‘Old School’ email social engineering or data-entry phishing is an attack method that has been on the rise in recent months, notably employed by the Syrian Electronic Army to hack seemingly every major media outlet in the Western hemisphere. Data-Entry phishing emails lure employees into freely giving up their login credentials by taking them to a seemingly legitimate landing page. Attackers then use the credentials to establish a foothold in the network.
When spear phishing, data-entry style emails contain a link that takes the recipient to a webpage that appears to be a genuine corporate or commercial site soliciting login information. Despite their pervasiveness and high-success rate, data-entry attacks seeking login credentials and other sensitive information have been a secondary concern for enterprises. Information security teams have been more concerned with phishing emails that attempt to carry out drive-by attacks through a malicious link or malware delivery via an attachment.
Since data-entry phishing attacks don’t require malware, it’s quite possible to fall victim to this technique and never even realise it. Victims will often enter their information and not recognize something is wrong. Without the presence of malware, these attacks often go undetected by technical solutions.
However, this doesn’t mean the consequences are any less severe.
Once attackers gain legitimate credentials into the network, their activity is difficult to detect. Using these credentials they can often exfiltrate significant amounts of information from overly permissive file shares, search for other devices with weak or default credentials, and possibly escalate privileges to dump entire username/password databases that can continue to grant future access. This activity may have the appearance of an insider threat, so breaches caused by data-entry phishing are often attributed to this source. Is it really an inside job if they gained access through a spear phish? From an attacker’s perspective, what is easier, researching social media to craft a spear phishing email? Or recruiting an actual insider within the organization?
Some experts in the security industry have identified two-factor authentication as a way to mitigate this threat; however, two-factor authentication will not prevent phishing. While two-factor authentication makes it more difficult to phish an account, it will not prevent this type of attack from being successful.
If a user is tricked into revealing login credentials to a false landing page, two-factor authentication will only limit the time the hacker has access to the account. Attackers would need to collect the second factor of authentication, but the underlying tactics would remain the same.
Even if two-factor authentication could prevent phishing, for large enterprises implementing the solution across the board is often cost prohibitive and a logistical nightmare. This isn’t to say that two-factor authentication doesn’t improve security, but it isn’t a panacea.
The same goes for technologies and services that take down phishing websites. At best these technologies offer lead times of four to eight hours to take down phishing sites. It can often take longer, particularly if the site’s domain is in an unfriendly country or if the site is hosted using a subdomain on a large provider. In PhishMe’s experience running simulated phishing attacks, most recipients interact with emails in a matter of minutes or seconds, so even a quick takedown in four hours could be too late.
One of the main ways organisations can protect against these data-entry phishing attacks is through employee training. A well-trained user base is a critical element to a robust security posture, however one of the greatest challenges facing security awareness initiatives is providing employees with an experience they will actually engage and retain.
Immersive training is one of the most effective ways to educate staff on security threats. By continually conducting simulated phishing scenarios and providing staff with immediate feedback and education on their performance, IT security teams can analyse and measure the overall company progress and level of user susceptibility. The program is meant to be carried out at different points throughout the year.
Data-entry phishing attacks are difficult to detect and there is no specific technical appliance that can help protect against them. However by providing immersive security training organisations can use their staff as a first line of defence to identify and report suspicious email activity. A well-tuned network of human sensors can be particularly effective when faced with malware-less attacks, providing real time intelligence that can make the difference between rapid remediation or prolonged compromise.
Scott Greaux, VP of product management and services at PhishMe.
PhishMe launched publicly in 2008, and incorporated as an independent entity in 2011. PhishMe Incorporated is based in Northern Virginia, just outside of Washington, DC, with staff across the country. Our support, operations and sales teams are headquartered in our Virginia office, with additional offices in New York and London.
Our team developed the PhishMe concept based on dozens of years of experience in penetration testing, social engineering, abuse management, incident response and forensics. As our founding team looked at the results of the annual assessment model we implemented for clients, we realized that to effectively combat phishing attacks, our customers needed to combine compelling exercises with dynamic, immersive training.