In 2019, attackers are still phishing their targets for sensitive information, and those phishes ultimately lead to data compromise. Phishing is the technique where a malicious actor lures a victim into revealing sensitive information. This can be done through large “spray-and-pray” campaigns sent to many recipients or through a more targeted approach that crafts attacks for specific individuals, known as Spear Phishing. Phishing has been around since the early days of the Internet and is one of the oldest attack vectors.
Phishing gives hackers a very successful avenue for obtaining credentials. The simplest and most efficient way to achieve this is by redirecting users to a website with some sort of submission form. With a little effort, such as purchasing domains with similar names and using tools to scrape and mirror legitimate website content, an attacker can forge a highly convincing scenario.
In a recent Office of the Australian Information Commissioner (OAIC) notifiable data breach report, a staggering 43% of Australian cyber breaches originated from credentials compromised through phishing attacks.
Recently, the Privasec team conducted a red team engagement in which the team gained substantial access to internal infrastructure, compromised multiple services and moved laterally within a corporate network. The team’s initial foothold came from credentials phished with a forged email, using techniques similar to those described above.
Most perimeter controls are easily thwarted when an attacker has valid credentials. No failed logon attempts are generated, and no alarms or suspicion is raised. This allows the attacker to blend in with the environment, maintain stealth and have uninterrupted access to your network.
Security awareness is key to fixing this issue. This is nothing new, but as an industry we’re still not doing enough to educate our colleagues, families and friends. An organisation could confidently say it has reached peak maturity when every employee acts as a security guard, identifying when something isn’t right and reporting it. Getting there is a journey that requires constant training and awareness.
Here are the top 5 phishing quick tips:
- NEVER click on something you’re unsure of or not expecting.
- NEVER submit credentials by following a link. Always go directly to the site.
- If you have mistakenly submitted credentials or clicked on something that isn’t right, RESET your password and REPORT it. (If you’re reusing passwords, reset it for all accounts and logins where it is used)
- Use MFA. There’s no excuse not to be using it in 2019.
At Privasec, we can help identify your current exposure level through phishing exercises, or even conduct complete red team engagements to find vulnerabilities so you can remediate and work towards securing your assets.
Please click here to reset your password.
Author: David Roccasalva - Security Consultant, Privasec