‘Old school’ email social engineering or data-entry phishing is an attack method that has been on the rise in recent months, notably employed by the Syrian Electronic Army to hack seemingly every major media outlet in the Western hemisphere.
Data-entry phishing emails lure employees into freely giving up their login credentials by taking them to a seemingly legitimate landing page. Attackers then use the credentials to establish a foothold in the network.
In spear phishing campaigns, data-entry style emails contain a link that takes the recipient to a webpage that appears to be a genuine corporate or commercial site soliciting login information.
Despite their pervasiveness and high success rate, data-entry attacks seeking login credentials and other sensitive information have been a secondary concern for enterprises.
Information security teams have been more concerned with phishing emails that attempt to carry out drive-by attacks through a malicious link or malware delivery via an attachment.
Since data-entry phishing attacks don’t require malware, it’s quite possible to fall victim to this technique and never even realise it. Victims will often enter their information and not recognise that something is wrong. Without the presence of malware, these attacks often go undetected by technical solutions.
However, this doesn’t mean the consequences are any less severe.
Once attackers gain legitimate credentials into the network, their activity is difficult to detect. Using these credentials they can often exfiltrate significant amounts of information from overly permissive file shares, search for other devices with weak or default credentials, and possibly escalate privileges to dump entire username/password databases that can continue to grant future access.
This activity may have the appearance of an insider threat, so breaches caused by data-entry phishing are often attributed to this source. Is it really an inside job if they gained access through a spear phish?
From an attacker’s perspective, what is easier: researching social media to craft a spear phishing email, or recruiting an actual insider within the organisation?
Some experts in the security industry have identified two-factor authentication as a way to mitigate this threat; however, two-factor authentication will not prevent phishing. While two-factor authentication makes it more difficult to phish an account, it will not prevent this type of attack from being successful.
If a user is tricked into revealing login credentials to a false landing page, two-factor authentication will only limit the time the hacker has access to the account. Attackers would need to collect the second factor of authentication, but the underlying tactics would remain the same.
Even if two-factor authentication could prevent phishing, for large enterprises implementing the solution across the board is often cost prohibitive and a logistical nightmare. This isn’t to say that two-factor authentication doesn’t improve security, but it isn’t a panacea.
The same goes for technologies and services that take down phishing websites. At best, these technologies offer lead times of four to eight hours to take down phishing sites. It can often take longer, particularly if the site’s domain is in an unfriendly country or if the site is hosted using a subdomain on a large provider.