As the business world continues to grapple with an expanding definition of new normal, the phishing attack remains a common tactic for attackers. Why are phishing attacks still happening? How can we prevent them? We spoke to a threat analyst who has the answers.

In May 2020, X-Force research uncovered a precision-targeting (or spear phishing) attack on a German multinational corporation connected with a German government-private sector task force in the race to procure personal protective equipment (PPE).

Those threat actors targeted more than one hundred high-ranking executives in management and procurement roles. They reached out within their target group as well as to its third-party partners. Overall, X-Force observed about 40 targets. It’s likely that other members of the task force could be targets of interest in this malicious campaign as well. This shows why we need to be more vigilant about the angles attackers could use.

Phishing: Still Common After All These Years

The sophistication required for the PPE attack is notable. However, most spear phishing attacks can be carried out with only a few clicks. For cyber criminals, launching a phishing attack is easier than ever. Therefore, it is critical for the enterprise to gain the awareness needed to avoid becoming a target.

Prefabricated phishing kits on the dark web streamline the workflow for threat actors. For example, look at the recently discovered package called LogoKit. It automatically pulls the victim company’s logo from Google’s photo search to display on the fake phishing login page.

“Unfortunately, the entry barriers are lower than ever with easy-to-use kits being sold on cybercrime forums for as little as a couple of hundred bucks,” says Brett Callow, threat analyst for Emsisoft. “These kits, which are basically web-based apps, enable even low-level scammers to conduct effective template-based phishing campaigns.”

According to Callow, the phishing sites are created automatically and closely resemble the site they’ve been designed to mimic. Once they collect the victim’s credentials, the phony site will sometimes redirect them to the real site. The more real-looking the login page, the higher the chance of tricking the victim.

Yes, sometimes it is that easy for cyber criminals. Even as we publish this in mid-2021, large companies are still falling for phishing attacks. Is it possible to turn the tide?

The Uphill Phishing Attack Battle Only Gets Steeper

First, the bad news. Many bad actors running phishing scams are not of the cliche lone-attacker-in-the-basement type. Cyber criminals might be nation-state actors or part of gangs. In many cases, they organize well and operate like a real company.

One example is Cosmic Lynx, a Russian group that behaves more brazenly than most attacking groups. This new gang appears to be undeterred by the threat of prosecution in western countries. In addition, it often works with larger dollar amounts. The average sum most attackers will steal from a target company is about $80,000 USD, but for Cosmic Lynx, it’s well above that figure — a whopping $1.27 million.

The most common form of targeted phishing that groups like Cosmic Lynx use is Business Email Compromise (BEC). In this attack, the criminal impersonates a C-suite executive’s email account. The attacker tweaks the account name and address to look similar enough to fool users. Most targeted phishing scams begin with a request for a finance employee to direct a seemingly normal payment right into the attacking group’s bank account.

Some attackers took advantage of the pandemic to fuel BEC scams in 2020. One attacker group sent a financial institution an email request for a $1 million transfer to address COVID-19 precautions. Fraudsters changed only one letter of the company CEO’s email address in an attempt to fool the victim.
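The one-letter change described above is exactly the kind of lookalike a mail gateway or SOC triage script can catch before a finance employee ever sees the message. The following is an added example (it is not code from the article or from Emsisoft) of a defender-side sender check: it compares an incoming From header against an allowlist of known executive mailboxes, folds common digit-for-letter substitutions, computes the edit distance, and separately flags a message whose display name matches an executive while its address does not. All addresses and names are constructed placeholders, and a real deployment would load the executive list and the internal allowlist from the directory.

```python
"""Lookalike-sender check for BEC triage (added example; constructed data)."""
from dataclasses import dataclass
from email.utils import parseaddr
from typing import Optional

# Constructed placeholders for executive mailboxes that fraudsters commonly imitate.
EXECUTIVES = {
    "ceo@example.com": "Jane Doe",
    "cfo@example.com": "John Roe",
}
# Other legitimate internal mailboxes that happen to sit one edit away from an
# executive address (constructed). Without this list "cto@" would be a false positive.
INTERNAL_ALLOWLIST = {"cto@example.com"}

# Digit-for-letter substitutions seen in lookalike addresses; 'rn' for 'm' is
# handled separately because it is two characters.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalize(addr: str) -> str:
    """Lowercase the address and fold confusable characters so that a visual
    lookalike normalizes to the same string as the genuine address."""
    return addr.strip().lower().translate(CONFUSABLES).replace("rn", "m")


# Both maps are built through normalize() so genuine and lookalike compare alike.
EXEC_BY_NORMALIZED = {normalize(a): a for a in EXECUTIVES}
EXEC_BY_NAME = {n.lower(): a for a, n in EXECUTIVES.items()}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) using a two-row DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Verdict:
    suspicious: bool
    reason: str
    matched_exec: Optional[str] = None


def check_sender(from_header: str, max_distance: int = 2) -> Verdict:
    """Classify a From header. Order matters: exact internal addresses are
    cleared first, then confusable lookalikes, then near misses, then
    display-name impersonation from an unrelated address."""
    display, addr = parseaddr(from_header)
    addr_lower = addr.strip().lower()
    if addr_lower in EXECUTIVES or addr_lower in INTERNAL_ALLOWLIST:
        return Verdict(False, "known internal address")

    addr_norm = normalize(addr)
    if addr_norm in EXEC_BY_NORMALIZED:
        # Same string after folding 0/o, 1/l, rn/m: a deliberate visual lookalike.
        return Verdict(True, "confusable characters in address", EXEC_BY_NORMALIZED[addr_norm])

    closest = min(EXECUTIVES, key=lambda e: levenshtein(addr_norm, normalize(e)))
    dist = levenshtein(addr_norm, normalize(closest))
    if dist <= max_distance:
        return Verdict(True, f"address within edit distance {dist} of executive", closest)

    impersonated = EXEC_BY_NAME.get(display.strip().lower())
    if impersonated:
        return Verdict(True, "display name matches executive but address does not", impersonated)

    return Verdict(False, "no resemblance to a known executive")


if __name__ == "__main__":
    # Constructed sample headers: genuine, one-letter change, digit swap, freemail impersonation.
    for header in ("Jane Doe <ceo@example.com>", "Jane Doe <ceo@exmple.com>",
                   "Jane Doe <ce0@example.com>", "Jane Doe <jane.doe@freemail.test>"):
        print(f"{header:40} -> {check_sender(header)}")
```

A verdict of `suspicious=True` is a triage signal, not a block decision: route the message to the security team and, as the article recommends, have the recipient confirm any payment request out of band by phone rather than by replying to the email.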

What Helps Protect From Spear Phishing?

As cybersecurity people, it feels like we’re repeating ourselves far too often about the importance of education, culture and awareness. With every passing year, more companies are falling for these same scams.

“Phishing has been around for years, and one of the reasons for that longevity is simply that it works,” Callow says. “The other reason is that phishing is profitable, and underpins much of the cyber criminal economy with stolen information being used for everything from BEC scams to ransomware attacks.”

To best defend against these attacks, the winning strategy combines tech, awareness and vigilance.

“Defending against phishing attacks is not easy, but by adhering to best practices organizations can significantly limit the chance of becoming a victim,” he says.

Spear Phishing Prevention

It’s key that all employees — even more so those in the C-suite — always default to ‘skeptical’ when on the receiving end of a request for sensitive data or a financial transfer. No matter how honest the email may appear, always follow up with a phone call or, better yet, an in-person meeting to confirm. Instead of defaulting to trust, which is only human nature, it’s critical to question everything about these emails. Skepticism should be perceived as a positive employee trait and, more importantly, a mark of fiscal responsibility.

Remember, a simple email to confirm is not going to cut it. If you simply reply to it, and it’s a scam, the cyber criminal will obviously confirm that all systems are go.

Vigilance is key here. If you receive a link to a website and aren’t sure about it, do not click on it directly. Just type in the website by hand so you can be sure you aren’t being scammed.

Staying Aware

“Awareness training is critical,” says Callow. “It’s also extremely important to create a better-safe-than-sorry culture in which your team feel completely comfortable reporting suspicious or confirmed spear phishing emails. If they don’t have that level of comfort, they’re more likely to make the decision themselves. Additionally, senior management should attend awareness training sessions. While executives are sometimes inclined to opt out, the reality is that they’re the most likely targets for personalized and hard-to-spot spear phishing campaigns.”

To augment awareness, technical solutions can be equally crucial. Callow advises businesses to implement spam controls, URL blocking and two-factor or multifactor authentication, as well as adding voice checks into processes.

In the end, it still boils down to promoting a security-minded culture, which takes time, and more importantly, practice.
