Phishing is a cyber-criminal tactic that continues to threaten organizations of all sizes. While the objective of phishing, gaining access to IT systems, remains the same, the tactics have changed. In this article we’re going to take insights from CrowdStrike’s 2023 Threat Report and observations from our own Security Operations Center to give you a current view of phishing trends.
We’ll discuss how phishing threats have evolved; uncover three tactics to look out for; and equip you with the knowledge and strategies to prevent your company from becoming a victim of a phishing attack.
Definition of phishing – The practice of stealing credentials or confidential information by manipulating individuals into taking an action that provides access to accounts or data, bypassing other layers of security.
Phishing Objectives Have Changed
According to the CrowdStrike report, there has been a dramatic increase in the offering of access broker services on the dark web. An access broker is a type of cyber-criminal who focuses on gaining access to online accounts through legitimate credentials. Once they have this access, they sell it to others in the cyber-criminal ecosystem who take further actions to monetize that access.
Once a bad actor gets access to a device or network through a person’s business email or online account, they’re not just dumping ransomware as they have in the past. They’re using extortion, lateral movement, and interactive intrusions to get the biggest payoff they can.
Double Extortion Replacing Ransomware
Ransomware has been a go-to tactic for cyber-criminals because taking data and IT systems hostage in return for a payment worked a lot of the time. It fails when the victim declines to pay the ransom, and those failures have fed a surge in double extortion.
With double extortion, the cyber-criminal gains access to data, often through phishing. Instead of deploying ransomware to encrypt the data, the bad guy threatens to expose the data to the public. The threat of having sensitive proprietary and financial data, as well as customer and employee information, leaked is an incentive to pay a ransom without any ransomware being involved at all.
Lateral Network Movement
Another popular action that cyber-criminals take after gaining access to a device through phishing is to move laterally through the corporate network. When they can move around a network unseen, bad guys can get access to higher-privileged accounts. Once those privilege boundaries are crossed, they can deactivate security products and destroy data.
Cyber-criminals also use lateral network movement to go after a bigger target, either by gaining access to connected IT systems or by gathering the intel necessary to personalize a spear phishing attack. Spear phishing is highly effective because the perpetrator has inside information that makes the impersonation very hard to detect.
Hands-On Intrusive Activity
The CrowdStrike report shows a 50% increase in interactive intrusion activity compared to 2021. Interactive intrusion is similar to a pilot turning off autopilot and taking manual control of an aircraft. In other words, the cyber-criminal is actively typing and clicking in order to execute actions on the compromised IT system.
The technology industry has seen the biggest jump in interactive intrusion activity, followed by the financial, healthcare and telecommunications industries. Phishing is a common method these intruders use to get access to and take control of computers.
Watch Out for These Phishing Tactics
Now that you know about a few of the things that cyber-criminals are doing after they gain access to a computer or network, let’s look at how they’re actually gaining access.
Quishing – Malicious QR Codes
For phishing to work, the victim has to take an action that opens the door to whatever the cyber-criminal wants to do next. Traditionally, that action has been downloading a file that hides malware, or clicking on a link that automatically downloads malware from a web page. QR codes have become a popular way to take a victim to a malicious site instead.
Quick Response (QR) codes are harder for message content filters to catch because the malicious URL is encoded in an image rather than appearing as a link in the message text. QR-code lures are sometimes disguised as MFA notifications that ask the recipient to scan the code. The messages are personalized just as other phishing emails are, with company logos and other familiar information.
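As an added example (not code from the article, from XPERTECHS or from CrowdStrike), here is a small Python triage heuristic for the evasion just described: because the QR image carries the URL, the message can contain no link text for a URL filter to inspect, so the check below combines three signals a URL filter alone would miss. The sender addresses, sample messages and rule thresholds are constructed assumptions, and the attached PNG is a stub header rather than a real QR image; a production filter would additionally decode the QR with a library such as pyzbar and run the embedded URL through its normal URL checks.

```python
"""Heuristic triage for QR-code ("quishing") lures in email.

Added example, not code from the original article.
Assumption: a message that carries an image (inline or attached), urges the
reader to scan a code for an MFA/authenticator action, and contains no
clickable URL in its text is treated as suspicious, because the QR image
stands in for the link that URL filters would otherwise inspect.
All sample messages below are constructed and use .invalid domains.
"""
import email
import re
from email import policy
from email.message import EmailMessage

SCAN_WORDS = re.compile(r"\b(scan|qr code|qr-code)\b", re.I)
MFA_WORDS = re.compile(r"\b(mfa|2fa|multi-factor|two-factor|authenticator)\b", re.I)
URL_RE = re.compile(r"https?://\S+", re.I)
TAG_RE = re.compile(r"<[^>]+>")


def triage(raw: bytes) -> dict:
    """Return {'suspicious': bool, 'reasons': [...]} for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    text = str(msg["Subject"] or "")
    images = 0
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype.startswith("image/"):
            images += 1  # inline CID images and attachments are counted alike
        elif ctype == "text/plain":
            text += "\n" + part.get_content()
        elif ctype == "text/html":
            text += "\n" + TAG_RE.sub(" ", part.get_content())  # crude tag strip

    no_link = bool(images) and not URL_RE.search(text)  # image replaces the link
    asks_scan = bool(SCAN_WORDS.search(text))
    mfa_theme = bool(MFA_WORDS.search(text))
    reasons = [name for name, hit in [
        ("image present but no URL in message text", no_link),
        ("asks the recipient to scan a code", asks_scan),
        ("MFA/authenticator theme", mfa_theme)] if hit]
    # Suspicious only when the link-less image is paired with the lure theme.
    return {"suspicious": no_link and (asks_scan or mfa_theme), "reasons": reasons}


def build_sample(subject: str, body: str, attach_image: bool) -> bytes:
    """Construct a test message; the PNG payload is a stub header, not a real QR."""
    m = EmailMessage()
    m["From"] = "it-support@example.invalid"  # constructed sender
    m["To"] = "employee@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    if attach_image:
        m.add_attachment(b"\x89PNG\r\n\x1a\n", maintype="image",
                         subtype="png", filename="mfa-code.png")
    return m.as_bytes()


# Constructed samples: one quishing lure and two benign messages.
SAMPLES = {
    "quishing_lure": build_sample(
        "Action required: MFA re-enrollment",
        "Your authenticator app session expires today. Scan the QR code in "
        "the attached image to re-enroll.", True),
    "newsletter_with_link": build_sample(
        "Office photos",
        "Photos attached; more at https://intranet.example.invalid/photos", True),
    "text_only_reminder": build_sample(
        "MFA reminder",
        "Please re-enroll in MFA at https://sso.example.invalid/enroll", False),
}


def run_samples() -> dict:
    """Map each constructed sample name to its triage verdict."""
    return {name: triage(raw)["suspicious"] for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, triage(raw))
```

Only the lure is flagged: the newsletter carries an image but also a plain URL that the regular filters can inspect, and the text-only reminder has no image at all. The point of the rule is the combination; any one signal on its own (an image, the word "scan", an MFA subject) is common in legitimate mail.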
Human to Human Social Engineering
Vishing, or phishing via phone calls, is also increasingly used to get victims to download malware or to bypass MFA. The cyber-criminals who practice vishing are very adept at tricking individuals into sharing their passwords or their MFA codes by impersonating people who may have legitimate business with them or their employer.
As with phishing emails, the social engineers use familiarity and urgency to get people to respond quickly. Oftentimes the victim doesn’t even know that they did something they shouldn’t, but may just have an uncomfortable feeling about the interaction.
It used to be easy to spot a phishing email. There were typos and misspellings, the grammar was incorrect, and the made-up story was easy to see through. Now cyber-criminals are using ChatGPT and other Artificial Intelligence (AI) language models to create email messages that are more difficult for filters to catch or for humans to recognize.
AI doesn’t just make the language flow; it can also pull information from different sources and put it together into a convincing spear phishing campaign. Not only that, but voice cloning technology has made it possible to mimic the voices of familiar people, making vishing an even more effective phishing tactic.
How to Counter Evolving Phishing Threats
The best approach to counter phishing threats is to have a multi-layered security strategy that includes technical and non-technical tactics. There’s more to creating a strategy than pulling software tools off the shelf or checking the boxes to make sure you’re including all the tactics. Each piece works with the others.
It’s beyond the scope of this article to describe how to create a security strategy but we will call out a technical and a non-technical component that are must-haves for your strategy.
- Cybersecurity awareness training will equip your people to recognize potential phishing attempts when they see them.
- Microsoft 365 hardening is the process of configuring your Microsoft 365 environment so that you’re utilizing all of the security features available.
Time to Up Your Security Game
Here at XPERTECHS, we work with clients to create security strategies that match each organization’s risk profile and the evolving threat landscape. The result is that business leaders are confident that they’re effectively managing cyber risks. If you don’t have that confidence, it’s time to up your security game.