Categories
Uncategorized

CEO Article – How to improve organization’s phishing simulation programme

A lot of progressive organizations have been running phishing simulation programmes for their employees for many years now. These programmes are executed either with consultation of a cyber security company as a service or through a phishing simulation platform or as a hybrid model. The key objective of these programmes has been to train the end employees to detect and report most commonly known phishing incidents.

However, these programmes have been highly ineffective to identify topical phishing attacks resulting in a material impact on the organization. The reason being, some of the most high profile and successful phishing attacks were wrapped in the context of a usual business process of a critical user. These phishing attacks can be highly covert, if they are further wrapped in the context of a current topical matter, for instance COVID-19.

Definition of a critical user need not always be a system administrator or payment processing employee; it could be a PR / marketing department employee dealing with massive listing of customer leads generated or it could be a customer helpline executive possessing a list of high profile irate and vulnerable customers.

In this article, I am trying to bring about a change in mindset of how phishing simulation programmes should be conceptualized and executed.

To start with, let us understand the present threat landscape …

Since mid-March, cyber-criminals launched a variety of COVID-19 themed phishing and malware attacks against essential workers, healthcare facilities, and also the recently unemployed. One of the vital reasons behind the success of these attacks has been phishing sites running on HTTPS. A report suggesting the number of phishing sites protected by the HTTPS encryption protocol was published recently.

Image Source: ,APWG Report

In Q1 2020, a new high of 74% of sites used for phishing was recorded protected with SSL. Majority of phishing web sites continue to use SSL / TLS. Users have to learn that SSL doesn’t mean a site is legitimate. Virtually every website — good or bad — now use SSL.

Taking advantage of the ongoing pandemic situation, scammers are using COVID-19 as a bait for cyber-crimes. E-mails — purportedly from renowned health organisations like the WHO, UN and ICMR — along with websites, messages and apps are being used to steal crucial information.

Cyber-criminals topical “COVID-19” usage in Business Email Compromise attacks

COVID-19 themed phishing attacks started spiking in the second week of March. Same time when COVID-19 started to spike as a topic of general public interest according to Google Trends. Security researchers identified what may have been the first documented use of the pandemic as a lure in a “Business Email Compromise” or BEC attack.

In a BEC attack, a scammer targets employees who have access to company finances, usually by sending them email from a fake or compromised email account (a “spear phishing” attack). The scammer impersonates a company employee or other trusted party, and tries to trick the employee into sending money.

Soon after the spike of COVID-19 themed phishing attacks, a criminal group named “Ancient Tortoise” reached out to a company and posed as one of the company’s real suppliers. The criminal requested that the company pay past-due invoices, and used the coronavirus as a pretext to provide new payment details to the victim. The criminal explained that the outbreak had forced the supplier to change the bank it was using to receive payments. The new account turned out to be in Hong Kong, from which the criminal could retrieve funds via money mules.

Image Source: The attacker used a look-alike domain

to spoof the target company

Later on, security researchers reported that ransomware attacks on healthcare facilities were up 35%, versus similar attacks from 2016 through 2019. Healthcare providers must prevent disruptions to patient care, and cyber-criminals saw them as targets that would likely pay ransom. Researchers found that 70% of the healthcare attacks were directed at healthcare facilities operating with fewer than 500 employees. Attackers targeted smaller direct-patient care facilities because they might have smaller security budgets. It is predicted that threat actors would begin using ransomware against companies and organization in healthcare and related fields. By mid-March, cyber-criminals were spreading malware by adding text from COVID-19 news stories in attempts to bypass security software that uses artificial intelligence and machine learning to detect malware.

Current method adopted by organizations for phishing simulation programmes

Phishing attacks from an organizational impact context could be classified broadly in two categories

  1. High Frequency – Low Impact
  2. Low Frequency – High Impact

Impact can range of locking of files due to ransomware, compromise of internal / customer data, insertion of self-spreading malwares in the system, etc.

High Frequency – Low Impact: This type of attack targets a large set of users generally in the form of free vouchers / gift cards with an intention to get the personal / professional details enrolled by the victim.

