
Please Do Not Feed the Phish

How to Avoid Phishing Attacks

We've all heard the phishing attack stories that start with someone receiving an email that requests an urgent invoice review or password change, and end with a data breach where personal information is compromised and money is lost. Although many of us may roll our eyes at the possibility of falling for such an obvious scam, we must acknowledge that if those tricks didn't work, malicious actors wouldn't keep trying. Sometimes, previously established filters and phishing mailboxes aren't enough. Vulnerabilities can still exist. At times, the content of an email can be troublesome. If a message asking for a money-wire transfer comes through looking urgent and legitimate enough, an unsuspecting employee might just take the requested action out of fear of repercussion. If an attachment looks innocent or a link seems harmless, it's inevitable that someone might succumb. PhishMe reports that over 90 percent of data breaches can be traced back to phishing emails (PhishMe, 2017).

Phishing is often the initial step of a larger attack. Advanced persistent threat (APT) activity often leverages phishing emails as an initial intrusion method. Phishing gives actors the ability to target specific individuals or organizations, unlike other methods such as strategic web compromises. Even as organizations put their defenses up against these attackers, the tactics continue to advance.

Another common tactic is to spoof URLs so that they appear similar to those of a legitimate organization. This makes a link look trustworthy at first glance. For example, a full URL might be https://threatconnect.com.badguys[.]com, but unless the recipient looked closely and noticed that the domain was actually badguys[.]com, they might be fooled. Another domain spoofing technique involves registering domains with missing characters or subtle spelling errors, such as www.threatcomect[.]com, which replaces two "n" characters with one "m" character. At a glance, the domain looks like it might be the legitimate ThreatConnect website, but upon closer examination it is clear that the characters aren't quite right. This is a technique commonly used by many APTs, including Fancy Bear, Deep Panda, and APT10.

Our ThreatConnect Research Team identified that Fancy Bear was most likely the threat actor responsible for the World Anti-Doping Agency (WADA) phishing incident, which used this spoofing technique as well. Fancy Bear used domains such as wada-arna[.]org that were slightly misspelled in comparison to WADA's legitimate wada-ama[.]org. The phishing emails using links to these domains were likely used in an attempt to harvest recipients' credentials. By leveraging ThreatConnect and DomainTools, our team was able to identify an additional domain registered by the same individuals -- tas-cass[.]org -- that spoofs a domain for the Court of Arbitration for Sport, which works closely with WADA. Taking a deeper look into spoofing and being on the lookout for domains spoofing your organization can help your team prevent and mitigate similar incidents in the future.
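The two spoofing patterns described above can be checked mechanically when a link arrives. The following Python is an added example, not ThreatConnect's own tooling; the watch list, the lookalike pairs beyond `rn` and `nn`, the naive two-label domain split, and the sample `threatconect[.]com` are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Watch list: the legitimate domains named in the article.
PROTECTED = ["threatconnect.com", "wada-ama.org"]

# Letter groups that read alike at a glance. The first two are the article's
# cases; the rest are common additions (assumption).
LOOKALIKES = (("rn", "m"), ("nn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))

def registrable(host):
    # Naive: last two labels. Real code should consult the Public Suffix List.
    return ".".join(host.split(".")[-2:])

def skeleton(label):
    # Collapse lookalike groups so visually similar labels compare equal.
    for group, single in LOOKALIKES:
        label = label.replace(group, single)
    return label

def edit_distance(a, b):
    # Levenshtein distance, computed one row at a time.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url):
    """Return (verdict, protected_domain_or_None) for a URL or defanged host."""
    url = url.replace("[.]", ".")          # accept defanged indicators
    if "://" not in url:
        url = "//" + url                   # let urlsplit see a network location
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    reg = registrable(host)
    if reg in PROTECTED:
        return ("legitimate", reg)
    for good in PROTECTED:
        if "." + good + "." in "." + host:  # real name used only as a subdomain
            return ("brand-as-subdomain", good)
        a, b = reg.split(".")[0], good.split(".")[0]
        if skeleton(a) == skeleton(b):      # e.g. "rn" standing in for "m"
            return ("lookalike", good)
        if edit_distance(a, b) <= 1:        # one missing or wrong character
            return ("typo", good)
    return ("unrelated", None)

if __name__ == "__main__":
    # Samples from the article, plus one constructed typo (threatconect).
    for s in ["https://threatconnect.com.badguys[.]com", "www.threatcomect[.]com",
              "wada-arna[.]org", "threatconect[.]com", "https://www.wada-ama.org/en"]:
        print(s, "->", classify(s))
```

The lookalike check catches `threatcomect` and `wada-arna`, which are each two edits away from the real name and would slip past the one-edit typo threshold on their own.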

When it comes to phishing, early detection and speedy incident response are imperative to prevent data breaches. Doing so can help you establish filters that keep the offending email from reaching its intended recipients, as well as phishing mailboxes that ingest the email into ThreatConnect for knowledge management, investigative, and research efforts. By proactively establishing these security measures, security teams can deter or monitor some of the threats that use these techniques.

However, email filters and phishing mailboxes aren't foolproof, and if malicious emails get through those defenses, recipients may have their guard down. Attackers are experts at creating phishing pages. In researching Fancy Bear activity targeting the DNC and the citizen journalism organization Bellingcat, ThreatConnect researchers identified the use of Google-spoofing phishing emails and credential harvesting pages. Incidents where the malicious actor is attempting to harvest target credentials emphasize the importance of multi-factor authentication (MFA). In the worst-case scenario where a credential harvesting campaign successfully compromises an individual's credentials, MFA mitigates the malicious actor's ability to log in to the given account.

It isn't just large organizations that attackers go after. Small and medium-sized companies aren't safe just because of a smaller revenue stream. Since phishing attacks are relatively easy to launch, it's recommended that even the smallest teams be on the lookout for suspicious emails. When it comes to prevention and mitigation, one of the strongest defenses any organization can enable is automation. Establish a system that can evaluate and flag potential threats as they come in, and your security team will have the time to craft an effective response to the most pertinent threats.

Phishing attacks could be considered a "classic" example of cybercrime as we approach an era where we're inundated with online danger. Although there is no one-size-fits-all solution to preventing and mitigating phishing, security teams can save themselves time and stress by leveraging threat intelligence and establishing stronger filters. Teach your team to check URLs by hovering over them before clicking and to always check with management before opening suspicious attachments. Spending that extra minute looking over any email you're just not sure about and training employees to know what to look for when scrutinizing messages could save your company a lot of time, energy, and money.

ABOUT THE AUTHOR

Kellie D'Amico is a Marketing Specialist at ThreatConnect. She loves the fast-paced world of technology marketing. When not at work, she enjoys exploring the culinary scene in DC, and can always be found listening to a podcast. She holds a B.A. in Media Studies - International Communications Option from Penn State.