Why is phishing still successful?
Authors: Bhardwaj, Akashdeep; Sapra, Varun; Kumar, Aman; Kumar, Naman; Arthi, S
Date: 2020-09-30
Journal: Computer Fraud & Security
DOI: 10.1016/s1361-3723(20)30098-1

In recent times, there has been a dramatic shift from bulk spam emails to targeted email phishing campaigns. Such attacks have started to cause huge brand, financial and operational damage to organisations globally. Phishing attacks involve a simple, straightforward masquerading methodology.[1] The aim is to lure and trick an unsuspecting victim in order to elicit as much information as possible, using SMS, email, WhatsApp and other messaging services, or phone calls that have been spoofed to appear as if they are from known, reliable friends or colleagues.[2]

There is a variety of ways to achieve continuous authentication, but primarily a network does so by persistently collecting information about an entity's behaviour. Login credentials might be good for the front gate, but other factors are required to continuously authenticate in a non-obtrusive manner. In many cases, data will be persistently collected as a user travels through a network. That could cover any number of factors: face or voice recognition, how a user types on a keyboard, or just an individual's normal network use. That data, collected over a series of sessions, days, weeks, months and even years, goes towards making a model of how that particular entity, user or device commonly uses the network. When that user's behaviour diverges from its normal pattern, the system will flag it as abnormal and perhaps prompt IT for further investigation, or temporarily quarantine the user to make sure that it is not a rogue threat.
If, for example, an IoT device is found to be collecting data it wouldn't otherwise, or users are making an access request for a large dataset that doesn't correspond to their job title or their normal use of IT, the activity can be investigated and, if necessary, shut down.

Zero trust isn't a collection of technologies. Zero trust is a mindset. It swings security's attention away from building high walls and refocuses it on an organisation's users, their devices, and the data, resources and applications they access. This means that enterprises can approach zero trust in a variety of ways.

One way that enterprises are looking at is the software defined perimeter (SDP). It can provide a central authority for policy enforcement and the authentication of users, devices and applications. Moreover, it can segment a network on a granular level, basing restriction or permission on an application-by-application, user-by-user or device-by-device basis. Before an entity can connect to the network it must first be authorised. No part of the infrastructure is revealed until the user has been properly authenticated. By making resources 'dark', SDP denies attackers the intelligence they could normally rely on, such as seeing their target's DNS, internal IP address or port information, and stops the lateral movement that attackers need to get closer to critical systems and data. Such an asset only adds to an already impressive array of security enhancements.

Zero trust promises much. It's secure access at its best: providing the access that an enterprise and its staff and users want, with the security that they need. Many are rightly anticipating the architectures that can bring that data protection, trust and continuous authentication. Most of the respondents to the 2019 survey will be embarking upon their own path to zero trust within the next year or so. Nearly half (41%) are considering SDP as a way to do that. With the right secure access choices, they'll get there.
The intent is to get the victims to click and log into cloned web portals such as company intranet or bank sites, and social networking sites such as Facebook, Instagram, Twitter or even Yahoo and Gmail.[3] Once the unsuspecting victims click on the URL sent by the attacker, they are directed to the attacker's fake site instead of the original. On trying to log in or submitting information on that website, victims provide the attacker with sensitive information. This can include user ID, email, password, address, mobile number, date of birth and payment card details, among other things.[4]

Cyber attackers have enhanced their methodologies to include personalised attacks. Targeting senior-level, high-value personnel such as the head of HR, C-level executives such as the CISO, CTO or CFO, or board members is an advanced form of phishing attack against individuals, known as whaling.[5] Spear-phishing attacks, on the other hand, target specific individuals within the organisation and are highly personalised.[6] Such individuals include finance team members, IT security team members or even new hires.
Apart from using cloned web portals, attackers also target two-factor authentication by cloning one-time passwords (OTPs), as well as creating fake QR codes which, if scanned by mobile phones, respond by offering huge discounts at restaurants, grocery stores or household service stores in return for an online payment, which obviously goes to the attacker's account. Such new-age phishing attacks are effective and difficult to detect, as the malicious email or message is convincing and impersonates a trusted source known to the target.

Although many organisations provide cyber awareness training for their staff, attackers are able to bypass human defences in various ways. This has to do with employee workloads and expectations, which have become ever greater and more complex. Because of this, employees, even experienced staff, make mistakes and can be deceived. No amount of training will be able to change this. Traditional email security systems are unable to detect such messages as spam and stop only the most basic phishing attacks. For cyber criminals, whaling and spear-phishing are the perfect means for performing a broad array of damaging attacks.

As per the latest phishing statistics from Security Boulevard, by mid-2020 the trends have become alarming, as phishing attacks have become highly creative, exploiting the Covid-19 global pandemic.[7] Although the overall number of phishing attacks is on the decline, it is important to look beyond the phishing statistics. Cyber attackers are not giving up. In fact, attackers keep coming up with new attack tactics, focusing on effectiveness, a higher success percentage and attack quality, instead of blasting out bulk phishing messages in the hope that one in 1,000 might work. This is the core difference between targeting victims with a laser-guided rifle and with a machine gun.
The authors classified phishing attacks based on new and upcoming tactics adopted by cyber attackers while luring victims and performing fraudulent activities to obtain personal and sensitive information. Tactical and social engineering techniques are detailed in Figure 1. Cyber criminals perform phishing activities for money, and to ensure that their scheme is effective and evades detection, they do not make rational or ethical decisions. To combat phishing, this research presents the phisher's mindset and methodology of attack.

The authors designed and developed a phishing toolkit using Kali Linux and Python. As shown in Figure 2, the attacker's toolkit has options to choose from, including using cloned social media sites, gathering two-factor authentication OTP codes or using a QR code, in the form of pre-designed templates. To generate the cloned, forged Twitter link, the authors set up a reverse tunnel using an Ngrok proxy on the attacker's command and control (C&C) server. This proxy application launches multiple virtual tunnels as local network services. These capture the network traffic for detailed inspection. This helps gather the victim's sensitive details, using one unique phishing method from three options to maximise success. If the attacker starts with the social media sites option, this is followed by options to choose between cloned Instagram, Facebook, Snapchat or Twitter sites, as illustrated in Figure 3. Assuming the attacker chooses the Twitter social media template (option 4), a reverse proxy server is started on the attacker's system. This generates a forged Twitter link and presents the spoofed social media website to the victim. In our attack, the forged link is https://e89e09404a68.ngrok.io, as shown in Figure 4. Trained and aware employees can detect this link as an incorrect URL or forged link. The motivation for this research is to increase phishing awareness and not actual phishing, so DNS spoofing is not applied here.
That would easily provide a legitimate link or one similar to those used by Twitter. The attacker disguises the Ngrok link as shown in Figure 5 and then sends it to the victim using social engineering attacks. When the disguised link is clicked, the attacker's command and control system starts to gather the victim's details. These include hostname, location, IP address, ISP, country and currency, as shown in Figure 6. The attacker's C&C server waits for the victim to log in and enter the email address and credentials on the forged Twitter login page. These details are also captured by the attacker's C&C server, as illustrated in Figure 7. These credentials are saved in the /sites/Twitter/Saved.IP.txt file for advanced future attacks such as identity spoofing and lateral movement on the victim's network and other systems. More victims can be trapped as and when they click the disguised link, as illustrated in Figure 8. The attacker has options to use enhanced phishing methods, a two-factor authentication attack to grab the victim's OTP or even lure the victim to send Paytm, Google or WhatsApp money by scanning a QR code, as illustrated in Figure 9.

Creating phishing awareness generally involves having end users attend a course and read documents related to 'good practices' and 'Dos & Don'ts'. However, it is human nature to forget and to focus on the micro task when going about daily chores. The authors reviewed over 300 phishing mails received by Gmail and Yahoo. The top 15 unique tactics and phishing features adopted by cyber attackers are presented in Table 1. The authors propose that IT security teams create anti-phishing rules to check and validate these phishing features. These can easily help detect and block phishing attacks.

Bio-wearables, body sensors, Internet of Things (IoT) devices and smart systems in our homes, offices and buildings have changed our lives for the better.
These devices have become an intrinsic part of our work and lives, found everywhere in our offices, houses, schools, vehicles, hospitals, manufacturing industries and even on our bodies. However, each IoT device communicates and connects via the insecure Internet, and this is a major concern when we consider the increasing development of smart cities, integrated with multiple automation systems, IoT devices and 'things' inside homes. Such 'things' include televisions, web cams, music systems, washing machines and air conditioners, among other devices, and all this adds up to an insecure environment. Every connected device increases the threat surface and the probability of an attack on our privacy. This is amplified further as these 'things on the Internet' are actually inside our houses, controlled and connected remotely by the user's smartphone or other systems. Malware deployed via phishing is capable of controlling these devices, which may well cause more harm than benefit. IoT devices and sensors usually collect data and are mostly connected to various networks and the Internet. This leads to an individual's personally identifiable information (PII), location and voice being stored in these devices. This PII can range from personal details such as name, age, location and email password credentials to health data. Thus for any cyber attacker there are easy, low-hanging assets with valuable information, making any individual, not just high-value executives, a potential target.

Phishing attacks are the number one threat vector against untrained and unaware employees. Cyber attackers continue to evolve malicious attacks that are becoming difficult to differentiate from real emails and authentic communication. Cyber attackers carrying out phishing attacks, whaling or spear-phishing are difficult to track. Only by increasing employee awareness and proper training can we hope to add proactive mechanisms to detect and block phishing.
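As an added example (not the authors' toolkit or any code from the article), the following Python checker applies three defender-side rules drawn from the features described above: links to tunnel-service hosts like the forged ngrok.io URL, links whose visible text is a URL on a different host (the disguised link), and brand names used outside the brand's own domain. The sample email and the rule names are constructed here; Table 1's fifteen features are not reproduced.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TUNNEL_SUFFIXES = (".ngrok.io",)  # tunnel/reverse-proxy hosts; extend as needed
BRAND_DOMAINS = {"twitter": "twitter.com", "facebook": "facebook.com", "instagram": "instagram.com"}

class LinkCollector(HTMLParser):
    # Collects (href, visible text) pairs for every <a> element in the body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def owned_by(host, domain):
    return host == domain or host.endswith("." + domain)  # the domain itself or a subdomain

def check_link(href, text):
    """Return the rules a single link violates ([] means the link looks clean)."""
    host = (urlparse(href).hostname or "").lower()
    findings = []
    if host.endswith(TUNNEL_SUFFIXES):
        findings.append("tunnel-service host")
    # Disguised link: the visible text is itself a URL on a different host.
    shown = re.search(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", text.lower())
    if shown and not owned_by(host, shown.group(1)) and not owned_by(shown.group(1), host):
        findings.append("display text names a different host")
    # A brand named in the host or the text while the host is outside the brand's domain.
    for brand, domain in BRAND_DOMAINS.items():
        if (brand in host or brand in text.lower()) and not owned_by(host, domain):
            findings.append(f"'{brand}' used outside {domain}")
    return findings

def scan_email(html):
    """Map each suspicious link in the email body to the rules it violates."""
    collector = LinkCollector()
    collector.feed(html)
    return {href: f for href, text in collector.links if (f := check_link(href, text))}

# Constructed sample: a disguised tunnel link modelled on the article's forged ngrok link, plus a legitimate one.
SAMPLE_EMAIL = """<p>Your account was flagged. Verify at
<a href="https://e89e09404a68.ngrok.io/login">https://twitter.com/login</a></p>
<p>Or read <a href="https://help.twitter.com/">Twitter Help</a>.</p>"""
```

Running `scan_email(SAMPLE_EMAIL)` reports only the ngrok link, with all three rules triggered; the help.twitter.com link passes because it is a subdomain the brand owns.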
The innovative and increasing use of the Internet of Things (IoT), wearable devices and smart cities has also presented huge opportunities to cyber criminals. It has become imperative to balance the use of the insecure Internet in our daily lives with new-age devices if we are to communicate securely with others and realise the benefits of these technologies without being exploited by phishing attacks.

'What is a phishing attack?' Imperva.
'What is phishing? Phishing attacks and prevention explored'. Forcepoint.
'14 real world phishing examples & how to recognise them'. CSO.
'What is a whaling attack?'
'What is spear-phishing? Why targeted email attacks are so difficult to stop'. CSO.
'21 Phishing Statistics: The 29 latest phishing stats to know in 2020'.
'2020 Data Breach Investigations Report'. Verizon.
'The 3Ts of Email Attacks: Tactics, Techniques, Targets'. FireEye.