Phishing attacks continue to be one of the most prominent methods of cyber-attack to date. According to Symantec’s 2019 Threat Report, nearly 65% of all cyber-attacks utilized phishing as an initial vector of compromising a user or business. In 2019, phishing schemes accounted for 53% of attacks on Small to Medium Size Businesses (SMBs). These attacks, which range from simple requests to elaborate setups including links to malicious websites, are only likely to become more prevalent given the current need for more people to work remotely. While, we like to believe users are smart enough to know that they are being “phished”, attackers tend to know how to trick even the most knowledgeable users by intentionally appearing to be a legitimate entity.
What is Phishing, and Why Should I care as an SMB?
First, let’s discuss what a phishing attack is:
Phishing attacks are considered social engineering attacks. They are usually focused on targeting one or many people via email, social media, or direct messaging capability in order to obtain sensitive information such as system credentials, banking information, credit card details, and any other information that could be used to impersonate or compromise the user/organization. The attacks appear to come from legitimate users or trusted parties and will request specific personal or business details through links to sites that are created to look like a trusted site, or through direct messages. This attack method has proven to be very successful because it is easy to deploy, difficult to attribute, low in cost to implement, and hard to prevent as it requires the end user to understand the nature of a phishing attack. Even organizations with security training and knowledgeable users are not entirely protected. For SMBs, one email click could lead to significant financial losses over data breaches, fraudulent account access (leading to loss of money or sensitive data), and the potential of shutting down your doors for remediation. Cyber Lantern recently responded to a phishing attempt for a Small Business customer whose users are pretty security savvy. While the attack was simplistic in nature, it did a great job of disguising itself as a trusted source, leading the end-user to “take the bait.” Luckily, this customer had enlisted Cyber Lantern as their security provider, and quickly called us when they realized the email seemed… well… “phishy.” The following breakdown demonstrates just how easily a user could be tricked into sharing information, which could lead to further attacks.
Anatomy of the Phish:
Recently, one of our SMB customers had a user receive an urgent looking email from the CEO of their company, requesting their personal cell number. The address looked like a legitimate private address and contained the name of the CEO as part of the email address. If the CEO needs to ask you something and is using their personal email to reach out, it must be important, right? Needless to say, the employee quickly sent back their cell number – but quickly realized maybe this was a mistake.
The request was unusual, so the user was cautious enough to reach out to the CEO, and verify if the email had actually come from him. The CEO confirmed it had not – opening up a chance for our team to explore the phishing attempt further. Below is a copy of the email received by the customer.
Please note that we have received permission from our customer to share this information and removed any user names to protect the identity of our customers.
The attack began with a morning email, asking for the employee’s phone number. The email came from a legitimate-looking email account and had the CEO’s full name listed as an Outlook contact, leading the employee to believe it was genuine. This is an easy way for attackers to “spoof” or pretend to be someone important, adding urgency on the employee’s part to respond. Once the employee shared their number, they received a text from the fake CEO asking to confirm receipt of the message using the actual CEO’s full name as a continued method for the hackers to identify themselves as an important person. After further engagement, the hackers requested 3 eBay gift cards at $200 each. They also asked that the cards be activated, and that images of the cards sent to them.
By this point, the Cyber Lantern team had already received a call from the customer and the investigation was quickly underway!
A quick investigation of the email, including the header information, revealed the originating IP of the attacker.
Based on threat intelligence information, we identified that the IP in question was in fact reported for Spam activity as recently as June 10th, 2020.
While this was a pretty low-level phishing attempt (meaning it didn’t lead to any credential compromises), it still allowed the attackers to collect more information on the employee: it verified that the employee existed, and confirmed the employee’s phone number which could be used for further enumeration and attacks not only on the employee, but also the company. In fact, the Cyber Lantern team continued to monitor for further activity from this attacker and within minutes identified an additional three new attempts to hack the customer’s data share by the same hacker. In this case, none of the IPs they used were found on any threat intelligence sites, providing us with newly acquired threat ‘Indicators’ to proactively monitor. As an outcome, our team added the known ‘Indicators’ to our alerting and watch lists. This provides us with context on future hacking attempts coming from those IPs, and allows us to detect and prevent future attacks by this perpetrator on all our customer networks.
Prevention is the Best Cure: Stopping the Next Attempt
Education, combined with a culture of security, is your best first line of defense. The reason this phish failed is because the employee knew that an email like this could be a potential phish, and felt comfortable contacting the CEO to ask if it was truly him. This example of a built-in culture of security awareness is essential, especially while working remotely.
But what if easy, immediate access to your CEO isn’t feasible? In our case, the CEO happened to be available; but what if he was on a call, in a meeting, or otherwise inaccessible? You can mitigate the risk of a phish succeeding with these basic best practices:
· Flag all external emails as coming from an external source so that employees know not to immediately trust emails based on the sender alone.
· Apply multi-factor authentication across applications to avoid credential theft that can lead to impersonation of employees, but also help protect your business in the case that an employee does share their credentials. This way, the employee will be required to provide a secondary authentication method to verify they are the user.
· If your company has on-site servers/storage devices, use a firewall to whitelist/blacklist connections into your network.
· Ensure the use of strong passwords that are changed frequently.
· Educate employees: don’t click on suspicious links! (This is probably the most important!) When in doubt, ask the person directly through a different communication channel, such as Slack, text message, or a phone call.
You Don’t Have to Do This Alone.
Companies like yours don’t have to become overnight experts in cybersecurity to guard against phishing attempts. While it could potentially take your team several hours if not days to investigate and remediate these issues, it only took our team a few minutes to investigate and provide suggestions to not only block this attacker, but also prevent future incidents like this one. This means that your team can begin taking a more proactive stance on security, instead of reactively trying to fight off bad actors.
It is far more cost-effective and beneficial to work with a company like Cyber Lantern to be the experts on your behalf. We’ve seen it, we’re prepared for it, and our sole focus is on protecting your company – so that you can focus on running your business. If you’d like to talk further about ways that we can guide and protect your organization, please contact us at (650) 729-8228.