How phishing is evolving and becoming more difficult to stop
We shouldn’t have to tell you that hackers are constantly inventing new ways to get their hands on personal information or cause havoc in a digital environment.
The case is no different for phishing. The email attack that uses a mixture of cunning techniques and strategically selected targets to gather personal information has increasingly become more successful for criminals as they’ve elevated their tactics over the past few years.
Instead of a poorly spelled email asking you to download an attachment, it might be a user on social media that frequents the same hashtag you follow who shares a link. It could be a message from a C-suite executive who wants you to send a sum of money to a different bank account than usual.
Phishing is evolving, and it’s becoming more difficult to stop with each passing day. Artificial intelligence (AI) and the Internet of Things (IoT) have given hackers the ability to build, scale and operate massive campaigns that have high success rates attached to them.
Employee awareness training will play a critical role in preparing enterprise workers to identify phishing attempts before they have a chance to do any damage.
How is AI improving phishing?
Phishing is a time-intensive task. Each campaign has various components that need to be carefully crafted to mimic authenticity, whether it’s making an email look like it came from a service provider or spoofing a website design to capture login details.
Speeding up the developmental process and the actions that follow can enable threat groups to try a greater variety of strategies as they seek to secure credentials from their targets. Behind this expected improvement in efficiency is AI; the same technology that powers next-generation cyber security platforms.
Machine learning is slated to – and in some ways, already does – revolutionise phishing tactics much in the same way it has transformed analytics: By helping hackers deal with the volume, variety, velocity and veracity of big data to accomplish more in less time.
Case in point: SNAP_R is an AI program that was taught by data scientists to study the habits of social network users, and develop its own spear-phishing campaign based on those insights. It was then pit against a Forbes writer in a test to see who could convert the most victims in a potential attack, Gizmodo reported.
SNAP_R was able to average just under seven tweets per minute, sending a total of 800 and generating 275 victims for a 34 percent success rate. In contrast, the Forbes writer was only able to send a little over one tweet per minute to a total of 129 people, netting 49 victims for a 38 percent success rate.
The simulation serves as a testament to how hackers could use AI in the near future to scale their efforts while maintaining a consistent conversion rate. But it’s not the only way it’s being leveraged.
AI is also being used to help criminals map the digital infrastructure of a business before and after infiltrating it. By using data analytics, they can narrow down exactly who they’re targeting and which path they should take if they need to gain a greater amount of access.
How is IoT improving phishing?
The IoT has been a boon for businesses all over the world, enabling them to connect previously isolated devices to generate more data and gain better granular insight than ever before.
But smart technology is also vulnerable technology. Default credentials and unpatched vulnerabilities can make it easy for hackers to gain access, and from there they can accomplish a couple of things:
- Gather information that could support phishing efforts.
- Incorporate the device into a botnet – a network of connect digital machines controlled by one attacker or a group – to support large-scale campaigns.
In essence, businesses that fail to secure IoT devices could be contributing to the phishing efforts that they’re the target of. These campaigns can grow to a massive size considering the estimated 7 billion IoT devices currently in use, according to IOT Analytics.
One example of the potential impact of unsecured machines on a large scale is the Necurs botnet. In August 2018 it was leveraged in a phishing attack against over 3,500 banks across the world, Cofense Research reported.
The campaign only lasted one day, showing the extent to which IoT can be used to escalate a malicious operation. There was a wide range of targets within the financial institution, and manually sending out the emails would have significantly reduced the hacker’s attack surface.
How your business can improve its phishing security
Criminals are using AI and IoT to create more intelligent and agile phishing and spear-phishing cyber-attacks, but that doesn’t mean they’re becoming impossible to stop. Detection and prevention hinges on both the security technology in place and the effectiveness of employee awareness training.
The former is as straightforward as binary code. While the technical aspect of cyber security can at times seem daunting, it’s certainly fixable. People, on the other hand, are a challenge. There’s no silver bullet; only a consistent focus on education will help the business avoid a data breach.
Technological necessities haven’t changed all that much over the past few years, they’ve only grown more important. Key solutions that can help detect phishing and prevent infiltration or exfiltration include:
- Intrusion Detection and Prevention Systems (IDS and IPS)
- Anti-virus program
- Email security/anti-spam software
- Security Information and Event Management (SIEM) platform
- Data Loss Prevention (DLP) tool
- Database Activity Monitoring (DAM)
While these solutions all play a role in improving an organisation’s cyber security posture, they can’t be the only line of defence. Employees at all levels of the business can be an effective “human firewall” against phishing and spear-phishing attempts when given the right resources.
Working with a Cyber Risk and Assurance (CRA) team can help your company:
- Develop a comprehensive strategy that intertwines technology with the human element of cyber security.
- Build an employee awareness training program
- Identify a framework that fits the enterprises unique risks and requirements (NIST, CIS Top 20, COBIT, ISO 27001, etc.).
- Map the digital environment to understand what sensitive data should be a priority to protect and how to control access to it.
As phishers’ tactics evolve, so should your business’ ability to detect and defend against them. Download your cyber security kit for Cyber Security Awareness Month today, or contact an Integrity360 advisor to learn more.