As more transactions between all types of businesses and their customers move online, the opportunity for attackers to steal credentials through phishing continues to grow. Making matters worse, adversaries are launching more sophisticated attacks that are quite difficult to spot, even for the trained security professional. It’s clear that current approaches to detection and mitigation of phishing and web spoofing are falling short.
The recent disclosure by YouTube of a phishing campaign is a prime example. A reported 23 million YouTube customers may have been affected by the attack. These were YouTube content creators who make very popular videos that are subscribed to and viewed by millions. This was no coincidence. The adversary specifically targeted these users by building realistic-looking emails that appeared to come from YouTube’s parent company, Google, urging them to change their passwords. These emails contained a link that sent users to spoofed URLs that were almost identical to the real thing. Because of the success of this phishing attack, many of these “YouTubers” lost access to their channels, and YouTube even had to delete others.
What can organizations learn from the YouTube phishing scheme?
- 2FA isn’t a solution to phishing prevention. For the most part, this was a textbook example of phishing that leveraged phony emails and spoofed URLs, but here’s where things get more sophisticated: The attackers were able to bypass Google’s two-factor authentication (2FA), a signature security tool that Google has invested in heavily, possibly by using a tool to intercept text messages containing the security codes. This tool is available for purchase on the dark web, and sends the 2FA codes straight to the hackers instead of the users. It has been widely assumed in the security community that 2FA was enough to stop an adversary from capturing user credentials through a spoofed website, but this attack shows that assumption to be false.
- Your customers are being targeted because they trust your brand. Hackers like to orchestrate these attacks using brand recognition as a cover for their nefarious activity. It makes sense that an email from Google is going to get a customer’s attention and encourage a response – after all, it’s one of the most recognized brands in the world. The same goes for any large bank or retailer. Your customers trust content that appears to be coming from you, and are more likely to take an action. Hacker know this and are using it against your customers.
- Your business is responsible for detecting spoofed URLs –not your customers. One of the more frustrating responses from businesses such as Google in the event of an attack like this is to push the responsibility onto their users. Yes, consumers should be more vigilant and know the signs of a phishing attempt, but the reality is, these attacks are now believable enough to fool even the trained eye. It’s not your customers’ role to detect when your website is being spoofed. It’s yours. Too many times, organizations are being alerted to this activity by their own customers, whose data is at stake.
Over my four decades as a computer science professor, data loss detection researcher and entrepreneur, my expertise has been called upon by corporations and government agencies alike. Most recently, a large financial institution needed help with a pervasive security problem. Their security team had detected five website spoof attacks in a single month, all done with the intent to steal customers’ login credentials. They were frustrated to learn that their digital risk protection service had only identified four of them. The fifth one was reported by a customer. After the spoofed websites were taken down by the bank’s ISP, the security team was still left with unanswered questions. They wanted to know:
- How long were the spoofed sites active?
- Are there more spoofed sites that have gone unnoticed?
- How many customers have been impacted and who are they?
- Who did it, and what has he or she done with the stolen information?
- How can the stolen information be poisoned to limit risk?
Unfortunately, most popular commercial solutions for phishing and spoofing detection are based on monitoring domain registrations and conducting manual web searches. They lack the capability to answer any of those questions. Not only are these practices are susceptible to human error, but they can only identify spoofed websites after the fraud has occurred and the data has been stolen. That is a reactive solution that puts customer data at risk.