Fraud isn't new, but the internet has provided hackers with the capabilities to easily use the threat vector to trick employees into providing access to their enterprises.
Cyberfraud attacks, often distributed via phishing or spear-phishing campaigns, consistently plague and sometimes even completely disable enterprises. Despite the growing number of technologies available to detect and prevent such social engineering attacks from being successful, the weakest link remains human error -- be it negligence, maliciousness or apathy.
Here, Institute of Electrical and Electronics Engineers member Kayne McGladrey describes the types of cyberfraud attacks enterprises will inevitably face, from credential harvesting to typosquatting attacks. He also offers best practices for creating and instituting a cybersecurity awareness program to prevent employees from falling victim to such threats.
What are the top types of cyberfraud plaguing enterprises today?
Kayne McGladrey: Credential harvesting via simulated login pages remains a popular option, but OAuth [Open Authorization] token-based attacks are becoming commoditized. OAuth attacks are, unfortunately, harder to explain to end users, as the attacks use legitimate URLs and will work with multifactor authentication.
Why are these attacks still so successful and such a major challenge?
McGladrey: Fake login pages have remained successful as users have increased their use of mobile devices for corporate email. It's very difficult to identify a phishing link when clicking on a link on a mobile phone, and threat actors have coupled that with sending urgent-sounding emails at specific times, like before lunch on a Monday or after working hours on a Friday. The user is distracted or in a hurry. His defenses are down, making the attack more likely to succeed.
OAuth attacks have been ramping up as maturing organizations have emphasized awareness of phishing. These attacks use valid SSL certificates and valid URLs, which are frequently taught during phishing education for employees. Unfortunately, OAuth attacks then authorize a third-party application to access the employee's email, calendar or files, giving the threat actor considerable latitude. These remain successful as organizations are not actively threat hunting for this type of permissions abuse by third-party applications.
What tried-and-true types of cyberfraud attacks are malicious actors using?
McGladrey: Cloning websites remains a popular option for threat actors, combined with homograph or typosquatting attacks. The reason threat actors clone corporate and other websites is to provide a realistic-looking user experience as part of the attack, including matching fonts, spacing, images and other visual clues that indicate that it's a legitimate website.
Homograph and typosquatting attacks continue to exist, as it's very expensive and time-consuming for an organization to purchase and maintain every permutation of its domain name across the rapidly expanding number of domain registrars. By comparison, it's very cheap -- sometimes free -- for a threat actor to purchase a domain; in some cases, domain registrars give refunds after seven days.
Why is the human still the weakest link despite all our cybersecurity knowledge and resources?
McGladrey: Threat actors have mortgages, car loan payments and child care expenses. They have annual performance reviews and work on projects, and many of them work regular hours in offices. Threat actors are rewarded on their innovation; unfortunately, their incentive structure is based around tricking other people into doing things that they might not otherwise do.
The challenge is that threat actors spend most of their working hours thinking up new ways to fool people. Cybersecurity defenders spend their working hours developing programs and tools to protect people. But average people -- students, families, employees, retirees -- don't think much about this at all, other than a vague worry that their personal or business data is going to be breached and that they are powerless to stop it. But that's a minor concern compared to child care, mortgage or rent payments, having enough for retirement or about getting a good performance review at the office.
Speaking of knowledge, how can companies better educate their employees to prevent these types of cyberfraud attacks?
McGladrey: Persistent engagement coupled with short training is key. Threat actors are already providing real-world engagement, but they don't provide end-user training. Companies should conduct realistic phishing and spear-phishing tests with their employees using the same techniques as threat actors and should encourage or reward employees who report suspected phishing emails for analysis. This reporting process gives defenders valuable insight into the continuous evolution of targeted and commodity attacks and can be used to reactively update protection mechanisms.
What advice do you have to build and implement an enterprise security awareness program?
McGladrey: In addition to using a formal framework, such as the Center for Internet Security Control 17, consider allowing end users to test out of training. By providing monthly 10-question quizzes and then only providing video-based or document-based training to people who need additional help on that topic, organizations can reduce the criticism of 'having to take training for training's sake.' Most employees genuinely don't want to watch the five-minute cybersecurity training video of the month, no matter how funny, well-produced or interesting that video might seem to a CISO. Using quizzes also allows organizations to show measurable progress on learning objectives for compliance purposes.