
Black Hat 2017: Researcher shows how phishing scams are getting so good they can even trick techies

Filip TRUȚĂ

July 28, 2017


Security experts agree that a sure-fire way to get your data compromised is to not train your staff in cybersecurity. However, as one researcher showed at Black Hat 2017, even solid training may not thwart the newest phishing scams.

We also need hardcoded solutions against today's email and website spoofing, according to Karla Burnett, security engineer at mobile payment company Stripe.

In a Black Hat presentation titled “Ichthyology,” Burnett demonstrated how even her colleagues – who helped her set up rigged sites as part of a test – fell victim to their own phishing experiment.

How? The answer to this question, Burnett believes, can be found in Daniel Kahneman’s book “Thinking, Fast and Slow.” The book explains how the human brain uses two modes of thinking when faced with decisions: System 1 is instinctive, and System 2 is more methodical and calculated.

Burnett argues that with the huge influx of emails to our inboxes every day, it's impossible to apply System 2 to every single message. Couple this with the fact that phishing sites now include "trailouts" (redirects to the original site they are impersonating once the credentials have been captured) and you can trick even technical users into handing over their credentials.

“People who know what they’re doing fall for this stuff,” she said.

While two-factor authentication (2FA) is good, it does little to protect users against phishing, according to the researcher. SMS is just one example of a flawed second factor that renders 2FA nearly useless in a phishing attack, because the code a user types can be entered on any site, not only the genuine one.

Burnett advocates a technical solution. She proposed SSL client certificates for authenticating the domain making the request.

“The server requests a certificate, and the user’s machine serves it up,” she said. “They’re kind of like cookies but without all the downsides of cookies. They’re not a single shared secret being passed around everywhere.”

U2F (Universal 2nd Factor) would also work well, as it generates a unique credential for each domain every time that domain requires authentication.
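The difference between the two second factors discussed above, a typed code and a U2F credential, comes down to origin binding. The following is an added illustration, not code from Burnett's talk or from any U2F implementation: a toy token and a toy server written in Python, with HMAC standing in for the per-origin key pairs and signatures a real U2F device uses, and with the origins, user name and device secret constructed for the demo. The server verifies every assertion against its own origin, so a credential produced while the browser sits on a lookalike origin does not verify at the genuine site, whereas a one-time code has no origin at all and verifies wherever it is entered.

```python
import hashlib
import hmac
import secrets

# Added example, simplified model only: real U2F uses per-origin asymmetric
# key pairs and the server stores a public key; here HMAC plays both roles.
REAL_ORIGIN = "https://accounts.example.com"             # constructed sample origin
LOOKALIKE_ORIGIN = "https://accounts.example-login.com"  # constructed lookalike origin


class Authenticator:
    """Toy hardware token: one device secret, a distinct credential per origin."""

    def __init__(self, device_secret: bytes) -> None:
        self._secret = device_secret

    def key_for(self, origin: str) -> bytes:
        # Per-origin key derivation: a different origin string yields a different key.
        return hmac.new(self._secret, origin.encode(), hashlib.sha256).digest()

    def sign(self, origin: str, challenge: bytes) -> bytes:
        # The browser, not the user, tells the token which origin is asking,
        # and the origin is folded into the signed message.
        msg = hashlib.sha256(origin.encode()).digest() + challenge
        return hmac.new(self.key_for(origin), msg, hashlib.sha256).digest()


class RelyingParty:
    """Toy server: records the per-origin key at enrolment and checks assertions."""

    def __init__(self, origin: str) -> None:
        self.origin = origin
        self.keys: dict[str, bytes] = {}

    def enroll(self, user: str, token: Authenticator) -> None:
        # Simplification: the server keeps the symmetric per-origin key.
        self.keys[user] = token.key_for(self.origin)

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(32)

    def verify(self, user: str, challenge: bytes, signature: bytes) -> bool:
        # The server always verifies against ITS OWN origin, never one the client claims.
        msg = hashlib.sha256(self.origin.encode()).digest() + challenge
        expected = hmac.new(self.keys[user], msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


def u2f_login(browser_origin: str) -> bool:
    """Token signs for whatever origin the browser is on; the genuine server
    accepts only assertions bound to REAL_ORIGIN."""
    token = Authenticator(b"constructed-device-secret")
    rp = RelyingParty(REAL_ORIGIN)
    rp.enroll("alice", token)
    challenge = rp.new_challenge()
    assertion = token.sign(browser_origin, challenge)  # origin supplied by the browser
    return rp.verify("alice", challenge, assertion)


def code_login(browser_origin: str, typed_code: str, expected_code: str) -> bool:
    """A typed one-time code carries no origin: the site it was entered on
    plays no part in verification, so SMS/TOTP alone cannot tell the genuine
    login page from a lookalike."""
    del browser_origin  # deliberately unused: nothing binds the code to a site
    return hmac.compare_digest(typed_code, expected_code)


if __name__ == "__main__":
    print("U2F, genuine origin:  ", u2f_login(REAL_ORIGIN))       # True
    print("U2F, lookalike origin:", u2f_login(LOOKALIKE_ORIGIN))  # False
    print("Code, genuine origin:  ", code_login(REAL_ORIGIN, "482913", "482913"))
    print("Code, lookalike origin:", code_login(LOOKALIKE_ORIGIN, "482913", "482913"))
```

The design point to take from the model is the one Burnett makes: the decision about which origin is being authenticated is taken by the browser and the token, not by a person reading a URL under time pressure, and the server trusts only its own origin when it verifies.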

“The underlying issue here is that any protection that relies on a human being making a reasonable decision is going to fail. We need to find technical solutions to this problem rather than just say, ‘We’ll train people and everything will be fine’,” Burnett concluded.

In the first three months of 2016, spam email containing attached files increased 50% from a year earlier, data from Bitdefender's Antispam Lab revealed. Around the same time, spammers stepped up their use of new, clever tactics like whaling and spear-phishing.

Locky and Petya, two emerging ransomware threats, were largely responsible for the uptick. Ransomware accounted for 15.5% of all measured e-mail antivirus detections last year. In other words, one in seven malicious email attachments delivered in Q1 2016 contained some form of ransomware.
