Phishing attacks, which are social engineering attacks that aim to steal user data, are experiencing a revolution. The recent rapid development of AI has done more than open up new pathways for legitimate businesses: ChatGPT is now being used to conduct phishing scams.
Phishing has been around almost as long as the internet. Early attacks took advantage of rudimentary email security, which allowed attackers to scrape email addresses and shotgun-blast malicious messages across the airwaves. The figurehead of early phishing attacks was the Nigerian Prince scam: a member of the apparent Nigerian royal family would reach out to potential victims offering an eye-watering amount of money. Playing upon their financial insecurities, vulnerable individuals would be promised the sum once they had sent across a “processing fee”.
Modern attacks have taken this template and grown and flourished far beyond typo-laden trickery. Thanks to the sheer volume of information handled by online accounts today, attackers now aim to collect anything from bank account details to usernames and passwords. Under the guise of a legitimate and reputable source, an attacker attempts to extract info with an enticing or alarming request.
In a recent proof of concept, and despite the tool’s warning of a potential violation of its content policy, researchers asked the tool to write an email impersonating a hosting company. This produced a good first draft. Iterating on this first attempt, they then asked for a variation that would convince the target to download a Trojan Excel document.
This was the result:
The researchers went further: with OpenAI’s Codex program, which converts text to code, they were able to create an Excel document that automatically began downloading malicious code upon opening. Despite the limitations placed upon these AI systems, Codex failed to identify the malicious intent within the request. Much like ChatGPT’s phishing email, the initial code had flaws, but after a few iterations it offered a perfectly functional malicious script.
As phishing attacks evolve, it’s vital that your organization keeps one step ahead.
The core of any phishing attack is a message. This could be via email, through social media, or over the phone. The constant connection of modern smartphones and devices constitutes the largest attack surface in cyber history.
A phishing attacker often utilizes public information, whether it’s information posted across social media accounts or previous leaks suffered by major data collectors. This background information helps them create a victim profile, including the name, personal interests, and work experience of the recipient. All of this data is fed into an attack to create a reliably convincing message. The recipients of modern phishing attacks are gathered from the millions of email addresses involved in data breaches every year. IBM and Ponemon’s recent Cost of Data Breach study found that data breaches now cost an average of almost $4 million, with up to 90% of businesses having suffered a breach throughout the last year. The leaked contact info is exchanged via underground markets, packaged into usable databases for widespread phishing campaigns.
The email that appears in a victim’s inbox will often attempt to disguise itself as legitimate: these campaigns can be supported with malicious attachments and supporting websites, designed to harvest even more personal data from their victims.
There are various channels attackers use to contact their victims. These phishing attacks represent a wide variety of compromises, with each type relying on certain strengths of its medium.
One of the oldest and most successful forms of phishing: attackers register domain names that are close spoofs of the legitimate one. These range from completely amateur, if the attackers deliberately target those who skim-read emails, to spoofed email domains that appear almost identical to their legitimate counterparts. Replacing or adding special characters is one of the most common approaches (switching mybank to my-bank, for example). With a solid spoof in place, they then begin spamming phishing messages to thousands of potential victims.
While traditional phishing attacks rely on email, smartphones have opened up an entirely new approach to attacks over the last decade. Fraudulent SMS messages (smishing) take full advantage of the looser security protocols that mobile devices (and their users) employ. These messages often link to a malware-infected site controlled by the attacker, with shortened URLs and the lack of a mouse-hover preview giving attackers the upper hand.
In response to the spray-and-pray approach becoming increasingly less effective, attackers turned to a more potent form of attack: spear phishing. This concentrates the attacker’s effort on a smaller number of victims, targeting a specific few. These attacks benefit from the full force of the attacker’s attention, alongside the full extent of information laid out in public Facebook and LinkedIn profiles.
Similar to smishing, attackers are also eager to utilize other approaches: voice phishing, or vishing, makes use of the more direct relationship between a caller and victim. This makes certain aspects of phishing attacks – such as induced urgency and threats – particularly potent. Here, attackers use the same trickery approach, often pretending to be a scam investigation team from the victim’s bank. From there, criminals often ask for the victim’s credit card info in order to verify their identity. Vishing can also be automated, however: these robo-calls often request the end-user to type personal details into the keypad.
While many attackers actively pursue their potential victims, angler phishing takes a different approach, instead waiting for them to reach out. Hiding behind the facade of a fake social media account for a genuine, well-known organization, the attacker can even reuse the profile picture of the genuine account. Alongside a convincingly fake handle, angler phishers take advantage of the growing trend of consumer complaints being handled via social media channels. While customers use these to ask for help, attackers are free to steer the conversation toward their own data-harvesting goals.
While social engineering is a major component of malicious emails, there’s some good news: attackers rely on a few recurring approaches in their messaging. These are frequent enough that, just by keeping an eye out, it becomes possible to spot low-effort phishing attacks before a malicious link or document is clicked.
Negative, Urgent Consequences
Any message that threatens or places particular emphasis on negative consequences should be regarded with extreme caution. This is because the implication of threat triggers the brain’s cortisol response. While the heart beats faster and blood flows to the muscles in direct response to this stress hormone, the attacker hijacks this biological response. It’s one reason why fake password reset emails are such a potent tool in the attacker’s arsenal: by hiding under the threat of account compromise, attackers are able to bypass critical thinking processes that usually keep you protected. When paired with an urgent tone, victims are very prone to complying with the attacker’s every demand.
Another feature of phishing messages that should trigger immediate alarm within the recipient is an inappropriate or unexpected tone. The advantage held by victims is simple: you know how many of your colleagues, friends, and family communicate. This awareness places you on stronger footing to detect instances of abnormal communication. If a close friend sends a message including formal language, or a colleague starts using overly friendly terms, it can be the first indicator that allows you to protect yourself.
Like the tone of an email, the requests built into it can provide another insight into the sender’s true intention. If you’re suddenly asked to perform an action that isn’t within your usual duties, it’s worth taking an extra second to double-check. This takes advantage of the greater contextual understanding available to victims: for instance, if your organization has a central IT team that manages software installation, you know to treat any email requesting a software download with extreme caution.
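The three indicators above (urgent or threatening consequences, an unexpected tone, and a request outside the sender’s usual role) can be checked mechanically as a first-pass triage aid. The following is an added example written for this article, not LayerX’s product code or any part of the original page. The phrase lists, the sender profiles, and the two sample messages are all constructed for illustration; the point is the structure of the check, not the completeness of the word lists.

```python
import re
from dataclasses import dataclass, field

# Constructed phrase lists for the indicators described in the article.
# They are deliberately small; a production filter would be far broader.
URGENCY_THREATS = [
    r"\bwithin \d+ hours?\b", r"\bimmediately\b", r"\bsuspend(ed)?\b",
    r"\baccount (will be )?(locked|closed|terminated)\b", r"\burgent\b",
    r"\bfinal (notice|warning)\b", r"\bverify your (account|password)\b",
]
UNUSUAL_REQUESTS = [
    r"\bdownload (and )?(install|run)\b", r"\benable (macros|content)\b",
    r"\bgift cards?\b", r"\bwire transfer\b",
    r"\bchange (the )?bank(ing)? details\b",
]

# Hypothetical sender profiles: what the recipient already knows about
# how this sender normally writes and what they normally ask for.
COLLEAGUE = {"formal": True, "role": "colleague"}
IT_TEAM = {"formal": True, "role": "it"}

# Constructed sample messages.
SAMPLE_SUSPICIOUS = (
    "Hey buddy!! Your mailbox will be suspended within 24 hours unless you "
    "verify your password. Please download and install the attached tool."
)
SAMPLE_IT_NOTICE = (
    "Dear all, please download and install the new VPN client from the "
    "internal portal by Friday. Regards, the IT team"
)


@dataclass
class Finding:
    indicator: str
    evidence: list = field(default_factory=list)


def _matches(patterns, text):
    """Return every phrase in `text` that matches one of `patterns`."""
    return [m.group(0) for p in patterns for m in re.finditer(p, text, re.I)]


def tone_mismatch(text, expected_formal):
    """Compare the register of the message with what we expect from the sender."""
    formal = len(re.findall(r"\b(dear|regards|sincerely|pursuant|kindly)\b", text, re.I))
    casual = len(re.findall(r"\b(hey|lol|buddy|pal|mate)\b|!{2,}", text, re.I))
    if expected_formal and casual > formal:
        return "casual tone from a sender who is normally formal"
    if not expected_formal and formal > casual:
        return "formal tone from a sender who is normally casual"
    return None


def assess(message, sender_profile):
    """Return the indicators a reader should look at before acting on `message`."""
    findings = []
    urgency = _matches(URGENCY_THREATS, message)
    if urgency:
        findings.append(Finding("urgent or threatening consequences", urgency))
    tone = tone_mismatch(message, sender_profile["formal"])
    if tone:
        findings.append(Finding("unexpected tone", [tone]))
    requests = _matches(UNUSUAL_REQUESTS, message)
    # A software-installation request is routine only when it comes from
    # the team that actually manages software, as the article describes.
    if requests and sender_profile["role"] != "it":
        findings.append(Finding("request outside the sender's usual role", requests))
    return findings


if __name__ == "__main__":
    for label, msg, who in [("colleague", SAMPLE_SUSPICIOUS, COLLEAGUE),
                            ("IT team", SAMPLE_IT_NOTICE, IT_TEAM)]:
        print(f"--- message from {label}")
        for f in assess(msg, who):
            print(f"  {f.indicator}: {f.evidence}")
```

The same software-download wording is flagged when it arrives from a colleague and ignored when it comes from the IT team, which is exactly the contextual judgement the article asks readers to apply. Heuristics like this are a prompt for a human to pause, not a verdict.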
Whilst it’s possible for individuals to become incredibly phish-wary, the fact remains that enterprise-wide phishing is simply a game of statistics: someone, somewhere, will be in a rush and open the door for attackers. Enterprise-wide protection requires a mix of engaging, habit-focused training and solutions that help employees stay protected.
Employee Awareness Training
The foundation of a solid phishing protection plan starts with the victim: by arming employees with up-to-date and relevant information on the nature of today’s attacks, social engineering attacks become much harder to carry out successfully. This makes employee training one of the most important forms of enterprise defense. Employees need to understand the aims and techniques of cutting-edge phishing attacks, and know which team members to report suspicious incidents to. This way, the organization not only supports employees, but takes a proactive cybersecurity stance that adapts and evolves with attackers.
Alongside this, employees should be encouraged to keep an eye out for positive indicators of security: trust badges from reputable antivirus solutions offer a quick and accessible indicator of site and application safety.
While users improve their own phishing protection, company-wide policies can support these efforts. Privileged user accounts are among the highest-value targets for perpetrators, thanks to the greater blast radius afforded to a successful attack. The principle of least privilege allows employees to still access the data they need, while reducing both the attractiveness of their accounts as targets and the damage a compromised account can do.
Test Resilience Before Attacks Hit
With training and infrastructure in place, your organization’s resilience to phishing is already beginning to take shape. However, the cost of data breaches today is too high to take chances, which is why both security teams and end-users benefit immensely from semi-regular phishing attack simulations. From users developing familiarity with modern attack techniques, to providing a macro view of how well-defended a company truly is, these tests are an ace card for proactive phishing protection.
The final piece of the anti-phishing puzzle is a layer of preventative mechanisms that block completely novel attacks. Traditional anti-phishing solutions operate by blocking known URLs already in use by attackers. While effective against older and more established threat actors, this approach is entirely reactive: it can only prevent attacks if their URL of choice has been flagged and reported. Attackers, on the other hand, are able to constantly jump from URL to URL, resulting in the vast majority of phishing architecture remaining outside the scope of this protection.
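The contrast described above, between a reactive URL blocklist and a check that needs no prior knowledge of the specific URL, can be seen in a few lines of code. This added example is not LayerX’s engine or any code from the original page; it illustrates the lookalike-domain trick from the email phishing section (mybank versus my-bank) alongside a blocklist, so that the gap the paragraph describes is visible. The protected brand domains, the blocklist entry, and the homoglyph table are all constructed assumptions, and the registrable-domain logic is deliberately naive (last two labels) where real code would consult the Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed inputs: the brands we want to protect and a tiny reactive
# blocklist of the kind traditional filters rely on.
PROTECTED_DOMAINS = {"mybank.com", "example.com"}
KNOWN_BAD_URLS = {"http://login-portal.invalid/secure"}  # hypothetical entry

# Character substitutions commonly used to imitate a brand name.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def registrable_domain(url):
    """Naive registrable domain: the last two host labels."""
    host = (urlsplit(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def normalize(label):
    """Undo hyphen insertion and look-alike characters before comparing names."""
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label.replace("-", "")


def levenshtein(a, b):
    """Edit distance, used to catch single-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the protected domain that `domain` imitates, or None."""
    if domain in PROTECTED_DOMAINS:
        return None
    name, _, _tld = domain.rpartition(".")
    for brand in PROTECTED_DOMAINS:
        brand_name, _, _ = brand.rpartition(".")
        # Same name after normalisation (covers my-bank, rnybank and a swapped
        # TLD), or one edit away from the brand name.
        if normalize(name) == brand_name or levenshtein(name, brand_name) <= 1:
            return brand
    return None


def classify(url):
    """Reactive check first, then the heuristic that needs no prior sighting."""
    if url in KNOWN_BAD_URLS:
        return "blocked (known URL)"
    brand = lookalike_of(registrable_domain(url))
    if brand:
        return f"suspicious (lookalike of {brand})"
    return "allowed"


if __name__ == "__main__":
    for u in ["http://login-portal.invalid/secure", "http://login-portal.invalid/new",
              "https://www.mybank.com/login", "https://my-bank.com/login",
              "https://rnybank.com/", "https://mybank.co/", "https://unrelated.org/"]:
        print(f"{u:40} -> {classify(u)}")
```

Note the second blocklist case: the attacker only has to move to a new path on the same host and the reactive check is silent, which is the weakness the paragraph describes. The lookalike heuristic, by contrast, flags my-bank.com, rnybank.com and mybank.co the first time they are seen, without any prior report.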
LayerX offers high-precision threat detection with no reliance on prior knowledge. Instead of a simple list of blacklisted URLs, LayerX identifies suspicious sites based on analysis of the website’s projected activity. Our independent ML engine performs this analysis in real time via an easy-to-install browser extension, with zero latency. This way, malicious intent can be discovered before the end-user’s device connects to the attacker-controlled web server. With a proactive approach to phishing, your organization can stay ahead of any attacker, AI or human.