Low Frequency – High Impact: This type of attack is on a huge scale where the end intention of the attackers is to carry out major frauds / scams such as the direct bank transfer SWIFT fraud of Bank of Bangladesh, the Unacademy data breach of 22 million users found to be sold on dark web, the Italian email provider data breach exposing data of 600,000 users.

Range of attack methods used by cyber-criminals:

  • Email based phishing
  • SMS based (SMiShing)
  • Voice based (Vishing)
  • USB drops

Most of the phishing simulation programmes are towards detecting the “High Frequency – Low Impact”. These programmes are not contextual based trainings on the risk profiling of the organization considering topical threats, its business departments / processes, country of primary business, industry vertical (bank, insurance, healthcare, manufacturing etc.), key business processes, partnerships, etc.

While “High Frequency – Low Impact” approach should be continued for detecting run of the mill phishing attacks, special emphasis should be put on subjecting your critical employees on phishing simulation which may be highly obfuscated under standard business process related email interaction.

Let me illustrate few common business processes / departments which would exist in most organizations & how tailor-made & contextual phishing simulation programme could be created:

Get to know us

ProgIST offers a full range of cyber security consulting services and products for email security of employees, customers and third parties. Our consulting services include cyber security maturity assessments, incident response framework setup (SOC) and review, web application and mobile app security assessments (VAPT), security awareness, cloud / vendor risk assessment, forensic investigations etc. ProgIST is formed by practitioners who have an Information Technology and Information Security hands-on cumulative work experience of more than 100+ man-years.

ProgIST’s flagship and country leading DMARC analytics platform ProDMARC has provided us an opportunity to work alongside and understand, in-depth – the mailing ecosystem and related business processes of leading organizations across sectors viz. Banks, Insurance, NBFCs, AMCs, Healthcare and Pharma, Stock markets, IT & ITeS, Manufacturing, Power & Telecom, Media & Entertainment etc.

ProDMARC provides us the threat intelligence of the most of pervasive phishing attacks which are impacting organizations, their employees, suppliers, distributors and other third parties.

Based on our strong understanding of the business context and mailing ecosystem, we at ProgIST, have developed a unique cloud-platform “ProPhish”. We offer ProPhish based Employee Awareness Programme (P.E.A.P) which addresses the key lacunas mentioned in this article. Some of the key features included in the programme are:

We offer free trial for

ProPhish platform based phishing simulation

& corresponding “OTS – On-The-Spot” training.

Reach out to us on info@progist.net

Categories
Uncategorized

Phishing attacks targeting India about to be launched to steal COVID-19 aid; CERT-IN issues advisory

A North Korean sponsored hacking group famously known as Lazarus, has devised a plan to launch large scale phishing attacks through fake mails designed as COVID-19 relief efforts. The target of the attack are countries like US, UK, South Korea, Japan, Singapore, and India, where the respective governments extended incentives to deal with the pandemic.

These phishing emails are designed to route recipients to fake websites where they will be misled into disclosing personal and financial information.

As per security research firm CYFIRMA, there is a common thread across six targeted nations in multiple continents – the governments of these countries have announced significant financial support to individuals and businesses in their effort to stabilize their pandemic-ravaged economies.

Of these countries, Korea government allocated a total of US$200B of emergency relief funds; Indian government announced Rs 20 lakh crore package; Singapore announced almost SGD 100B; Japan announced funds of about 234 trillion yen; America set aside trillions of dollars to sustain its economy, and the UK government also came out with a pandemic recovery strategy.

As per researchers, the attackers plan to take advantage of on these announcements to bait vulnerable individuals and companies into falling for the phishing attacks. Given the potential victims are likely to be in need of financial assistance, this campaign carries a significant impact on political and social stability. The campaign is designed to mimic government agencies, departments, and trade associations who are tasked to oversee the distribution of the financial aid.

Image Source: CYFIRMA

For launching campaign in India, attackers are claimed to have 2 million individual email IDs. The strategy is to send emails with the subject “Free COVID-19 testing” to all residences in Delhi, Mumbai, Hyderabad, Chennai, and Ahmedabad provoking them to share personal information.

