15 Phishing Simulation and Social Engineering Insights from Submerge (Cofense) London Anti-Phishing Conference
SecureClick recently attended the Submerge conference hosted by Cofense (previously PhishMe) in London. IT security officers from world-leading companies shared some of their insights from their IT security awareness programs and phishing simulations.
(Owing to the sensitive nature of IT security, many of the speakers asked for the Chatham House Rule to be applied to their content. For this reason, SecureClick has not attributed any of the insights below to particular individuals or organisations.)
From the accounts payable to payroll department
While accounts payable employees are still a huge target, attackers have increasingly moved their sights to payroll employees. Faked employee requests to change bank accounts for wages have proven an extremely common ruse over the last year.
Unusual file extensions are proving popular
Attackers have taken to using unusual file extensions, such as .iso and .msg, for malicious attachments. Formats such as these fly under the radar of most email gateways.
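Added example, not code from the conference or any gateway product: a content-aware triage check for the attachment types mentioned above. Rather than trusting the extension, it sniffs the container format from the published ISO 9660 and Compound File Binary signatures (the latter underlies .msg files), then flags unusual extensions, double extensions, and mismatches between the claimed extension and the real container. The extension lists, the sample payloads (signature headers only) and the filenames are constructed assumptions.

```python
from pathlib import PurePosixPath
from typing import List, Optional

# Added example: content-aware attachment triage (illustrative, not a vendor product).
UNUSUAL_EXTENSIONS = {".iso", ".msg"}               # extensions gateways commonly wave through

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"    # Compound File Binary: .msg, legacy .doc/.xls
ISO_MAGIC = b"CD001"                                # ISO 9660 volume descriptor identifier
ISO_MAGIC_OFFSET = 0x8001                           # byte 32769 (sector 16, one byte in)

# Which extensions legitimately carry each container format (assumed policy).
EXPECTED_EXTENSIONS = {"ole": {".msg", ".doc", ".xls", ".ppt"}, "iso9660": {".iso"}}

def sniff_container(data: bytes) -> Optional[str]:
    """Identify the container format from the bytes alone, ignoring the filename."""
    if data.startswith(OLE_MAGIC):
        return "ole"
    end = ISO_MAGIC_OFFSET + len(ISO_MAGIC)
    if len(data) >= end and data[ISO_MAGIC_OFFSET:end] == ISO_MAGIC:
        return "iso9660"
    return None

def triage_attachment(filename: str, data: bytes) -> List[str]:
    """Return reasons to hold the attachment for review; an empty list means none found."""
    reasons = []
    suffixes = [s.lower() for s in PurePosixPath(filename).suffixes]
    ext = suffixes[-1] if suffixes else ""
    if ext in UNUSUAL_EXTENSIONS:
        reasons.append(f"unusual-extension:{ext}")
    if len(suffixes) > 1:                              # e.g. invoice.pdf.iso
        reasons.append("double-extension:" + "".join(suffixes))
    container = sniff_container(data)
    if container is not None:
        reasons.append(f"container:{container}")
        if ext not in EXPECTED_EXTENSIONS[container]:  # an ISO image calling itself a PDF
            reasons.append(f"extension-mismatch:{ext or '<none>'}!={container}")
    return reasons

# Constructed sample payloads: just enough bytes to carry each signature, no real content.
SAMPLE_ISO = b"\x00" * ISO_MAGIC_OFFSET + ISO_MAGIC + b"\x01" + b"\x00" * 32
SAMPLE_MSG = OLE_MAGIC + b"\x00" * 504
SAMPLE_PDF = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"

if __name__ == "__main__":
    for name, payload in [("invoice.iso", SAMPLE_ISO), ("invoice.pdf", SAMPLE_ISO),
                          ("statement.msg", SAMPLE_MSG), ("report.pdf", SAMPLE_PDF)]:
        print(f"{name:15} -> {triage_attachment(name, payload) or 'clean'}")
```

The suffix heuristic is deliberately simple and will misfire on filenames with version numbers ("Invoice v1.2.iso" yields suffixes ".2" and ".iso"), so treat the output as a queue for analyst review rather than an automatic block decision.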
High-speed attacks + hijacked contact lists = more successful attacks
Many speakers commented on how, once an initial breach has occurred, phishing attacks are executed with unprecedented speed. First, the victim's contact list is hijacked. Then, in the space of just 10 minutes, 500 users could all receive phishing emails from the account of a “trusted” user. This creates a massive headache for IT support and security teams. One speaker likened this type of fast-moving phishing attack to a game of whack-a-mole.
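Added example, not code from the conference or any product: a sliding-window detector for the pattern described above, one internal account suddenly mailing a large number of distinct recipients within ten minutes. It runs over constructed outbound-mail log lines (the log format, the date, the addresses and the alert threshold are all assumptions) and reports the moment a sender first crosses the threshold, while a user who sends the same number of mails slowly over two hours never triggers it.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Added example: burst detection for a hijacked mailbox (illustrative, not a vendor product).
WINDOW = timedelta(minutes=10)   # the ten-minute span the speakers described
THRESHOLD = 50                   # assumption: distinct recipients per sender in one window

def _lines(sender: str, start: datetime, n: int, spacing: timedelta) -> List[str]:
    """Build constructed outbound-mail log lines: '<ISO timestamp> <sender> <recipient>'."""
    return [f"{(start + i * spacing).isoformat()} {sender} contact{i}@partner.example"
            for i in range(n)]

T0 = datetime(2019, 11, 4, 9, 0, 0)   # constructed date, not the conference date
SAMPLE_LOG = "\n".join(
    # hijacked account: 60 distinct recipients in 8 minutes (one mail every 8 seconds)
    _lines("hijacked@corp.example", T0, 60, timedelta(seconds=8))
    # normal user: 60 mails over 2 hours, never more than 6 in any 10-minute window
    + _lines("steady@corp.example", T0, 60, timedelta(minutes=2))
)

def parse_log(text: str) -> List[Tuple[datetime, str, str]]:
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, sender, rcpt = line.split()
        events.append((datetime.fromisoformat(ts), sender.lower(), rcpt.lower()))
    events.sort(key=lambda e: e[0])   # logs arrive out of order; the window needs time order
    return events

def detect_bursts(events, window=WINDOW, threshold=THRESHOLD) -> Dict[str, Tuple[datetime, int]]:
    """Return {sender: (time of first alert, distinct recipients seen in the window)}."""
    recent = defaultdict(deque)   # sender -> deque of (timestamp, recipient), oldest first
    alerts = {}
    for ts, sender, rcpt in events:
        q = recent[sender]
        q.append((ts, rcpt))
        while q and ts - q[0][0] > window:   # drop events older than the window
            q.popleft()
        distinct = {r for _, r in q}
        if len(distinct) >= threshold and sender not in alerts:
            alerts[sender] = (ts, len(distinct))
    return alerts

if __name__ == "__main__":
    for sender, (when, n) in detect_bursts(parse_log(SAMPLE_LOG)).items():
        print(f"{when.isoformat()} burst from {sender}: {n} distinct recipients within {WINDOW}")
```

Counting distinct recipients rather than raw message volume is what separates a hijacked mailbox from a legitimate long thread with one correspondent; in production the alert would feed a playbook that suspends the sending account and recalls the messages, which is the fastest way out of the whack-a-mole game.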
Sextortion scams continue to increase
Sextortion scams continue to increase. The use of a previous or current email password in the ransom email lends it instant credibility, and this attack type continues to spook users.
For Sale: your organisation’s email addresses and passwords
Not all phishers use harvested email credentials for their own attacks. Many put their “catch” up for sale on the dark web. Your organisation's email addresses and passwords are essentially listed on a dark web version of eBay... lovely.
“Trusted” supplier domains continue to be launchpads for phishing attacks
With a little OSINT, attackers are not long in finding out who your suppliers are. They phish the supplier and then use the compromised email account to target your organisation. Most employees assume that an email from a known supplier can be trusted; unfortunately, this attack works exceedingly well.
Human curiosity is still the biggest weakness
Human curiosity is still the biggest weakness. Attacks which employ strong emotional triggers keep on working. Users keep on clicking on files, links or attachments relating to time-honoured topics such as remuneration details or performance reviews. Moreover, some attackers now trawl news sites such as Google News, Yahoo Finance and other newswire sites for recent stories they can exploit as phishing lures.
“I don’t like Mondays…” neither does your IT support department
Just like in the Bob Geldof song, your IT support department probably doesn't like Mondays. Most of them will already be busy dealing with support tickets from the weekend. They will not appreciate a deluge of user calls and emails resulting from one of your phishing simulations. Moreover, your IT support team are crucial allies for the smooth running of your IT security awareness program, so be nice and don't run your phishing simulations on a Monday. Some speakers learnt this the hard way.
Make it easy for management
A number of speakers noted that phishing metrics such as resiliency ratios (number of users who reported / number of susceptible users) from phishing simulations do not always gain traction with management, whereas “traffic light” systems, which use red and green to depict reporting and susceptibility rates, can be much more effective.
Microsoft platforms continue to be abused by attackers
Microsoft platforms such as Office 365, SharePoint and Microsoft.net continue to be used to dupe both users and email gateways. After all, how can an email from another Office 365 platform be unsafe…? Understandably, most IT administrators still don't want to block Microsoft-related domains. Unfortunately, this plays perfectly into the attackers' playbook.
Spear-phishing attacks have success rates of between 60% and 80%
Highly-targeted phishing emails (spear-phishing) sent to defined targets have success rates of between 60% and 80%.
Phishing CAPTCHAs are increasingly being deployed by attackers
Many users still believe that emails and URLs are the main conduits used in phishing attacks. However, they forget at their peril that more unusual techniques, such as CAPTCHA phishing, are increasingly being used. While not exactly new, this technique often catches users unawares.
Business unit gamification beats user-level gamification
Many speakers commented that gamification of security awareness at business unit level can be more successful than gamification at user level. Nothing like a bit of healthy business unit rivalry…
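Added example, not code from the conference or any simulation platform, serving both the metrics point (resiliency ratio and red/green reporting to management) and the business unit gamification point above: it aggregates per-user simulation results into a per-unit resiliency ratio, assigns a traffic-light status, and ranks the units into a leaderboard. The green threshold, the unit names and the result data are constructed assumptions; the zero-susceptible case (nobody clicked) is handled explicitly because a plain division would fail there.

```python
from dataclasses import dataclass
from math import inf
from typing import Dict, List, Tuple

# Added example: per-business-unit resiliency ratio with a red/green status (illustrative).
GREEN_THRESHOLD = 1.0   # assumption: at least as many reporters as clickers counts as "green"

@dataclass
class UnitSummary:
    users: int
    susceptible: int   # users who clicked (fell for) the simulation
    reported: int      # users who reported it to the security team
    ratio: float       # resiliency ratio = reported / susceptible
    status: str        # "green" or "red" traffic light

Result = Tuple[str, str, bool, bool]   # (user, business unit, clicked, reported)

def summarise(results: List[Result]) -> Dict[str, UnitSummary]:
    counts: Dict[str, List[int]] = {}
    for _user, unit, clicked, reported in results:
        c = counts.setdefault(unit, [0, 0, 0])
        c[0] += 1
        c[1] += int(clicked)
        c[2] += int(reported)
    summary = {}
    for unit, (users, susceptible, reported) in counts.items():
        if susceptible:
            ratio = reported / susceptible
        else:
            # Nobody fell for it: best possible outcome if anyone reported, no signal otherwise.
            ratio = inf if reported else 0.0
        status = "green" if ratio >= GREEN_THRESHOLD else "red"
        summary[unit] = UnitSummary(users, susceptible, reported, ratio, status)
    return summary

def leaderboard(summary: Dict[str, UnitSummary]) -> List[str]:
    """Business units ranked best to worst, for the inter-unit rivalry the speakers described."""
    return sorted(summary, key=lambda u: (-summary[u].ratio, u))

def _unit(unit: str, users: int, clickers: int, reporters: int) -> List[Result]:
    """Constructed sample: the first `clickers` users clicked, the last `reporters` reported."""
    return [(f"{unit.lower()}{i}", unit, i < clickers, i >= users - reporters)
            for i in range(users)]

SAMPLE_RESULTS = _unit("Finance", 10, 4, 5) + _unit("Sales", 10, 6, 2) + _unit("Legal", 5, 0, 3)

if __name__ == "__main__":
    summary = summarise(SAMPLE_RESULTS)
    for unit in leaderboard(summary):
        s = summary[unit]
        print(f"{s.status.upper():5} {unit:8} reported {s.reported}/{s.susceptible} susceptible "
              f"of {s.users} users, ratio {s.ratio:.2f}")
```

The ratio stays in the summary for the security team, but the `status` field is the only thing a management dashboard needs to show; the leaderboard order is what drives the unit-level competition.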
Emotet and its variants continue to be a virulent threat
The feared Emotet trojan continues to be propagated via phishing attacks, spread by malicious URL, PDF or macro-enabled Word document. This insidious trojan can extract all network passwords stored on a machine and can scrape names and email addresses from a victim's Outlook email client. It exploits Microsoft's SMB networking protocol, resulting in the infection of an entire network (domain or workgroup).
The unseen work of your IT department or IT security teams needs to be publicised
And finally, your staff need to be made aware of the often unseen work your IT staff perform in keeping threats at bay. Too many employees still don't recognise the effort IT teams expend on keeping their organisation's information assets secure. Informing them of this effort sometimes helps highlight the scale of the IT security problem.