What is Phish(ing)?
No, not the band, unless you’re really into jam bands. We’re talking about the email attack variety. Well, for starters, it continues to be a huge problem for organizations everywhere. It’s still showing up to drop ransomware and Trojans, harvest credentials, and spy on organizations like yours. We’ve even written about it before because it’s been a problem year after year.
But never mind the dozens of other reports and white papers about phishing that come out every year from security industry leaders; let’s take a look at the 2021 Verizon Data Breach Investigations Report (DBIR). According to this year’s research (no surprise to Verizon fans like us), phishing is still the top way external threat actors get in. Going back a bit, it was also the top attack vector in 2020, 2019, 2018, 2017, 2016, and, well, hopefully you get the picture.
Why should I care about Phish?
The reason why phishing is still reigning supreme? It works. The social engineering aspect around phishing works because humans want to be helpful, informed, paid well, get stuff for free sometimes, and generally not end up on the wrong side of management. Unfortunately, aspects of really good social engineering prey on one or more of these human traits (or faults).
Verizon even admits in the 2021 DBIR that they’re not entirely sure why email remains such a big thing, but it clearly serves its purposes. According to the study, phishing:
- Confirms and collects working email addresses
- Harvests internal information revealed in email threads, which amounts to light reconnaissance of the inner workings of an organization
- Collects credentials, personal information, and anything else that can be monetized
- Leads to compromised accounts that are then used to send more spam and phishing (see also: business email compromise, or BEC)
What’s truly terrible about phishing is that it’s getting more targeted and better produced, especially as kits and services proliferate. Costs also continue to drop, as we’ve highlighted in our previous research. And, again, it works; otherwise, adversaries would’ve given up on it years ago. Targeted phishing goes after folks in HR with malicious files posing as resumes, or after payroll and accounts receivable teams with requests to redirect legitimate payments to attacker-controlled accounts. A compromised customer account might be used in business email compromise fashion to phish everyone in that customer’s circle. It could be a system administrator with access to sensitive defense information who recently met an attractive fitness influencer on social media (hello, Iran!).
In any case, phishing can lead to some big trouble for organizations. It continues to be an active part of just about every adversary out there, be it for criminal purposes or the nation-state variety.
What is the difference between spam and phishing?
Before we get too deep into phishing, let’s talk spam for just a moment. Not all spam is phishing, though some phishing arrives as spam. Most of the spam that shows up isn’t really trying to do anything other than get you to respond, look at a product, or otherwise advertise a service.
Think of all the product offers you get after attending a webinar or conference. You may not be able to unsubscribe (as seen in the message above). It’s best not to respond if you’re not interested, because a reply confirms an active email address and leads to more spam. In any case, a simple spam message probably isn’t too harmful and is mostly just annoying.
Spam-level phishing is generally low-quality stuff and relatively obvious, as the sample of actual spam emails from my inbox shows below. Basically, it’s quantity over quality. There’s a chance of a link appearing in the email somewhere. However, I’ve already decided not to do business with JPM0rGeN-CHASEA& to refinance my home mortgage, as this is likely not the real deal. URLs within the email may also link to malware or might be connected to an ad-click scam. Either way, it’s safe to delete these or use your email inbox’s preferred method to report spam.
Some email providers have made it easier to unsubscribe in bulk from marketing you no longer care about, or to use separate inboxes for temporary purposes, such as a member rewards program or if you’re just really into knowing when Patagonia’s sales are on. Some people keep different email accounts purpose-built for work only, shopping only, or other uses. Just know that the more places an address appears on the web, the more spam it will attract.
Keep in mind, though, that not all spam is phishing.
How do I defend against Phishing?
Evaluate the Message
Phishing emails appeal to users because of a tempting lure, which usually first shows up in the subject line or the sender line as you view it in Outlook, Gmail, or your email provider of choice. This could be something that adds urgency, e.g., “Please approve this invoice” or “Your account will be suspended,” while a familiar-looking sender adds legitimacy to the request. Ask yourself a few questions: Is the email asking you to perform an action? Is it normal for a message like this to come from this sender? In the case of the figure below, we’ll focus on the “Account Limited” email from “PayPal Service.”
Check the Sender
It’s relatively easy to spoof the display name, so an adversary who has done their homework can make a phishing email appear to come from your CEO or manager, or from a legitimate service like your bank, Apple, Facebook, or PayPal. As we move from the inbox into the email itself, the first red flag should be obvious: PayPal would send an important notice from its own domain or a legitimate subdomain, not from a Google Groups address, as seen below. To make it tricky, attackers deliberately send from legitimate cloud services like this one. The domain googlegroups.com has a good sender reputation, and because the message really was sent by Google’s servers it will typically pass the SPF, DKIM, and DMARC checks baked into email tools. Those checks only confirm that the message came from the domain in the address; they say nothing about whether the display name is telling the truth. The same can be said for Microsoft products like SharePoint or other Office 365 services, which can also be abused this way.
Other Message Clues
Another thing to note is that the email greets me by my email address. Other phishing attempts address you only by your surname, your email user ID, or, really, anything other than your first or preferred name. These days, just about every service you’ve signed up for tries to personalize the experience and will generally use your preferred name to seem friendly and likable. An attacker’s template won’t have that information, so it falls back on whatever field the attacker does have. It’s personalized, but not personalized enough.
Also take a look at the look and feel of the email above. They’re using on-brand imagery and colors for PayPal, right down to the buttons and fonts. Hover your cursor over that “login to PayPal” button and the destination is likely to be a well-spoofed look-alike domain or a hidden redirect, as we wrote about in our domain research and previous blogs, or simply a URL that has nothing to do with PayPal. They’re hoping that users will click blindly.
From there, there’s a pretty good chance a victim arrives at a spoofed PayPal login portal, enters their credentials, and then receives another redirect, an error 404 (page not found), or some other error that prevents an actual login. Some kits instead forward the victim to the real PayPal site so nothing looks wrong. Meanwhile, attackers on the backend just got themselves a brand new email address and password to do whatever they were planning to do with it, whether committing financial fraud, logging into other services where the password was reused, or setting the credentials up for resale. Beware of images with embedded URLs or any links contained within the message. The text may say “https://paypal.com,” but the URL behind it may instead point to badguy.com.
Finally, in general, look at the wording of the message itself. Is it normal for the email to have that many spelling errors and awkward language if it’s from your CEO? Would your CEO normally have you change his bank account information over email? Would your friend from the help desk have so many strange emojis or foreign language characters in an email to you? If it doesn’t seem right, it’s always best to err on the side of caution.
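The sender, greeting and link checks described above can be automated before a message ever reaches a human reviewer. The following is an added example written for this page, not a tool from the original post: it parses a raw message and flags a brand name in the display name that the sending domain does not belong to, a Reply-To pointing elsewhere, passing SPF/DKIM/DMARC results that only vouch for the real sending domain, a greeting built from the recipient’s email address, and link text that names one domain while the href goes to another. The sample message, its addresses and its hosts are constructed (the look-alike host uses the reserved .example TLD), and BRAND_DOMAINS is an assumed stand-in for a real brand allow-list.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list standing in for a real brand/domain database (example only).
BRAND_DOMAINS = {"paypal": {"paypal.com"}, "microsoft": {"microsoft.com"}, "apple": {"apple.com"}}
ALL_BRAND_DOMAINS = set().union(*BRAND_DOMAINS.values())

# Constructed message modelled on the "Account Limited" lure; every address, host and
# header value here is made up (the look-alike host uses the reserved .example TLD).
SAMPLE_EML = """\
From: "PayPal Service" <account-notice@googlegroups.com>
Reply-To: verify@secure-paypa1-login.example
To: victim@example.com
Subject: Account Limited
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=googlegroups.com;
 dkim=pass header.d=googlegroups.com; dmarc=pass header.from=googlegroups.com
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear victim@example.com,</p>
<p>Your account has been limited. Review it at
<a href="https://secure-paypa1-login.example/r?u=9f3">https://paypal.com/account</a></p>
<p><a href="https://secure-paypa1-login.example/r?u=9f3"><img src="cid:btn" alt="Login to PayPal"></a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a>; image buttons contribute their alt text."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self._href, self._text = attrs.get("href", ""), []
        elif tag == "img" and self._href is not None:
            self._text.append(attrs.get("alt") or "[image]")

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def registered_domain(host):
    """Last two labels of a host name; a crude stand-in for a public-suffix-list lookup."""
    labels = (host or "").lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def domain_of(address_header):
    return registered_domain(parseaddr(address_header)[1].rpartition("@")[2])


def analyze_message(raw):
    """Return a list of human-readable red flags found in a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=default)
    findings = []
    display, _ = parseaddr(str(msg["From"]))
    from_dom = domain_of(str(msg["From"]))

    # 1. Display name invokes a brand that the sending domain does not belong to.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display.lower() and from_dom not in domains:
            findings.append(f"display name '{display}' but sender domain is {from_dom}")

    # 2. Replies are steered to a different domain than the one that sent the mail.
    if msg["Reply-To"] and domain_of(str(msg["Reply-To"])) != from_dom:
        findings.append(f"Reply-To domain {domain_of(str(msg['Reply-To']))} differs from From domain {from_dom}")

    # 3. SPF/DKIM/DMARC passing only proves the mail came from from_dom, not from the brand.
    passes = re.findall(r"\b(spf|dkim|dmarc)=pass\b", str(msg["Authentication-Results"] or ""))
    if passes:
        findings.append(f"{'/'.join(passes)} pass vouch for {from_dom}, not for the brand in the display name")

    # 4. Greeting built from the recipient's address instead of a name.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    to_addr = parseaddr(str(msg["To"]))[1]
    if to_addr and re.search(r"(?i)\b(dear|hello|hi)\s+" + re.escape(to_addr), html):
        findings.append("greeting uses the recipient's email address instead of a name")

    # 5. Visible link text names one domain (or the brand) while the href goes elsewhere.
    collector = LinkCollector()
    collector.feed(html)
    for href, shown in collector.links:
        href_dom = registered_domain(urlparse(href).hostname)
        shown_url = re.search(r"https?://([^/\s]+)", shown)
        if shown_url and registered_domain(shown_url.group(1)) != href_dom:
            findings.append(f"link text shows {shown_url.group(1)} but points to {href_dom}")
        elif not shown_url and any(b in shown.lower() for b in BRAND_DOMAINS) \
                and href_dom not in ALL_BRAND_DOMAINS:
            findings.append(f"'{shown}' link points to {href_dom}")
    return findings


if __name__ == "__main__":
    for flag in analyze_message(SAMPLE_EML):
        print("-", flag)
```

Note that check 3 deliberately reports a *pass* as a finding: authentication results are about the envelope and signing domain, so a lure sent through a legitimate cloud service will pass them cleanly. A real deployment would replace the two-label domain heuristic with a public suffix list and the BRAND_DOMAINS table with an actual allow-list.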
The Difference of Desktop Versus Mobile
Evaluating the sender gets trickier on a mobile device than on the desktop, and adversaries are likely banking on people not checking the sender domain or otherwise being in a rush. Note in the image below that the complete sender address isn’t shown; mobile clients typically show only the display name, and viewing the address or the raw message headers takes extra steps such as a long-press or a “show original” option.
So, to reiterate, beware of the intentions of the subject line, check out the sender information, and pay attention to the body of the email itself. As we’ve discussed elsewhere, scammers have many different tools and methods to make emails seem very legitimate so take a moment to look at the clues. Be especially careful when checking emails on mobile devices also!
One part we didn’t show an example of here is attachments. Attackers have a variety of ways to get victims to open them. These may be fake payment invoices, package tracking slips, news articles, and other documents, which may themselves be booby-trapped with malicious scripts or macros. Common carriers include ZIP or RAR archives, PDF documents, and Word, Excel, and other Office files. They may also be Visual Basic Script (.vbs), HyperText Markup Language (.html), or HTML Application (.hta) files that either perform or lead to some other malicious action, as seen in the image below:
When it comes to attachments, in most cases the download doesn’t become dangerous until you open it, so beware. If a file asks you to enable macros or content, download something from the internet, or take some other secondary action, be very careful unless you trust the source and this was an expected email with attachments. The good news is that there are tools to fight malicious attachments, but more on that in a minute.
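The triage a security team runs on an .eml before anyone opens the file follows the same logic as the paragraph above: risky or doubled extensions, a declared type that does not match the file’s first bytes, a macro project inside an Office document, and script inside an HTML attachment. The following is an added example written for this page rather than code from the original post. The message and its three attachments are constructed in the code; the ZIP that stands in for a macro-enabled Word document renamed to .pdf holds placeholder bytes, not real VBA, and the redirect host uses the reserved .example TLD.

```python
import io
import re
import zipfile
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Extensions that run code directly or commonly wrap something that does.
RISKY_EXTENSIONS = {".hta", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".html", ".htm",
                    ".lnk", ".iso", ".img", ".exe", ".scr", ".zip", ".rar", ".7z",
                    ".docm", ".xlsm", ".pptm"}
# Expected leading bytes for a declared extension (OOXML documents are ZIP containers).
MAGIC = {".pdf": b"%PDF", ".zip": b"PK\x03\x04", ".docx": b"PK\x03\x04", ".docm": b"PK\x03\x04",
         ".xlsx": b"PK\x03\x04", ".xlsm": b"PK\x03\x04", ".rar": b"Rar!\x1a\x07", ".exe": b"MZ"}


def build_sample_message():
    """Constructed lure with three attachments; nothing here is a real malicious file."""
    # A macro-enabled Word file is a ZIP whose word/vbaProject.bin holds the VBA. Here the
    # ZIP is renamed to .pdf so the icon looks harmless; the entries are placeholders.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"\x00placeholder\x00")
    disguised_doc = buf.getvalue()
    # HTML "tracking slip" that bounces the browser to a look-alike domain.
    html_slip = b"<html><script>location='https://secure-paypa1-login.example/'</script></html>"
    real_pdf = b"%PDF-1.4\n%%EOF\n"

    msg = EmailMessage()
    msg["Subject"] = "Payment advice"
    msg["From"] = "accounts@supplier.example"
    msg["To"] = "victim@example.com"
    msg.set_content("Please see the attached payment advice and tracking slip.")
    msg.add_attachment(disguised_doc, maintype="application", subtype="pdf",
                       filename="Payment_Advice.pdf")
    msg.add_attachment(html_slip, maintype="text", subtype="html",
                       filename="Tracking_Slip.html")
    msg.add_attachment(real_pdf, maintype="application", subtype="pdf",
                       filename="Statement.pdf")
    return msg.as_bytes()


def triage_attachments(raw_eml):
    """Return [(filename, declared content type, [flags])] for every attachment."""
    msg = message_from_bytes(raw_eml, policy=default)
    report = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        lower = name.lower()
        ext = "." + lower.rsplit(".", 1)[1] if "." in lower else ""
        flags = []
        if ext in RISKY_EXTENSIONS:
            flags.append(f"risky type {ext}")
        if lower.count(".") > 1:
            flags.append("double extension")
        expected = MAGIC.get(ext)
        if expected and not data.startswith(expected):
            flags.append(f"content does not match {ext} (starts with {data[:4]!r})")
        if data.startswith(b"PK\x03\x04"):
            # Any ZIP container, whatever it is called, gets checked for a VBA project.
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as z:
                    names = z.namelist()
            except zipfile.BadZipFile:
                names = []
                flags.append("corrupt ZIP container")
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                flags.append("Office document with VBA macro project")
        if ext in {".html", ".htm", ".hta"} and re.search(rb"<script|javascript:", data, re.I):
            flags.append("HTML with script")
        report.append((name, part.get_content_type(), flags))
    return report


if __name__ == "__main__":
    for name, ctype, flags in triage_attachments(build_sample_message()):
        print(f"{name:22} {ctype:18} {', '.join(flags) or 'no findings'}")
```

The magic-byte check is what catches the disguised document: the mail client trusts the .pdf name and the application/pdf type, but the bytes say ZIP, and the ZIP listing says macros. A clean PDF produces no findings, which is the point of the third attachment; the checks are meant to prioritise what goes to a sandbox, not to declare anything safe.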
Observe and Report
As a former blue teamer who dealt with enterprise phishing almost daily, the best advice for phishing is to simply “observe and report.” Investigate the email by checking out the sender, hovering over links, and taking attachments with a grain of salt; but unless you’re actually part of a security team or in a SOC and have virtual machines or sandboxes at your disposal, it’s best to use whatever reporting mechanism you have to send as phishing and let a professional handle it.
Too often, an errant click out of curiosity or pressure has sent people down the path to downloading malware or otherwise needlessly exposing themselves and the company to danger. Even if the web proxy or network tooling blocks the request, the click is usually logged there or at the endpoint, and clicking on one link too many might result in HR or security action. At the very least, there’s likely to be a tough conversation at some level, because dangerous but unintentional actions like that can violate company acceptable use policies (AUP).
Outlook, Gmail, and Office 365 typically have the functionality to report messages inline as spam or phishing, or your security team may have a separate phishing email inbox where you can send messages. Just about any security team out there would rather see a false positive over the wrong click or an unreported event: If in doubt, point it out.
The situation changes at home though. Suppose you’re on your personal computer, using your personal email. In that case, providers such as Yahoo and Gmail have mechanisms to report spam. In addition, a lot of the larger financial service and service-oriented companies such as Apple or Microsoft often have their own security teams who work phishing cases. Typically it might be an abuse, fraud, or phishing team you can forward emails to, who can in turn work on taking down spoofed domains if needed, report abuse to domain registrars and hosting companies, or share threat intelligence within the security community. Often, a quick web search for “report phishing” or “report fraud”, along with the name of the company you’d like to send the report to, should get quick results.
Check Out Some Tools
Short of wearing a biohazard suit and staying entirely off the internet or never touching a computer again, there are some excellent ways to remain safe from phishing. No solution is ever 100% foolproof, but the goal is to reduce the number of ways an attacker could become successful. To set you up for success, let’s talk about some ways to shore up defenses against phishing.
Ah yes, the dreaded cybersecurity training. For many employers, this typically falls into an annual requirement, and sometimes more often than that. We’ve all been there: panicked emails from leaders to get this training done before the deadline, which usually consists of clicking through slides, interactive scenarios, or watching videos before you can get credit for the activity. In some cases, the training might involve seeing some training phishes in your inbox, or it may be an ongoing test from your security team throughout the year.
Go to any security survey or research into phishing, and you’ll see that most experts out there recommend training of some sort. We’re not in a position to recommend the best platforms, but probably the best training against phishing not only tells you what not to do but also informs you on what steps you should take and how to recognize phishing. The best training includes some of the points we’ve mentioned so far and probably has some real-world or excellent training examples. Anti-phishing training can go a long way because not everyone is an IT or security expert at your company. However, everyone is still potentially a target for phishing.
Again, we’re not in a position to recommend the best tools out there. It may be one solution or a combination of defensive layers that end up being the best answer for your organization. A quick web search will bring you to a lot of different vendors and a host of top 10 lists for best tools, but we’ll borrow a list from Toolbox that lists some of the best features for anti-phishing tools:
- Spam filters to automatically block obviously suspicious emails, bulk campaigns, and unsolicited marketing materials
- Customizable filtering rules so that users and IT administrators can define their own policies for blocking emails
- Malicious file identification, including macros and ZIP files to prevent unintentional downloads
- Integration with multiple email clients such as G Suite and Office 365
- Options to report possible phishing attacks from within the email client without having to forward the email to other users on the network
- Malicious URL detection and auto-blocking of links
- In a perfect world, machine learning capability to flag new campaigns before signatures exist for them
The article includes other points, such as integrations with SIEM and additional ticketing or automation tools that can layer into existing processes. For security teams, tools may also mean having access to a sandbox or similar virtual environment to visit URLs or open suspicious attachments, in addition to the email tooling, which can help with incident response.
Tools that perform endpoint detection and response are also the new hotness right now, meaning another integration or another layer for security teams to deal with potentially. Just keep in mind not every solution will work for every organization. Again, a combination of processes and tools may become the best solution for your organization.
This is the part where we have to come to terms with the fact that there’s always a click. Whether through ignorance, a hasty decision, or some intent, someone somewhere is going to click on that phish.
For SOC and security teams, this means developing a workflow or playbook for responding both to unsuccessful attempts and to suspected successful ones. Depending on the size or profile of the organization, this may be a daily task; organizations that see less phishing should still keep the process familiar for the times it does appear. It comes down to understanding what each step looks like for both the practitioner and the user, and making sure the process is repeatable, scalable, safe to carry out, and reduces risk at every turn.
For the company as a whole, this might mean developing criteria around an acceptable use policy for web access. Some companies lock down their environment completely, while others are more permissive. Either way, there should be policies about how often training occurs and what it entails, use of web proxies and firewalls, what happens when HR or management needs to step in after a certain number or severity of incidents, and how users may use their laptops on company time. Corporate mail passes through the company’s filtering, authentication checks, and logging; personal email or social media used on a company asset bypasses most of that, so there’s potentially a gap in the defenses.
Finally, users need to understand what those policies are, whether reading through slides or a company handbook to understand them, signing a memo, watching a video, or having an online repository to refresh on those policies. Users should know what’s acceptable on company time, how to report phishing, what to do if they accidentally click a link or enter credentials, and potentially what consequences there are if they are found to be an unsafe or malicious user.
Phish(ers) Are a Menace
Circling back to the Verizon DBIR, every year since at least 2015 has seen an increase in the number of phishing attacks; meanwhile, a large number of users remain unaware of the threat. How do we know this? Because phishing still works. As we’ve seen with criminal groups and APTs, phishing is still the most cost-effective and easiest way to get in, because all it takes is one click, and the hard pill to swallow is that no solution is foolproof. It takes a combination of tools, training, and policies, plus the more complicated investment of time and money to make them work while also preparing for the instance when they don’t.
Threat intelligence isn’t always the silver bullet here. Still, it can add more firepower to your defenses with more context to aid in both incident response and the fight against phishing. With Searchlight, you can understand what actors are using phishing, the types of malware associated with phishing attacks, and other helpful information around domains and your assets that can help give defenders the intelligence they need.