In light of the phishing campaign to be launched on India, CERT-IN has laid out a list of best practices to be followed in order to prevent falling for the phishing attack:

  • Don’t open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if the link seems benign. In cases of genuine URLs close out the e-mail and go to the organization’s website directly through browser.
  • Enforce application whitelisting on all endpoint workstations. This will prevent droppers or unauthorized software from gaining execution on endpoints
  • Block/restrict connectivity to the malicious domains/IPs shared by CERT-In from time to time. If any of the machines are found contacting them, take volatile evidence, isolate the machine, start necessary mitigation and containment procedures. Take forensic image of the machine for root-cause analysis. It is recommended to restore the system from a known good back up or proceed to a fresh installation.
  • Keep up-to-date patches and fixes on the operating system and application software such as client side softwares, including Adobe Products (Reader, Flash player), Microsoft Office suite, browsers & JAVA applications.
  • Restrict execution of PowerShell/WSCRIPT in enterprise environment. Ensure installation and use of the latest version (currently v6.2.2) of PowerShell, with enhanced logging enabled, script block logging and transcription enabled. Send the associated logs to a centralized log repository for monitoring and analysis.
  • Disable macros in Microsoft Office products. Some Office products allow for the disabling of macros that originate from outside of an organization and can provide a hybrid approach when the organization depends on the legitimate use of macros. For Windows, specific settings can block macros originating from the Internet from running.
  • Control outbound DNS access. Permit internal enterprise systems to only initiate requests to, and receive responses from, approved enterprise DNS caching name servers. Monitor DNS activity for potential indications of tunneling and data exfiltration, including reviewing DNS traffic for anomalies in query request frequency and domain length, and activity to suspicious DNS servers. The dnscat2 tool alternates between CNAME, TXT, and MX records when it is operating. Investigate abnormal amounts of these records going to the same second level domain, or a group of second level domains.
  • Deploy web and email filters on the network. Configure these devices to scan for known bad domains, sources, and addresses; block these before receiving and downloading messages. Scan all emails, attachments, and downloads both on the host and at the mail gateway with a reputable antivirus solution.
  • Consider deploying Microsoft’s Enhanced mitigation Experienced Toolkit (EMET) which provides end node protection against zero-day vulnerabilities and blocks and prevents memory-based attack approaches.
  • Enhance the Microsoft Office security by disabling ActiveX controls, Macros, Enabling Protect View, File Protection Settings.
  • Apply software Restriction policies appropriately. Disable running executables from unconventional paths.
  • Protect against drive-by-downloads through controls such as Browser JS Guard
  • Leverage Pretty Good Privacy in mail communications. Additionally, advise the users to encrypt / protect the sensitive documents stored in the internet facing machines to avoid potential leakage
  • Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
  • Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its “true file type” (i.e. the extension matches the file header).
  • Block the attachments of file types, “exe|pif|tmp|url|vb|vbe|scr|reg|cer|pst|cmd|com|bat|dll|dat|hlp|hta|js|wsf”
  • If using VPN services to access organizational networks, consider configuring mandatory 2 Factor authentication. It is recommended to consider an additional form of authentication, prior to granting access to internal network resources.
  • Consider limiting users’ access using VPN services to a single IP address at a time. No multiple simultaneous remote access by the same user should be allowed.
  • Consider Geo-limiting users access to known geographical locations. Use Geo Location analysis to identify impossible connections, such as a user calling from 2 points geographically remote in a short period of time.
  • Check if the VPN software writes session data to the remote workstation’s disk. If possible, use a connection method that keeps the data in memory only, preferably encrypted.
  • Maintain up-to-date antivirus signatures and engines.
  • Restrict users’ ability (permissions) to install and run unwanted software applications.
  • Enforce a strong password policy and implement regular password changes.
  • Enable a personal firewall on workstations.
  • Disable unnecessary services on agency workstations and servers.
  • Exercise caution when using removable media (e.g. USB thumb drives, external drives, CDs, etc.).
  • Scan all software downloaded from the Internet prior to executing.
  • Maintain situational awareness of the latest threats; implement appropriate ACLs

HOW CAN WE HELP

DMARC, developed in 2012, is a protocol that uses both SPF and DKIM authentication to secure email, and additionally has a mechanism that sends the domain owner a report whenever an email fails DMARC validation. This means the domain owner is notified whenever an email sent by an unauthorized third party.

