As mentioned in Part 2 of this series, the Coveware Quarterly Ransomware Report covering Q3 of 2020 identified RDP as the largest single attack vector for ransomware attacks, accounting for over 50% of attacks. Second behind RDP though, accounting for over 25% of attacks, was phishing campaigns. Interestingly, that same report showed that for very large organizations, phishing campaigns were more frequently used than RDP, likely because those larger organizations are more likely to use more robust means of remote access beyond RDP.
What Is Phishing?
According to the CISA definition, phishing is "an attempt by an individual or group to solicit personal information from unsuspecting users by employing social engineering techniques. Phishing emails are crafted to appear as if they have been sent from a legitimate organization or known individual. These emails often attempt to entice users to click on a link that will take the user to a fraudulent website that appears legitimate. The user then may be asked to provide personal information, such as account usernames and passwords, that can further expose them to future compromises. Additionally, these fraudulent websites may contain malicious code."
While the CISA definition above and the discussion below focus on email phishing techniques, it's important to note that some phishing techniques do not rely on email. Some phishing techniques utilize SMS/text (Smishing), phone calls (Vishing), and forged websites. Regardless of the technique though, the end goal of phishing is typically to get the targeted individual to:
- Provide personal data that can be used for identity theft or other forms of financial gain, either direct or indirect
- Provide sensitive information, such as credentials that can be used to compromise systems and allow attackers direct access to install malware/ransomware
- Unknowingly download and install malware/ransomware
Why Especially Now?
Phishing scams have been around since the 1990s. However, crises such as the current pandemic present a prime opportunity to lure victims into taking phishing bait. During our current crisis, people are looking for information and direction from lots of different authorities such as employers, government, and health agencies. Any email that appears to offer pertinent information to the crisis will likely receive less scrutiny than at other times.
There is no standardized categorization of phishing techniques, but commonly recognized ones are:
- Standard Phishing - This is the most common technique, using emails that appear to come from a recognized sender. These emails are sent to a very large number of users in a "spray and pray" approach. Many are hastily put together and are frequently easy to identify by spelling and grammar mistakes.
- Spear Phishing - Spear phishing is more focused than standard phishing. Attackers target specific organizations and well-researched individuals using emails that are less generic and more personal in hopes that individuals will be less suspicious. These emails are also more difficult to identify by automated means.
- Whaling - Whaling is very focused, targeting executives and other high-profile targets at large organizations. Many times, whaling includes a second phase that involves using an executive's compromised email account to conduct further phishing within the organization or in related organizations.
- Search Engine Phishing - While standard phishing, spear phishing, and whaling rely on targeted emails, search engine phishing is more passive. With search engine phishing, attackers build complete websites and rely on getting highly ranked and indexed by legitimate search engines to get users to visit.
How to Identify Phishing Emails
Phishing campaigns vary widely in sophistication: some are very easy to spot, while others are convincing and difficult to detect. In their security tip ST04-014 titled "Avoiding Social Engineering and Phishing Attacks", CISA offers the following five common indicators of a phishing attempt.
- Suspicious sender’s address. The sender's address may imitate a legitimate business. Cybercriminals often use an email address that closely resembles one from a reputable company by altering or omitting a few characters.
- Generic greetings and signature. Both a generic greeting—such as “Dear Valued Customer” or “Sir/Ma’am”—and a lack of contact information in the signature block are strong indicators of a phishing email. A trusted organization will normally address you by name and provide their contact information.
- Spoofed hyperlinks and websites. If you hover your cursor over any links in the body of the email, and the links do not match the text that appears when hovering over them, the link may be spoofed. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net). Additionally, cybercriminals may use a URL shortening service to hide the true destination of the link.
- Spelling and layout. Poor grammar and sentence structure, misspellings, and inconsistent formatting are other indicators of a possible phishing attempt. Reputable institutions have dedicated personnel that produce, verify, and proofread customer correspondence.
- Suspicious attachments. An unsolicited email requesting a user download and open an attachment is a common delivery mechanism for malware. A cybercriminal may use a false sense of urgency or importance to help persuade a user to download or open an attachment without examining it first.
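Two of the indicators above (a lookalike sender address and a hyperlink whose visible text names a different host than its real destination) can be checked mechanically. The following is an added example, not part of the CISA tip or the original article; the sample message and the TRUSTED_DOMAINS list are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message exhibiting two of the indicators (not a real email).
SAMPLE_EMAIL = """From: "Acme Support" <support@acme-billing.example>

<html><body>Dear Valued Customer,<br>Please verify your account at
<a href="http://acme.login-portal.example/verify">https://www.acme.example/account</a>
or <a href="https://www.acme.example/help">contact support</a>.</body></html>
"""
TRUSTED_DOMAINS = {"acme.example"}  # assumed: domains the organisation legitimately deals with

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(text):
    # Hostname of a URL or bare host ('www.acme.example/x'); '' for plain words like 'click here'.
    host = (urlparse(text if "://" in text else "//" + text).hostname or "").lower()
    return host if "." in host and " " not in host else ""

def phishing_indicators(raw):
    """Return the indicator strings found in a raw RFC 5322 message."""
    msg, findings = message_from_string(raw), []
    sender = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    for trusted in TRUSTED_DOMAINS:  # sender carries a trusted brand name but is not its domain
        if sender != trusted and not sender.endswith("." + trusted) and trusted.split(".")[0] in sender:
            findings.append(f"lookalike sender domain: {sender}")
    links = LinkCollector()
    links.feed(msg.get_payload())
    for href, text in links.links:  # visible link text names a host other than the real destination
        shown = host_of(text)
        if shown and shown != host_of(href):
            findings.append(f"link text {shown} actually points to {host_of(href)}")
    return findings
```

Running phishing_indicators(SAMPLE_EMAIL) reports both the lookalike sender domain and the mismatched link; the "contact support" link is not flagged because its visible text is not a URL.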
Tools to Combat Phishing
Like much of cybersecurity, several layers of defense may be needed for an effective anti-phishing solution because there is no single layer that is 100% effective. Key tools to combat phishing are:
- SPF, DKIM, DMARC
- Secure Email Gateway
- Endpoint Security & Web Filtering
- Security Awareness Training
SPF, DKIM, DMARC
SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) are email security protocol standards that have been around for many years. While they don’t eliminate the threat of phishing, they are no-cost options to authenticate mail servers and prove to receiving mail servers that senders are truly authorized to send email. For these protocols to work, both the sending domain and receiving domain must be configured to use them. The sending domain must have extra TXT records created in DNS, and receiving domains must check these DNS records to ensure email is truly coming from the sending domain. When properly configured, all three prove the sender is legitimate, their identity has not been compromised, and they’re not sending email on behalf of someone else.
So, what is the difference between these three? SPF identifies which servers can send email for a particular domain. DKIM ensures the content of an email hasn’t been tampered with and therefore can be trusted. DMARC is built around both SPF and DKIM, and is intended to:
- Verify the sender’s email is protected by both SPF and DKIM
- Tell receiving mail servers what to do if neither of those authentication methods passes
- Provide a way for receiving servers to report back to the sender about messages that pass and/or fail the DMARC evaluation
Are all three needed? The answer is “yes” if you can implement them. At a minimum, SPF and DKIM should be implemented since they have gained relatively wide adoption, while DMARC is taking a while to catch on. Implementing all three however provides the most protection and shows others that the organization is serious about doing its part in preventing phishing and other email security issues.
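To make the division of labour between the three records concrete, here is an added example (not from the original article) of how a receiving mail server combines them: SPF answers "may this IP send for the domain?", DKIM (assumed already verified) answers "was the content signed by the domain?", and DMARC decides what to do when neither result aligns with the From: domain. The TXT records and addresses are constructed; only ip4 mechanisms and strict alignment are handled.

```python
from ipaddress import ip_address, ip_network

# Constructed DNS TXT records for a hypothetical sending domain (not real records).
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.10 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com",
}

def spf_check(domain, sender_ip):
    """Evaluate the ip4 mechanisms of a domain's SPF record against the connecting IP."""
    record = DNS_TXT.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"                      # no SPF record published
    ip = ip_address(sender_ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:") and ip in ip_network(term[4:], strict=False):
            return "pass"
        if term == "-all":                 # hard fail: nobody else may send for this domain
            return "fail"
        if term == "~all":                 # soft fail: treat as suspicious, not conclusive
            return "softfail"
    return "neutral"

def dmarc_policy(domain):
    """Return the p= policy from _dmarc.<domain>, or None when no DMARC record exists."""
    record = DNS_TXT.get("_dmarc." + domain, "")
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    return tags.get("p", "none") if tags.get("v") == "DMARC1" else None

def dmarc_evaluate(from_domain, spf_result, spf_domain, dkim_valid, dkim_domain):
    """Apply DMARC: pass if SPF or DKIM passed for a domain aligned with the From: header.

    Strict alignment is used here; relaxed alignment would also accept subdomains.
    DKIM verification itself (signature check) is assumed to have been done already.
    """
    spf_aligned = spf_result == "pass" and spf_domain == from_domain
    dkim_aligned = dkim_valid and dkim_domain == from_domain
    policy = dmarc_policy(from_domain)
    if policy is None:
        return "none", "deliver"           # sender publishes no policy: receiver decides alone
    if spf_aligned or dkim_aligned:
        return "pass", "deliver"
    disposition = {"reject": "reject", "quarantine": "quarantine"}.get(policy, "deliver")
    return "fail", disposition             # p=none only reports, it does not block

if __name__ == "__main__":
    # A spoofed message: From: example.com, but sent from an IP not in example.com's SPF record.
    spf = spf_check("example.com", "192.0.2.7")
    print(spf, dmarc_evaluate("example.com", spf, "example.com", False, ""))
```

Note the third case in the test below: a message that passes SPF for some other domain the attacker controls still fails DMARC, because the passing domain does not align with the From: header the user sees.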
Secure Email Gateway
Secure email gateways are servers specifically designed to protect organizations from incoming and outgoing email threats such as spam, phishing, and malware/ransomware. They act as a firewall for email, enforcing rules about what email can enter and leave an organization. They also inspect all inbound and outbound email looking for signs of threats to prevent them from ever reaching users. Many also provide encryption and archiving capabilities.
In addition to basic prevention techniques based on signature-based and reputation-based measures, advanced secure email gateways also provide features such as:
- Virtual Sandbox - A virtual sandbox inspects attachments and URLs that cannot be definitively identified as benign or malicious using other methods.
- Content Disarm and Reconstruction (CDR) - CDR strips away active content or content that doesn’t conform to that file type's specification in real-time to build a sanitized version that can be delivered to the recipient. This real-time process helps avoid negative productivity impact caused by sandbox detonation and quarantine delays.
- URL Rewriting - URL rewriting secures URLs before they are delivered to the recipient by making URLs non-clickable.
Endpoint Security & Web Filtering
While secure email gateways have made great strides in preventing phishing emails from reaching users, it’s important to continue using other tools that are likely already part of a security infrastructure. That includes products such as endpoint security software and a web filter. Both represent a good second line of defense for email threats that slip past a secure email gateway but are also needed for threats that aren’t delivered via email. For example, a web filter and up-to-date endpoint security software help protect against a search engine-based phishing campaign.
Security Awareness Training
The combination of systems mentioned above significantly helps to reduce the risk of successful phishing campaigns, including ones intended to deliver ransomware. However, the most important step to take to combat phishing is training users about phishing risks specifically, and security risks in general. That is because email security tools are not foolproof and may still allow some phishing emails through. For example, some phishing threats are now being written to get around sandboxing by remaining dormant for days or weeks to avoid detection.
There are several companies offering security awareness training. Most rely on a repeating cycle of:
- Assess - Evaluate user knowledge level and establish a baseline
- Educate - Educate users about threats, how to spot them, and how to respond
- Measure - Monitor security metrics and results from simulated phishing
Undertaking a comprehensive security awareness training program requires a substantial financial and time commitment that may not be immediately possible. Until an official security awareness training program can be implemented, CISA's security tip ST04-014 suggests the following common-sense guidelines that should be shared with employees.
- Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.
- Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person's authority to have the information.
- Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email.
- Don't send sensitive information over the Internet before checking a website's security. (See Protecting Your Privacy for more information.)
- Pay attention to the Uniform Resource Locator (URL) of a website. Look for URLs that begin with "https"—an indication that sites are secure—rather than "http."
- Look for a closed padlock icon—a sign your information will be encrypted.
- If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a website connected to the request; instead, check previous statements for contact information.
KnowBe4, a firm specializing in security awareness training, published two very helpful single-page documents that highlight a range of clues to be aware of when dealing with suspicious emails and URLs. Due to their format, these can be handy reference documents for users.
By targeting people with phishing campaigns, ransomware gangs can bypass traditional security technologies. Email is a weak link in many organizations’ infrastructure, and attackers have been able to exploit this by using phishing emails to trick users into opening malicious URLs and attachments. Comprehensive email security is needed to help prevent phishing campaigns, including those that spread ransomware. Security products such as secure email gateways and web filters can certainly help. But user awareness and training are equally, if not more important. Users need to understand what email threats look like and how to respond when found, not only to protect themselves but also the rest of the organization.