Google has no pretensions of being the best when it comes to cybersecurity, but it still stings for it to figure in unflattering reports of cyberattacks. Just recently, the world’s biggest online marketing platform suffered a security breach through a LinkedIn phishing spoof.
Google Workspace Security failed to detect and prevent a phishing email that sought to steal credentials. The phishing attack managed to evade Google’s usually reliable email security controls by deceiving the SPF and DMARC email authentication checks in creative ways.
This “successful” attack serves as a reminder that there is no flawless solution against cyber threats. Cybercriminals always find new ways to take advantage of the smallest of vulnerabilities and defy defensive measures. Phishing and other social-engineering attacks are especially notorious because they exploit a human susceptibility to deception that is difficult to address.
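The article does not say how the SPF and DMARC checks were deceived, but it helps to see what those checks actually establish. The following is an added example, not code from the article or from Google: a minimal DMARC identifier-alignment check over a message whose SPF and DKIM results the receiving mail server has already recorded in an Authentication-Results header (RFC 8601). The function names (`parse_auth_results`, `evaluate_dmarc`), the sample messages and the `.example` domains are all constructed for illustration. The point it demonstrates is that an SPF "pass" only vouches for the envelope sender (`smtp.mailfrom`), so a filter that treats "SPF pass" as "the From address is genuine" is misreading the result; DMARC passes only when an authenticated domain aligns with the visible From domain.

```python
"""
DMARC identifier-alignment check over an already-authenticated message.

Added example, not code from the original article. It assumes the receiving
MTA has recorded SPF and DKIM results in an Authentication-Results header
(RFC 8601) and shows the step DMARC adds on top: a result only counts when
the authenticated domain aligns with the RFC5322.From domain.
"""
import re
from dataclasses import dataclass
from email import message_from_string
from email.utils import parseaddr


@dataclass
class DmarcVerdict:
    from_domain: str
    spf_aligned: bool
    dkim_aligned: bool

    @property
    def passes(self) -> bool:
        # DMARC passes when at least one aligned mechanism passes.
        return self.spf_aligned or self.dkim_aligned


def parse_auth_results(value: str) -> dict:
    """Parse one Authentication-Results value into {method: (result, props)}.
    Parenthesised comments are dropped; the first ';'-clause is the authserv-id."""
    value = re.sub(r"\([^)]*\)", "", value)
    results = {}
    for clause in value.split(";")[1:]:
        tokens = clause.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results[method.lower()] = (result.lower(), props)
    return results


def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels. Production
    code must use the Public Suffix List (co.uk etc.); assumption for the sample."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Relaxed ('r') alignment compares organizational domains; strict ('s') is exact."""
    if not auth_domain or not from_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(raw: str, aspf: str = "r", adkim: str = "r") -> DmarcVerdict:
    """aspf/adkim mirror the tags of the sender's DMARC record (default relaxed)."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    ar = parse_auth_results(msg.get("Authentication-Results", ""))
    spf_result, spf_props = ar.get("spf", ("none", {}))
    dkim_result, dkim_props = ar.get("dkim", ("none", {}))
    spf_domain = spf_props.get("smtp.mailfrom", "").rpartition("@")[2]
    dkim_domain = dkim_props.get("header.d", "")
    return DmarcVerdict(
        from_domain,
        spf_result == "pass" and aligned(spf_domain, from_domain, aspf),
        dkim_result == "pass" and aligned(dkim_domain, from_domain, adkim),
    )


# Constructed sample messages; every domain is a placeholder, not a real sender.
# SPF passes for the envelope domain, but that domain is not the From domain.
UNALIGNED_SENDER = """\
Authentication-Results: mx.receiver.example; spf=pass smtp.mailfrom=bounce@corp-notify.example; dkim=none
Return-Path: <bounce@corp-notify.example>
From: "Corp Security" <security@corp.example>
Subject: Action required: confirm your password

Click the link to keep your account active.
"""

# Both mechanisms pass and both authenticated domains align with corp.example.
ALIGNED_SENDER = """\
Authentication-Results: mx.receiver.example; spf=pass (sender IP listed) smtp.mailfrom=bounce@mail.corp.example; dkim=pass header.d=corp.example header.s=sel1
Return-Path: <bounce@mail.corp.example>
From: "Corp Security" <security@corp.example>
Subject: Monthly security digest

Nothing to do this month.
"""

if __name__ == "__main__":
    for name, raw in [("unaligned", UNALIGNED_SENDER), ("aligned", ALIGNED_SENDER)]:
        v = evaluate_dmarc(raw)
        print(f"{name}: from={v.from_domain} spf_aligned={v.spf_aligned} "
              f"dkim_aligned={v.dkim_aligned} dmarc={'pass' if v.passes else 'fail'}")
```

Run against the two constructed messages, the first yields an SPF pass that is not aligned and therefore a DMARC failure, the second passes on both mechanisms; with `aspf="s"` the second still passes on DKIM alone, because `mail.corp.example` is no longer an exact match for the From domain. In a real gateway the alignment modes come from the sending domain's published DMARC record rather than from function arguments.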
The year 2022 has seen more than 255 million phishing attacks so far. This figure represents a 61 percent increase compared to last year’s number. This considerable increase shows how phishing remains to be one of the go-to attacks of cybercriminals. It is highly effective and most organizations still have not figured out the best defense against it.
In IBM’s Cost of Data Breach Report 2022, phishing is ranked as the second-costliest cause of data breaches. Organizations that fall prey to phishing lose nearly $5 million for each attack. The “easy money” makes this attack enticing to many cybercriminals.
There are many phishing attack types, but they share the same modus operandi: deception. Perpetrators trick potential victims into unwittingly sharing sensitive information, particularly login credentials and personal identification details. The deception also makes victims do certain actions that compromise their cybersecurity such as the installation of malware after clicking on a link or file.
Five of the most common types of phishing are as follows:
- Email phishing. Most email service providers already deploy phishing scanning tools, but many attacks still manage to penetrate the filters, just like what happened to the LinkedIn spoof email mentioned earlier.
- Spear phishing. This is also a form of email phishing, but it is slightly different because the perpetrators already know a good amount of details about their victims. This information allows the attackers to write convincing emails that trick victims into doing tasks like sending money or more information and multimedia content that can be used against the victims.
- Whaling. This is a phishing attack that specifically targets people of authority or those with highly privileged roles. It usually does not involve the use of fake URLs or dummy web pages. Instead, it leverages publicly available information about a target to compel them to perform actions that benefit the perpetrator.
- Smishing and vishing. These are variations of phishing that use SMS (smishing) or audio and video calls (vishing) instead of email.
- Angler phishing. Another specialized form of phishing, angler phishing makes use of fake social media accounts or pages to impersonate a legitimate organization. This allows the perpetrators to obtain data about the victim with respect to the organization being imitated.
Why the Problem Never Ends
Phishing has been around for many years, yet it remains a potent cyberattack. This unfortunate reality persists mainly for three reasons: the lack of phishing or cybersecurity awareness orientation or training, the use of trusted services to host attacks, and zero-day attacks.
Lack of cybersecurity awareness. Many still do not instinctively suspect that an SMS or email they receive may be a phishing attempt. Many cannot tell when they are already dealing with a case of phishing, let alone respond appropriately.
The solution for this lack of phishing knowledge is meaningful phishing orientation or training. Users of web-connected computers and mobile devices can be taught to develop a healthy level of skepticism and the ability to spot the telltale signs of phishing. A 2021 study reported by Infosecurity Magazine reveals that 80 percent of organizations that provided cybersecurity awareness training observed decreased phishing susceptibility.
Unfortunately, not many organizations conduct sensible phishing awareness orientation or training. Also, some of those that do only do it for the sake of doing it, not necessarily providing the crucial knowledge, insights, and programs people need to be exposed to.
Trusted services used in staging or launching phishing attacks. Another lamentable reality that makes it difficult to significantly reduce the effectiveness of phishing attacks is the involvement of legitimate or trusted web services in the attacks. A 2022 state of phishing report cited by Security Magazine found that 32 percent of all threats are already being hosted by trusted services such as Amazon Web Services, Google Cloud, and Microsoft Cloud. There has been an 80 percent increase in threats hosted by trusted services.
Google, Microsoft, and Amazon are already doing something about their unintentional participation in the launch of attacks. However, it is clear that the challenge is anything but easy. It is difficult to identify which customers will eventually become phishing perpetrators or accomplices.
Zero-day attacks. The majority of threats recorded in 2022, around 54 percent, were classified as zero-day or zero-hour, according to the same report cited by Security Magazine. Threat actors appear to be shifting tactics by carrying out their attacks in real time to improve their success rates.
Zero-day attacks are difficult to detect and prevent because they have not been identified or profiled yet. Newly started phishing schemes are essentially zero-day or zero-hour threats since their mechanisms and the sites or links used are still unknown to security providers. Security scanners that rely on centralized threat intelligence will not be able to detect phishing attacks without the updated threat information.
The best defense against zero-day attacks is behavior or activity pattern analysis. In the case of phishing, that means a habit of doubting the contents of an email, SMS, or audio/video call. Unfortunately, this instinct is apparently very difficult to develop. Some employees even tend to deliberately switch off security controls because those controls appear obstructive or slow processes down.
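What "behavior or activity pattern analysis" looks like on the mail-filtering side, as an added example that is not code from the article or from any vendor: a small triage routine that scores a message on what it does rather than on whether its URL is already known to a threat-intelligence feed, which is exactly the case a zero-hour phishing campaign defeats. The signals, weights, threshold, function names (`triage`, `LinkCollector`) and the two constructed sample messages with `.example` domains are all assumptions chosen for illustration.

```python
"""
Heuristic phishing triage that needs no threat-intelligence match.

Added example, not code from the original article or any vendor product. The
signals, weights and threshold are assumptions chosen for illustration; a
real deployment tunes them against the organisation's own mail and reviews
the false positives (a Reply-To that differs from From is common in
legitimate bulk mail, for instance).
"""
import re
from dataclasses import dataclass, field
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

URGENCY = re.compile(r"\b(urgent|immediately|suspended|action required|within 24 hours)\b", re.I)
WEIGHTS = {"reply_to_mismatch": 2, "urgency": 1, "link_text_mismatch": 3, "lookalike_domain": 3}
THRESHOLD = 4  # assumption: at or above this the message is held for review


@dataclass
class Triage:
    score: int = 0
    reasons: list = field(default_factory=list)

    def add(self, signal: str, detail: str) -> None:
        self.score += WEIGHTS[signal]
        self.reasons.append(f"{signal}: {detail}")

    @property
    def quarantine(self) -> bool:
        return self.score >= THRESHOLD


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(s: str) -> str:
    """Hostname of a URL or bare domain, lower-cased; '' if there is none."""
    s = s.strip()
    return (urlparse(s if "://" in s else "http://" + s).hostname or "").lower()


def org_domain(host: str) -> str:
    """Last two labels; a production filter should use the Public Suffix List."""
    return ".".join(host.split(".")[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(raw: str, trusted_domains: tuple) -> Triage:
    """Score one RFC 822 message; trusted_domains are the org's own domains."""
    msg = message_from_string(raw)
    result = Triage()
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply_dom = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply_dom and reply_dom != from_dom:
        result.add("reply_to_mismatch", f"replies go to {reply_dom}, not {from_dom}")
    if URGENCY.search(msg.get("Subject", "")):
        result.add("urgency", "pressure wording in subject")
    collector = LinkCollector()
    collector.feed(msg.get_payload())  # samples are single-part text/html
    for href, text in collector.links:
        target = host_of(href)
        # Only treat the anchor text as a host if it looks like a URL/domain.
        shown = host_of(text) if re.fullmatch(r"\S*\w\.\w\S*", text) else ""
        if shown and shown != target:
            result.add("link_text_mismatch", f"text shows {shown}, link goes to {target}")
        od = org_domain(target)
        for trusted in trusted_domains:
            if od != trusted and edit_distance(od, trusted) <= 2:
                result.add("lookalike_domain", f"{od} resembles trusted {trusted}")
    return result


TRUSTED = ("corp.example",)  # constructed: the organisation's own domain

# Constructed sample: every signal fires.
PHISH = """\
From: "Corp IT" <it-help@corp.example>
Reply-To: helpdesk@corp-support-desk.example
Subject: Action required: your mailbox will be suspended
Content-Type: text/html

<p>Sign in at <a href="https://login.c0rp.example/reset">https://login.corp.example/reset</a>.</p>
"""

# Constructed sample: ordinary internal notice, no signals.
BENIGN = """\
From: "Corp IT" <it-help@corp.example>
Subject: Monthly maintenance window
Content-Type: text/html

<p>Details are on the <a href="https://intranet.corp.example/maintenance">intranet page</a>.</p>
"""

if __name__ == "__main__":
    for name, raw in [("phish", PHISH), ("benign", BENIGN)]:
        t = triage(raw, TRUSTED)
        print(f"{name}: score={t.score} quarantine={t.quarantine}")
        for r in t.reasons:
            print("  -", r)
```

None of these checks consult a blocklist, which is why they still fire on a campaign that started an hour ago; the trade-off is that each one is a judgment call with false positives, so the weights and threshold belong in a review loop rather than being set once. Because the sample's lookalike host differs from the trusted domain by a single character, the edit-distance rule catches it without that host ever having been reported anywhere.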
One of the solutions to zero-day attacks is the principle of zero-trust or trustlessness. It is a system that compels security validation continuously or as often as possible. It removes any presumption of safety or security and subjects each and every email or message to verification and security evaluation.
Again, not everyone employs this solution. Many even prefer to ditch zero-trust to ensure expeditious processes.
Humans are already regarded as the weakest component in cybersecurity. Many easily succumb to deceptive schemes. Even those who have undergone cybersecurity training have moments of carelessness or negligence. The use of legitimate web hosts and services, as well as the shift to zero-day attacks, complicates the phishing problem further. Nevertheless, there are comprehensive cybersecurity platforms that provide a holistic approach to addressing phishing and other cybersecurity threats.
Originally posted 2022-11-03 03:33:57.