A lot of progressive organizations have been running phishing simulation programmes for their employees for many years now. These programmes are executed either with consultation of a cyber security company as a service or through a phishing simulation platform or as a hybrid model. The key objective of these programmes has been to train the end employees to detect and report most commonly known phishing incidents.
However, these programmes have been highly ineffective to identify topical phishing attacks resulting in a material impact on the organization. The reason being, some of the most high profile and successful phishing attacks were wrapped in the context of a usual business process of a critical user. These phishing attacks can be highly covert, if they are further wrapped in the context of a current topical matter, for instance COVID-19.
Definition of a critical user need not always be a system administrator or payment processing employee; it could be a PR / marketing department employee dealing with massive listing of customer leads generated or it could be a customer helpline executive possessing a list of high profile irate and vulnerable customers.
In this article, I am trying to bring about a change in mindset of how phishing simulation programmes should be conceptualized and executed.
To start with, let us understand the present threat landscape …
Since mid-March, cyber-criminals launched a variety of COVID-19 themed phishing and malware attacks against essential workers, healthcare facilities, and also the recently unemployed. One of the vital reasons behind the success of these attacks has been phishing sites running on HTTPS. A report suggesting the number of phishing sites protected by the HTTPS encryption protocol was published recently.
Image Source: ,APWG Report
In Q1 2020, a new high of 74% of sites used for phishing was recorded protected with SSL. Majority of phishing web sites continue to use SSL / TLS. Users have to learn that SSL doesn’t mean a site is legitimate. Virtually every website — good or bad — now use SSL.
Taking advantage of the ongoing pandemic situation, scammers are using COVID-19 as a bait for cyber-crimes. E-mails — purportedly from renowned health organisations like the WHO, UN and ICMR — along with websites, messages and apps are being used to steal crucial information.
Cyber-criminals topical “COVID-19” usage in Business Email Compromise attacks
COVID-19 themed phishing attacks started spiking in the second week of March. Same time when COVID-19 started to spike as a topic of general public interest according to Google Trends. Security researchers identified what may have been the first documented use of the pandemic as a lure in a “Business Email Compromise” or BEC attack.
In a BEC attack, a scammer targets employees who have access to company finances, usually by sending them email from a fake or compromised email account (a “spear phishing” attack). The scammer impersonates a company employee or other trusted party, and tries to trick the employee into sending money.
Soon after the spike of COVID-19 themed phishing attacks, a criminal group named “Ancient Tortoise” reached out to a company and posed as one of the company’s real suppliers. The criminal requested that the company pay past-due invoices, and used the coronavirus as a pretext to provide new payment details to the victim. The criminal explained that the outbreak had forced the supplier to change the bank it was using to receive payments. The new account turned out to be in Hong Kong, from which the criminal could retrieve funds via money mules.
Image Source: The attacker used a look-alike domain
to spoof the target company
Later on, security researchers reported that ransomware attacks on healthcare facilities were up 35%, versus similar attacks from 2016 through 2019. Healthcare providers must prevent disruptions to patient care, and cyber-criminals saw them as targets that would likely pay ransom. Researchers found that 70% of the healthcare attacks were directed at healthcare facilities operating with fewer than 500 employees. Attackers targeted smaller direct-patient care facilities because they might have smaller security budgets. It is predicted that threat actors would begin using ransomware against companies and organization in healthcare and related fields. By mid-March, cyber-criminals were spreading malware by adding text from COVID-19 news stories in attempts to bypass security software that uses artificial intelligence and machine learning to detect malware.
Current method adopted by organizations for phishing simulation programmes
Phishing attacks from an organizational impact context could be classified broadly in two categories
- High Frequency – Low Impact
- Low Frequency – High Impact
Impact can range of locking of files due to ransomware, compromise of internal / customer data, insertion of self-spreading malwares in the system, etc.
High Frequency – Low Impact: This type of attack targets a large set of users generally in the form of free vouchers / gift cards with an intention to get the personal / professional details enrolled by the victim.
Low Frequency – High Impact: This type of attack is on a huge scale where the end intention of the attackers is to carry out major frauds / scams such as the direct bank transfer SWIFT fraud of Bank of Bangladesh, the Unacademy data breach of 22 million users found to be sold on dark web, the Italian email provider data breach exposing data of 600,000 users.
Range of attack methods used by cyber-criminals:
- Email based phishing
- SMS based (SMiShing)
- Voice based (Vishing)
- USB drops
Most of the phishing simulation programmes are towards detecting the “High Frequency – Low Impact”. These programmes are not contextual based trainings on the risk profiling of the organization considering topical threats, its business departments / processes, country of primary business, industry vertical (bank, insurance, healthcare, manufacturing etc.), key business processes, partnerships, etc.
While “High Frequency – Low Impact” approach should be continued for detecting run of the mill phishing attacks, special emphasis should be put on subjecting your critical employees on phishing simulation which may be highly obfuscated under standard business process related email interaction.
Let me illustrate few common business processes / departments which would exist in most organizations & how tailor-made & contextual phishing simulation programme could be created:
Get to know us
ProgIST offers a full range of cyber security consulting services and products for email security of employees, customers and third parties. Our consulting services include cyber security maturity assessments, incident response framework setup (SOC) and review, web application and mobile app security assessments (VAPT), security awareness, cloud / vendor risk assessment, forensic investigations etc. ProgIST is formed by practitioners who have an Information Technology and Information Security hands-on cumulative work experience of more than 100+ man-years.
ProgIST’s flagship and country leading DMARC analytics platform ProDMARC has provided us an opportunity to work alongside and understand, in-depth – the mailing ecosystem and related business processes of leading organizations across sectors viz. Banks, Insurance, NBFCs, AMCs, Healthcare and Pharma, Stock markets, IT & ITeS, Manufacturing, Power & Telecom, Media & Entertainment etc.
ProDMARC provides us the threat intelligence of the most of pervasive phishing attacks which are impacting organizations, their employees, suppliers, distributors and other third parties.
Based on our strong understanding of the business context and mailing ecosystem, we at ProgIST, have developed a unique cloud-platform “ProPhish”. We offer ProPhish based Employee Awareness Programme (P.E.A.P) which addresses the key lacunas mentioned in this article. Some of the key features included in the programme are: