What Thieves Know About Anti-Phishing Solutions & What This Means To You

What Thieves Know About Anti-Phishing Solutions & What This Means To You

Anti Phishing Techniques

Without taking proper precautions, your computer is a veritable smörgåsbord for hackers. Hackers have developed an array of techniques to infiltrate your system, extract your data, install self-serving software, and otherwise wreak havoc on your system. Every network in the world is vulnerable to hacking attempts; it’s simply a matter of which systems the hackers deem worth the effort. Preventing hackers from successfully compromising your data requires an understanding of the various solutions. However, very few of those solutions are truly effective.

The Differences Between Phishing and Spear Phishing

Phishing casts a wide net to hundreds, thousands or even millions of email addresses. Phishing can be used to steal passwords, perform wide-scale malware deployment (think WannaCry), or even as a component of disinformation campaigns (think Russia). More often than not phishing is carried out by financially motivated criminals. In most cases, the phishing breaches are not detected until it is too late and it is nearly impossible to prevent damages.
Spear phishing, like the name implies, is a more targeted version of phishing. Spear phishing campaigns are generally conducted against companies, specific individuals, or small groups of individuals. The primary goal of spear phishing campaigns is to make entry into a target network. The DNC hack for example, was accomplished by using spear phishing as an initial method of breach. Once the breach was affected the hackers began performing Distributed Metastasis (aka pivoting) and secured access to sensitive data.
In nearly all cases, businesses and governments are ill prepared to defend against phishing attacks. This is in part because the solutions that exist today are largely ineffective. Most commercial phishing platforms provide the same basic level of benefit as automated vulnerability scanners. If you really want to defend against phishing then you need to use a solution designed specifically for you and your network.

Real (not commercial) Tactics For Phishing and Spear Phishing

An email will go out, supposedly from a trusted source. In reality, it will be a chameleon domain set up specifically by the hackers to leverage your trust. A chameleon domain is a domain which appears to be the same as your company’s domain or a high profile domain but isn’t. (The domains are often accompanied by a clone website with a valid SSL certificate.) For example, instead of linkedin.com, the chameleon domain might be 1inkedin.com. These two domains might look identical at a glance, but in the second the L of LinkedIn is exchanged for the number one. Historically, hackers used Internationalized Domain Name (IDN) homograph attacks to create chameleon domains, but that methodology is no longer reliable.
An email might also arrive from a different Top Level Domain (TLD). Let’s say, linkedin.co, linkedin.org, or even linkedin.abc. There are many opportunities for deception when it comes to creating a chameleon domain. All of these oppotrunities exist because the human brain will read a word the same way so long as the first and last letter of the word are in the correct place. For example, you will likely fall victim to phishing if you just the word “opportunities” and didn’t notice that we swapped the places of the letters “T” and “R”. Experienced hackers are masters at exploiting this human tendency.  (https://www.mrc-cbu.cam.ac.uk/people/matt.davis/cmabridge/)
When (spear) phishing is combined with malware it becomes a powerful weapon. A common misconception is that antivirus and antimalware software will protect you from infection. If that were in fact true, then things like the recent WannaCry (MS17-010) threat would never have been a problem.  The reality is that antivirus technologies aren’t all that effective at preventing infections. In fact, Intrusion Prevention Systems (IPS) also aren’t all that effective at preventing intrusions. If they were then we would not be seeing an ever-increasing number of breached businesses (nearly all which use some form of IPS or third party MSSP).
The bad guys may target 3 or 30 people with a spear phishing attack. To be successful with a well-crafted attack they only need a single victim.  That victim usually becomes their entry point into a network and from there it is only a matter of time until the network is fully compromised.  With a normal phishing attack, campaigns with larger numbers of victims are desirable. More victims equates to more captured data.

Businesses Making Money from Anti-Phishing

For some companies, there’s not a week that goes by without a phishing attempt landing in their email server. They are the consternation of companies everywhere.
Security companies, concerned about the devastation that phishing and spear phishing efforts can rain, have taken up the mantle of offering education about phishing to their clients. They have special programs for mid- and large- level corporations to combat phishing efforts.
Once a company signs up for education it’s common to test the company soon afterward to see what needs to be covered. For instance, a phishing attempt is made against half or all of a company. It will be a typical, run-of-the-mill ‘attack,’ where the users are given a convenient link and encouraged to go there to ‘make it right’ again.
After clicking on the link, the user is taken to a site which informs them that they were phished, how they were phished, and safety measures to prevent future successful phishing. Information about the success rate of the phishing attempt is also gathered, so the security company has a baseline. From that information, educational materials are given to the company for further training.
A set amount of time later, usually a few months, the security company runs the same type of phishing attempt on the employees of the target company. The success rates are then compared (the second try usually has fewer people who were fooled) and the target company receives certification that they are safer from phishing attempts now that they have been educated.

