Month: March 2023

Increase in Adversary-in-the-Middle Phishing Attacks That Allow MFA to be Bypassed

Security experts have long recommended that multi-factor authentication be implemented to protect against phishing attacks, and for good reason. Single-factor authentication – a password – provides a degree of protection against unauthorized account access; however, with modern GPUs, it is possible to automate brute force attempts to guess passwords, and many passwords can be cracked quickly, especially if they are weak. Phishing attempts seek access to credentials, and if a user discloses their password on a phishing site and the password is the only form of authentication required, the attacker will be able to gain access to the account.

Multi-factor authentication requires an additional form of authentication before account access is provided. If a password is guessed in a brute force attack or compromised in a phishing attack, access to the account will not be granted unless the additional form of authentication is also provided. Multi-factor authentication therefore greatly improves security, and more and more businesses are heeding the security advice and adding multi-factor authentication to their accounts. It would be a mistake, however, to believe that multi-factor authentication is infallible. It is possible to bypass this security safeguard, and threat actors are increasingly using a phishing kit that allows them to access MFA-protected accounts. The phishing kit allows a threat actor to conduct an adversary-in-the-middle attack and get around multi-factor authentication.

The attack starts like any other phishing attempt, with initial contact made via email (or text message). The communication contains a ruse to get the user to click a link, such as a message indicating a contact has shared a file. The link directs the recipient to a website hosting the phishing kit, and to view the shared document they are required to enter their credentials. If the credentials are entered, they are captured as they would be in any phishing campaign, but if multi-factor authentication is in place, account access would normally be prevented. With this phishing kit, however, multi-factor authentication is bypassed.

This is because the phishing kit acts as a proxy between the user and the legitimate service. The phishing kit will log in to the legitimate account using the credentials provided via the phishing site, and the legitimate site will send the MFA request which is relayed to the user. The user then authenticates and the legitimate site returns a session cookie as the MFA check has been passed, and the session cookie is then used by the attacker to access the service as the legitimate user. Access will remain possible for as long as the session cookie remains active.

This month, Microsoft’s Threat Intelligence Team reported that one such phishing kit is being offered by a threat actor it tracks as DEV-1101. The threat actor started offering the kit on hacking forums for just $100 a month as a licensing fee in the summer of 2022, but the huge popularity has seen the price increase to $300 a month, or $1,000 a month for a VIP license. Since the kit allows MFA to be bypassed, it is a small price for a threat actor to pay to guarantee their phishing attempts will be successful. There have been many takers, and the phishing kit has been used for high-volume campaigns that see millions of phishing emails sent each day. One of the campaigns involved more than a million messages in a single campaign.

While MFA can be bypassed, that does not mean it shouldn’t be implemented. MFA is still an important security control that will block many unauthorized attempts to access accounts. Businesses should also enforce conditional access policies such as whitelisting IP addresses, only permitting compliant devices to log in, and setting up and enforcing geographical restrictions. All sign-in requests should be evaluated, and access should be continuously monitored for suspicious activity. Advanced anti-phishing measures should be implemented to block the initial phishing email and prevent the click. A web filter is recommended to control the websites that can be accessed by employees, and end-user training is important to help employees identify phishing attempts.
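The proxy attack described above leaves a trace a defender can look for: MFA is completed from the victim's network, and the session cookie is then presented from the attacker's infrastructure. The following added example (not TitanHQ or Microsoft code) evaluates sign-in and session-use events against a hypothetical conditional access policy and flags session tokens replayed from a different IP than the MFA-backed sign-in that issued them; the event format, field names, policy values and sample events are all assumptions constructed for the illustration.

```python
from ipaddress import ip_address, ip_network

# Hypothetical conditional-access policy (assumed values, not a product config).
POLICY = {
    "allowed_networks": [ip_network("203.0.113.0/24")],  # corporate egress range
    "allowed_countries": {"US"},
    "require_compliant_device": True,
}

# Constructed sample events: alice passes MFA from the office, then the session
# cookie issued for that login is presented from another network; bob is normal.
SAMPLE_EVENTS = [
    {"type": "signin", "user": "alice", "ip": "203.0.113.10", "country": "US",
     "mfa": True, "compliant_device": True, "session": "s-1"},
    {"type": "session_use", "user": "alice", "ip": "198.51.100.7", "country": "NL",
     "compliant_device": False, "session": "s-1"},
    {"type": "signin", "user": "bob", "ip": "203.0.113.11", "country": "US",
     "mfa": True, "compliant_device": True, "session": "s-2"},
    {"type": "session_use", "user": "bob", "ip": "203.0.113.11", "country": "US",
     "compliant_device": True, "session": "s-2"},
]


def policy_violations(event, policy=POLICY):
    """Return the conditional-access rules an event breaks (empty list = compliant)."""
    violations = []
    addr = ip_address(event["ip"])
    if not any(addr in net for net in policy["allowed_networks"]):
        violations.append("ip_not_allowlisted")
    if event["country"] not in policy["allowed_countries"]:
        violations.append("country_not_allowed")
    if policy["require_compliant_device"] and not event.get("compliant_device"):
        violations.append("device_not_compliant")
    return violations


def detect_session_replay(events):
    """Flag session tokens presented from a different IP than the MFA sign-in that issued them."""
    issued_from = {}  # session id -> IP that completed the MFA-backed sign-in
    alerts = []
    for ev in events:
        if ev["type"] == "signin" and ev.get("mfa"):
            issued_from[ev["session"]] = ev["ip"]
        elif ev["type"] == "session_use":
            mfa_ip = issued_from.get(ev["session"])
            if mfa_ip and mfa_ip != ev["ip"]:
                alerts.append({"user": ev["user"], "session": ev["session"],
                               "mfa_ip": mfa_ip, "replay_ip": ev["ip"],
                               "violations": policy_violations(ev)})
    return alerts
```

In a real deployment the comparison would be made on the identity provider's sign-in and non-interactive session logs rather than a hand-built list, and a change of ASN or device posture mid-session is as useful a signal as a change of IP.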

TitanHQ can help protect against these attacks through SpamTitan Email Security, WebTitan Web Filtering, and SafeTitan Security Awareness Training. All three solutions are available on a free trial to allow businesses to evaluate the solutions in their own environments before deciding on a purchase. For further information give the TitanHQ team a call.

Are Your Employees Mistaking HTTPS for a Secure Website?

There has been a marked increase in phishing attacks that share a link to a malicious HTTPS URL rather than a standard HTTP site. There is a major difference between HTTP and HTTPS: the latter is much more secure. An HTTPS website uses Transport Layer Security (TLS) to encrypt HTTP requests and responses and also digitally sign those requests and responses, whereas an HTTP site sends its hypertext in plain text, which is not encrypted.

When a user visits an HTTP site, any information disclosed on that site can be intercepted and viewed. So if credit card details are supplied for a purchase, they could be intercepted by someone other than the website owner. With HTTPS sites, which use Hypertext Transfer Protocol Secure, the connection between the browser and the website is encrypted, so intercepted traffic cannot be read by a third party. When a site uses HTTPS, a padlock icon is shown in the browser, indicating to the user that the connection is secure.

Adoption of HTTPS has been growing and public awareness of the importance of only disclosing sensitive information if the site starts with HTTPS has been growing, but while HTTPS prevents the interception of data in transit and indicates the connection is secure, that does not mean that the site is safe. A cybercriminal cannot intercept data on an HTTPS site, but if they are hosting phishing content on an HTTPS site, they will be able to capture data as it is entered.

The problem is that many Internet users understand the need to have that padlock and they even check that the site starts with HTTPS, but they mistakenly believe the site is safe when that is not necessarily the case. Cybercriminals take advantage of this.

Domain registrars and certificate authorities have controls in place to prevent SSL/TLS certificates from being issued for malicious websites, but those controls are often bypassed. Attacks are also conducted on legitimate HTTPS sites, and once access is gained, phishing content is uploaded and the sites are used for phishing attacks without the owners being aware. The vast majority of phishing websites now use HTTPS, so HTTPS is most definitely not an indication of safe browsing. That should be covered in security awareness training to help dispel the myth that HTTPS means a site is safe.

Key Elements of Phishing Defense

So how can businesses protect against phishing? Four main anti-phishing controls should be considered, three of which are technical controls. First, there is a spam filtering solution, which will scan all inbound emails and look for signs of phishing, including malicious links to phishing content that have been embedded in the emails. For the best protection, you should consider SpamTitan Plus, which has the fastest detection rates of malicious URLs thanks to the inclusion of all major phishing feeds and AI-based detection for identifying zero-day attacks. Fewer phishing emails in inboxes means fewer opportunities for employees to click.

The second main technical control is a web filter. A web filter – such as WebTitan – is used to carefully control what sites a user can visit. When a URL is identified as malicious, the web filter is updated and any attempt to click that URL will see the connection to the URL refused. Web filters are also used to control the categories of content that can be accessed to provide even greater protection. With policies in place, Internet access is restricted to those websites that are vital for business operations.

The last main technical control is 2-factor or multi-factor authentication. Phishing attempts usually seek credentials, and if credentials are compromised they can be used to access an account. 2-factor and multi-factor authentication protect against unauthorized access by requiring a password and an additional form of authentication before access to the account will be granted. A password may be obtained in a phishing attack, but 2FA or MFA acts as an additional layer of protection to prevent the password from granting access to the account.

The final measure that businesses should use is security awareness training for all members of the workforce. The workforce should be trained on security best practices and the red flags to look for in emails, text messages, and other communications. When employees are trained to recognize threats, they can avoid them when a threat is encountered. SafeTitan can be used by businesses to easily create security awareness training courses for the entire workforce, customized to be relevant to each employee. The platform also includes phishing simulations to improve security awareness and identify individuals who have gaps in their knowledge, so that further training can be provided.

If you have a security program with all four of these elements, your business will be well protected against phishing attacks. Speak with TitanHQ for more information and to register for a free trial of one or all of these solutions.