Phishing is back in the news, but it never really went away

The recent embarrassing hack of Twitter that led to the compromise of some very famous accounts (Bill Gates, Elon Musk, Barack Obama, et. al.) for use in a bitcoin-stealing scam grabbed global headlines for a few days. The story started winding down with the arrests of three young men in the UK and Florida. The attack showed some sophistication, combining surveillance of Twitter-internal Slack channels, SIM-swapping, the creation of a fake Okta authorization-server landing page, and social engineering of Twitter IT techs via voice calls, but did not rise to the level of state-actor or professional-cybercriminal attacks.

Twitter should feel lucky today that the thieves only set their sights on a small payday (netting less than $120K before they got caught) rather than broadcasting false headlines that might have shaken global financial markets.

It’s a useful reminder that phishing remains among the most popular and successful attack vectors for a variety of cybercrimes, accounting for some 30% of all breaches.

That statistic kicked off today’s panel discussion hosted by the Massachusetts Technology Leadership Council (MassTLC) entitled “A Multi-Layered Approach to Combat Social Engineering”. The one-hour session was moderated by Deb Brigs, CISO of Netscout, and included Katie Ledoux, Senior Manager of Trust and Security Governance at Rapid7, Rob Mitchell, Customer Success Lead and Threat Intel Manager at GreatHorn, and myself in my role as Director of Cyber Protection at Acronis.

In addition to the recent Twitter breach, the panel recalled other phishing war stories drawn from their personal experience, as well as from press reports. Examples ranged from:

• Scarily commonplace: An employee clicks on trustworthy-looking but malicious email and lets in a ransomware attack on their entire company.
• Stupidly embarrassing: Pathé executives pay over $21M to a fraudulent recipient before realizing the source of their email instructions was not actually their CEO.
• Futuristic: Criminals impersonate a CEO’s voice using AI-enabled deepfake audio technology to direct fraudulent wire transfers of $250K.

My fellow panelists and I discussed social-engineering attacks of both of the technical variety (e.g., malware delivered from poisoned email attachments or websites) and non-technical sort (e.g., sweet-talking an employee over the phone into giving away sensitive, high-privilege credentials).

We ascribed their prevalence and success to several factors:

• The boom in credential theft and resale. An estimated 8.8 billion sensitive credentials were exposed by breaches in May 2020 alone, per ITgovernance.co.uk. When used in credential stuffing attacks (exploiting the too-common practice of password reuse across applications and websites), cybercriminals can often make their first successful steps inside an organization, where social-engineering attacks can be employed to further escalate their privileges and access to sensitive systems and data.
• The sheer volume of messages (SMS, chat, email, voice, collaboration app, etc.) that a typical worker must process every day. The law of averages, fatigue, and deadline pressures practically guarantee that somebody, somewhere is going to make a mistake and click on a link or open an attachment that they shouldn’t.
• The difficulty that many organizations, particularly SMBs, face in trying to keep up with the cost and complexity of a complete cyber protection regime, including backup, behavioral anti-malware, vulnerability scanning, patch management, URL filtering, security configuration management, and other planks of a solid defense-in-depth strategy.
• The industrial scale and ingenuity with which modern cybercriminals prosecute their attacks, from cheap, effective ransomware-as-a-service operations to the clever introduction of malware into companies via giveaways of malware-delivering USB sticks and cables.

We concluded our panel discussion with a recap of white-hat cybersecurity professional wisdom in the form of key recommendations to fight social engineering attacks:

• Reduce access to privileged accounts, and add multi-factor authentication to them first if not throughout the organization
• Monitor users, applications, and networks for anomalous behavior, including suspicious failed logon attempts and uncommon network traffic patterns
• Conduct regular security awareness training, including exercises that test users’ ability to spot phishing emails and voice attacks, and don’t forget to include prize targets like your C-suite executives
• Assume that eventually a social-engineering attack will get through, develop a cybersecurity incident response plan, and rehearse its execution it regularly
• Make sure that any employee authorized to transfer major sums of money is regularly briefed on tactics like whale phishing, voice impersonation, etc., and equip them with additional measures for out-of-band verification of payment instructions
• Consider shrinking the social-media footprint of privileged executives like your CFO to limit intelligence-gathering opportunities for black-hat social engineers.

As with any cyberattack, no single solution will ever be enough to fend off the phishers or overcome the susceptibility of humans to the wiles of modern social engineering. Businesses must deploy defense-in-depth solutions that reinforce the weakest link in the attack chain (i.e., people) and buttress them with AI-enabled countermeasures and automation to detect, contain, and recover from phishing-based incursions.

My thanks to my fellow panelists, moderator, and to the MassTLC and host Sara Fraim for including us in this timely and lively cybersecurity discussion.