The slow but steady evolution of phishing attacks — PART II

Alexandre Esser

Part 1 is available here

The Evolution of Phishing from 2011-2020

Mass attacks are becoming increasingly ineffective, giving way to spear phishing attacks, or even "whaling" (whale fishing). As the name suggests, a whaling attack is nothing more or less than a spear phishing attack where the victim is a big fish — meaning a VIP target (executive, decision-maker, etc.). The potential gain in the event of a successful attack becomes very significant.

This type of attack can lead to serious consequences for the victimized companies:

  • Facebook and Google were victims of a whaling attack between 2013 and 2015, with damages estimated at around 100 million dollars. The Lithuanian cybercriminal accomplished this feat by sending each company a series of fake invoices while posing as a major supplier.
  • In 2016, a Snapchat employee disclosed the salaries of all the company's employees to a cybercriminal. The employee had received an email that appeared to come from the CEO and had responded promptly. HR and payroll teams are frequent targets of whaling attacks because they have access to sensitive data.

The Development of Anti-Phishing Solutions

Although some anti-phishing solutions were born in the early 2000s, most were developed in the following decade. Extensive research has been conducted on phishing prevention and detection, and the solutions range from software detection of phishing attacks to user training, awareness, and internal communication.

Software and hardware solutions have particularly evolved over the past 10 years:

  1. Detection of fake browser extensions
  2. Improved authentication methods thanks to MFA (Multi-Factor Authentication)
  3. Active email filtering by certain providers
  4. Real-time monitoring and detection of hostile websites by some browsers
  5. Automatic disabling of malicious scripts (Java, etc.)
  6. Adoption of new development methods (Privacy/Security by Design)
  7. etc.

Current anti-phishing solutions provide an additional layer of defense against phishing attacks. However, such tools are often expensive and, given the diversity of phishing attacks, sometimes ineffective.

In some respects, the main phishing methods have remained the same. The goal is always the same: to gain a foothold through malware or to obtain a user's credentials. Even today, this is most often accomplished through corrupted links or malicious attachments.

What has primarily changed is the presentation. While there are still emails with obviously fake email addresses and riddled with spelling mistakes, a significant number of phishing emails have become difficult to spot.

For example, cybercriminals have recently launched "conversation hijacking" attacks, using previously compromised email accounts to reply to ongoing discussion threads. The attacker revives an old email thread by replying to it with malicious links or attachments, easily catching recipients off guard.

Some lead to websites whose login flow is identical to that of the site they imitate, as in our article on bypassing multi-factor authentication.

It follows that even a keen eye has great difficulty spotting sophisticated attacks, and realistic, hands-on employee training against phishing becomes key to detecting the most refined ones.

Phishing and Smartphones

In the span of a year, mobile phishing has increased by nearly 40%*. According to the same report, this represents a loss of 35 million dollars for a company with 10,000 mobile phones.

Cybercriminals are now using instant messaging applications like WhatsApp, Messenger, Instagram, or even SMS as phishing methods. These attacks are still too often downplayed or overlooked by cybersecurity professionals, yet they can endanger their organizations just as much as email attacks.

Among these attacks, the main risks are related to:

  • Mobile applications: they undergo little security control, installation friction is almost non-existent, and many users don't pay attention to the permissions they grant these applications.
  • Theft: unlike computers, where security policies require disk encryption or strong authentication, phones are sometimes poorly secured, with only the owner's birth date as the unlock code. The data contained in your employees' phones is certainly worth more than the phone itself.
  • SMiShing: SMS attacks are becoming increasingly popular because they are still rare and there is no upfront filtering; when well executed by cybercriminals, they often have a higher success rate.

This list is not exhaustive, but it gives a sense of the diversity of attack vectors that your employees' mobile phones present.

Figure: smishing impersonating Revolut. The SMS uses an uppercase "I" instead of the lowercase "l" in the link.

For context, between 2011 and 2014, three Romanian citizens undertook successive smishing and vishing attacks on American citizens. Their total proceeds amounted to 21 million dollars, which is 7 million per year.

The geographical distance from the United States did not protect them, as they were caught by the FBI in 2017, extradited in 2018, and were sentenced to 8 years, 7 years, and 4 years in prison, respectively, after pleading guilty.

Detecting smishing attacks is technically challenging. Malicious SMS messages are much harder to detect and block automatically than phishing emails, and companies are often helpless against these attacks. MDM (Mobile Device Management) solutions can make devices compliant with the company's security policy, but they do not block or prevent malicious SMS messages and websites.

However, at-risk companies can defend themselves by educating their employees through simulated SMiShing campaign drills. This experience, very close to real-life conditions, allows employees who fall for the drill to become aware of the danger and adopt the right reflexes in future simulation campaigns or real attacks.

The Future of Phishing

Predicting the future of phishing is no simple task; if it were, we wouldn't need to dwell on it. Indeed, phishing, like other forms of cybercrime, is a cat-and-mouse game: the one who outsmarts the other's advancements will win.


However, we can make some predictions about the techniques that will develop in the coming years and those that will become increasingly rare. For instance, it's clear that less sophisticated mass attacks will never find their way into your email inbox in the future, as is already the case for many low-skill attacks.

Conversely, spear-phishing attacks will continue to grow, sometimes requiring significant human and technical skills to execute. Cybercriminal gangs — whether hacktivists, politically motivated, or simply driven by the lure of profit — have these resources. Like Rock Phish, Avalanche, Fancy Bear, or Emotet, they will continue to make headlines in the coming years with ever more staggering amounts of stolen money.

Vishing

"Vishing" is a contraction of voice and phishing, meaning it's phishing through telephone calls.

Similar to email phishing, it involves impersonating an individual or organization to obtain private or financial information for the purpose of defrauding the victim.

This form of social engineering has existed for as long as the telephone, but it has become widespread with the advent of VoIP technologies, which have automated the calling process and drastically reduced communication costs.

Here are a few classic vishing scenarios targeting both individuals and businesses:

  • Offering an exclusive refund following a double-glazing window purchase, claiming it's a tax credit.
  • Asking for confidential information while impersonating a mobile operator.
  • Acquiring banking information by pretending to be a supplier for whom a payment hasn't gone through correctly.

Unfortunately, there's not much to be done to protect against cybercriminals enticing you to divulge information about your company. Sometimes the fault lies with company receptionists and secretaries who don't always follow proper identity verification procedures.

Things get complicated when voice cloning is combined with vishing, making it very dangerous for anyone targeted. We believe that this vishing/voice cloning alliance will intensify in the coming years, eventually becoming a traditional phishing method.

Voice Cloning

"Voice cloning" allows, as the name suggests, reproducing an individual's voice from samples of it in order to make them say whatever one wishes.

Today, voice cloning is increasingly in demand in the market due to its varied applications: conversational assistants, smart speakers, film dubbing, digital characters, video games, audiobooks, GPS systems, etc.

However, the downside is that, as often with new technologies, voice cloning can be misused.

How would you react if your boss's boss called you to ask for confidential information on a contract you're working on? The only difference from reality is that the person you're talking to isn't your superior but a fraudster in action.

It's these kinds of attacks we must prepare to face in the future. The fight is already underway, as we see new solutions emerging that allow for the detection of voice cloning. But as these technologies evolve and machine learning models get better trained, it will become increasingly difficult to discern truth from falsehood.

Figure: voice cloning market forecast, 2019-2026.

As of now, voice cloning is not just a concept but a reality in the world of phishing. Large-scale scams have already occurred, costing the CEO of a German company a modest sum of 220,000 euros: "criminals used an AI voice-generating software to impersonate the boss of a German parent company that owns a UK-based energy firm"**.

Raising awareness that this technology exists and how sophisticated it is constitutes the first step in defending against this new threat. While technical solutions will indeed help us defend ourselves, they will not be 100% infallible. Our ability to critically assess a situation and verify the source and truth of information will become increasingly important in the world of tomorrow.

Deepfakes

The term "deepfake" is a portmanteau of "deep learning" and "fake." It's an image synthesis technique based on artificial intelligence used to create disinformation and malicious hoaxes.

Deepfake content is created through deep learning: neural networks are trained on massive data sets to produce highly realistic forgeries.

Much like voice cloning, deepfakes add a new dimension to deception: the person speaking that you see on your screen isn’t real but a clone.

Deepfakes that have been successfully used in spear-phishing attacks prove that a new concept is emerging.

Nonetheless, deepfakes raise numerous questions. Perhaps this new technique will not work as well as more traditional methods? Maybe deepfakes will be the primary cyber-threat by 2030? Currently, creating deepfakes requires considerable effort, and simpler techniques still work.

However, cyber-criminals have proven that deepfakes can work just as well as traditional methods, so we should expect to see an increasing number of such attacks in the coming years.

Conclusion

All indicators suggest that the threat of phishing as a cybersecurity attack vector is here to stay. Indeed, phishing is rapidly evolving towards higher levels of sophistication by leveraging the powerful capabilities of artificial intelligence.

The panic surrounding COVID-19, the American elections, and other significant events will only exacerbate the threat, providing an ideal environment for insidious phishing campaigns to flourish, targeting both individuals and businesses.

Preparing Well for D-Day

The best defense against phishing remains your intuition, judgment, intelligence, common sense, and caution.

Unfortunately, in a constantly changing world where everyone's attention span is decreasing and, typical of the Millennial generation, there's no longer a willingness to wait for things, it's becoming increasingly difficult to exercise caution before clicking a link.

That's why anti-phishing software is gaining importance, helping us better judge the situations we face. Nonetheless, some common-sense advice can prevent you from becoming the next victim.

Pay attention to the sender of the emails you receive: always read the email addresses of senders in your inbox. The devil is in the details: small spelling mistakes, homoglyphs, odd punctuation, etc., are signs that something is amiss.
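The uppercase "I" standing in for a lowercase "l" in the Revolut smishing example above and the homoglyph advice here come down to the same check: does the sender or link domain collapse onto a known brand once look-alike characters are normalized? The following Python is an added example, not code from the article; the confusable tables and the sample domains are constructed and deliberately small.

```python
from __future__ import annotations

import unicodedata

# Constructed tables (not from the article): characters and digraphs commonly
# swapped for look-alikes in spoofed domains, mapped to the ASCII letter they
# are meant to resemble. Case-sensitive entries are applied before
# lower-casing so that a capital "I" standing in for "l" is caught.
DIGRAPHS = {"rn": "m", "vv": "w", "cl": "d"}
SINGLES = {"I": "l", "1": "l", "|": "l", "0": "o", "5": "s", "3": "e", "8": "b",
           "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
           "\u0441": "c", "\u0456": "i", "\u03bf": "o"}


def skeleton(label: str) -> str:
    """Reduce a host name to a visual skeleton so that look-alikes collide."""
    s = unicodedata.normalize("NFKD", label)
    s = "".join(ch for ch in s if not unicodedata.combining(ch))  # drop accents
    for src, dst in DIGRAPHS.items():
        s = s.replace(src, dst)
    s = "".join(SINGLES.get(ch, ch) for ch in s)
    return s.lower()


def classify_domain(domain: str, legitimate: set[str]) -> tuple[str, str | None]:
    """Compare a sender or link domain against known-good brand domains.

    Returns (verdict, matched_brand); verdict is "legitimate", "homoglyph",
    "brand-in-domain" or "unrelated". Case is kept until skeleton() runs.
    """
    raw = unicodedata.normalize("NFC", domain).rstrip(".")
    if "xn--" in raw.lower():  # punycode as delivered on the wire: use the Unicode form
        try:
            raw = raw.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    if raw.lower() in legitimate:
        return "legitimate", raw.lower()
    sk = skeleton(raw)
    for good in legitimate:
        if sk == skeleton(good):  # revoIut.com, rev0lut.com, revolüt.com ...
            return "homoglyph", good
    for good in legitimate:
        if skeleton(good.split(".")[0]) in sk.split(".")[0]:  # revolut-secure.com
            return "brand-in-domain", good
    return "unrelated", None
```

A skeleton match is a signal for review, not proof of fraud: very short brand labels will collide with unrelated names, so tune the brand list to your own organisation and suppliers.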

Be cautious before performing an action you are asked to do: phishing emails generally ask you to perform some action, such as clicking on a link or providing confidential information, bank account numbers, etc. Such requests should put you on alert; when in doubt, pick up the phone and ask for confirmation through a channel other than email.

Suspicious attachments: malicious attachments are also a common phishing tactic. If you aren't expecting an attachment from someone, it's better not to download anything and to ask for confirmation by phone.

Source: *Lookout 2020 Mobile Phishing Spotlight Report; **The Next Web
