Protecting Users Against Themselves: Proper Security Blocks Latest Phishing Attacks
Social engineering, and phishing in particular, has been around for as long as attackers have wanted unauthorized access to a restricted resource. Whether it is law enforcement attempting to foil a terrorist plot, cybercriminals breaking into bank accounts for financial gain, or a jealous lover trying to read a partner's private messages, the one constant across these scenarios is that one party holds the data and another party wants it. Attacks never get better; they only get worse. As e-mail filters and security products become more capable of spotting and blocking phishing, attackers keep coming up with new ways to steal user credentials and data.
Every Tuesday, I open my T-Mobile Tuesday app, an application developed by the mobile carrier to deliver weekly rewards to subscribers. This past Tuesday, my loyalty to my wireless carrier was rewarded with a PDF ebook copy of a slow cooker cookbook. If nothing else, the bandwidth used to download the cookbook was well worth it to see a picture of T-Mobile CEO John Legere in full cooking regalia. To my surprise, the web address hosting the ebook ended in "windows.net." After giving it some thought, it made sense if T-Mobile was using Microsoft Azure to deliver the ebook. However, attackers are exploiting the same fact, that Azure-hosted content lives under "windows.net," to trick users into disclosing their login credentials.
Phishing attacks are becoming more sophisticated, and hosting the phishing page on Azure turns two lessons security practitioners have drilled into users for years against them. The first is the URL. The page sits on a Microsoft-owned domain such as blob.core.windows.net (Azure Blob Storage) or azurewebsites.net (Azure App Service), so a filter that only checks the DNS name or the reputation of the parent domain sees a long-established Microsoft domain and lets the request through, and a user who has been taught to look for "Microsoft" or "Windows" in the address bar before entering credentials sees exactly that. The second is the certificate. The page is served over HTTPS with a valid certificate issued for the Microsoft storage domain, so the padlock is genuine. Few users will go as far as inspecting the certificate of an Office 365 login page, but many phishing filters and security products do use the issuer and validity of the certificate as a reputation signal, and here that signal points to Microsoft rather than to the attacker.
A recent campaign uses Azure as its hosting platform and adds social engineering to push the victim to click the phishing link and enter Office 365 credentials. The victim receives an e-mail spoofed to come from Microsoft, stating that a large number of files are being deleted from his or her OneDrive account and asking the user to click a link to verify the activity. The urgency of the message may cause users to panic, set aside their security awareness training, and click the link to stop further deletion. Security practitioners often make the mistake of confusing security awareness with security behavior. In annual awareness training, asked "Should you click on links that come from an external source?", most users pass the test and answer "NO." In practice, social engineering and well-crafted phishing can make users forget everything they have been taught. Security teams can teach users to practice safe behavior, and under the right conditions users will; what teams often overlook is human nature, where users try to get things done as quickly and efficiently as possible. With organizations asking employees to do more with less, a user is far more likely to click the link in the e-mail to find out about the supposed warning than to open a new browser tab, log into OneDrive directly, and see that no such alert exists.
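The gap described above, between what a domain-reputation check sees and what the user is actually served, can be shown with a small triage script. This is an added example, not code from the original post or from any vendor product; the storage-account names, the lure e-mail and the benign e-mail are constructed, and it assumes that the only hosts on which a Microsoft credential prompt is legitimate are login.microsoftonline.com and login.live.com.

```python
"""Flag credential-phishing links that hide behind trusted cloud-hosting domains.

Added example, not code from the original post. Assumptions: the only hosts on
which a Microsoft credential prompt is legitimate are login.microsoftonline.com
and login.live.com; the storage-account names and e-mails below are constructed.
"""
import re
from urllib.parse import urlparse

# Microsoft-owned suffixes under which any tenant can publish arbitrary content.
SHARED_HOSTING_SUFFIXES = (
    ".blob.core.windows.net",   # Azure Blob Storage
    ".web.core.windows.net",    # Azure Storage static websites
    ".azurewebsites.net",       # Azure App Service
)
# Hosts where a user should expect to type Microsoft credentials (assumption).
LEGIT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}
# Path and file-name fragments typical of a credential lure on a shared host.
LURE_TERMS = ("login", "signin", "sign-in", "office365", "o365", "onedrive",
              "sharepoint", "outlook", "verify", "password")

URL_RE = re.compile(r"https?://[^\s<>\"']+")
SEVERITY = {"ok": 0, "unknown-host": 1, "tenant-content": 2, "phish-suspect": 3}


def naive_reputation_key(url):
    """What a filter that scores only the registrable domain sees: the last two labels."""
    host = (urlparse(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def classify_url(url):
    """Score the full URL (exact host, then path) instead of parent-domain reputation."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    path = f"{p.path}?{p.query}".lower()
    if host in LEGIT_LOGIN_HOSTS:
        return "ok"
    if host.endswith(SHARED_HOSTING_SUFFIXES):
        # Parent-domain reputation belongs to Microsoft; the content belongs to the tenant.
        if any(term in path for term in LURE_TERMS):
            return "phish-suspect"
        return "tenant-content"
    return "unknown-host"


def triage_email(text):
    """Return (worst verdict, [(url, verdict), ...]) over every link in an e-mail body."""
    verdicts = [(u, classify_url(u)) for u in URL_RE.findall(text)]
    worst = max((v for _, v in verdicts), key=SEVERITY.get, default="ok")
    return worst, verdicts


# Constructed lure modelled on the OneDrive "files are being deleted" campaign.
SAMPLE_LURE = """From: Microsoft OneDrive <no-reply@onedrive-alerts.example>
Subject: 142 files are being deleted from your OneDrive

A large number of files are being removed from your account.
Verify this activity now to stop further deletion:
https://contoso-files.blob.core.windows.net/verify/office365-login.html
"""

# Constructed benign mail: a PDF delivered from the same kind of storage account.
SAMPLE_BENIGN = """From: Rewards <rewards@carrier.example>
Subject: Your free cookbook

Download: https://carrier-rewards.blob.core.windows.net/ebooks/slow-cooker-cookbook.pdf
Sign in at https://login.microsoftonline.com/common/oauth2/authorize to manage files.
"""

if __name__ == "__main__":
    for mail in (SAMPLE_LURE, SAMPLE_BENIGN):
        worst, detail = triage_email(mail)
        print(worst)
        for url, verdict in detail:
            print(f"  {verdict:14} key={naive_reputation_key(url):14} {url}")
```

Run as a script, both the lure and the cookbook link reduce to the same key, windows.net, under naive_reputation_key, which is exactly why a filter keyed on domain reputation cannot separate them. classify_url separates them only because it looks at the exact host and the path. The keyword list is a coarse heuristic; a production filter would pair it with inspection of the fetched page (a form posting credentials from a storage account is the real tell), which is the TLS inspection point made later in the post.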
An interesting question was posed to security researchers last month: should repeatedly failing internal phishing tests be a fireable offense? There are documented cases of organizations doing this, but most security experts disagree with the policy. Trying to trap employees into losing their jobs demotivates them and turns them against the security team. A user who falls for a phishing link is far more inclined to report it to the security team when he or she knows that doing so will not get them fired. If falling for a phishing attack were a fireable offense, that same user might stay quiet and hope to sail under the radar, leaving the security team with no chance to respond.
When human behavior trumps security awareness, proper security controls are needed to compensate. Protecting users no matter where they are, on the corporate network, at a hotel, in a coffee shop, or at home, is essential so that no gap remains for a sophisticated attacker to exploit. With a reported 400% increase in phishing attacks delivered over SSL/TLS-encrypted connections, it becomes essential to inspect this traffic for malicious content rather than trusting the padlock. Security is everyone's responsibility, and working with users and enabling them to act as extensions of the security team is the only way to fight these attacks effectively.
Speaking of slow cooking, I leave you with my world famous slow cooker lasagna recipe:
1 lb Ground beef or sausage, or a combo of both, browned
½ Chopped onion
4 to 5 Cups spaghetti sauce (sometimes people substitute a large jar of tomato sauce and a 15 oz. can of petite diced tomatoes with basil and garlic)
24 oz Cottage cheese or use less cottage cheese and add other cheeses if desired (I personally use provolone)
8-10 No-boil lasagna noodles (I use Barilla)
2-3 Cups mozzarella cheese
1. Brown onion and beef
2. Combine egg and cottage cheese
3. Layer half of the beef mixture, the dry noodles, the cottage cheese mixture and the mozzarella cheese in the slow cooker. Repeat layers.
4. Cover and cook on high 4 hours or low 6 to 7 hours.