‘Old school’ email social engineering or
data-entry phishing is an attack method that has been on the rise in recent
months, notably employed by the Syrian Electronic Army to hack seemingly
every major media outlet in the Western hemisphere.
Data-Entry phishing emails lure employees into
freely giving up their login credentials by taking them to a seemingly
legitimate landing page. Attackers then use the credentials to establish a
foothold in the network.
When spear phishing, data-entry style emails
contain a link that takes the recipient to a webpage that appears to be a
genuine corporate or commercial site soliciting login information.
Despite their pervasiveness and high-success
rate, data-entry attacks seeking login credentials and other sensitive
information have been a secondary concern for enterprises.
Information security teams have been more
concerned with phishing emails that attempt to carry out drive-by attacks
through a malicious link or malware delivery via an attachment.
Since data-entry phishing attacks don’t require
malware, it’s quite possible to fall victim to this technique and never even
realise it. Victims will often enter their information and not recognize
something is wrong. Without the presence of malware, these attacks often go
undetected by technical solutions.
However, this doesn’t mean the consequences are
any less severe.
Once attackers gain legitimate credentials into
the network, their activity is difficult to detect. Using these credentials
they can often exfiltrate significant amounts of information from overly
permissive file shares, search for other devices with weak or default
credentials, and possibly escalate privileges to dump entire username/password
databases that can continue to grant future access.
This activity may have the appearance of an
insider threat, so breaches caused by data-entry phishing are often attributed
to this source. Is it really an inside job if they gained access through a
spear phish?
From an attacker’s perspective, what is easier:
researching social media to craft a spear phishing email, or recruiting an
actual insider within the organisation?
Some experts in the security industry have
identified two-factor authentication as a way to mitigate this threat; however,
two-factor authentication will not prevent phishing. While two-factor
authentication makes it more difficult to phish an account, it will not prevent
this type of attack from being successful.
If a user is tricked into revealing login
credentials to a false landing page, two-factor authentication will only limit
the time the hacker has access to the account. Attackers would need to collect
the second factor of authentication, but the underlying tactics would remain
the same.
Even if two-factor authentication could prevent
phishing, for large enterprises implementing the solution across the board is
often cost prohibitive and a logistical nightmare. This isn’t to say that
two-factor authentication doesn’t improve security, but it isn’t a panacea.
The same goes for technologies and services that
take down phishing websites. At best, these technologies offer lead times of
four to eight hours to take down phishing sites. It can often take longer,
particularly if the site’s domain is in an unfriendly country or if the site is
hosted using a subdomain on a large provider. Continue
reading…
0 comments:
Post a Comment