LAS VEGAS -- Security awareness training has been a common tactic to prevent phishing attacks, but at least one security professional believes such training is doomed to fail.
In a Black Hat 2017 presentation titled "Ichthyology: Phishing as a Science," Karla Burnett, security engineer at mobile payment company Stripe, presented findings from her extensive phishing research within the company and argued that attacks have become so well-designed that it's virtually impossible for even educated users to distinguish legitimate email from today's spoofed messages. "It doesn't matter how technical you are," she said. "This applies to all of us. Everyone is vulnerable to this."
Burnett cited Daniel Kahneman's 2011 book Thinking, Fast and Slow, which describes two distinct modes of thinking in the human brain: System 1, which is fast, instinctive and often gullible, and System 2, which is slower, more methodical and deliberate. Burnett argued that with the volume of email people receive every day, it's not possible for users to apply System 2 thinking to every single email they receive.
"There just isn't the time for it in the day," she said. "And the problem we have with phishing training at the moment is that it's focused on training people to look at URLs or hover over links. But all of those things are System 2 methods of thinking, not System 1. Phishing training is only useful when someone is already suspicious of the email, not beforehand."
The presentation focused primarily on credential-based phishing attacks, which are designed to trick users into giving up their usernames and passwords with fake login requests. Burnett said that fraudulent sites used to harvest the credentials are often extremely convincing; attackers use what looks like a legitimate domain that's often hosted on HTTPS and is designed to look exactly like the vendor page it is copying.
Burnett said the phishing sites have gotten so effective that they include "trailouts" for users, such as redirects to the original site or follow-up messages confirming successful logins, to convince them even after they've entered their credentials that everything is normal. "Credential phishing is useless if someone realizes immediately after the fact [they've been phished] and rolls their credentials," she said.
Phishing research results
Burnett presented some campaigns and results from her internal phishing research at Stripe, which she said show how vulnerable even the most informed users are to such attacks. For example, she showed images of Slack notification email messages -- one of which was legitimate and one that was a phishing test -- that were nearly identical. But Burnett said there wasn't enough information for users to tell the difference unless they had a real Slack notification in front of them to compare the email messages to.
"People who know what they're doing fall for this stuff," she said.
But Burnett said the actual conversions for that campaign were low because she didn't use an HTTPS domain for the phishing site, so most users didn't give up their credentials. "People have been trained to look for the green lock [in web browsers]," she said. "But the green lock does not mean it is not phishing -- it means someone knows how to run Let's Encrypt."
Another campaign Burnett launched mimicked GitHub email messages; she copied a legitimate GitHub email into two fake messages: one was in plaintext, which GitHub uses for transactional messages, and the other was in HTML. Burnett said the campaign showed a 10% conversion rate for the plaintext email and close to 50% for the HTML email.
Burnett's phishing research also used analytics to track page opens, keystrokes and form submissions, which produced more troubling results. "The interesting thing we learned was that although we installed password managers on all of our employee machines, about half of them had typed in their passwords by hand," she said. "More concerning was about half of them had copied and pasted their passwords into the field. That means they were using a browser extension that tells them that the website is not legitimate and they said, 'Eh, it's probably not working, I'll just copy and paste my credentials in anyway.'"
And lastly, Burnett ran a campaign that tested the effectiveness of the company's phishing training using Amazon Web Services (AWS) email and domains. She set up a training session where she showed an AWS phishing page and then several months later used the same site to see how many people caught it. The phishing training emphasized checking URLs, especially long, complicated ones, and trusting password managers.
Yet, three months later, Burnett spoofed an email from the head of Stripe's security team and used a Gmail bug to bypass the Sender Policy Framework protection. The attack collected both primary account and two-factor authentication credentials for AWS and would have given attackers full access to the company's cloud servers. The results? Of the employees who opened the email, 40% clicked on the link, and two-thirds of those users entered their credentials, resulting in one out of four users being successfully phished.
"I sent this to every engineer in the company," she said. "It's pretty terrifying, right?"
The kicker, according to Burnett, was that two of the people who were successfully phished were co-workers who actually helped her build the campaign. While they didn't know what the email and link would look like exactly, she said, they both knew a phishing test was coming -- yet, they still fell for it.
Defending against phishing attacks
Common defense approaches like phishing training and two-factor authentication (2FA) aren't very effective, Burnett said. "Two-factor authentication, while it's valuable, is not actually designed to solve this problem," she said, arguing that SMS flaws and other workarounds make common 2FA measures vulnerable. "It's only incidentally making it a little harder."
So, what should be done? Burnett argued for more technical answers to the problem. For example, Stripe began using SSL client certificates for additional authentication tied to the domain that's requesting the credentials or factors for a successful login. "The server requests a certificate and the user's machine serves it up," she said. "They're kind of like cookies, but without all the downsides of cookies. They're not a single shared secret being passed around everywhere."
Burnett also highlighted Universal 2nd Factor (U2F), which was originally developed by Google and Yubico and is now managed by the FIDO Alliance. Burnett said U2F is like using an SSL client certificate, except it generates a specialized, one-time credential for each domain that requires authentication. So, rather than SSL certificates being reused and potentially leaked, U2F keys are constantly changing.
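The property that makes client certificates and U2F resist the credential phishing described above is that the credential is bound to the origin the browser is actually talking to, rather than being a shared secret the user can type into any page. The following simulation, added here as an illustration and not code from the talk or from Stripe, models that binding: the token keeps one key per registered origin, the browser (not the page) tells the token which origin it is on, and the relying party only accepts a response computed over its own origin. An HMAC stands in for the per-key ECDSA signature a real U2F token produces, and the origins and user name are constructed values.

```python
import hashlib
import hmac
import secrets

REAL_ORIGIN = "https://dashboard.example.com"    # constructed relying-party origin
PHISH_ORIGIN = "https://dashboard-example.com"   # constructed look-alike origin


class Authenticator:
    """Stand-in for a U2F token.

    A real token creates a fresh ECDSA key pair per registration and records
    the origin (app ID) alongside it; here an HMAC key plays that role.
    """

    def __init__(self):
        self._keys = {}  # key handle -> (origin, secret)

    def register(self, origin):
        key_handle = secrets.token_hex(8)
        secret = secrets.token_bytes(32)
        self._keys[key_handle] = (origin, secret)
        # In real U2F the relying party stores a public key; the HMAC key stands in for it.
        return key_handle, secret

    def sign(self, key_handle, origin, challenge):
        """Sign (origin, challenge); refuse a key handle registered for another origin.

        The browser supplies `origin` from the page's actual URL, so a phishing
        page cannot claim to be the real site.
        """
        entry = self._keys.get(key_handle)
        if entry is None or entry[0] != origin:
            return None
        message = origin.encode() + b"|" + challenge
        return hmac.new(entry[1], message, hashlib.sha256).digest()


class RelyingParty:
    """The real site: issues challenges and checks responses over its own origin."""

    def __init__(self, origin):
        self.origin = origin
        self._registrations = {}  # user -> (key handle, verification key)
        self._pending = {}        # user -> outstanding challenge

    def register(self, user, key_handle, verify_key):
        self._registrations[user] = (key_handle, verify_key)

    def new_challenge(self, user):
        challenge = secrets.token_bytes(32)
        self._pending[user] = challenge
        return self._registrations[user][0], challenge

    def verify(self, user, assertion):
        challenge = self._pending.pop(user, None)
        if challenge is None or assertion is None:
            return False
        _, verify_key = self._registrations[user]
        expected = hmac.new(verify_key, self.origin.encode() + b"|" + challenge,
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion)


def setup():
    token = Authenticator()
    rp = RelyingParty(REAL_ORIGIN)
    key_handle, verify_key = token.register(REAL_ORIGIN)
    rp.register("alice", key_handle, verify_key)
    return token, rp


def u2f_login_on_real_site():
    """User logs in on the genuine origin: the response verifies."""
    token, rp = setup()
    key_handle, challenge = rp.new_challenge("alice")
    assertion = token.sign(key_handle, REAL_ORIGIN, challenge)
    return rp.verify("alice", assertion)


def u2f_login_via_phishing_site():
    """A look-alike page relays the real site's challenge to the user.

    The browser reports PHISH_ORIGIN to the token, so the token refuses and the
    relay has nothing to forward; the real site rejects the login.
    """
    token, rp = setup()
    key_handle, challenge = rp.new_challenge("alice")
    assertion = token.sign(key_handle, PHISH_ORIGIN, challenge)
    return rp.verify("alice", assertion)


def password_login_via_phishing_site():
    """Contrast: a password carries no origin, so a captured one replays fine."""
    stored_hash = hashlib.sha256(b"correct horse").hexdigest()   # constructed
    captured = b"correct horse"   # typed into the look-alike page
    return hashlib.sha256(captured).hexdigest() == stored_hash


if __name__ == "__main__":
    print("real site, U2F:", u2f_login_on_real_site())
    print("phishing relay, U2F:", u2f_login_via_phishing_site())
    print("phishing relay, password:", password_login_via_phishing_site())
```

The simulation collapses two checks that a real deployment performs separately: the token only uses keys registered for the app ID the browser reports, and the relying party checks the origin recorded in the signed client data. Either one alone defeats the relay; together they are why a convincing look-alike domain, HTTPS lock and all, gains the attacker nothing.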
While companies like Google and Intel are supporting U2F, she said, not enough companies are using it yet. Burnett also noted that support for mobile applications is a work in progress. Still, she emphasized that enterprises need to explore emerging technology rather than rely on employee training.
"The underlying issue here is that any protection that relies on a human being making a reasonable decision is going to fail," Burnett said. "We need to find technical solutions to this problem rather than just say, 'We'll train people and everything will be fine.'"