How can you defend your network from phishing, which is one of the top two methods threat actors use to access your network?
Actually, it’s part of the number one method attackers prefer, which is credential theft.
But more on that in a moment...
First, in the most recent Prodcast, Vectra AI Product Market Manager, John Mancini talks about how phishing is rising – it actually never went away – and why it’s now a huge threat to users and SOC teams everywhere. In his brief overview, John provides a highly informative and relevant update on the state of phishing, including:
· A brief history of phishing
· What we’re seeing in the wild today
· New tactics attackers are using to fool even the smartest end-user
· How to best defend against them
In the Beginning, There Was Phishing...
Phishing has been around since the beginning of the digital age, with the first phishing attack launched against AOL in 1996. That may surprise you, but it shouldn’t. The phishing attack used the aptly-named phishing kit, “AOHell,” which enabled attackers to gain access to user accounts and do whatever they wanted–including having an AI agent, enabling them to automatically reply to AOL messages in whatever manner they wanted to.
The ultimate goal was to steal users’ accounts in what could be called the “script kitty era” of hacking. Not a lot of financial impact was suffered, mostly just inconvenience. The phishing attack was eventually stopped by AOL when they stopped users from creating unlimited accounts in AOL using random credit card numbers, which was where the attacks were originating.
In that same year, a company called e-gold came online, which was a sort of digital currency before cryptocurrency came along. e-gold allowed users to transfer “digital” gold that had real dollar value in the real world. But it was a one-way transaction. Once the dollar value of e-gold had been transferred, there was no way to return the value. In other words, once the attacker accessed an e-gold user’s wallet, the attacker could send the e-gold value to another wallet and the e-gold account holder had no means of recovering their stolen money.
By 2001, thousands of dollars were being lost per day on e-gold. It was stopped when e-gold added a one-time PIN challenge for new IPs, which was really just a primitive type of MFA.
Where Is Phishing Today?
All of this should sound very familiar because the basics of phishing haven’t changed much from then to now. Yes, credential abuse is the #1 tactic used by attackers today to access your network. But as mentioned above, phishing attacks play a role in helping attackers gain access to your credentials, so the two are closely related.
What’s more, phishing’s two objectives are to either drop a payload onto an endpoint or capture credentials to run end-to-end attacks purely based on identity. So basically, we’re still in the same situation today with phishing attacks as we were back in 1996. In short, phishing kits, though more sophisticated than in the past, are still how many phishing attacks are run today.
Open Source Makes Phishing Attacks Easier Than Ever
For example, open source kits such as Gophish and Zphisher make executing a phishing attack as simple as a few clicks on a keyboard. In fact, defenders often use either or both to mimic attacks and thereby test their users. They’re super easy to use, with custom templates and landing pages, as well as entire catalogs of landing pages and templates that let attackers easily mimic top websites for credential theft, mimic convincing emails that have been sent out, track campaigns, determine which emails have been sent and which have been opened, password capture and other powerful attack functionalities.
Over the past couple of years, from an attacker’s perspective, phishing has proven to be more productive than ransomware in terms of the impact and opportunity it affords them. Email-based attacks simply provide a much wider menu for leveraging a breach over time instead of a one-time ransomware event.
The New (Old) Reality: Phishing-as-a-Service Kits
The realization that email-based attacks open up many more exploitation opportunities has led to the widespread development and sale of Phishing-as-a-Service tools. Created by and for attackers, Phishing-as-a-Service kits deliver the specialized tools that attackers want so they can run sophisticated attacks, such as the ability to do reverse proxy, detection evasions, remote execution capabilities, and more, but without requiring attackers actually to have any advanced technological knowledge.
What’s more, there are a variety of Phishing-as-a-Service kits out there and can be bought for as little as $100. Upgraded kits can be had for around $300 or more, again, by anyone without any need for a technological background. As you might imagine, today’s kits are magnitudes more powerful and sophisticated than the phishing attack kits from 1996. They can be stopped dead in their tracks, but you gotta know how to spot them early.
To learn more about how these Phishing-as-a-Service kits work, what problems they’re presenting to your security colleagues, and how Vectra AI can neutralize them before they damage or steal your data, watch the brief video, below.