ProDMARC as a product is built on a mission to achieve a secure and spoofing free email channels across all of internet space; makes reporting of DMARC, providing volumes and trends of the outbound mails including that of phishing campaigns and yield confirmation for reliability of the outbound mails in terms of SPF, DKIM & DMARC conformance; smooth and uncomplicated. Summarizing, ProDMARC helps improve customer and third party trust in email communications.

Combining ProDMARC with ProPHISH, our offering to train your employees not to fall prey to the cyber-attacks, you can ensure that your first line of defense is well prepared not to get phished. ProPHISH provides threat simulation by recreating real life scenarios. This simulation helps in defining your existing employee awareness levels and basis on that, preparing a plan of action to increase employees’ knowledge levels.

References:

Categories
Uncategorized

Phishing attacks & how to be safe from them

The history of phishing reveals that the first phishing email originated sometime around the year 1995. Though, then the attacks were not so exceptional but still did the trick. Phishing attacks are often initiated through email communication. The phishing mail includes generic greetings as well as target’s name, phone number and other details to make it look genuine.

Technology, banking, and healthcare are the most targeted sectors for phishing attacks. This is because of two main factors: a huge number of users and higher dependency on data

In time, the mediums of phishing have also evolved. Now phishing attacks can be initiated via email, SMS, phone, etc.

32% of the data breaches in 2018 involved phishing activity

Phishing attacks account for more than 80% of reported security incidents

Phishing used in 78% of cyber-espionage cases for the installation of backdoors

Here are five most common types of phishing attacks:

1. Phishing – Email based threat

The first and the original one.! In phishing, scammers personalize the e-mail with the target’s name, designation and phone number making the recipient believe that they are receiving the mail from a known sender. These attacks are well thought of. The attacker does a complete research of the target individual / group through social media profiles and company website. Phishing emails are classified in two types: hyperlink based & attachment based.

Example of hyperlink based phishing:

Example of attachment based phishing:

2. SMiShing – SMS based threat

SMS based threats are phishing attacks targeting individuals and groups via text messages with a hyperlink based approach. Tiny URLs are an effective way to hide phishing links by using link-shortening tools like TinyURL to shorten the URL and make it look authentic. These links are malicious in nature and redirect users who click the link to attackers’ sites replicating the original sites – thus tricking the users to enter information. People tend to open unknown links from unknown senders under the impression of discounts and sales on their mails and text messages.

Examples of SMS based threats:

3. Vishing – Voice based threat

Vishing refers to phishing done over phone calls. Since voice is used for this type of phishing, it is called vishing. Voice + Phishing = Vishing

This is one of the earliest and the most effective method. Wherein an attacker just needs to sound confident enough to reveal the victim’s personal and confidential information. They will talk to you as a friend, relative, help desk executive or any associate of a brand and will ask you to share your confidential information.

Example of Vishing:

4. Removable device based threat

Removable device or USB based threat aims at creation of a scenario by threat actors where the target individuals / groups are lured by placing malicious removable devices at common places or designated desks with an expectation that the victim shall pick up the device and connect it to their machine. The ordinary-at-glance removable device when connected to the victim’s machine, infects it, creating either a backdoor or encrypting all the files and acting as a ransomware.

Example of removable device based threat:

5. Social media based threat

Many a times we see people being excessively active on social media, posting every single update, location tags, laying out information to the world related to their whereabouts. On some social media applications, people accept random friend requests and messages sharing malicious stuff, such as opening unknown links under the impression of cashback or some other tempting offers. They are even ready to share their email and contact details at any public place if approached by a complete stranger who states he is conducting survey on some topic. Many a times, one way to get phished is by clicking a hidden links on the buttons reading “CLICK HERE” or “DOWNLOAD NOW” or “SUBSCRIBE”.

These are examples of hidden links, which makes it easier for scammers to launch phishing attacks.

