Hey, I’m not sure if this site is legitimate.
Alice: Does it have the padlock by the address bar?
Bob: Yeah, it does!
Alice: Awesome – you should be good then.
Bob: Cool, thanks!
What I'm referring to in this scenario is the presence of a Secure Sockets Layer (SSL) or Transport Layer Security (TLS) certificate. From a user standpoint, SSL/TLS certificates serve several important purposes, chiefly enabling the encryption of internet traffic sent between the client (your device) and the web server.
Unfortunately, looking for a padlock to identify secure websites is no longer (if it ever really was) a reliable strategy for avoiding malicious websites. As internet users are taught to trust SSL/TLS-protected sites, adversaries have responded by obtaining certificates of their own to improve the impact of their attacks, leading to data loss, unauthorized access, credential theft, and malware propagation. To add to this problem, attackers can also easily purchase ready-made websites, SSL certificate included, on criminal marketplaces.
To combat this, we have observed numerous countermeasures against attackers' ploys, including registrars cracking down on malicious website owners and improvements in the accuracy and timeliness of browser alerts on malicious or suspicious websites. Conversely, bulletproof hosting companies, which are far more lenient about what can be hosted on or distributed from their servers, undermine any intended refinements to website hosting.
While some recent improvements are a move in the right direction, they are not a complete answer to malicious websites or successful phishing attacks.
As SSL and TLS certificates continue to be an essential piece of attackers’ methods to steal information, it is highly likely that users will continue to be targeted in future phishing attacks that masquerade as legitimate websites with “trusted” certificates.
Many of us have stumbled upon a fake login page that impersonates a legitimate service. It can be tough to spot these fakes, and attackers continue to exploit our comfort with familiarity. As adversaries tend to take the path of least resistance, such sites have become more common because they work (and will continue to work as long as cybercriminals can turn a profit).
While attackers may create these cloned sites from scratch, many website templates are available for sale, from email providers to financial institutions, on dark web marketplaces (we'll discuss this later).
Open redirects are used in a variety of attacks, with malware delivery and credential harvesting being the most common. Many large companies do not consider open redirects to be a security vulnerability, so not much can be done to prevent redirect campaigns in the future; however, some would argue that redirects propagate phishing campaigns. In recent months, phishing campaigns have commonly leveraged open redirects on well-known companies' domains to improve the perceived legitimacy of their attack methods. If the links appear to belong to a legitimate company, users are more likely to trust them and click on them. For example, try entering this into your browser's address bar:
https://www.google.com/url?q=https://www.digitalshadows.com
Depending on the browser that you use, you probably observed a Redirect Notice. Did you continue? Either way, many phishing victims have continued with the belief that they were being redirected to a legitimate platform, only to have their credentials stolen or their system compromised.
As open redirects continue to be used for legitimate purposes, it is highly likely that cybercriminals will continue to abuse this feature for nefarious reasons.
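The check a mail-security or SOC team would want for links of the shape shown above: does a link on a trusted host carry a redirect-style parameter whose target is a different organization's domain? This is an added example, not code from the original post; the parameter names and the two-label "same organization" heuristic are assumptions (a production version would use the Public Suffix List).

```python
# Added example (not from the original post): flag links whose trusted-looking
# host carries a redirect parameter that points at a different domain.
from urllib.parse import urlparse, parse_qs, unquote

# Query parameters commonly used to carry a redirect target (assumed, illustrative list).
REDIRECT_PARAMS = {"q", "url", "u", "redirect", "redirect_uri", "next", "return", "target", "dest"}


def host_of(url: str) -> str:
    """Return the lower-cased hostname of a URL, or '' if it has none (relative paths)."""
    return (urlparse(url).hostname or "").lower()


def same_org(host_a: str, host_b: str) -> bool:
    """Crude heuristic: hosts belong to the same organisation if they share the last two labels.
    (Assumption for the example; real deployments should consult the Public Suffix List.)"""
    return host_a.split(".")[-2:] == host_b.split(".")[-2:]


def find_off_domain_redirect(url: str):
    """Return (param_name, target_host) when a redirect-style parameter holds an absolute URL
    whose host differs from the outer link's host; otherwise None."""
    outer_host = host_of(url)
    for name, values in parse_qs(urlparse(url).query).items():
        if name.lower() not in REDIRECT_PARAMS:
            continue
        for value in values:
            inner_host = host_of(unquote(value))  # unquote again to catch double-encoding
            if inner_host and not same_org(outer_host, inner_host):
                return name, inner_host
    return None


def triage_links(urls):
    """Map each link to its off-domain redirect target (or None) for analyst triage."""
    return {u: find_off_domain_redirect(u) for u in urls}


if __name__ == "__main__":
    # Constructed sample links; the first mirrors the redirect shape discussed in the post.
    samples = [
        "https://www.google.com/url?q=https://www.digitalshadows.com",
        "https://www.google.com/url?q=https://mail.google.com/inbox",
        "https://example.com/login?next=/dashboard",
    ]
    for link, verdict in triage_links(samples).items():
        print("REDIRECTS OFF-DOMAIN" if verdict else "ok", link, verdict or "")
```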
If you saw this link, would you think that it’s legitimate?
https://www.ԁіɡіtаlѕһаdοwѕ.com
I don't see much of a difference, but in reality, this domain is encoded as a completely different hostname (its punycode form):
https://www.xn--tldw-z7b71sswab64aebb13k11a.com
Kinda spooky, huh?
This method, called a homograph attack (aka punycode, script spoofing), abuses the nuances of internationalized domain names (IDNs) by using non-Latin characters to masquerade as legitimate sites and has been around since the early 2000s. As it’s nearly impossible to distinguish the tiny differences when they’re embedded in a phishing email or website, cybercriminals have found that it’s reasonably simple to fool users. While most browser manufacturers and infrastructure-as-a-service (IaaS) providers have introduced defenses to thwart these attacks, it is possible that this method has been used in highly-targeted social engineering campaigns.
As a confession, while it wasn’t punycode, I registered a domain homograph a few years ago by replacing an “l” with an “i,” to play a trick on a few colleagues. My intent was not malicious; I just wanted to set up a clever Rickroll, and it worked wonderfully!
Unfortunately, attackers commonly set up fake domains with criminal intentions, and they may continue using this method in their future attacks. Defenses to homograph attacks depend on policies implemented by the Internet Corporation for Assigned Names and Numbers (ICANN); however, a solution to completely mitigate homograph attacks has not yet been deployed.
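The two properties a defender can check for the homograph technique described above are the wire form of an internationalized domain name (the "xn--" punycode a resolver actually sees) and whether its look-alike characters fold back to a brand on a watchlist. This is an added example, not code from the original post; the confusables map is a small constructed subset of Unicode's confusables table, and the protected-domain watchlist is hypothetical.

```python
# Added example (not from the original post): expose an IDN's punycode form and
# flag labels that mix scripts or fold to a protected brand domain.
import unicodedata

# Constructed subset of Unicode's confusables table (the real table is far larger).
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u04bb": "h",  # CYRILLIC SMALL LETTER SHHA
    "\u0501": "d",  # CYRILLIC SMALL LETTER KOMI DE
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u0261": "g",  # LATIN SMALL LETTER SCRIPT G
    "\u0131": "i",  # LATIN SMALL LETTER DOTLESS I
}

# Hypothetical watchlist of domains the organisation wants to protect.
PROTECTED = {"digitalshadows.com"}


def to_punycode(hostname: str) -> str:
    """Return the ASCII (xn--) form that DNS and the browser actually resolve."""
    return hostname.encode("idna").decode("ascii")


def script_of(ch: str) -> str:
    """First word of the Unicode character name, e.g. 'CYRILLIC', 'LATIN', 'GREEK'."""
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def mixed_script_labels(hostname: str) -> list:
    """Labels whose letters come from more than one script (a classic homograph tell)."""
    flagged = []
    for label in hostname.split("."):
        scripts = {script_of(c) for c in label if c.isalpha()}
        if len(scripts) > 1:
            flagged.append(label)
    return flagged


def skeleton(hostname: str) -> str:
    """Fold known look-alike characters to their Latin skeleton for comparison."""
    return "".join(CONFUSABLES.get(c, c) for c in hostname.lower())


def lookalike_of(hostname: str):
    """Protected domain this hostname imitates, or None (the genuine domain is not a look-alike)."""
    folded = skeleton(hostname)
    return folded if folded in PROTECTED and hostname.lower() != folded else None


def assess(hostname: str) -> dict:
    """Summarise the homograph indicators for one hostname."""
    punycode = to_punycode(hostname)
    return {"punycode": punycode, "is_idn": punycode != hostname.lower(),
            "mixed_script_labels": mixed_script_labels(hostname), "lookalike_of": lookalike_of(hostname)}


if __name__ == "__main__":
    # Constructed look-alike: Cyrillic а/ѕ and Greek ο replace Latin a/s/o.
    print(assess("digit\u0430l\u0455had\u03bfw\u0455.com"))
    print(assess("digitalshadows.com"))
```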
In recent years, mass spam campaigns have started to decline, while targeted campaigns have increased significantly. Rather than throwing tens of thousands of phishing emails to the wind, adversaries have started to methodically investigate their targets before deploying campaigns. Business email compromise (BEC), spearphishing, and targeted ransomware attacks have become increasingly personalized over time to lure victims into trusting malicious messages. While some phishing emails are easy to spot, others may seem undeniably believable while exploiting various social engineering principles: authority, intimidation, scarcity, urgency, familiarity, and trust.
For the fifth year running, BEC attacks, a specialized form of phishing, account for the highest reported financial losses, a whopping $1.8 billion in 2019. There are several different variants of BEC, but in one common method, the attacker either impersonates an executive's email address or uses a compromised business email account to target an employee, customer, or supplier, tricking them into sending funds or confidential information to the phisher. While they are not nearly as widespread as other, more common phishing attack types, the profitability offered by a successful BEC attack (think millions of dollars) continues to attract cybercriminals.
Trends from 2019 revealed a significant increase in BEC attacks that explicitly targeted the diversion of payroll funds. It is highly likely that threat actors will continue to use this method for monetary gain in future attacks. Successful BEC attacks can result in hefty financial losses; organizations should ensure that staff members are trained on how to identify and report popular social engineering attempts that can result in BEC.
Spearphishing is a form of phishing that targets a specific individual or organization. Frequently, the emails are tailored to the recipient to make them more believable. Rather than throwing thousands of emails over the wall, criminals are becoming more selective to increase the likelihood of a successful attack.
Two common types of spearphishing include business email compromise, which we have already mentioned, and whale phishing (or whaling). Whaling is another form of BEC; however, high-level executives are the primary target. Attackers can use executive-related information found on public websites, including names, phone numbers, email addresses, or personal addresses when selecting their targets and designing social engineering campaigns. C-level data can be highly valuable to cybercriminals, especially for BEC campaigns, and we have often seen executive email lists sold and traded on criminal forums.
An attacker will often spend considerable time investigating their target, so they can tailor the email to them and make it as compelling as possible.
As phishing campaigns become more targeted, personalized, and sophisticated, it is highly likely that spearphishing will continue to be used as a vessel for credential theft and malware spread in the coming months to years.
Ransomware attacks have evolved over the years to be impressively sophisticated and targeted. Where ransomware was once primarily a threat to consumers (the so-called "spray and pray" approach), threat actors have switched gears to methodically target businesses, likely due to the sheer profitability and monetary value of employee data and organizations' proprietary information.
While 2019 was a big year for ransomware, which included the fall of GandCrab, the rise of Sodinokibi, and persistent attacks against a variety of sectors with variants like Ryuk, 2020 has proven to be an even more volatile period for organizations facing ransomware threats.
An emerging trend, the "pay or get breached" model of ransomware attacks popularized by threat groups such as Maze, aims to steal organizations' data before encryption and to publicize the names or the data of targeted companies that refuse to meet ransom demands. Meanwhile, more sophisticated variants of ransomware, such as SamSam, do not rely on spearphishing; instead, they use vulnerability exploitation or brute-force tactics against weak Remote Desktop Protocol (RDP) passwords to gain access and infect systems.
As criminals shift to targeting businesses and deploying enterprise-crippling ransomware, it is highly likely that organizations will have to strategically consider the reality of potentially falling victim to future ransomware attacks. With the introduction and continued growth of the pay-or-get-breached model of ransomware, organizations will also have to begin treating ransomware attacks as data breaches. In the coming months and years, it is highly probable that ransomware operators will continue to use multiple attack vectors, including vulnerability exploitation, spearphishing, and brute-force techniques, as methods of compromise for monetary gain and sensitive data collection.
You don’t need to be a skilled threat actor or have a detailed understanding of your target to conduct an effective phishing attack as long as you have the means to buy a template. Commonly, templates offered on criminal forums and marketplaces contain how-to guides and are intended to masquerade as legitimate company emails. The most persuasive of these templates are aimed at being indistinguishable from a legitimate email.
Phishing-as-a-service (PHaaS) and phishing kits are an alternative to phishing templates that allow an attacker to rent the infrastructure required for conducting phishing attacks. Procuring and setting up backend infrastructure, especially without the necessary technical skills, can be time-consuming, costly, and complicated. By simply outsourcing the work, phishing capabilities become available to those who would not otherwise have them. PHaaS offerings are monetized in familiar ways, with various monthly subscription rates and feature tiers, increasingly mirroring legitimate as-a-service offerings.
As the business for phishing templates and PHaaS flourishes, it is highly likely that phishing will become even more prevalent. Additionally, as PHaaS products offer more complex features, it is possible that campaign attribution will become even more challenging in the coming months. If you’re interested in learning more about phishing services on criminal forums and marketplaces, check out our in-depth overview of the phishing ecosystem: The Ecosystem of Phishing.
All of the methods that we have outlined in this blog commonly begin with the first phishing email. The variations are abundant, whether it's a misspelled, poorly written message or a well-designed and thoroughly customized impersonation email. For this reason, phishing remains one of the most common techniques of attack.
As we continue to brave what 2020 has to offer (good and bad), planning for social engineering attacks and the threats they pose is the ideal approach. As described in this blog, the phishing methods employed by the most advanced opponents are virtually identical to those explored in criminal forums by enthusiastic learners. With templates, instructions, site-cloning services, and phishing tools scattered throughout the cybercriminal landscape, a continued wave of sophisticated attacks is on the horizon.
While solutions for avoiding or deterring phishing campaigns seem to disappear day by day, companies are still able to employ a wide variety of approaches that can help them remain generally safe from phishing attacks. These include a few phishing mitigation strategies that can benefit your company:
If you want to learn more about how Digital Shadows (now ReliaQuest) can help your organization, check out our Phishing Protection page or request a demo below.
Thanks for sticking around, Readers. Until next time!