How Effective Are Anti-Phishing Companies?

Employing an anti-phishing security firm can provide a false sense of security for companies that would be vulnerable to phishing attempts. Going through the education prevents the likelihood of a blatant and basic phishing attempt from being successful, but it usually does not do much to prevent a real-world, targeted attack, especially a spear phishing one.
Anti-phishing companies generally use automated systems to test a company’s phishability. They use the most rudimentary phishing techniques, but many advertise that their solutions will be more effective than they actually are against real-world phishing attempts. In other words, these anti-phishing companies generally provide a political solution rather than a real solution to the problem of phishing and spear phishing. This very similar to how vulnerability scanning companies market themselves.
The people who want to break into a company’s system are patient. They custom-create a strategy to get into your systems, not send a blanket email to everyone in the company. It’s too blatant. Their attempts to socially engineer a favorable outcome are most likely going undetected.
The biggest question that an anti-phishing company has to ask itself is whether they are providing the level of security that they are promoting. By certifying employees as being phish-proof, does that mean that those employees are truly savvy enough to detect ANY phishing attempt? Is the security company simply marketing, or is it truly interested in protecting their clients against phishing?
Before going with a company that advertises anti-phishing education, keep in mind that spear phishing is highly customized and most likely won’t come to you as an email from Paypal, LinkedIn, or another popular site. It will most likely come to you from someone you know, possibly within your own company. Ask them what measures they plan to take to help you truly fight against the spear phishing attacks at your company.
 

Blog Posts

Karen Huggins

Chief Financial, HR and Admin Officer
Karen joined the Netragard team in 2017 and oversees Netragard’s financial, human resources as well as administration functions. She also provides project management support to the operations and overall strategy of Netragard.
 
Prior to joining Netragard, she worked at RBC Investor Services Bank in Luxembourg in the role of Financial Advisor to the Global CIO of Investor Services, as well as several years managing the Financial Risk team to develop and implement new processes in line with regulatory requirements around their supplier services/cost and to minimize the residual risk to the organization.
 
With over 20 years of experience in finance with global organizations, she brings new perspective that will help the organization become more efficient as a team. She received her Bachelor of Finance from The Florida State University in the US and her Master of Business Administration at ESSEC Business School in Paris, France.

Philippe Caturegli

Chief Hacking Officer
Philippe has over 20 years of experience in information security. Prior to joining Netragard, Philippe was a Senior Manager within the Information & Technology Risk practice at Deloitte Luxembourg where he led a team in charge of Security & Privacy engagements.

Philippe has over 10 years of experience in the banking and financial sector that includes security assessment of large and complex infrastructures and penetration testing of data & voice networks, operating systems, middleware and web applications in Europe, US and Middle East.

Previously, Philippe held roles within the information system security department of a global pharmaceutical company in London. While working with a heterogeneous network of over 100,000 users across the world and strict regulatory requirements, Philippe gained hands-on experience with various security technologies (VPN, Network and Application Firewalls, IDS, IPS, Host Intrusion Prevention, etc.)

Philippe actively participates in the Information Security community. He has discovered and published several security vulnerabilities in leading products such as Cisco, Symantec and Hewlett-Packard.

He is a Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH), PCI Qualified Security Assessors (PCI-QSA), OSSTMM Professional Security Analyst (OPSA), OSSTMM Professional Security Tester (OPST), Certified in Risk and Information Systems Control (CRISC)and Associate Member of the Business Continuity Institute (AMBCI).

Adriel Desautels

Chief Technology Officer
Adriel T. Desautels, has over 20 years of professional experience in information security. In 1998, Adriel founded Secure Network Operations, Inc. which was home to the SNOsoft Research Team. SNOsoft gained worldwide recognition for its vulnerability research work which played a pivotal role in helping to establish today’s best practices for responsible disclosure. While running SNOsoft, Adriel created the zeroday Exploit Acquisition Program (“EAP”), which was transferred to, and continued to operate under Netragard.
 
In 2006, Adriel founded Netragard on the premise of delivering high-quality Realistic Threat Penetration Testing services, known today as Red Teaming. Adriel continues to act as a primary architect behind Netragard’s services, created and manages Netragard’s 0-day Exploit Acquisition Program and continues to be an advocate for ethical 0-day research, use and sales.
 
Adriel is frequently interviewed as a subject matter expert by media outlets that include, Forbes, The Economist, Bloomberg, Ars Technica, Gizmodo, and The Register. Adriel is often an invited keynote or panelist at events such as Blackhat USA, InfoSec World, VICELAND Cyberwar, BSides, and NAW Billion Dollar CIO Roundtable.