
New Gmail Phishing Attack Fooling Tech-Savvy Users

By ISBuzz Team, January 17, 2017

Multiple outlets, such as the HelpNetSecurity blog, are reporting that a new Gmail phishing technique fools even tech-savvy users. An effective new phishing attack is hitting Gmail users and tricking many into entering their Gmail credentials into a fake login page.

How the attack unfolds: The phishers start by compromising a Gmail account, then they rifle through the emails the user has recently received. After finding one with an attachment, they create an image (screenshot) of it and include it in a reply to the sender… to invoke recognition and automatic trust.

IT security experts from Balabit, Lastline, Prevalent, VASCO Data Security and NuData Security commented below.

Balázs Scheidler, Co-founder and CTO at Balabit:

“Phishing techniques are improving and can be so elaborate that they can scam even tech-savvy people such as privileged users, who have access to sensitive corporate assets. Should such an account be compromised, attackers can cause a lot of damage through the privileged accounts. Clearly, holding the credential for an account may not be enough to ensure that the logged-in user is indeed the legitimate user. The actual user’s behavior is the one thing that helps security professionals discover misused accounts by automatically spotting behavioral differences between an intruder and a legitimate user’s baseline. Behavior analytics solutions can identify exactly those cases where malicious actors use stolen credentials, and can prevent resulting data breaches.”

Bert Rankin, CMO at Lastline:

“Unfortunately, constantly evolving and improving phishing attacks are now a way of online life for all of us. For those enterprise IT administrators with the mission of protecting the organization, education of the employees is not enough. It takes just one accidental well-meaning click on a malicious email to inflict irrevocable damage to the whole of the organization. In addition to employee education and awareness about how phishing attacks work and how to check a suspicious email, it is an imperative that IT put filtering mechanisms in place that use technology – not people – to sort, test and eliminate such malicious emails before they even have a chance to test the eyes of the employees.”

Jeff Hill, Director, Product Management at Prevalent:

“Today’s disturbing reality is that there is no effective defense for a well-conceived phishing attack. Reliance on email communication, the sheer volume of it, and the frenetic pace of life combine to create a superbly fertile environment for cyber attackers to exploit. In the corporate environment, relying on external defenses to prevent an intrusion is a foolish, head-in-the-sand approach to cybersecurity, something InfoSec professionals are well aware of. The challenge is to detect the intrusion quickly after the inevitably successful phishing attack, shut it down, and make it very difficult for bad actors to access sensitive information in the interim even if they gain access to the network.”

John Gunn, VP of Communications at VASCO Data Security:

“As attack methods become more sophisticated – as this attack demonstrates – defenses must keep pace or the number of victims will continue to grow. Passwords are thirty-year-old technology and they merely provide a false sense of security with no real protection. 2017 must be the year that the industry replaces passwords with multifactor authentication.”

Robert Capps, VP of Business Development at NuData Security:

“This level of sophisticated phishing attack has the potential to fool even the savviest of users. It’s a sad reality that users must maintain their vigilance online by assuming we’re all working and playing in a hostile environment. The tools exist that can make these phishing attacks pointless by devaluing information that crooks are going after. It’s going to take a shift in thinking and identity verification. The answer is using solutions like passive biometrics and behavioral analytics that never store static credential data. Unlike other solutions, behavioral biometrics can’t be mimicked or stolen and cause no extra hassle or friction to end users. When these tools are widely implemented, phishing scams like this will become a thing of the past because the stolen data isn’t the primary information needed to unlock the account.”

The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
