Navigating the Digital Deception: The Dark Art of Phishing and Social Engineering

Phishing is a trick that bad actors use on the internet. They send fake messages or emails that look real. Those messages try to get you to share your personal information, like passwords or bank details. It’s like someone pretending to be your friend to get something from you, but it’s happening online. However, unlike a trick played by a friend, phishing can cause severe setbacks, often ending in financial loss.

Phishing is a form of Social Engineering, done in the digital world. Social Engineering exploits a person’s gullibility. Think of it as when someone tricks you into doing something you normally wouldn’t do by pretending to be someone they’re not. It’s a clever disguise to make you believe them and convince you to share information or do things you shouldn’t. Just like a magician tricks your eyes, social engineers trick your trust. And this trick, this crime, happens online.

The Scary Reality of Phishing Sophistication

Hackers are using increasingly sophisticated tactics, including imitating real individuals and crafting fake social media profiles, to deceive victims into clicking on phishing links and revealing their usernames and passwords. The UK’s National Cyber Security Centre (NCSC), the cybersecurity division of GCHQ, has issued an alert highlighting these phishing attacks, which target both individuals and organizations across various industries.

The main objective of these phishing attacks is to trick victims into clicking on malicious links that direct them to fake but convincing-looking login pages. Once there, victims unknowingly share their login credentials, granting hackers access to their accounts. These compromised accounts are exploited directly or used to infiltrate other targets.

These attacks often copy well-known cloud software and collaboration tools, such as OneDrive and Google Drive. In one instance, attackers set up a fake Zoom call, during which they sent a malicious URL through the chat. They even created multiple personas in the phishing conversation to put on an appearance of legitimacy.

These spear-phishing campaigns begin with research, using publicly accessible profiles from social media and networking platforms to gather information about the targets, including personal and professional contacts. Attackers also establish fake profiles based on real individuals to enhance the authenticity of their approaches. Some methods may cite real events to seem credible.

Instances of Dangerous Phishing Campaigns

The campaigns originate from notorious cyber-attacker groups SEABORGIUM and TA453, as reported by the UK’s National Cyber Security Centre. Although distinct, these campaigns overlap in tactics due to their effectiveness in tricking individuals into falling victim to phishing attacks. A common feature is their targeting of personal email addresses, possibly to bypass cybersecurity measures on corporate accounts and networks.

The attackers use a patient approach, building rapport over time with their targets. They engage in email exchanges that seem normal initially, gradually progressing to links and attachments once trust is established. These attachments redirect victims to attacker-controlled servers where credentials are gathered.

NCSC Director of Operations, Paul Chichester, emphasized the continued ruthlessness of these campaigns and urged organizations and individuals to stay alert and follow mitigation advice.

AI: A “Friend” to Everyone

The success of AI tools is due to their ease of use. An individual doesn’t need to spend hours learning how to code to use an AI tool like Bard or ChatGPT. Simply entering a prompt or a question will make the AI tool generate a response. It is truly a “friendly” tool for everyone. Unfortunately, not everyone has clean or harmless intentions.

According to a recent report by Zscaler, phishing threats are on the rise, and cybercriminals are employing increasingly sophisticated techniques, making their attacks harder to detect and prevent.

The report highlights that a majority of modern phishing attacks heavily depend on stolen credentials. It also discusses the growing menace of Adversary-in-the-Middle (AitM) attacks. Additionally, the report stresses the escalating use of the InterPlanetary File System (IPFS) and phishing kits sourced from black markets, as well as AI tools like ChatGPT.

Deepen Desai, Global CISO and Head of Security at Zscaler, noted, “Phishing remains one of the most prevalent threat vectors cybercriminals utilize to breach global organizations. Year-over-year, we continue to see an increase in the number of phishing attacks which are becoming more sophisticated in nature.”

The Evolution of Phishing Due to AI

The use of new AI technology, such as ChatGPT, has made it easier for cybercriminals to create malicious code, engage in Business Email Compromise (BEC) attacks, and craft polymorphic malware, complicating victim identification.

Malicious actors have also adopted the InterPlanetary File System (IPFS) to host their phishing pages, presenting challenges in removing these pages due to the distributed nature of the network.

The report also highlights the rise of Adversary-in-the-Middle attacks, a method that gets around conventional multi-factor authentication techniques, and the evolution of vishing attacks where actual voice snippets of executives are used to dupe victims.

Impersonation of popular brands like Microsoft and Binance remains a successful tactic. The U.S. continues to be the most targeted country for phishing attacks, with substantial increases observed in Canada, the U.K., Russia, and Japan.

The education sector saw a significant rise in phishing campaigns, with the student loan repayment and debt relief application process likely a factor in the rise. The finance, insurance, government, and healthcare industries also witnessed a considerable surge in phishing attempts, while retail and wholesale sectors experienced declines.

Preparing Against Phishing Campaigns

The saying “An ounce of prevention is worth more than a pound of cure” continues to be relevant. In cybersecurity, prevention starts with preparedness: having all the necessary policies, procedures, and tools in place to protect against cyberattacks as well as to recover from them. There is currently no perfect cybersecurity system, but it is worth having an almost perfect system rather than having no system in place at all. At the same time, having an imperfect or bad cybersecurity system is like having no system at all.

Phishing attacks have surged by 61% since 2021, a trend worsened by the pandemic’s impact. These attacks, pushed further by increasingly sophisticated tactics, pose a serious threat even to well-prepared individuals and businesses. While some poorly executed phishing attempts may be easy to spot due to obvious errors, the real danger lies in the convincing nature of advanced phishing campaigns.

Hackers now devise complex schemes, imitating coworkers or replicating legitimate websites, which can include using voice-altering technology to impersonate colleagues or creating near-perfect replicas of trusted platforms. As such attacks become more complex, traditional defenses aren’t enough.

Even with diligent training, the inevitable human error remains a weakness. The pivotal element of most phishing campaigns is the malicious link. No matter how vigilant users are instructed to be, lapses occur. Therefore, to protect a company’s network effectively, acknowledging this reality and implementing an appropriate strategy is crucial.

The Value of “Zero Trust”

Common approaches like blacklisting certain websites or categories fall short against evolving phishing tactics. Hackers constantly create new avenues and imitate trustworthy sources, making such countermeasures ineffective.

A more promising strategy involves an “allow” list instead of a block list. In this proactive approach, the default assumption is that nothing on the internet is trustworthy, apart from explicitly approved URLs. A well-considered list of verified, low-risk sites becomes the only accessible content. Specialized tools can assist in assigning risk levels to services, ensuring a strict filtering process. This strategy, known as zero trust, shifts the network environment from unrestricted access to a controlled, secure framework.

By adopting this approach, even if users mistakenly click a phishing link, access to malicious sites is prevented. While phishing attacks remain inevitable and increasingly sophisticated, a proactive stance offers genuine protection against their scams.
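The default-deny allow list described above, sketched in Python as an added example; it is not code from the original article or from any vendor's product. The approved hosts, the lookalike URLs in the test cases and the function names are assumptions constructed for illustration. The check compares the parsed hostname rather than the raw string, so lookalike URLs that merely contain an approved name are still denied.

```python
from urllib.parse import urlsplit

# Assumed allow list for illustration; a real deployment maintains its own.
# A leading "." also approves subdomains; a bare name approves that host only.
ALLOWED_HOSTS = {"drive.google.com", ".zoom.us", "intranet.example.com"}
ALLOWED_SCHEMES = {"https"}


def normalize_host(url):
    """Return the lowercase ASCII host a client would connect to, or None."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname  # drops any "user:pass@" prefix and the port
    except ValueError:
        return None
    if parts.scheme not in ALLOWED_SCHEMES or not host:
        return None
    try:
        # IDNA-encode so a Unicode lookalike becomes its xn-- form and cannot
        # compare equal to an approved ASCII name.
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return None
    return host.rstrip(".").lower()


def is_allowed(url, allowed=ALLOWED_HOSTS):
    """Default deny: True only when the host matches an approved entry."""
    host = normalize_host(url)
    if host is None:
        return False
    for entry in allowed:
        if entry.startswith("."):
            # Match on a label boundary, so "fakezoom.us" does not pass.
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False
```

Anything that fails to parse, uses a scheme other than HTTPS, or is simply absent from the list is denied, which is the property that protects a user who clicks a link they should not have.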

Another key part of preparing against phishing attacks is to run phishing simulations from time to time. This helps assess the cyber resiliency of employees and keeps them constantly aware of phishing attacks, effectively increasing their chances of avoiding getting phished.

Facing the reality of a growing threat landscape, organizations must shift from reactive defense to proactive, tailored network protection to effectively defeat phishing attempts.

About IPV Network
Since 2016, IPV Network has been a trusted partner of leading enterprises in the Philippines. It brings the best-of-breed cybersecurity solutions. IPV Network helps businesses identify, protect, detect, respond, and recover from cyber threats.