Can anyone go phishing?

Representational image of a cybercriminal
(Image credit: Future)

The accessibility of the internet has created a culture where everything is available to everyone at any time. We can share insights and collaborate with individuals all around the world, and the web is home to the biggest database of ‘how to’ resources ever created.

About the author

Magni Sigurðsson is Senior Manager of Detection Technologies at Cyren.

Cybersecurity is no exception to this trend, and unfortunately, this accessibility means that anyone can now become a cybercriminal. The image of ingenious threat actors hidden away behind countless computers, devising an intricate attack campaign is no longer reflective of today’s modern criminals. Thanks to the development of phishing kits, the next person targeting your business could be anyone you pass in the street.

Given their adaptable and relatively simple nature, phishing attacks remain a popular technique used by threat actors, particularly throughout the long periods of remote working. One of the biggest trends we’ve noticed is the rise in phishing sites targeting Chase Bank account users, with research revealing a 300 percent increase in phishing URLs using the Chase brand.

The cyber industry has witnessed several developments in the phishing sector, all as threatening as the last.

Phishing has always been a threat actor’s best friend: it’s simple, adaptable, and inexpensive. Regardless of how the wider email and malware threat landscape has evolved, phishing has remained at the center.

The primary motivation behind every phisher is the acquisition of credentials that unlock the business’s vault of data or finances. Recently however, there has certainly been an increase in adversaries directly pursuing the high-value information such as bank details or social security numbers, rather than going for the easy targets like usernames and passwords. Yes, this information is harder to access, but the profitable rewards are well worth some additional effort.

While phishing is often deployed as a single step attack, it also features in larger, multistage campaigns. Phishing is usually the first step – as the technique used to gain initial access to the network – but it is then followed by a second stage with a different objective like ransomware, for example. These multi-stage attacks can be extremely damaging for businesses, but it all starts with a simple phishing email.

However, the number one trend we’ve been following is the development of phishing kits. New kits are regularly being released, the latest focusing on the use of mobile devices to trick victims. Thanks to ongoing hybrid working, IT and security teams lack complete visibility into what devices are being used by employees at home, or whether the correct procedures and practices are being upheld by all workers. One naïve and vulnerable employee could be all it takes to unravel the company’s defenses.

The shift towards phishing kits

Phishing kits are becoming far more accessible on the web and are essentially a ‘do-it-yourself’ package for phishing attacks. The kits hold the code for setting up the phishing site, which is easily deployed once the individual purchases the necessary domain. At this point, the user must simply acquire their email targets – which can easily be found online – and get started. For those wishing to make the attacks more efficient, there are technologies than can automate the process and can be left running without supervision.

Our research into phishing kits has revealed that these ‘starter kits’ are rapidly becoming more sophisticated and are now built to harvest high-value data, including banking and credit card information, home addresses and social security numbers. We found a popular kit on the market named as the Chase XBALTI, which specifically targets Chase and Amazon account holders. The individual deploying the kit no longer needs to be a skillful hacker, as the technology does everything for them. In fact, we’ve seen kits that have been created to capture the one-time codes used for multifactor authentication (MFA), making them even more threatening.

Without a doubt, these kits are revolutionizing the face of phishing.

How to fight the phishing frenzy

As standard, all organizations should follow the basic cyber hygiene practices. This includes using MFA across as many processes as possible, avoiding the re-use of passwords, and trusting your gut feeling. In most cases, if something seems deceitful then it probably is. It’s vital that all companies appreciate the true value of human intuition, as it’s one of the most powerful tools in a security team’s toolbox. Teaching employees how to recognize the signs of a phishing attack with security awareness training and then equipping them to apply those learnings in practice will be highly effective against criminals’ social engineering techniques. Just simply contacting the bank to verify an email could be the difference between a successful and a prevented cyber attack.

There are several other forms of protection against phishing attacks, accommodating all budget sizes. As a starting point, businesses should consider deploying an email security solution that analyses the email content to determine whether it’s genuine. The in-built email filters can deliver high-speed detection for a wide selection of incoming threats, such as malware, spam, and any well-known phishing URLs. These defenses can be strengthened with specialist layers of detection that learn and identify more advanced threats by using machine learning and natural language processing.

The number of incoming phishing attacks show no sign of slowing down, so it’s vital that businesses act fast. In addition, with phishing kits becoming more accessible each day, the pool of potential attackers is quickly growing. While they might not all be mastermind criminals with a toolbox full of advanced skills and techniques at their disposal, the kits being used have enough capabilities to locate overlooked weaknesses in company perimeters. If just one phishing email successfully fools an employee, that could be all it takes. To avoid becoming the next victim, businesses cannot afford to underestimate the power of phishing kits and those willing to use them.

Magni Sigurðsson is Senior Manager of Detection Technologies at Cyren (NASDAQ:CYRN), an established provider of advanced threat detection and threat intelligence solutions for enterprise, service providers, and cybersecurity solutions vendors.