Earlier this year, SlashNext debuted “Phish Stories,” a videocast and podcast series during which cybersecurity experts discuss new zero-hour phishing attacks before a live audience of CISOs, CSOs and cybersecurity professionals.
In Episode Two, Zero-Hour Attacks Hacking Humans Today, Patrick is joined by Chris Hadnagy, the Founder and CEO of The Social Engineer and host of the Social Engineer Podcast. The two discussed the latest spear-phishing attacks, including those targeting pharmaceutical companies developing COVID vaccines and therapeutics; trends in multi-vector phishing attacks, including mobile SMiShing and browser-based phishing attacks; and how to protect remote workers from multi-vector attacks.
Social Engineering Changes
Chris began by discussing how social engineering has changed over the past year and what it looks like today.
“Even though it [social engineering] has been around since humans have been communicating, threat actors have been using horrible, catastrophic events of the past five years to start fake charities and scam people out of money. And now, with the COVID-19 pandemic, this attack surface has expanded into a global one. Combine that with the fact that distributed working has become a reality and that families are accessing business, educational, and entertainment resources from their home networks, and it is not surprising that phishing has gone through the roof,” he said.
Patrick provided statistics underscoring why 2020 should be viewed as the year of the phish:
“I believe we have now reached the most dangerous point in cybersecurity history to date. The broad amount of affordable computing power, legitimate infrastructure, open-source information, and sophisticated technology combine to make a recipe for an environment that is not good. Already, there has been a 3,000% increase in phishing attacks across communications channels,” he said.
According to Chris, parents are under a lot of pressure given how the entire family is now ‘working’ from one location. And when people are under stress, they tend to make poor decisions.
“In the past, people left the office at 5:00 pm. But now, with them working from home, they can easily fall into a routine of checking emails until late at night. While attackers used to have a 9:00 to 5:00 window, that has been expanded exponentially with regular working hours a thing of the past,” said Chris.
Patrick added examples of recent multi-vector strategies commonly used in fast-moving, second-generation phishing attacks. He recently ran across phishing attacks embedded in browser extensions when his youngest child used his computer for homework, illustrating how living and working remotely on shared devices makes it easier for attackers to succeed in their phishing and social engineering attempts.
“After all, it is easier to hack a human than a network or well-defended machine. A shift has happened where hackers now have a wealth of tools available to them. From using legitimate infrastructure from Google, Azure, and so on, to being able to access open-source, artificial intelligence models that launch attacks based on behavioral information about the person, attacks are more sophisticated and automated than ever,” said Patrick.
The pattern is to surround the user with attacks across channels, and these attacks are not purely about stealing credentials: increasingly, the goal is to get people to install software with malware embedded in it.
Education Remains Vital
Chris went on to explore how companies need to not only find tools to mitigate these pervasive phishing attacks but also continuously educate people.
“Teaching employees how to recognize phishing is about more than sending templated information. Companies must show them how to use the tools available to them and understand how phishing occurs using real-world examples, not just the stereotypical 411 Nigerian prince scams.”
For Patrick, it is very much a case of nothing ever being 100% foolproof and the need to educate people immediately at the point of attack:
“Any good security defense requires a multilayered approach. Training is vital. How you train is vital. How people understand technology is vital. [And yet], we always see the same click-happy users. Perhaps they’re just not paying attention, or they just don’t want to because it’s a CBT-based training, and they’re like, let’s keep going. And then they’re done. And then the next quarter comes around, and they fall for the same tactics.”