On 30 October, Cyjax analyst William Thomas presented his talk on the phishing threat landscape at BeerCon2: Rise of the Rookie. The presentation was wide-ranging and included an exploration of threat actors leveraging the cloud to support delivery, bypassing defence mechanisms, and the top-tier threats in this ecosystem.
Will’s talk can be found on the Beer Farmers YouTube channel here.
Almost every major phishing campaign in 2020 leverages the cloud as part of its attempt to harvest credentials or to deploy malware. We have observed legitimate platforms such as Google Docs, Google Forms, Canva, Typeform, and Firefox Send abused for this. The cloud offers threat actors a quick and simple way to stand up infrastructure, since it can be done for free and anonymously.
Two-factor authentication (2FA) is widely regarded as one of the best forms of defence against phishing attacks and account compromise. However, threat actors have been upgrading their TTPs to bypass it. As we have noted in previous blogs, there has been a surge in ‘live’ phishing kits recently. These prompt the target for a one-time passcode (OTP) while the threat actor is already waiting on the live session, ready to use it to break into the connected account.
Free malware-hosting through content delivery networks (CDN) is one of the most effective ways for cybercriminals to support deployment. As we have previously explored, the Discord CDN is currently being abused by threat actors to host payloads distributed in phishing campaigns. Other services’ CDNs – such as Basecamp, Trello, or Slack – are also being abused this way by the BazarLoader malware.
New techniques to evade security systems and escape automated tools are regularly being detected by researchers. We continue to see open redirect vulnerabilities on legitimate domains exploited to point victims to attacker-controlled sites: because the visible link sits on a trusted domain, it is often allowed through secure email gateways (SEGs).
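As an added illustration (not code from the talk or from Cyjax), the following Python flags links of the shape described above: a URL on a trusted domain whose query parameter carries an absolute or scheme-relative URL pointing to a different domain. The domain names in the sample links are constructed, and the check deliberately treats subdomains of the link's own domain as internal.

```python
"""Flag email links whose query string carries a URL that leaves the link's
own domain, the shape an open-redirect abuse takes. Sample links are constructed."""
from typing import List, Optional
from urllib.parse import parse_qs, unquote, urlparse


def _host_of(value: str) -> Optional[str]:
    """Return the host if `value` is an absolute (http/https) or scheme-relative
    URL, otherwise None. Decodes once more to catch double-encoded values."""
    v = unquote(value).strip()
    if v.startswith("//"):            # scheme-relative: //evil.example/x
        v = "http:" + v
    parsed = urlparse(v)
    if parsed.scheme in ("http", "https") and parsed.hostname:
        return parsed.hostname.lower()
    return None


def redirect_targets(link: str) -> List[str]:
    """Hosts reachable through URL-valued query parameters of `link` that are
    neither the link's own host nor a subdomain of it."""
    parsed = urlparse(link)
    own = (parsed.hostname or "").lower()
    found: List[str] = []
    for values in parse_qs(parsed.query, keep_blank_values=True).values():
        for value in values:
            host = _host_of(value)
            if host is None or host == own or host.endswith("." + own):
                continue                  # relative path or same-domain target
            if host not in found:
                found.append(host)
    return found


def is_suspect_redirect(link: str) -> bool:
    """True when the link would bounce the victim to another domain."""
    return bool(redirect_targets(link))


# Constructed sample links: trusted.example stands in for an abused legitimate domain.
SAMPLE_LINKS = [
    "https://trusted.example/redirect?url=https://login-verify.example/o365",
    "https://trusted.example/out?target=https%3A%2F%2Fcapture.example%2F&ref=1",
    "https://trusted.example/go?next=//capture.example/x",
    "https://trusted.example/account?next=/settings",
    "https://trusted.example/go?next=https://sso.trusted.example/login",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print("SUSPECT" if is_suspect_redirect(link) else "ok     ", link)
```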
The tactics discussed above are leveraged by organised cybercrime groups to orchestrate their campaigns. Phishing has always been, and remains, one of the most effective techniques for initial access and establishing a foothold. As such, it is one of the most common threats that defenders face. In his talk, Will also outlines mitigation advice covering both defence and interdiction. Precautions such as 2FA, blocking emerging threats, checking for malicious email forwarding rules, and sending takedown requests are recommended at a minimum. Additional precautions include Red Team phishing simulations and awareness training, delivered annually and when onboarding new staff.
The phishing threat landscape is fluid – new TTPs are regularly tested and found to be successful. The number of SMiShing attacks is growing and may eventually overtake the threat of traditional phishing attacks. Collaboration and instant messaging apps, such as Microsoft Teams and Slack, have also contributed to the decline of phishing as users abandon email for faster methods of communication. In 2019, the FBI received 23,775 Business Email Compromise (BEC) complaints with adjusted losses of over $1.7 billion. This figure may well be exceeded in 2020, particularly given the significant difficulties organisations have faced in transitioning to working from home during the coronavirus pandemic.
There were dozens of talks at BeerCon2, all of which were fascinating and illuminating. Check out the full list here.