This blog series focuses on key areas highlighted in the recent ZeroFox report: “The Future of Digital Threats: 2020 Insights, 2021 Predictions.” In this report, the ZeroFox threat research team reviews trends that defined 2020 and predictions for 2021 to help security teams prepare for another year of uncertainty in the digital-first world that now dominates modern life. In this series, we are reviewing the acceleration of the top three trends we’ve come to know: starting with targeted ransomware, moving into phishing, and ending with the expanded use of malware as a service. In this post, we will review phishing in more detail.
A primary trend the ZeroFox threat research team noted in 2020 was the dramatic spike in phishing attacks. The latest FBI Internet Crime Complaint Center (IC3) report confirms this with “a record number of complaints from the American public in 2020: 791,790, with reported losses exceeding $4.1 billion.” Compared with 2019’s total complaints, 2020 saw a 69% increase. Phishing scams were a leading threat, with 241,342 complaints and losses of over $54 million in 2020 alone.
These types of attacks provide a wealth of opportunity for threat actors. Phishing is nothing new, but the volume and sophistication of attacks have grown. The simplicity of phishing attacks, combined with tools like phishing kits that make them accessible and easy to deploy, is a likely contributor. However, this spike can largely be attributed to the rapid shift to a remote-first world in 2020, which gave malicious actors significant opportunities to take advantage of the instability everyone was forced to navigate.
Phishing actors modified tools they already had, but the real differentiator was the expanded landscape they now had available to them. In this post, we’ll review the evolution of phishing as well as steps security teams can take to effectively address these attacks in 2021.
Defining Phishing and How It Has Evolved
Phishing is a form of social engineering centered around convincing the victim to share sensitive information by posing as a trusted source. The sensitive information they are after runs the gamut; this includes bank account details, social security numbers, financial information, and login credentials. Merely sending an email crafted to look like the legitimate, trusted source is all it takes to kick off an effective phishing attack. The rest comes easy after the user is duped. Malicious links, malware-infested attachments, and phony login forms are just a click away.
Spear phishing is a method of attack that involves targeting specific users with tailored phishing content under the guise of a known contact. The goal is the same, but what makes spear phishing so unique and effective from the threat actor’s perspective is the attack’s specificity. Spear phishing attacks are complex and effective (combining platforms such as email, social media, and domains), and this makes them difficult to identify and thwart.
In 2020, we saw both methods heavily utilized within highly effective cyber attack campaigns. On a large scale, threat actors go after the lowest-hanging fruit:
- They capture the information from social media we share ourselves for their phishing campaigns.
- They use compromised account credentials from previous breaches with the knowledge that many users don’t like to change their passwords, and they tend to reuse the same passwords between multiple accounts.
- They continually use malicious documents (maldocs) and Business Email Compromise (BEC) techniques that have been successful for decades.
- They use living-off-the-land (LOTL) approaches to more closely resemble normal user activity.
- They use the information we give them to see what works and how it works, so they only have to create the absolute minimum amount of original material for success.
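One concrete mitigation for the credential-reuse tactic in the list above is to screen passwords against breach corpora at the moment they are set, using the k-anonymity range-query pattern popularised by Have I Been Pwned’s Pwned Passwords service: the client hashes the password locally and reveals only the first five hex characters of the hash, so the lookup service never sees the password or its full hash. The following is an added example, not code from this post or from ZeroFox; the breach corpus is constructed, and `range_lookup`, `breach_count` and `password_policy_check` are names assumed for this illustration.

```python
"""Breached-password screening with a k-anonymity range query.
Added example (not ZeroFox code): the corpus below is constructed and stands in
for a real breached-hash list such as Pwned Passwords."""
import hashlib


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the digest format breach corpora publish."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed corpus: SHA-1 of known-bad passwords -> times seen in breaches.
CONSTRUCTED_BREACH_CORPUS = {
    sha1_hex("password"): 9_000_000,
    sha1_hex("letmein"): 500_000,
    sha1_hex("Welcome1"): 30_000,
    sha1_hex("Summer2020!!!"): 1_200,
}


def range_lookup(prefix: str, corpus: dict = CONSTRUCTED_BREACH_CORPUS) -> dict:
    """Server side of the range query: the caller sends only the first five hex
    characters of its hash and gets back every suffix in that bucket with its
    count. The server cannot tell which returned entry (if any) the caller holds."""
    prefix = prefix.upper()
    if len(prefix) != 5:
        raise ValueError("range queries take exactly 5 hex characters")
    return {h[5:]: n for h, n in corpus.items() if h.startswith(prefix)}


def breach_count(password: str, lookup=range_lookup) -> int:
    """Client side: hash locally, query by prefix, match the 35-char suffix locally.
    Returns how many times the password appears in the corpus (0 if never)."""
    digest = sha1_hex(password)
    return lookup(digest[:5]).get(digest[5:], 0)


def password_policy_check(password: str, min_len: int = 12) -> tuple:
    """Reject passwords that are too short or already circulating in breach data."""
    if len(password) < min_len:
        return False, f"shorter than {min_len} characters"
    n = breach_count(password)
    if n:
        return False, f"seen {n} times in breach data; attackers will try it first"
    return True, "ok"


if __name__ == "__main__":
    for pw in ["password", "Summer2020!!!", "correct horse battery staple"]:
        print(pw, "->", password_policy_check(pw))
```

The split between `range_lookup` and `breach_count` is the point of the design: the prefix bucket is what crosses the network, the suffix comparison stays on the client, and a password that is already in breach data is rejected before an attacker can replay it against your login portal.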
Ross Rustici, ZeroFox’s Global Head of Security Architecture and Threat Intelligence, explains that “one of the large trends we saw in 2020 was a continuation of what we were observing in 2019. Rather than seeing a new evolutionary leap in threat actors’ capabilities or tactics, techniques, and procedures (TTP), what we saw was threat actors taking advantage of the chaos that the pandemic and global events caused for us. Rather than some fancy new piece of malware, what threat actors really did was double down on going after the human. In general, we like to joke as security professionals that the problem exists between the keyboard and the chair. Threat actors took advantage of that as well. They went after spear phishing, which increased several hundred percent each quarter this year. They went after anything that could be socially engineered to allow them to gain access as there were rapid changes in the IT environment. We didn’t see much in terms of new techniques. We just saw the old hats getting reused.” You are welcome to listen to more insights from Ross in the full video below.
Phishing in a Virtual World
As companies shifted rapidly to a remote-first business model in 2020, there was significant concern about how hackers would adapt to this new attack surface. Many expected that virtual tools (think Zoom, Slack, Google Drive, etc.) and home networks would become the new battleground for corporate IT. This put corporate security teams at a more significant disadvantage because they were not able to effectively monitor outside of typical perimeters. This led to increased blind spots and greater susceptibility to things like man-in-the-middle attacks.
While the adoption of virtual tools and cloud infrastructure technologies was already increasing steadily, the COVID-19 pandemic drove organizations to rely heavily on these types of systems at an exponential rate. Zoom alone saw its user base skyrocket almost immediately in 2020. Eric Yuan, Zoom founder, stated in an April 2020 blog: “Usage of Zoom has ballooned overnight – far surpassing what we expected when we first announced our desire to help in late February. This includes over 90,000 schools across 20 countries that have taken us up on our offer to help children continue their education remotely. To put this growth in context, as of the end of December last year, the maximum number of daily meeting participants, both free and paid, conducted on Zoom was approximately 10 million. In March this year, we reached more than 200 million daily meeting participants, both free and paid.”
In Q3 2020, the worldwide cloud market grew 33% to USD 36.5 billion. This upward trend is expected to continue in 2021, with 49% of companies expecting to increase cloud spending. In tandem, organizations now more heavily rely on VPNs and virtual meeting software to access systems and conduct business.
Increased usage of these technologies has not gone unnoticed by threat actors. However, despite the new technology stack, hackers primarily employ traditional exploitation techniques, making slight modifications rather than building whole new capabilities. Some of these old tricks include network scanning, watering-hole-style attacks, and voice phishing (vishing).
Last year, threat actors performed vishing operations against victim organizations, directing employees to fake VPN login portals over the phone. Neither vishing nor phishing pages are new techniques, but it was the combination of the two that caught some victims off guard. Credential theft remains a significant source of compromise, and thus VPNs continue to attract threat actor attention.
While we will continue to see an increase in headlines about hacks of virtual infrastructure, it is important to focus on the underlying techniques and attempt to understand how the operation took place rather than where. This shift has placed a considerable burden on IT and security teams. At the same time, threat actors appear to be repurposing old techniques to achieve a similar, if not greater, success rate. If corporate networks harden as remote-first work becomes a permanent fixture, hackers may begin to target virtual tools and home networks as a new and more reliable intrusion vector.
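Both the BEC techniques listed earlier and the fake VPN portals described here depend on hostnames that read like the real thing to a busy employee. Below is an added example, not code from this post or from ZeroFox, of the lookalike-domain triage a security team can run over newly observed hostnames (for instance from certificate-transparency logs or passive DNS): it folds punycode, a handful of Cyrillic confusables, digit substitutions and letter pairs to the form a human perceives, then flags homoglyph, TLD-swap, brand-in-subdomain, brand-combination and edit-distance lookalikes of a protected domain. `example.com`, the sample feed and all function names are constructed assumptions; the two-label registrable-domain shortcut is a deliberate simplification noted in the code.

```python
"""Lookalike-domain triage for fake VPN/SSO portals and BEC sender domains.
Added example (not ZeroFox code); protected domain and feed are constructed."""
import unicodedata
from difflib import SequenceMatcher

# Registrable domains the organization owns. Constructed for this example.
PROTECTED_DOMAINS = ["example.com"]

# Cyrillic letters that render like Latin ones (not exhaustive), digits commonly
# swapped for letters, and letter pairs that read as one letter at a glance.
SCRIPT_CONFUSABLES = str.maketrans(
    "\u0430\u0441\u0435\u043e\u0440\u0445\u0456\u0443", "aceopxiy")
DIGIT_CONFUSABLES = str.maketrans("01357", "olest")
PAIR_CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d")]

# Constructed: punycode form of "vpn.еxample.com" whose first "е" is Cyrillic U+0435.
IDN_LOOKALIKE = "vpn." + "\u0435xample".encode("idna").decode("ascii") + ".com"

# Constructed batch of newly observed hostnames; only the first two are benign.
SAMPLE_FEED = [
    "vpn.example.com", "status.github.com",
    "examp1e.com", "exarnple.com", IDN_LOOKALIKE,
    "vpn.example.com.login-portal.net", "example.net", "example-vpn.net", "exampel.com",
]


def normalize(host: str) -> str:
    """Fold a hostname to the Latin form a human would perceive."""
    host = host.strip().rstrip(".").lower()
    if any(label.startswith("xn--") for label in host.split(".")):
        try:
            host = host.encode("ascii").decode("idna")   # punycode -> Unicode
        except UnicodeError:
            pass   # malformed label: compare it as given
    # Strip diacritics (NFKD, then drop combining marks), then fold confusables.
    host = "".join(c for c in unicodedata.normalize("NFKD", host)
                   if not unicodedata.combining(c))
    host = host.translate(SCRIPT_CONFUSABLES).translate(DIGIT_CONFUSABLES)
    for pair, single in PAIR_CONFUSABLES:
        host = host.replace(pair, single)
    return host


def registrable(host: str) -> str:
    """Approximate the registrable domain as the last two labels. Production code
    should use the Public Suffix List; this shortcut breaks on e.g. example.co.uk."""
    return ".".join(host.split(".")[-2:])


def classify(candidate: str, protected=PROTECTED_DOMAINS, threshold: float = 0.8):
    """Return (verdict, protected_domain) for a suspicious hostname, else None."""
    raw = candidate.strip().rstrip(".").lower()
    norm = normalize(candidate)
    norm_reg = registrable(norm)
    labels = norm.split(".")
    reg_label = norm_reg.split(".")[0]
    for domain in protected:
        brand = domain.split(".")[0]
        if norm_reg == domain:
            if registrable(raw) != domain:
                return ("homoglyph", domain)      # examp1e.com, exarnple.com, Cyrillic punycode
            continue                               # genuinely under the protected domain
        if any(brand in label for label in labels[:-2]):
            return ("brand-in-subdomain", domain)  # vpn.example.com.login-portal.net
        if reg_label == brand:
            return ("tld-swap", domain)            # example.net
        if brand in reg_label:
            return ("brand-combo", domain)         # example-vpn.net
        if SequenceMatcher(None, norm_reg, domain).ratio() >= threshold:
            return ("typosquat", domain)           # exampel.com
    return None


def scan(feed):
    """Run classify() over a batch of hostnames; returns (host, verdict, domain) hits."""
    return [(host, *verdict) for host in feed if (verdict := classify(host))]


if __name__ == "__main__":
    for hit in scan(SAMPLE_FEED):
        print(*hit)
```

The output names the rule that fired so an analyst can prioritise: a homoglyph of the VPN hostname in a fresh certificate is a stronger signal than a loose edit-distance match. Treat hits as triage input rather than grounds for automatic takedown, and replace the confusable tables and the two-label registrable-domain shortcut with a fuller confusables map and the Public Suffix List before relying on it.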
Phishing Still Works: Build Your Defenses
While the adoption of new technologies and remote-based tools may change the appearance of an organization’s infrastructure, the techniques that threat actors are using to compromise them have not substantially changed. Threat actors continue to target a number of these increasingly popular technologies, and phishing is a classic “way in” that doesn’t seem to be retiring anytime soon.
Defending against phishing attacks, for your organization or your customers, should mean defending against an ecosystem rather than just a link in an email. A strong defense against phishing first requires understanding the tools and mechanisms attackers use to target organizations. Thinking like an attacker will enable your enterprise to be agile in identifying and tackling evolving threats like phishing campaigns.
Analyzing the campaigns, the developers behind them, and the operator’s TTPs can equip a cybersecurity team with a holistic view of who and what they are combating. Whether it’s the spam infrastructure, the phishing infrastructure, or studying the developers selling phishing kits, these bits of threat intelligence can help hunt for the vast array of actors that operate in this space.
ZeroFox leverages AI-powered technology to quickly identify and remediate phishing, fraud campaigns, and malware-based attacks. Whether through email, social media, or malicious domains, ZeroFox quickly spots phishing links, sites, and posts, working on your behalf to not only stop phishing campaigns but dismantle the infrastructure behind those campaigns. We strongly suggest adopting a comprehensive protection and intelligence platform to equip your security team with the resources required to remain vigilant in detection, disruption, and mitigation efforts. Download ZeroFox’s latest report, “The Future of Digital Threats: 2020 Insights, 2021 Predictions,” to learn more about these phishing tactics in more detail and how they work together with other trending cyber attack methods that our threat research team continues to track.