Education and awareness are key to countering evolving phishing threats

Now most email users have become accustomed to traditional phishing scams, the methods used by scammers are beginning to evolve. To trick us into providing them with personal information or access to our networks, cybercriminals are using increasingly sophisticated tactics.

Since techniques such as the use of spoofed cloud applications, are making attacks much harder to detect, companies must adjust their security preparedness if they want to protect themselves.

From mundane threat to real danger

Traditional phishing was rather simplistic in execution and relied on the user’s lack of knowledge. For example, social engineering driven by phone calls and emails in which malicious actors would pose as government agents or corporate customer service representatives.

Unfortunately, many targets of these attacks would readily provide personal information to avoid the threat of legal action, penalties or account shutdowns.

There are two key reasons why traditional attacks have become less effective: advances in detection, and increasing awareness by the average user. On the detection front, major email providers have become much better at alerting users when a message is deemed suspicious or the source domain is not as it seems. On the user side, people are much more aware of what to look for in a traditional phishing attack, including bad spelling, grammatical mistakes and strange email addresses.

Unprompted password reset emails, while once effective, no longer drive the same volume of user action and are often detected by spam filters. This has forced phishers to think outside the box and create far more sophisticated phishing techniques.

One example can be found with the recent cloning of the Australian Government’s myGov website. While purporting to be Medicare, scammers used the spoofed website to send phishing emails requesting that users update their banking details.

Parallel with this evolutionary trend, the end goal of phishing attacks has also shifted. While hackers were originally primarily focused on trying to steal financial or personal information, they are now more focused on tricking users into disclosing valid credentials or surrendering access to their accounts.

Anatomy of a modern phishing attack

The widely publicised Gmail phishing scam in 2017 is an example of a modern phishing attack that affected users on a large scale. In this case, users were sent an email that appeared legitimate and directed them to an actual Google page.

While most phishing scams rely on sending users to a malicious domain, this attack simply asked unsuspecting individuals to grant access permissions (via Google) to a malicious application. Hackers could then use this permission to see victims’ contacts, read their emails, have insight into their locations, and see the files they created in G Suite.

The attack took advantage of the OAuth protocol, which Google uses to streamline authentication. Hackers knew that with OAuth in place the user could grant them access to personal information without requiring the use of credentials.

The existence of such protocols makes it easier for users to allow access to third party applications, but also makes it easier for hackers to access personal information without the use of usernames and passwords. Obviously, this is a departure from traditional phishing schemes wherein users are sent to a spoofed website and asked to enter login information.

The Gmail phishing attack shows us just how advanced these techniques have become – it was difficult for users to detect and difficult for Google to prevent. A critical takeaway is that the attack was able to clear the psychological trust hurdle. Users were tricked into giving permissions to a third party application because they trusted it. They believed the application to be a Google-approved service. A very small change in how the application domain was disguised successfully convinced users that the application was trustworthy.

The future of phishing

Since the days of basic phishing schemes have more or less passed, phishing techniques now rely on advanced forms of infiltration that better disguise malicious intent. They are very well targeted and aim to grant malicious individuals broad permissions over user data, user devices, and online services.

For example, in the Gmail attack, professionals were willing to grant permissions to a third-party application even though they were likely well aware of what traditional phishing emails look like. Stated simply, more people are vulnerable to attacks that obfuscate the criminal’s intention.

This is the future of phishing. Hackers will continue to play on trust by creating malicious applications that masquerade as known apps in order to trick individuals into surrendering access to their personal accounts and data. Unfortunately, this ability to spoof cloud apps while masking the sender’s identity is a particularly alarming trend given the rapid increase in cloud adoption around the world.

Preventing the next attack

Cloud service providers have already implemented a number of security features to identify phishing attacks proactively. Machine learning, improved email filtering, and malicious URL detection are capabilities that keep users safe on the web. Some providers even warn users when they are replying to email addresses that are outside of their corporate domains, helping to decrease the likelihood of unauthorised sharing and data leakage.

Education on new attack vectors needs to be made available across every enterprise in order to avoid costly and damaging data breaches. While large scale threats such as the Gmail attacks can be recognised by cloud providers who will advise customers on how to stay safe, many individuals and enterprises will still become victims of these kinds of attacks.

Organisations should take a proactive approach when it comes to identifying new phishing threats. By doing so, new forms of attack can be identified and remediated before they have the opportunity to do any damage.