Why phishers are adapting to new schemes and tactics to prey on human instinct and weakness.

By Joseph Opacki, Vice President of Threat Research, PhishLabs, Inc.

Most people completely overestimate their ability to identify a phishing attack. As users, we’ve been bombarded for years with “phishing” training that has largely been in the form of the “don’t click” ideology. Largely because of this repeated message, users have become desensitized to phishing as a legitimate threat vector and have become unaware of how voluminous the problem is or how sophisticated the attack has become.

Phishing is generally defined as a social engineering attack against the end-user and is the primary attack vector for almost every single cyber-attack. It is the vehicle that threat actors use to start a breach attempt, how most credential theft occurs, and how most malware is delivered.

After analyzing millions of confirmed malicious phishing sites, tens of thousands of phishing kits used to create these attacks, and tens of thousands of malware samples delivered via this platform, there is one thing that is obvious. The business model for phishing is changing.

The clear majority of phishing activity is profit-driven and phishers have found a way to multiply those profits at the expense of companies that they aren’t even attacking directly. For the longest time, the attack methodology was known. The phisher impersonates a login page of a financial institution on a compromised website or hosts the scam page in some bulletproof hosting location, sends the phish to its targets, waits for the scam page to begin stealing credentials, then utilizes those credentials to illegally log into these accounts and transfer funds.

Don’t get me wrong, this paradigm still works and is widely used, however one thing is happening and we didn’t anticipate.

More and more companies are utilizing email addresses as usernames. If you don’t immediately understand why this is important, let me lay out the framework. Most end users don’t place enough emphasis on security over convenience. This means that the majority of us are doing things like reusing passwords at multiple websites. I’m guilty of this so don’t feel like I’m chastising you.

Basically what this means is that as an end-user you should be cognizant of any potential breach where you may have had an account as now the majority of threat actors are beginning to reutilize your email address and password combination to attempt to log into your financial accounts.

This idea of password reuse attacks is also why we as a security community have placed so much emphasis on attacks like the Yahoo breach where over a million user accounts were compromised.

In the last year, we observed significant phishing activity targeting a handful of Cloud Storage and Software as a Service company and this idea of the email address and password authentication is the reason why.

We expect to see more attacks targeting those types of sites than financial sites this year. Threat actors are refocusing.

It has become common practice for online sites to rely on email addresses instead of unique usernames, and people tend to reuse passwords – especially the passwords usually paired with email addresses.

All the phisher needs to do is compromise an email address and password pair one time in order to access a wide range of accounts like email, shopping, communications, social networking, and entertainment; literally “insert account type here.”

When these threat actors decide whom to target, it’s a question of which online sites have the largest user bases and therefore the biggest collections of these email address and password pairs; this is the primary reason why these sites are getting phished at unprecedented rates. The cybercriminals target them to mass harvest credentials that they ultimately use for other sites.

It’s why phishers are multiplying their profits at the expense of companies they are not even attacking directly. They focus on mass harvesting credentials by phishing a handful of sites with a ton of users but not actually looking to compromise the accounts at that site.
To compound this idea of threat actors shifting focus, most people don’t fully realize how complex the phishing threat vector has become. Phishers are using automated tools to test the stolen credentials across hundreds of sites, testing the validity of the credential. They can sell the good ones for profit or use them themselves.

Think about some of the credential dumps last year, it’s likely this trend played a role, especially where there was no evidence of a direct breach.

So now I know what you’re thinking. Phishing is a problem, so now what? Well, protecting against phishing needs to be a top priority to your business, for your employees, and even for you as an individual.

Billions are invested in technologies to try to stop cyberattacks, but phishing is still the trump card for cybercriminals because phishing is directly attacking you, the end-user, the person sitting behind the keyboard. People need to be aware of these attacks and how to spot them, and that’s not as easy as it sounds.

Most people have gone through some basic security awareness training at some point in their life, and in any case, most people tend to overestimate their own ability to spot phishing attacks. There is a basic psychological want to believe information that is presented.

There are a lot of really obvious phishing attacks out there and I think that’s what most people think of when they hear phishing. But then they fall victim to one of the more sophisticated phish, those with more polish and compelling pretexts and oftentimes don’t even know it.

If your organization possesses high-value data and users who can get to that data, the approach needs to be more along the lines of conditioning where they are being exposed to simulations of modern phish on a regular basis and get to learn from that experience and stay sharp without putting the organization at risk; kind of like developing muscle memory.
I also don’t think we realized the potential risk when we collectively decided to use email addresses as usernames. In hindsight, it’s obvious this decision has made it easier for cybercriminals. Sure it’s more user-friendly, but the costs were unanticipated. We’ve basically created ideal conditions for the mass theft of account credentials, which has profound security and privacy implications for individuals, businesses, and governments.
We are now in a sad reality where if you’re an online retailer you have to assume that the credentials for a large portion of your customer base can’t be trusted because they have been compromised through phishing attacks that didn’t even target you.

I don’t think that’s what we most organizations and individuals signed up for when they agreed to use their email address as their username. We should seriously consider whether this is something we should continue to allow. Transitioning users to unique usernames instead of email addresses would be painful in the short term, but doing so would have a huge impact on the success cybercriminals currently enjoy.

About The Author
Mr. Joseph Opacki is the Vice President of Threat Research at PhishLabs in Charleston, South Carolina where he is responsible for threat research, analysis, and intelligence. Previous to joining PhishLabs, Mr. Opacki was the Senior Director of Global Research at iSIGHT Partners and was also an Adjunct Professor at George Mason University where he taught malware reverse engineering in the Master of Computer Forensics program.
Mr. Opacki has also participated in several industry advisory councils to include the Cybersecurity Curriculum Advisory Council at the University of Maryland University College. Previous to his career in the private sector, Mr. Opacki was the malware reverse engineering Subject Matter Expert (SME) and a digital forensics specialist for the Federal Bureau of Investigation.

Joseph can be reached online at jopacki@phishlabs.com and @josephopacki and at our company website http://www.phishlabs.com/