Other common types of phishing attacks include:

Spear Phishing

Unlike traditional phishing which involves sending emails to hundreds and millions of unknown users, spear phishing is typically targeted in nature, and the emails are designed in a way to target a particular user. In spear phishing, scammers personalize the e-mail with the target’s name, designation and phone number making the recipient believe that they are receiving the mail from a known sender. Out of the different types of phishing attacks, spear phishing is the most commonly used type of phishing attack on individual users as well as organizations.

Whaling

Whaling is not very different from spear phishing, but the targeted group becomes more specific and confined in this type of phishing attack. In a whaling attack, the hackers target CEOs, VPs, COOs who are commonly referred as whales in phishing terms and send out emails consisting personal information relating to the recipient, familiar (but not identical) company logo, and email domain that tricks the receiver to believe that the message has been originated from the legitimate source.

Normally, the whaling email comes with a subject line saying it as a critical business matter and if the person clicks on the mail or the attachment, the recipient will be led to a fake website where they will be tricked to enter login details and alternatively their computers are infected with malware, which allows hackers to gain confidential data.

Here are a few steps a company can take to protect itself against phishing:

  • Educate your employees and conduct training sessions with mock phishing scenarios
  • Use encryption for data transmission
  • Educate employees to not publish sensitive corporate information on social media
  • Keep all systems updated with the latest security patches
  • Encrypt all sensitive company information
  • Install an antivirus solution, schedule signature updates, and monitor the antivirus status on all devices
  • Deploy a web filter to block malicious websites

Conclusion

Considering the fact that hackers are evolving and finding different techniques and method to infiltrate and steal sensitive information, cyber security awareness plays a significant role in securing the confidential data. It is equally as important to make sure that their employees understand the types of attacks they may face, the risks, and how to address them. Well-educated employees and properly secured systems are the key helping to protect your company from phishing attacks. Following a good cyber hygiene never fails to prevent breaches. A simple care can save us from losing the confidential data and inviting its after effects.

Categories
Uncategorized

DMARC: A vaccine against Coronavirus scams

With a battle against COVID-19 worldwide, a different sort of battle is being waged in the electronic conduits of the internet. People around the world have fallen prey to email scams supposedly from trusted organizations during the coronavirus pandemic.

Click here to read our article on one such Coronavirus themed phishing attack.

In the most recent high-profile coronavirus scam, an email supposedly from the World Health Organization (WHO) was sent around the world requesting donations. The sender’s address was ‘donate@who.int’, where ‘who.int’ is the real domain name for WHO. The email was confirmed to be a phishing scam, but at first glance, all signs pointed to the sender being genuine, as the domain belonged to the real WHO.

Although, this is one in a growing series of phishing scams that use emails related to coronavirus to steal money and sensitive information from people. But if the attackers are using a real domain name, how can we distinguish a legitimate email from a fake one? How are the attackers able to employ email domain spoofing on such a large organisation with such efficiency? And how do entities like WHO find out when someone is using their domain to launch a phishing attack?

The answer is DMARC !

Email is the most widely used business communication tool in the world, and still it’s a completely open protocol. On its own, there’s very little to monitor on who sends what emails and from which email address. This becomes a huge problem when attackers disguise themselves as a trusted brand or public figure, asking people to give them their money and personal information. As per statistics, over 90% of all company data breaches in recent years have involved email phishing in one form or the other. And email domain spoofing is one of the most leading causes of it. In an effort to secure email, protocols like Sender Policy Framework (SPF) and Domain Keys Identified Mail (DKIM) were developed.

What are SPF and DKIM ?

SPF cross-checks the sender’s IP address with an approved list of IP addresses, and DKIM uses an encrypted digital signature to protect emails. While these are both individually effective, they have their own set of blemishes.

To learn more about SPF, DKIM and DMARC, click here

THE UNIFIED COMBATANT : DMARC

DMARC, developed in 2012, is a protocol that uses both SPF and DKIM authentication to secure email, and additionally has a mechanism that sends the domain owner a report whenever an email fails DMARC validation. This means the domain owner is notified whenever an email sent by an unauthorized third party.

Also decisively helping out the email receivers how to handle unauthenticated mail: whether to let it reach inbox, quarantine it or reject it outright. In theory, this should stop bad email from flooding people’s inboxes and reduce the number of phishing attacks. So why doesn’t it?

