Coming together to tackle phishing for the greater good

Phishing is one of the oldest cyber attack techniques, dating back to the 1990s. Even today, this technique continues to evolve as scammers come up with new and sophisticated ways to steal user data from their victims. Nowadays, 91% of all cyber attacks begin with a phishing email.

A new phishing method that’s been on the rise lately is the “question quiz” attack campaign. Recently, Akamai tracked an orchestrated attack campaign comprising more than 9,000 domains and subdomains, mainly targeting victims located in China. The scam abused more than 15 high-profile and trusted brands in ecommerce, travel, and food & beverage. By using well-known brand names, the threat actors attempted to lure victims into participating in a quiz that, once completed, would result in winning an attractive prize. To claim these prizes, the victims are directed to answer a few questions that require sensitive and personal information, and most of these victims are more than willing to comply without a second thought.

There’s no sign of these relentless phishing attacks slowing down. According to Akamai’s State of the Internet / Security report 2021, there were 69,566 attacks from phishing kits in the first 12 days of February 2021.

So the question that remains is: are we doomed to continue battling phishing forever? We don’t think so.

Akamai believes that if security vendors and infosec providers can band together, we can surely turn the tide against phishing.

Collaboration as an industry is key

Although the competition between security and web performance providers can be fierce, we have a role to play for the greater good of the InfoSec community — combining forces to disrupt threat actors conducting criminal campaigns across the global internet.

For example, Akamai’s Threat Research team observed features in the “question quiz” phishing toolkit that enabled targeting specific victims, anti-detection techniques, and the ability to easily distribute attacks throughout social networks — reaching more potential victims. These features were all intended to make the phishing attack as effective as possible.

Akamai highly suspects that the campaign’s origins were limited and that the usage of CDN features amplified, fortified, and scaled the attack. Registration of domain and subdomain names, management and availability of those domains, and the shielding of origin IP addresses are examples of CDN features the attackers leveraged to make the campaign more effective. Once details became clear, Akamai threat researchers worked proactively with the security team of the abused CDN vendor to help mitigate the scam.

Fighting phishing from all quarters

The responsibility of staying safe against phishing risks does not fall entirely onto infosec providers. Enterprises and consumers too must play a role in staying vigilant to combat these cyber attacks.

Enterprises can fight against phishing by adopting phish-proof security through multi-factor authentication (MFA). If an account is protected by MFA, the attacker won’t be able to access it because a phishing email won’t provide the other authentication factors, such as one-time passwords (OTPs) sent to a different device (e.g., a mobile phone), required to gain access to the system.

Akamai recently launched Akamai MFA, a phish-proof solution designed to enable enterprises to quickly deploy FIDO2 MFA without the need to deploy and manage hardware security keys. It uses a smartphone application that transforms existing smartphones into a hardware security key to deliver a frictionless user experience.
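Why FIDO2 resists phishing, shown as an added example (not Akamai's code and not part of the original article): the browser, not the web page, writes the origin into the signed client data, so a relying party that checks it rejects a login relayed through a look-alike domain. The origin `https://login.example.com`, the look-alike host, and the function names are assumptions for illustration.

```python
import base64
import hmac
import json

# Assumed relying-party origin (hypothetical, for illustration only).
EXPECTED_ORIGIN = "https://login.example.com"


def b64url_decode(text):
    """Decode unpadded base64url, the encoding WebAuthn uses for challenges."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def check_client_data(client_data_json, issued_challenge,
                      expected_origin=EXPECTED_ORIGIN):
    """Relying-party checks on clientDataJSON for a login (assertion).

    Returns (accepted, reason). Verifying the authenticator's signature over
    authenticatorData and the hash of clientDataJSON is a separate step that
    is not shown; that signature is what stops a relay from rewriting "origin".
    """
    try:
        data = json.loads(client_data_json.decode("utf-8"))
        challenge = b64url_decode(data["challenge"])
    except (UnicodeDecodeError, ValueError, KeyError, TypeError):
        return False, "malformed clientDataJSON"
    if data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    # The challenge must be the one this server issued for this session.
    if not hmac.compare_digest(challenge, issued_challenge):
        return False, "challenge mismatch"
    # Exact string match: a host that merely contains the brand name fails.
    if data.get("origin") != expected_origin:
        return False, "origin mismatch"
    return True, "ok"


def sample_client_data(origin, challenge):
    """Constructed sample of the client data a browser would produce."""
    return json.dumps({
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": origin,
        "crossOrigin": False,
    }).encode("utf-8")
```
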

MFA is a key component to achieving Zero Trust. It adds a layer of security to access a network, application or database by requiring additional factors to prove the identity of users. Enterprises should consider transitioning to a Zero Trust approach. Zero Trust can increase the speed of threat detection and remediation and reduce the impact of data breaches, making it more difficult for cybercriminals to make money. Additionally, enterprises can consider microsegmentation to create zones in data centers and cloud environments and isolate workloads from one another, securing them individually. This allows system administrators to create policies that limit network traffic between workloads based on a Zero Trust approach.

Consumers, on the other hand, can educate themselves on the latest phishing tricks and techniques. Simply being armed with this knowledge allows consumers to avoid falling prey to phishing scams, which in turn discourages cybercriminals from continuing with their phishing attempts. A study conducted by the FINRA Investor Education Foundation and the Center for Economic and Social Research found that by being constantly exposed to fraud awareness education, consumers can successfully reduce their susceptibility to investment scams. Likewise, with constant education on such scams, consumers will be less likely to be tricked by phishing campaigns.

Fighting phishing together

The internet is the conduit powering global connections across both our personal and professional lives. As fraud continues to accelerate at an alarming pace, our security systems need to improve alongside it. Collaboration between infosec providers, a Zero Trust approach, and proper education all play a part in the universal fight against phishing attacks. Abuse of service providers by threat actors to execute more resilient, trustworthy, and evasive attack campaigns is not new to the threat landscape. As long as we remain vigilant, build our platforms with security in mind, and collaborate as an industry, we will be able to make the internet a safer place for all.