Web-Scale Social Engineering: Phishing Beyond Email

Web-Scale Social Engineering. phishing beyond email.jpg

By Atif Mushtaq

When you sit down at your computer and scroll through emails, there’s a good chance that you can spot a scam right away – if your junk folder hasn’t already caught it. But it’s a whole new realm when you go to a trusted site or account and see a page or pop-up that looks like the legitimate sign-in but is really a cleverly constructed phishing attack form.

Cyber criminals today are creating super-realistic camouflage pages that appear to be the real deal. Because psychological manipulation of Internet users has been lucrative, hackers are investing a lot of time and energy to make these attacks look legitimate. Gone are those phony misspelled pleadings from Nigerian princes asking for “investments” or emails with obviously malicious file attachments.

These days, the bad guys are developing highly sophisticated web pages, log-in buttons, browser plug-ins and pop-ups, chat applications, and apps that look surprisingly legitimate but have fraudulent intent or hidden functionality that can trick even the savviest security practitioner, never mind your average employee.

Although phishing attacks have been around for many years, they have evolved to form the current fourth-generation threat landscape: phishing beyond email.

Five years ago, a phishing email might have started with credential theft and ended there. Today, users inadvertently open a backdoor, kicking off a wide variety of attacks on their personal or corporate data.

In other cases, an unsuspecting user will be tricked into fronting a multi-faceted attack over a long period of time, often targeting people in their own network.

In such a risky landscape, the real question for security teams is how are untrained, non-security staff supposed to recognize these threats that are hard to spot if you aren’t thinking like a hacker? Security systems are focused on first-gen (network), second-gen (signature-based), and third-gen (malware) attacks, but they simply cannot detect this new breed of fileless attacks that are designed to evade existing defenses.

The fourth-generation security landscape encompasses these new phishing attack vectors. As a result, new security solutions are needed to safeguard users before they click on or provide personal or corporate info to any convincing yet malicious phishing appeals. In fact, a typical gap analysis of our customers’ data shows that up to 90% of such attacks bypass multi-level security protections today. Hence the urgent need for web-scale social engineering protections today and into the future – solutions that can detect and block non-email phishing attempts coming to employees from the Web, ads, and apps.

In one type of social engineering tactic, mock web pages have become so realistic that it is impossible for humans to tell the difference. The hackers have grown so emboldened that they even created an imitation sign-up page for RSAC 2018, a major national security conference (see image below).

Image Source:  SlashNext

Image Source: SlashNext

The bogus web page fooled many security professionals into not only giving away their identifying information and credit card info, but the hackers also stole conference registration fees before selling backdoor access to those compromised computers on the Dark Web.

Too often, security training can only go so far, and security sandboxes put a needless burden on IT teams. New techniques are needed to create a kind of real-time, out-of-band session emulation that performs in-depth analysis on each interaction and online asset to determine if it’s malicious or not so that it can be blocked.

By recreating the user’s session through hundreds of computer science algorithms ranging from language translation to lexical semantics, optical character recognition and image identification, the system could probe all aspects of the session at CPU speed, without human errors and without human emotions. Through machine learning, these software agents can become smarter about social engineering attacks over time to protect unwitting employees from making the wrong moves online.

About Atif Mushtaq

Atif Mushtaq is the founder and CEO of SlashNext. Before founding SlashNext, Atif spent nine years at FireEye as a senior scientist, where he was one of the main architects of FireEye’s core malware detection technology. He has spent most of his career on the front lines of the war against cybercrime, working with law enforcement and other global organizations to take down some of the world’s biggest malware networks including Rustock, Srizbi, Pushdo and Grum botnets.

More About Atif