Email authentication requires sender domains to publish their SPF, DKIM and DMARC records to the Domain Name System (DNS). There’s a lack of serious implementation of DMARC across the business landscape, and it’s not gotten much better over the years. Many large scale private, public and not-for-profit organizations are yet to implement DMARC with their domains.

Here are some of the most serious concerns cited by major companies and businesses to implement DMARC authentication:

1. Deployment challenges

The strict enforcement of security protocols often means a high level of coordination in large institutions, which they often don’t have the resources for. Beyond that, many organisations don’t have much control over their DNS, so publishing DMARC records becomes even more challenging.

2. Risk of breaking the existing system

The relative novelty of DMARC makes it more prone to improper implementation, bringing up the real risk of legitimate emails unable to pass through. Businesses that rely on email circulation can’t afford to have that happening, and hence don’t bother adopting DMARC at all.

3. Concerns for returns on investment

DMARC authentication has direct benefits to the recipient of the email rather than the domain owner. The lack of serious motivation to adopt the protocol has kept many companies from incorporating DMARC into their systems.

Recognizing the need to implement DMARC

While the concerns expressed by businesses have merit, it doesn’t make DMARC implementation any less imperative to email security. The longer businesses continue to function without a DMARC-authenticated domain, the more all of us expose ourselves to the very real danger of email phishing attacks.

As the coronavirus email spoofing scams continue to teach us, no one is safe from being targeted or impersonated. Think of DMARC as a vaccine — as the number of people implementing it grows, the chances of catching an infection go down dramatically.

There are real & viable solutions to the problems expressed that might overcome people’s concerns over DMARC adoption. Here are just a few that could boost implementation by a large margin:

1. Reducing friction in the implementation process

The biggest hurdle standing for a company adopting DMARC are the overheads such as identifying the business processes which use third party mailing services for aspects such as marketing, CRM, HRMS, invoice generation etc., coordinating with such third parties for ensuring they become DMARC compliant, monitoring the steady state compliance levels etc. ProDMARC, through its automated platform and managed services ensures that the DMARC compliance is achieved quickly and maintained.

2. Streamlined deployment

By automating the compliance checks for the DMARC anti-spoofing authentication (SPF / DKIM) and ensuring sufficient learning curve in the “only-monitoring” but “no-blocking” phase of DMARC deployment, the project team can assess the impact it has on organization’s mailing ecosystem before going for a full deployment i.e. “block-everything” but “the-whitelisted”. ProDMARC, through its highly scalable automated platform ensures sufficient visibility of all mail senders of the organization from a SPF / DKIM and thereby DMARC compliance.

3. Improving usefulness

For the DMARC project team to justify the ROI for the DMARC project, they need to provide the requisite insights to the management in terms of improved mail deliverability as well as mitigation of spoofed mails impacting their brand. ProDMARC’s highly scalable data analytics setup provides large number of visually appealing dashboards for justifying the ROI.

Click here to read our article to learn more about the DMARC deployment roadmap.

Every new invention brings its new challenges. Every new challenge pushes us to find a new way to overcome it. DMARC has been around for some years now, still phishing has existed for much longer. In recent times, the coronavirus pandemic has only given it a new face.

At ProDMARC, we’re here to help you meet this new challenge with all guns blazing! ProDMARC as a product built on a mission to achieve a secure and spoofing free email channels across all of internet space; makes reporting of DMARC, providing volumes and trends of the outbound mails including that of phishing campaigns and yield confirmation for reliability of the outbound mails in terms of SPF, DKIM & DMARC conformance; smooth and uncomplicated. Summarizing, ProDMARC helps improve customer and third party trust in email communications.

The economy being in slump and resources scarce. Here’s where ProDMARC announces a limited-time offer during the Coronavirus pandemic — 3 months of DMARC health assessment report, completely free for all organizations who wish to gain visibility of the mail based phishing threats which are at an all-time high.

Sign up for your 3-month ProDMARC trial by writing to us on info@progist.net so that while you stay home safe from coronavirus, your domain is safe from email spoofing.

#StayHomeStayPhishFree